One way operating-system developers try to protect a computer's secrets from hacker attacks is by appealing to the person at the keyboard. By letting the user "allow" or "deny" a program's access to sensitive data or features, the operating system can create a checkpoint that stops malware while letting innocent applications through. But former NSA employee and well-known Mac hacker Patrick Wardle spent the last year investigating a nagging problem: what if a malicious program can reach the "allow" button as easily as a human can?
At the DefCon hacker conference on Sunday in Las Vegas, Wardle plans to present a devious set of automated attacks that he has carried out since 201
"The user interface is the only point of failure," says Wardle, who now works as a security researcher for Digita Security. "Having a way to interact synthetically with these alerts gives you a very powerful and generic way to bypass all of these security mechanisms."
Wardle's attacks, to be clear, do not give a hacker an initial foothold on a computer; they only help a hacker's malware penetrate security layers on an already infected machine. But Wardle argues that they could still serve as powerful tools for sophisticated attackers trying to quietly steal more data from a machine they have already infiltrated via a phishing email or another common technique.

Invisible Clicks
MacOS includes a feature that allows some programs, such as AppleScript, to generate "synthetic clicks" – mouse clicks generated by a program rather than a human finger – that enable features such as automation and disability-friendly user tools. However, to prevent malware from abusing these programmed clicks, they are blocked by some sensitive "allow" prompts.
But Wardle was surprised to find that macOS did not protect some prompts, such as those that let a program read the machine's latitude and longitude based on which Wi-Fi networks it is connected to. His malicious test code could simply click through them.
Wardle has also experimented with using synthetic clicks for far more serious hacking techniques. He had previously discovered that malware can abuse an obscure macOS accessibility feature called Mouse Keys, which lets the user control the mouse pointer from the keyboard, to generate synthetic clicks that bypass security prompts. In a talk he gave last March at the SyScan security conference in Singapore, Wardle pointed out that Apple had overlooked the Mouse Keys feature, so it was not blocked from clicking through prompts guarding highly sensitive features such as access to the macOS keychain, which holds users' passwords, and the installation of kernel extensions, which add code to the most powerful part of the Mac operating system.
Apple patched Wardle's Mouse Keys hack. But when he later tried to find ways around that patch, he stumbled onto an even stranger bug. A synthetic click consists of both a "down" command and an "up" command, corresponding to pressing and then releasing the mouse button. Wardle accidentally copied and pasted the wrong code snippet, so that two "down" commands were sent. When he ran this code, the operating system mysteriously translated the second "down" into an "up" and completed the click. And these "down-down" synthetic clicks are not blocked even when they click an "allow" prompt to install a kernel extension.
"It's this ridiculous workaround I found by incorrectly inserting code," he says. "I stumbled over it because I wanted to run and surf and I was lazy."
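As an added illustration (not from the article and not Wardle's own code), here is a small Python detector that models the click state machine described above from a defender's side: it flags a second "down" that arrives before the previous one was released, an "up" with no matching "down", and any click that did not come from a physical input device while a consent prompt is in front. The log format, the "hid"/"synthetic" source labels, the window-title keywords and the sample lines are all constructed for this example; how a real sensor learns an event's source is outside its scope.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical keywords marking a security-sensitive consent dialog. A real
# sensor would key on the owning process or dialog identity, not title text.
SENSITIVE_PROMPT_KEYWORDS = ("allow", "keychain", "kernel extension", "system extension")


@dataclass
class MouseEvent:
    ts: int       # milliseconds, increasing
    kind: str     # "down" or "up"
    source: str   # "hid" = physical device, "synthetic" = program-generated (constructed label)
    window: str   # title of the frontmost window when the event was delivered


def parse_events(text: str) -> List[MouseEvent]:
    """Parse the constructed log format: <ts> <down|up> <hid|synthetic> <window title...>.

    Blank lines and lines starting with '#' are ignored.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, source, window = line.split(maxsplit=3)
        if kind not in ("down", "up") or source not in ("hid", "synthetic"):
            raise ValueError(f"malformed event line: {line!r}")
        events.append(MouseEvent(int(ts), kind, source, window))
    return events


def is_sensitive_prompt(window: str) -> bool:
    title = window.lower()
    return any(k in title for k in SENSITIVE_PROMPT_KEYWORDS)


def find_anomalies(events: List[MouseEvent]) -> List[Tuple[str, int]]:
    """Return (reason, timestamp) pairs for suspicious events.

    down-down                 : a 'down' arrives while the button is still held
    orphan-up                 : an 'up' with no preceding 'down'
    synthetic-click-on-prompt : a non-HID 'down' while a sensitive prompt is frontmost
    """
    findings = []
    button_held = False
    for ev in events:
        if ev.kind == "down":
            if button_held:
                findings.append(("down-down", ev.ts))
            button_held = True
            if ev.source == "synthetic" and is_sensitive_prompt(ev.window):
                findings.append(("synthetic-click-on-prompt", ev.ts))
        else:  # "up"
            if not button_held:
                findings.append(("orphan-up", ev.ts))
            button_held = False
    return findings


# Constructed sample stream: one normal human click, a synthetic down-down
# pair aimed at a consent dialog, a human release, then a stray release.
SAMPLE_LOG = """
# ts    kind  source     frontmost window
1000    down  hid        Finder
1050    up    hid        Finder
2000    down  synthetic  System Extension Blocked - Allow
2001    down  synthetic  System Extension Blocked - Allow
2500    up    hid        Finder
2600    up    hid        Finder
"""


def analyze_sample() -> List[Tuple[str, int]]:
    """Run the detector over the constructed sample and return its findings."""
    return find_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for reason, ts in analyze_sample():
        print(f"{ts}: {reason}")
```

The state machine is deliberately minimal: it tracks only whether the button is currently held, which is enough to catch the malformed "down-down" shape the article describes and to separate it from the ordinary down/up pairing of a human click.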
If malware can use this trick to install a kernel extension, it can often use that extra code to gain full control of a target computer. Like Windows drivers, kernel extensions must be signed by a macOS developer before they can be installed. But if an existing signed kernel extension has a security flaw, malware can install that extension and then exploit its flaw to take control of the kernel. Wardle points out that the Slingshot malware that Kaspersky unveiled last March, which later turned out to be a hacking tool used by US Special Forces to track ISIS targets, used exactly that technique.
"A lot of advanced malware is really trying to get inside the kernel. The kernel is like a god mode," says Wardle. "If you can infect the kernel, you can see everything, bypass security mechanisms, hide processes, sniff user attacks, it's really a game over."
Apple did not respond to WIRED's request for comment on Wardle's findings. Wardle admits he did not give Apple the details of his research ahead of his DefCon talk, instead handing the company an unpleasant surprise. But he argues that Apple, having been alerted to his earlier findings before SyScan, should not have left sloppy, exploitable bugs in the same security measures. "I've reported a lot of bugs and there do not seem to be any inspirational changes," says Wardle. "Let's try something different."
Of course, the pop-up windows that Wardle's synthetic clicks click through are still visible to users, which could reveal the presence of malware on their computer. But Wardle points out that malware can wait for signs of inactivity suggesting that the user has stepped away from the machine before triggering and clicking through the macOS prompts. It can even dim the screen during those idle moments so the prompts are not visible at all.
Wardle acknowledges that his synthetic click attacks do not by themselves grant immediate access to a Mac's inner sanctum. But in the right hacker's hands, they could be a dangerous tool. And he argues that they fit a recurring pattern of recent Apple security lapses, from a vulnerability that let anyone gain privileged access to a Mac simply by typing "root" as a username, to a bug in Apple's file system software that displayed the typed-in password when someone merely asked for a password hint.
"We see these really low security holes that keep coming up," says Wardle. "This mistake is so lame in a way, but it's also very powerful, it makes me laugh and cry at the same time."