
What happens on your Mac, stays on Apple’s iCloud?!


“$ sudo ls ~/Desktop: Operation not permitted”. Apple’s Transparency, Consent, and Control (TCC) framework limits access to private information like documents, a camera, a microphone, emails, and more in order to preserve your privacy. Since authorisation is required to grant such access, the mechanism’s key design priority was clear user consent.

At Black Hat USA 2021, I co-presented considerable research on abusing the TCC mechanisms; however, this time we won’t be directly exploiting the TCC. Given that iCloud has tons of macOS users’ secrets, why keep attacking the TCC? The default configuration makes a Mac synchronize a lot of data. Don’t you have your iMessages/Photos/Calendars/Reminders/Notes accessible from iCloud? That’s good because you take care of your privacy… but most users don’t. :)

The brand-new research on abusing Apple’s iCloud to gain access to users’ sensitive data will be shared during the presentation. All that from a malicious application’s perspective, without any additional permissions.


What happens on your Mac, stays on Apple’s iCloud?!

  1. What happens on your Mac, stays on Apple's iCloud?! Bypassing Mac privacy mechanisms
  2. Whoami? Wojciech Reguła, Head of Mobile Security at SecuRing
     • Focused on iOS/macOS #appsec
     • Blogger – https://wojciechregula.blog
     • iOS Security Suite Creator
     • macOS environments security
  3. Research continuation / fork()
  4. Agenda
     1. Introduction to macOS privacy mechanisms
     2. macOS entitlements and how to attack them
     3. Accessing user’s iCloud account tokens via GarageBand
     4. Accessing user’s iCloud account tokens via iMovie
     5. Demos & further exploitation
     6. Conclusion
  5. Results of this research for now. During this talk we will get unauthorized access to the user’s
     • Location
     • Contacts
     • Calendar
     • Reminders
  6. Introduction to macOS Security Mechanisms – System Integrity Protection (SIP)
     • Based on the Sandbox kernel extension
     • Restricts access to many directories on macOS
     • Denies debugger attachments to processes signed directly by Apple
     • Also known as rootless, because even root cannot do the above-mentioned operations when SIP is turned on
  7. Transparency, Consent, and Control (TCC)
  8. Transparency, Consent, and Control (TCC)
  9. Transparency, Consent, and Control (TCC) – What resources are privacy-sensitive according to Apple?
  10. Transparency, Consent, and Control (TCC) – …but TCC also protects:
  11. macOS Entitlements System
  12. macOS Entitlements System
  13. macOS Entitlements System
  14. macOS Entitlements System
  15. macOS Entitlements System
  16. macOS Entitlements System
  17. macOS Entitlements System
  18. macOS Entitlements System – DYLIB injection flaw. An app with private entitlements. An attacker somehow loads a malicious dynamic library. AMFI and the other components verifying entitlements are happy 👍🏻
  19. Our target – com.apple.iCloudHelper.xpc
     • Uses the C XPC API for inter-process communication
     • Will provide us iCloud auth tokens when nicely asked 😊
  20. XPC exploitation: https://wojciechregula.blog/post/learn-xpc-exploitation-part-1-broken-cryptography/
  21. Our target – com.apple.iCloudHelper.xpc
  22. Our target – com.apple.iCloudHelper.xpc
  23. Our target – com.apple.iCloudHelper.xpc
  24. Our target – com.apple.iCloudHelper.xpc
  25. Our target – com.apple.iCloudHelper.xpc
  26. Attacking GarageBand. GarageBand with a private iCloud entitlement and disable-library-validation. Modification of one of the dynamic libraries to execute my code. The iCloud helper happily accepts the XPC connection 👍🏻
  27. Attacking GarageBand
  28. Attacking GarageBand
  29. Attacking GarageBand
  30. https://vimeo.com/759031806
  31. Attacking GarageBand
  32. Attacking iMovie. iMovie with a private iCloud entitlement and without hardened runtime. DYLD_INSERT_LIBRARIES that injects a dynamic library with my code. The iCloud helper happily accepts the XPC connection 👍🏻
  33. Attacking iMovie
  34. Attacking iMovie
  35. Attacking iMovie
  36. Attacking iMovie
  37. Attacking iMovie
  38. Attacking iMovie – fix #2
  39. Stolen iCloud tokens
  40. Using the iCloud tokens – pwning Location
  41. https://vimeo.com/759034238
  42. Using the iCloud tokens – pwning Contacts
  43. Using the iCloud tokens – pwning Contacts
  44. Using the iCloud tokens – pwning Calendar
  45. Using the iCloud tokens – pwning Calendar
  46. Using the iCloud tokens – pwning Reminders
  47. What else uses iCloud tokens?! …
  48. Conclusion & Recommendations
  49. Check your iCloud settings
  50. Wojciech Reguła, Head of Mobile Security at Securing. @_r3ggi, wojciech-regula. Thank you!
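Slides 18, 26 and 32 describe the two conditions that let injected code inherit an app's private entitlements: library validation disabled through the `com.apple.security.cs.disable-library-validation` entitlement (the GarageBand case) or no hardened runtime at all, so dyld honours `DYLD_INSERT_LIBRARIES` (the iMovie case). The following audit helper is an added example, not code from the talk or from SecuRing; it assumes you feed it the text of `codesign -d --entitlements :- App.app` and `codesign -dv App.app`, treats any key under `com.apple.private.` as a private entitlement (a heuristic), and uses a constructed placeholder entitlement name in its samples.

```python
import plistlib
import re

# Real, documented Apple entitlement keys that weaken dyld's checks
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"

def parse_codesign_flags(codesign_dv_output):
    """Extract flag names from the 'flags=0x10000(runtime)' field printed by `codesign -dv`."""
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", codesign_dv_output)
    if not m:
        return set()
    return {f.strip() for f in m.group(1).split(",") if f.strip() and f.strip() != "none"}

def assess_app(entitlements_plist, codesign_dv_output):
    """Report which of the talk's two injection paths an app leaves open and
    which private entitlements an injected dylib would inherit."""
    ents = plistlib.loads(entitlements_plist)
    flags = parse_codesign_flags(codesign_dv_output)
    hardened = "runtime" in flags
    # Heuristic: Apple's private entitlements live under the com.apple.private. prefix
    private = sorted(k for k in ents if k.startswith("com.apple.private."))
    paths = []
    # iMovie case: without hardened runtime (or with the env-vars opt-out) dyld honours DYLD_INSERT_LIBRARIES
    if not hardened or ents.get(ALLOW_DYLD_ENV) is True:
        paths.append("DYLD_INSERT_LIBRARIES")
    # GarageBand case: library validation is off, so a replaced bundled dylib still loads
    lib_validation = ("runtime" in flags or "library" in flags) and ents.get(DISABLE_LIBRARY_VALIDATION) is not True
    if not lib_validation:
        paths.append("bundled dylib replacement")
    return {"hardened_runtime": hardened, "private_entitlements": private,
            "injection_paths": paths, "at_risk": bool(private and paths)}

# Constructed samples; the private entitlement name is a placeholder, not a real key
GARAGEBAND_LIKE_ENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.private.PLACEHOLDER-icloud-entitlement</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""
IMOVIE_LIKE_ENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.private.PLACEHOLDER-icloud-entitlement</key><true/>
</dict></plist>"""
HARDENED = "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded"
NOT_HARDENED = "CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded"

if __name__ == "__main__":
    for name, ents, cs in (("GarageBand-like", GARAGEBAND_LIKE_ENTS, HARDENED),
                           ("iMovie-like", IMOVIE_LIKE_ENTS, NOT_HARDENED)):
        print(name, assess_app(ents, cs))
```

An app whose report shows private entitlements together with a non-empty injection path is the pattern the talk exploits; the fix on the vendor side is enabling hardened runtime and dropping the library-validation opt-out.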
