The Black Hat Conference took place in Las Vegas this year. It included a presentation in which two researchers, Jesse Endahl from the company Fleetsmith and Max Bélanger from Dropbox, outlined how popular set-up methods for Apple Macs can be exploited for malicious purposes.
Essentially, Endahl and Bélanger identified a flaw in the tools Mobile Device Management (MDM) and Device Enrollment Program (DEP) that leaves scope for a man-in-the-middle (MitM) attack. Such an attack could give a third party access to a Mac during its set-up. Normally, MDM and DEP are very well secured during this process through techniques such as certificate pinning. That protection is needed because it allows Apple to farm MDM out to companies such as Fleetsmith, so that enterprise customers can set up their Macs by themselves on delivery.
However, Endahl and Bélanger found that one step, in which the MDM connects to the Mac App Store to download software, was not protected by pinning. A MitM positioned between the MDM vendor's online resources and the device could therefore redirect that download to one containing malware instead.
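To make the distinction between a pinned and an unpinned step concrete, here is an added example (not code from the researchers, Apple, Fleetsmith or any MDM vendor) of the check a download client would apply when it pins the server's public key. It uses the common pinning scheme of hashing the certificate's SubjectPublicKeyInfo (SPKI) with SHA-256 and comparing it against a set of known-good pins, which is an assumption about how such a client would be written, not a description of Apple's implementation. The certificates it parses are synthetic DER structures constructed inline so the script runs offline; they carry no real keys or signatures.

```python
import base64
import hashlib

# --- minimal DER helpers (enough to build and walk an X.509 certificate) ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV element with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, content, end, raw_element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end, buf[pos:end]


def children(content: bytes):
    """Split the content of a constructed element into its (tag, body, raw) parts."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end, raw = read_tlv(content, pos)
        out.append((tag, body, raw))
        pos = end
    return out


# --- pinning logic ---

def spki_from_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo element of a DER certificate."""
    tag, cert_body, _, _ = read_tlv(cert_der)
    tbs_tag, tbs_body, _, _ = read_tlv(cert_body)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a certificate")
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:      # optional [0] version
        fields = fields[1:]
    # serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("malformed TBSCertificate")
    return fields[5][2]


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 over the SPKI, base64-encoded: the usual public-key pin format."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()


def download_allowed(cert_der: bytes, pinned: set, enforce_pin: bool = True) -> bool:
    """Decide whether a software download over this TLS peer may proceed.

    enforce_pin=False models the unpinned step: any certificate the TLS stack
    itself accepts is good enough, so a MitM holding any trusted certificate
    for the host can substitute the download. With pinning, only a peer whose
    public key matches a known pin is accepted.
    """
    try:
        pin = spki_pin(cert_der)
    except (ValueError, IndexError):
        return False
    if not enforce_pin:
        return True
    return pin in pinned


# --- constructed test certificates (synthetic; no real key or signature) ---

def make_synthetic_cert(key_bytes: bytes, name: bytes = b"mdm.example") -> bytes:
    rsa_oid = bytes.fromhex("2A864886F70D010101")          # 1.2.840.113549.1.1.1
    alg = der(0x30, der(0x06, rsa_oid) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    cn = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, name))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + cn + validity + cn + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00not-a-real-signature"))


if __name__ == "__main__":
    vendor = make_synthetic_cert(b"vendor-key")
    attacker = make_synthetic_cert(b"attacker-key")   # same name, different key
    pins = {spki_pin(vendor)}
    print("pinned, vendor cert   :", download_allowed(vendor, pins))
    print("pinned, attacker cert :", download_allowed(attacker, pins))
    print("unpinned, attacker    :", download_allowed(attacker, pins, enforce_pin=False))
```

The last line of the demonstration is the situation the researchers described: when the download step skips the pin check, a certificate that merely passes ordinary TLS validation is enough, so the defence collapses to whatever the MitM can obtain for that hostname. Pinning the vendor's key for every step of enrollment, not only the initial ones, closes that gap.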
That said, the researchers stressed that getting a MitM into the right 'position' is incredibly difficult to pull off. In addition, it requires versions of macOS older than 10.13.6; however, companies such as Fleetsmith still rely on such a version for MDM provision. Endahl also reported that Apple, as well as his own employer, had been informed of this issue, so it will hopefully be addressed soon.