What happens on your Mac, stays on Apple’s iCloud?!

1. What happens on your Mac, stays on Apple's iCloud?! Bypassing Mac privacy mechanisms

2. Whoami? Wojciech Reguła Head of Mobile Security at • Focused on iOS/macOS #appsec • Blogger – https://wojciechregula.blog • iOS Security Suite Creator • macOS environments security

3. Research continuation / fork()

4. Agenda 1. Introduction to macOS privacy mechanisms 2. macOS entitlements and how to attack them 3. Accessing user’s iCloud account tokens via GarageBand 4. Accessing user’s iCloud account tokens via iMovie 5. Demos & further exploitation 6. Conclusion

5. Results of this research for now During this talk we will get unauthorized access to user’s • Location • Contacts • Calendar • Reminders

6. Introduction to macOS Security Mechanisms System Integrity Protection (SIP) • Based on Sandbox kernel extension • Restricts access to many directories on macOS • Denies debugger attachments to processes signed directly by Apple • Also known as rootless, because even root cannot do the above- mentioned operations when the SIP is turned on

7. Transparency, Consent, and Control (TCC)

8. Transparency, Consent, and Control (TCC)

9. Transparency, Consent, and Control (TCC) What resources are privacy-sensitive according to Apple?

10. Transparency, Consent, and Control (TCC) …but TCC also protects:

11. macOS Entitlements System

18. macOS Entitlements System – DYLIB injection flaw A N A P P W I T H P R I V AT E E N T I T L E M E N T S A N AT TA C K E R L O A D S S O M E H O W A M A L I C I O U S D Y N A M I C L I B R A R Y A M F I A N D O T H E R C O M P O N E N T S V E R I F Y I N G E N T I T L E M E N T S A R E H A P P Y 👍🏻

19. Our target - com.apple.iCloudHelper.xpc • Uses C XPC API for inter-process communication • Will provide us iCloud auth tokens when nicely asked 😊

20. XPC exploitation https://wojciechregula.blog/post/learn-xpc-exploitation-part-1-broken-cryptography/

21. Our target - com.apple.iCloudHelper.xpc

26. Attacking GarageBand G A R A G E B A N D W I T H P R I V AT E I C L O U D E N T I T L E M E N T A N D D I S A B L E - L I B R A R Y - V A L I D AT I O N M O D I F I C AT I O N O F O N E O F T H E D Y N A M I C L I B R A R I E S T O E X E C U T E M Y C O D E T H E I C L O U D H E L P E R H A P P I LY A C C E P T S T H E X P C C O N N E C T I O N 👍🏻

27. Attacking GarageBand

30. https://vimeo.com/759031806

32. Attacking iMovie I M O V I E W I T H P R I V AT E I C L O U D E N T I T L E M E N T A N D W I T H O U T H A R D E N E D R U N T I M E D Y L D _ I N S E R T _ L I B R A R I E S T H AT I N J E C T S A D Y N Y M I C L I B R A R Y W I T H M Y C O D E T H E I C L O U D H E L P E R H A P P I LY A C C E P T S T H E X P C C O N N E C T I O N 👍🏻

33. Attacking iMovie

38. Attacking iMovie – fix #2

39. Stolen iCloud tokens

40. Using the iCloud tokens – pwning Location

41. https://vimeo.com/759034238

42. Using the iCloud tokens – pwning Contacts

43. Using the iCloud tokens – pwning Contacts

44. Using the iCloud tokens – pwning Calendar

45. Using the iCloud tokens – pwning Calendar

46. Using the iCloud tokens – pwning Reminders

47. What else uses iCloud tokens?! …

48. Conclusion & Recommendations

49. Check your iCloud settings

50. Wojciech Reguła Head of Mobile Security at Securing @_r3ggi wojciech-regula Thank you!

What happens on your Mac, stays on Apple’s iCloud?!

You are reading a preview.

Check these out next

What happens on your Mac, stays on Apple’s iCloud?!

More Related Content

More from SecuRing (20)

Recently uploaded (20)