Can a Mac be hacked? How do you know if it happens?

Be it ethical or not, hacking aims at spotting issues in your MacBook. These basically split into vulnerabilities, or flaws that attackers can exploit, and features you may want to change so that macOS fits your preferences and needs. You may customize your operating system without affecting its security-sensitive properties. Feel free to customize the appearance of windows, Desktop themes, Dock position and similar parameters that have nothing to do with macOS security. However, beware that the margin is very uncertain. For instance, if you are about to gain root access to the OS or add custom code to the installed apps, this does affect MacBook security. Such customization may create extra flaws in addition to those the crooks already exploit.
It goes without saying that a MacBook's exposure to hacking is worth considering. In plain English, yes, a MacBook can be hacked, and special attention should be paid to black-hat hacking. Meanwhile, note that certain types of user-initiated customization are a kind of hacking that may create extra opportunities for cybercriminals.

macOS underlying vulnerabilities

I bet you have heard the story of a macOS invulnerable to any threat. The operating system leverages unique security approaches that render standard hacking tactics useless in a great many cases. When those facilities fail, they become the underlying source of vulnerabilities that attackers can explore.

App Sandbox, introduced back in 2012, provides essential restrictions for Mac software. It limits the resources a sandboxed program can reach and the actions it can take. In terms of security, the implications are unprecedented. There is no evidence suggesting that any actual virus has succeeded in executing its payload as malicious code integrated into Mac software.

Picture 1: Sand holding a boy sunk up to his chest depicts an app sandboxed by macOS

Things are not that great when it comes to system performance. Certain high-profile apps run outside the Sandbox. Why? Because the restrictions are too tight, or rather their demand for resources is too high. Given the absence of actual viral attacks for a decade, chiefly due to the unrivaled post-intrusion defense the Sandbox provides, this might be the most critical basic macOS vulnerability.

Picture 2: Former Apple engineer reflecting on App Sandbox

A popular blogger, who claims he was an AppKit engineer at the time of (and in charge of!!!) the App Sandbox introduction, has admitted that software in the Sandbox underperformed due to the limitations imposed. He concluded the App Sandbox was “a grievous strategic mistake for the Mac”. According to him, Mac should stop sandboxing apps and only continue applying this feature to system services, “which is totally sensible”.

In fact, a great many users simply disable the Sandbox for a particular app. Others turn off System Integrity Protection altogether. One way or another, all or some of the apps run outside the App Sandbox. This further debunks the myth that a MacBook is invulnerable to pure viruses, since software in macOS, even if it carries viral code, cannot do much while sandboxed. Furthermore, stand-alone apps may also deliver a malicious payload as long as they run outside the Sandbox.

You do not need special skills to disable the App Sandbox. And the MacBook has no other built-in proactive defense against hacking attacks.
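Since the argument above turns on which apps actually run outside the App Sandbox, an inventory check is the practical follow-up. The script below is an added example, not code from the original article: it reads an app's entitlements plist and reports whether the sandbox entitlement is set and which documented entitlements widen a sandboxed app's reach. On a Mac the XML for an installed app is obtained with `codesign -d --entitlements :- /path/To.app`; here constructed plists are embedded so the audit runs anywhere. The app names are made up.

```python
"""Audit app entitlements to see which apps run outside the App Sandbox.

Added example, not code from the original article. On a Mac the entitlements
XML comes from `codesign -d --entitlements :- /path/To.app`; the plists below
are constructed inline so the audit runs on any machine. Entitlement key
names are Apple's documented ones; the app names are fictional.
"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Entitlements that widen what a sandboxed app may reach. A sandboxed app that
# requests many of these is closer to an unsandboxed one than its flag suggests.
BROADENING = {
    "com.apple.security.network.client": "outbound network",
    "com.apple.security.network.server": "inbound network (listening)",
    "com.apple.security.files.user-selected.read-write": "user-picked files, read/write",
    "com.apple.security.files.downloads.read-write": "Downloads folder, read/write",
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.temporary-exception.files.absolute-path.read-write":
        "arbitrary absolute paths, read/write (temporary exception)",
}


def audit_entitlements(xml_bytes):
    """Classify one entitlements blob.

    Returns {"sandboxed": bool, "broadening": [human-readable capabilities]}.
    An empty blob is what codesign yields for an unsigned binary or one signed
    without entitlements; such an app is never sandboxed.
    """
    if not xml_bytes.strip():
        return {"sandboxed": False, "broadening": []}
    ents = plistlib.loads(xml_bytes)
    return {
        "sandboxed": ents.get(SANDBOX_KEY) is True,
        "broadening": [desc for key, desc in BROADENING.items() if ents.get(key) is True],
    }


def unsandboxed_apps(apps):
    """apps: {app name: entitlements XML bytes}. Returns the names that run
    outside the App Sandbox, sorted."""
    return sorted(name for name, xml in apps.items()
                  if not audit_entitlements(xml)["sandboxed"])


def report(apps):
    """One line per app, suitable for a quick inventory."""
    lines = []
    for name in sorted(apps):
        result = audit_entitlements(apps[name])
        state = "sandboxed" if result["sandboxed"] else "NOT sandboxed"
        extras = ", ".join(result["broadening"]) or "none"
        lines.append(f"{name}: {state}; broadening entitlements: {extras}")
    return lines


# Constructed sample blobs (not real apps).
PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
              b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
              b'<plist version="1.0"><dict>\n')
PLIST_TAIL = b'</dict></plist>\n'

SAMPLE_APPS = {
    "SandboxedEditor.app": PLIST_HEAD
        + b'<key>com.apple.security.app-sandbox</key><true/>\n'
        + b'<key>com.apple.security.network.client</key><true/>\n'
        + b'<key>com.apple.security.files.downloads.read-write</key><true/>\n'
        + PLIST_TAIL,
    "LegacyTool.app": PLIST_HEAD            # signed, but opted out of the sandbox
        + b'<key>com.apple.security.app-sandbox</key><false/>\n'
        + PLIST_TAIL,
    "UnsignedHelper.app": b"",               # codesign prints nothing for this one
}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_APPS)))
```

Run it over the entitlements of every bundle in /Applications and the "NOT sandboxed" lines are exactly the set of apps whose code, malicious or merely buggy, is not held back by the Sandbox.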

Gatekeeper and Developer ID represent the outer layer of Mac security. While the App Sandbox deals with applications already running, it is Gatekeeper that examines those entering the operating system. Should they fail to present a valid certificate, they do not pass verification. The bad news is that hackers may come up with malicious apps presenting stolen or fake certificates that still qualify. Just as with the Sandbox, users might be unhappy with App Store and other recognized apps. They get used to ignoring Apple's entry security warnings or disable them for good without installing adequate third-party protection.

Yet another vulnerability to mention is the DMG file. This type of file enjoys unrestricted access to your MacBook. Its typical function is to install the apps you download. macOS verifies that the app has a valid certificate and lets it in. A DMG file enters as is, for the system recognizes it as a technical file designed to install the application properly. Without such a file, you would instead need a physical carrier like a compact disc or a flash drive.

DMG is a convenient way to handle Mac installations. However, it is a common source of vulnerability, as it is not subject to verification by Gatekeeper.

A DMG-related vulnerability exists because there are too few restrictions on handling this type of file. It is thus essentially different from the Sandbox and Gatekeeper vulnerabilities, which arise in systems that are themselves restrictive.

Lacking adequate constraints, Single-User Mode represents a vulnerability of the same type as DMG. This mode in macOS provides unrestricted access to a range of critical system features. The catch with Single-User Mode is that malefactors can access it unconditionally as long as they have physical access to the target MacBook.

Picture 3: Single-user boot

Hacking a MacBook in a nutshell

Did you know that you can hack your own MacBook? In fact, hacking is anything that changes the system beyond its design. "Design" has a very vague meaning. Does the macOS design include App Sandboxing? By default, yes, it does. Sandboxing is also easy to disable.

We assume Apple does not expect regular users to deal with advanced operations like disabling the App Sandbox. Such activity, even if not considered hacking, creates vulnerabilities that black-hat hackers would readily exploit.

Whether authorized or not, and whether initiated by the immediate user or a remote party, hacking implies activities targeting a single unit. Its ultimate goal is to take over a particular machine. A typical guide to hacking reviews the particular device to be attacked. Distance to that device is a key input determining the choice of hacking method. In light of the above, we consider below the three basic MacBook hacking scenarios.

Scenario 1: MacBook exposed to unauthorized physical access

Imagine you are a hacker tasked to gain access to a particular MacBook. Having physical access to your target device is a good opportunity to install a backdoor. If you can access the attacked device for a longer time, you may deploy your attack manually in Single-User Mode. If your access is limited in time, there is still a workaround. With the Rubber Ducky, a flash drive designed specifically for hacking purposes, a successful physical attack is a matter of several seconds. If you combine it with a single-line Python command, you may create a backdoor enabling you to remotely control the compromised MacBook.

Picture 4: Single-line Python command capable of establishing MacBook backdoor

Scenario 2: MacBook exposed to wireless networks

Wireless network attacks come in two major types. The first deals with brute-force attacks. These aim at gaining access to the network in order to use its shared drives and the access options to the MacBooks on that network. There is a special class of malware specifically designed to exploit network-based vulnerabilities.

The other type of wireless network attack leverages tools like Aircrack and Wireshark. These apps enable capturing network data without accessing the network router. The advantage of such attacks is that they leave very few traces. Easy-to-apply yet technically advanced post-capture solutions discard the bulk of routine data. The attacker is then able to focus on the most promising sets that remain.

Cannot break in? Scan and fake it! Hacking a wireless network is not necessarily about intercepting its data or gaining access to it. A Wi-Fi deauthentication attack is a common hacking scenario that suppresses and confuses the local networks around it. Hackers widely use hardware called a deauther to wreak havoc on local networks.

Picture 5: Deauther wreaking havoc with local networks around it

The basic functionality of the hardware enables three types of attacks:

(1) Deauth attacks any network in range, disconnecting its devices from Wi-Fi;

(2) Beacon spawns fake networks to make a mess among the local networks in range;

(3) Probe targets other networks, monitoring their activities. It looks for imaginary network names, confusing other Wi-Fi trackers.
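Both the Deauth and Beacon behaviours just listed leave a clear fingerprint in a monitor-mode capture, which is how a defender notices a deauther on the premises. The detector below is an added example, not code from the original article or from any deauther firmware: it decodes the 24-byte 802.11 management header, counts deauthentication/disassociation frames per BSSID inside a sliding window (a broadcast destination is reported separately, because a real access point normally deauthenticates one client, not everyone), and separately counts never-before-seen BSSIDs that start beaconing, which is what a burst of spawned fake networks looks like. The capture is constructed inline as a fixture (radiotap header assumed already stripped); the MAC addresses and thresholds are assumptions to tune for a real site.

```python
"""Detect Wi-Fi deauthentication floods and fake-beacon spam in 802.11 frames.

Added example, not from the original article. Input is raw management-frame
bytes as a monitor-mode capture yields them once the radiotap header is
stripped; the frames used below are constructed inline as a test fixture.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
TYPE_MGMT = 0                 # 802.11 frame type 0 = management
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def parse_mgmt_frame(frame):
    """Decode the management header: Frame Control (2), Duration (2), Addr1 (6),
    Addr2 (6), Addr3/BSSID (6), Sequence Control (2). Returns
    (subtype, addr1, addr2, bssid, body) or None for data/control/short frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                          # bits 2-3 type, bits 4-7 subtype
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (fc0 >> 4) & 0xF
    return (subtype, mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), frame[24:])


def analyze(frames, window=10.0, deauth_threshold=10, newap_threshold=20):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in capture order.
    Returns a list of alert dicts, at most one per BSSID for deauth floods and
    one for beacon floods."""
    deauth_times = defaultdict(list)        # bssid -> timestamps inside the window
    broadcast_count = defaultdict(int)      # bssid -> deauths sent to everyone
    known_aps = set()
    new_ap_times = []                       # first-seen times of BSSIDs in the window
    alerted = set()
    alerts = []

    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        subtype, addr1, _addr2, bssid, _body = parsed

        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            times = deauth_times[bssid]
            times.append(ts)
            while ts - times[0] > window:   # slide the window forward
                times.pop(0)
            if addr1 == BROADCAST:
                broadcast_count[bssid] += 1
            if len(times) >= deauth_threshold and ("deauth", bssid) not in alerted:
                alerted.add(("deauth", bssid))
                alerts.append({"type": "deauth_flood", "bssid": bssid,
                               "count": len(times),
                               "broadcast": broadcast_count[bssid], "ts": ts})

        elif subtype == SUBTYPE_BEACON and bssid not in known_aps:
            known_aps.add(bssid)
            new_ap_times.append(ts)
            while ts - new_ap_times[0] > window:
                new_ap_times.pop(0)
            if len(new_ap_times) >= newap_threshold and "beacon" not in alerted:
                alerted.add("beacon")
                alerts.append({"type": "beacon_flood",
                               "new_aps": len(new_ap_times), "ts": ts})
    return alerts


def sample_frame(subtype, addr1, addr2, bssid, body=b""):
    """Fixture builder: a management frame with zeroed Duration/Sequence fields."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return (fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(bssid) + b"\x00\x00" + body)


def sample_capture():
    """Constructed capture: one real AP dropping a single client, a flood of
    broadcast deauths carrying a second AP's BSSID, and a burst of fake networks."""
    frames = [(0.0, sample_frame(SUBTYPE_DEAUTH, "02:00:00:00:00:10",
                                 "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01",
                                 b"\x03\x00"))]                 # reason 3: STA leaving
    for i in range(15):                                         # 15 deauths in 1.5 s
        frames.append((1.0 + i * 0.1, sample_frame(SUBTYPE_DEAUTH, BROADCAST,
                       "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:02", b"\x07\x00")))
    for i in range(25):                                         # 25 new BSSIDs in 2.5 s
        fake = f"de:ad:be:ef:00:{i:02x}"
        frames.append((3.0 + i * 0.1, sample_frame(SUBTYPE_BEACON, BROADCAST, fake, fake)))
    return frames


if __name__ == "__main__":
    for alert in analyze(sample_capture()):
        print(alert)
```

The single unicast deauth from the first access point never trips the detector, which is the point of the per-BSSID window: an access point that drops one idle client is normal, fifteen broadcast deauths in under two seconds are not. Feeding real frames means reading them from a monitor-mode interface or a pcap and stripping the radiotap header first.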

Scenario 3: MacBook exposed to Internet threats

Web-based attacks do not typically start with malware. A follow-up to the Python-enhanced Scenario 1 above would include malicious activities via the backdoor, and those activities would unfold over the Internet.

Any hacking requires an entry point. For web-based attacks, social engineering may provide one. This works just as well for macOS as for any other operating system. Again, Windows is the most susceptible, as it dominates the industry.

If we compare sheer hacking aimed at taking over the system for good with mass propagation of a malicious app, these are mutually complementary tactics. For instance, Scenario 1 above shows how a physical attacker first drops a backdoor and then introduces malware via the Internet. This works the other way round as well: malware may break in first, and then that malware, for instance a trojan dropper, stealthily introduces a backdoor so that the system gets hacked. However, the malware-first-then-backdoor scenario is quite unlikely on a MacBook due to its sandboxing and other security features.

As regards macOS malware-based hacking, it seems that Apple tends to ignore potential threats, and so do the real black-hat hackers. In 2019, a number of grey-hat or ethical hackers reported zero-day vulnerabilities to Apple or its certified software developers.

A zero-day vulnerability is a flaw that the respective software operator is unaware of or fails to patch. In short, Apple and the other parties responsible for patching the vulnerabilities provided zero response to the zero-day vulnerabilities reported over the recent period. In the notorious case of the Gatekeeper bypass, its discoverer, Filippo Cavallarin, notified Apple of the flaw and gave the company a 90-day deadline to fix it. He disclosed it three months after the detection date, as Apple seemed to ignore his messages, let alone provide a fix. This was followed almost immediately by the release of OSX/Linker, which exploited the said vulnerability. In fact, the malware did not carry any meaningful payload, yet it could have.


To sum it up, your MacBook being hacked is quite a plausible outcome of the multiple options available to hackers. Most attacks use a web-based infection vector. Apple tends to ignore zero-day and potential vulnerabilities. macOS has long needed a review and enhancement of its approach to anti-hacking measures.

Picture 7: Apple running away from hackers instead of resisting the attacks
