Researchers have discovered an exploit that allowed them to remotely hack Apple's Mac computers right out of the box, which they will demonstrate during this year's Black Hat security conference in Las Vegas.
Jesse Endahl, Chief Security Officer at Mac management company Fleetsmith, and Dropbox staff engineer Max Bélanger uncovered the bug in Apple's hardware management setup tools, a bug that can be used to compromise enterprise devices.
While the hack is quite difficult to set up, in theory hackers or even rogue nation states could mount a man-in-the-middle attack to download malware or other malicious software onto a brand new Mac before a user logs on to it for the first time.
Large companies can send out preconfigured devices to employees working abroad or remotely using Apple's Device Enrollment Program and Mobile Device Management (MDM) platform.
Fleetsmith and other companies like it participate in MDM programs so that they can send employees new hardware directly from Apple. However, when a user first opens and logs into their device, it connects to Apple's servers as well as those of the MDM vendor to retrieve a configuration manifest.
Endahl and Bélanger discovered a bug in Apple's MDM sequence that gives hackers the opportunity to install malicious code on a Mac without alerting the end user.
Endahl explained to Wired how effective the hack is, saying:
"We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time. By the time they’re logging in, by the time they see the desktop, the computer is already compromised."
Luckily though, Apple has already been made aware of the exploit and a fix was released in the latest update to macOS High Sierra.