A Deep Dive into macOS MDM (and How it can be Compromised)

Presented at Black Hat USA 2018, Aug. 9, 2018, 11 a.m. (50 minutes)

On macOS, DEP (Device Enrollment Program) and MDM (Mobile Device Management) are the recommended methods for automating the initial setup and configuration of new devices. MDM offers sophisticated system configuration options, including privileged operations such as adding new trusted root CA certificates to the System keychain. Apple's MDM implementation has recently gained popularity in the enterprise because of its richer feature set.

The recent introduction of User Approved MDM and the continued enhancements to security technologies such as SIP, Gatekeeper and others are evidence of Apple's ongoing commitment to MDM. Some operations, such as whitelisting of allowed kernel extensions, are now supported only if the device is enrolled in a trusted MDM. Under the hood, the DEP and MDM implementation involves many moving parts. Within macOS, several daemons take part in bootstrapping the trust necessary to bring a new device to a fully provisioned state. If an attacker can identify vulnerabilities in the bootstrapping process and exploit them, they may be able to abuse this trusted process to compromise a device as it first boots.

Our talk walks through the various stages of bootstrapping, showing which binaries are involved and the IPC flows on the device, and evaluates the network (TLS) security of key client/server communications. We follow with a live demo showing how a nation-state actor could exploit this vulnerability: a user unwraps a brand new Mac, and the attacker roots it out of the box the first time it connects to Wi-Fi.
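The abstract notes that an MDM profile can perform privileged operations such as trusting a new root CA or pre-approving kernel extensions. A practitioner evaluating what a given enrollment actually grants would want to inspect the configuration profile before it is installed. The following added example (not code from the talk or its authors) audits an unsigned `.mobileconfig` plist and flags the payload types that hand the MDM server privileged control. The `PayloadType` identifiers are Apple's documented values; the risk descriptions, the sample profile, the team ID, the server URL and the placeholder certificate bytes are constructed for the example. A signed profile is a CMS envelope and would first need to be unwrapped (for instance with `security cms -D`), which this example does not do.

```python
import hashlib
import plistlib
from typing import Dict, List

# Apple PayloadType values that grant privileged control over the Mac.
# The one-line risk descriptions are this example's own classification.
PRIVILEGED_PAYLOADS: Dict[str, str] = {
    "com.apple.security.root": "installs a trusted root CA into the System keychain",
    "com.apple.syspolicy.kernel-extension-policy": "pre-approves kernel extensions by Team ID / bundle ID",
    "com.apple.mdm": "enrolls the device with an MDM server (ServerURL, AccessRights)",
    "com.apple.security.scep": "issues a device identity certificate via SCEP",
}


def audit_profile(profile_bytes: bytes) -> List[dict]:
    """Return one finding per privileged payload in an unsigned XML/binary plist profile."""
    profile = plistlib.loads(profile_bytes)
    findings: List[dict] = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in PRIVILEGED_PAYLOADS:
            continue
        finding = {
            "type": ptype,
            "identifier": payload.get("PayloadIdentifier", ""),
            "why": PRIVILEGED_PAYLOADS[ptype],
            # A profile the user cannot remove keeps these grants in place indefinitely.
            "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        }
        if ptype == "com.apple.security.root":
            # PayloadContent is the DER certificate; record its fingerprint for review.
            der = payload.get("PayloadContent", b"")
            finding["cert_sha256"] = hashlib.sha256(der).hexdigest()
        elif ptype == "com.apple.syspolicy.kernel-extension-policy":
            finding["allowed_team_ids"] = list(payload.get("AllowedTeamIdentifiers", []))
        elif ptype == "com.apple.mdm":
            finding["server_url"] = payload.get("ServerURL", "")
            finding["access_rights"] = int(payload.get("AccessRights", 0))
        findings.append(finding)
    return findings


# Constructed sample profile: not a real certificate, not a real MDM server.
SAMPLE_CERT_DER = b"-- constructed placeholder, not a real DER certificate --"
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.enrollment",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "com.example.rootca",
         "PayloadContent": SAMPLE_CERT_DER},
        {"PayloadType": "com.apple.wifi.managed",          # benign, not flagged
         "PayloadIdentifier": "com.example.wifi",
         "SSID_STR": "corp"},
        {"PayloadType": "com.apple.syspolicy.kernel-extension-policy",
         "PayloadIdentifier": "com.example.kext",
         "AllowedTeamIdentifiers": ["ABCDE12345"]},
        {"PayloadType": "com.apple.mdm",
         "PayloadIdentifier": "com.example.mdm",
         "ServerURL": "https://mdm.example.com/mdm",
         "AccessRights": 8191},
    ],
})


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PROFILE):
        print(f)
```

Run it against a real profile with `audit_profile(open("enrollment.mobileconfig", "rb").read())`; any `com.apple.security.root` finding is worth comparing against the fingerprint of the CA you expect, since a root installed this way is trusted system-wide for TLS.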

Presenters:

  • Max Bélanger - Staff Engineer, Dropbox
    Max Bélanger is a strategic advisor at Dropbox. He joined the company in 2010 as one of its first engineering interns and helped build many of Dropbox's desktop features, including Finder integration and the Dropbox Badge. He most recently served as architect for Dropbox's desktop products. Max studied Software Engineering at the University of Ottawa, Canada.
  • Jesse Endahl - Chief Security Officer & Chief Product Officer, Fleetsmith
    Jesse Endahl is co-founder, CPO, and CSO at Fleetsmith. He previously worked at Dropbox, where he spent a year as an IT Engineer and two and a half years as an Infrastructure Security Engineer. He has spoken on security at conferences such as BSides SF and HashiConf. Jesse studied Political Economy & Urbanization at the University of California, Berkeley, and is a classically trained vocalist.
