Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.
MDM is designed to allow system administrators to send management commands to managed macOS and iOS devices, including to install or remove applications, monitor compliance with corporate policies, and securely erase or lock a device.
When a device is enrolled in MDM, it receives a Configuration Profile, which can either be installed manually or automatically using the Device Enrollment Program (DEP). If DEP is used on macOS, the device automatically checks in with the MDM server during the initial setup process or after the system has been reset to factory settings and the operating system has been reinstalled.
The DEP profile received by a device during this process is delivered by Apple but populated by the MDM server. The profile includes information such as the MDM server’s URL, pinned certificates, and which screens should be skipped during the setup process.
One of the most popular MDM commands used during the initial setup process is InstallApplication, which allows administrators to install a specified application package. The command relies on a manifest URL that returns an XML file containing all the information needed to install the app.
Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, showed this week at the Black Hat security conference how a threat actor could compromise the retrieval of the manifest and install a different application than the one intended by the victim.
Exploitation involves a man-in-the-middle (MitM) attack, which makes it difficult for unsophisticated cybercrime groups. However, a sophisticated state-sponsored actor or a malicious ISP may be able to carry out such an attack and infiltrate devices in a targeted organization.
According to Bélanger and Endahl, an attacker could use this method to take full control of Mac computers right after they are unboxed, as soon as they connect to the organization’s Wi-Fi network.
The researchers disclosed their findings to Apple in late April and the tech giant acknowledged their findings on May 2. The company implemented a fix on July 9 with the release of macOS 10.13.6.
Apple addressed the issue by implementing a new MDM command named InstallEnterpriseApplication. This command allows MDM vendors to provide specific certificates to pin the request to the manifest URL.
“It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem,” the researchers wrote in a paper.