Researchers Remotely Hack a Brand-New MacBook on Its Very First Boot
Macs used to enjoy a reputation for being free of viruses and hacks, with many feeling that the MacBook and other Apple computers were more secure, and therefore better, than their Windows counterparts. This was a long-running argument in PC enthusiast circles, and despite ample evidence that Macs are vulnerable to attacks, some still believe that the Mac is immune to most of the hazards a Windows user faces.
Apple's latest 2018 MacBook models certainly aren’t immune from significant issues and flaws right out of the box. The high-end Core i9 version shipped with thermal throttling that Apple blamed on a flaw in macOS, and a patch was later issued.
Researchers at the Black Hat security conference in Las Vegas demonstrated on Thursday that it is possible to remotely compromise a brand-new Mac the first time it connects to Wi-Fi. The attack targets Macs that use the Apple Device Enrollment Program (DEP) and its Mobile Device Management (MDM) platform. That pair of tools is used by workers in enterprise organizations who need to walk through a customized setup of their new Mac to meet the company's IT requirements. The goal of those tools is to let the end user set up a new Mac to operate within the enterprise environment even when setting it up from home or a remote office with no IT personnel available.
The rub is that both DEP and MDM require privileged access to make the custom setup work. The researchers who discovered the flaw are Jesse Endahl, chief security officer at Fleetsmith, and Max Bélanger, an engineer at Dropbox. "We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time," Endahl says. "By the time they’re logging in, by the time they see the desktop, the computer is already compromised."
The duo say they notified Apple about the issue and that Apple released a fix for the attack in macOS High Sierra 10.13.6 last month. Mac owners should know that systems manufactured before that fix was released are still vulnerable right out of the box. Endahl also points out that the MDM vendor an enterprise chooses must fully support 10.13.6 to mitigate the vulnerability.
This attack could be leveraged by a malicious actor who was somehow able to position themselves between the MDM vendor's website and the victim device with a man-in-the-middle attack. From that position, the attacker could replace the download manifest sent by the MDM with a malicious manifest that forces the Mac to install malware on first boot. The bright side is that engineering this sort of attack is said to be too difficult or expensive for the average hacker to pull off; according to the researchers, the most likely attackers to attempt it would be governments. A determined attacker who did pull it off could potentially infect every new Mac a company sets up through the MDM process, opening the door to massive data theft.
"One of the aspects that’s scary about this is if you’re able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle," Bélanger says. "This all happens very early in the device’s setup, so there aren’t really restrictions on what those setup components can do. They have full power, so they’re at risk of being compromised in a pretty special way."