{"id":13080,"date":"2018-08-12T10:45:14","date_gmt":"2018-08-12T18:45:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/12\/news-6847\/"},"modified":"2018-08-12T10:45:14","modified_gmt":"2018-08-12T18:45:14","slug":"news-6847","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/12\/news-6847\/","title":{"rendered":"Invisible Mouse Clicks Let Hackers Burrow Deep into MacOS"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b6c9522f6d47809bff3a5c3\/master\/pass\/Apple_KX2GDJ.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg | Date: Sun, 12 Aug 2018 17:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">One way operating <\/span>system developers try to protect a computer&#x27;s secrets from probing hackers is with an appeal to the human at the keyboard. By giving the user a choice to \u201callow\u201d or \u201cdeny\u201d a program\u2019s access to sensitive data or features, the operating system can create a checkpoint that halts malware while letting innocent applications through. But former NSA staffer and noted Mac hacker Patrick Wardle has spent the last year exploring a nagging problem: What if a piece of malware can reach out and click on that \u201callow\u201d button just as easily as a human?<\/p>\n<p>At the DefCon hacker conference Sunday in Las Vegas, Wardle plans to present a devious set of automated attacks he\u2019s pulled off against macOS versions as recent as the 2017 release High Sierra, capable of so-called synthetic clicks that allow malware to breeze through the permission prompts meant to block it. 
The result could be malware that, once it has found a way onto a user&#x27;s machine, can bypass layers of security to perform tricks like finding the user&#x27;s location, stealing their contacts or, with his most surprising and critical technique, taking over the deepest core of the operating system, known as the kernel, to fully control the computer.<\/p>\n<p class=\"paywall\">&quot;The user interface is that single point of failure,&quot; says Wardle, who now works as a security researcher for Digita Security. &quot;If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.&quot;<\/p>\n<p class=\"paywall\">Wardle&#x27;s attacks, to be clear, don&#x27;t offer a hacker an initial foothold on a computer; they only help a hacker&#x27;s malware penetrate layers of security on an already infected machine. But Wardle argues they could nonetheless serve as powerful tools for sophisticated attackers trying to silently steal more data from, or gain deeper control of, a machine they\u2019ve already penetrated with a malicious attachment in a phishing email or some other common technique.<\/p>\n<p class=\"paywall\">macOS includes a feature that lets some programs, like AppleScript, generate \u201csynthetic clicks\u201d\u2014mouse clicks that are generated by a program rather than a human finger\u2014that enable features like automation and accessibility tools for users with disabilities. To keep malware from abusing those programmed clicks, however, it blocks them on some sensitive \u201callow\u201d prompts.<\/p>\n<p class=\"paywall\">But Wardle was surprised to discover that macOS fails to protect the prompts for things like extracting the user\u2019s contacts, accessing their calendar, or reading the latitude and longitude of their machine, determined by which Wi-Fi networks it\u2019s connected to. 
His malicious test code could simply click through the prompts as easily as a human could.<\/p>\n<p class=\"paywall\">Wardle has also experimented with using synthetic clicks for far more serious hacking techniques. He had previously discovered that malware could use an obscure macOS feature called &quot;mouse keys,&quot; which allows the user to manipulate the mouse cursor with the keyboard, to perform synthetic clicks that bypass security prompts. In a <a href=\"https:\/\/twitter.com\/patrickwardle\/status\/977181640723111936\" target=\"_blank\">talk he gave last March at the SyScan security conference<\/a> in Singapore, Wardle pointed out that Apple had overlooked the mouse keys function, so that it wasn&#x27;t blocked when it clicked through &quot;allow&quot; prompts on even highly sensitive features like accessing the macOS keychain, which contains users&#x27; passwords, and installing kernel extensions that can add code to the most powerful part of a Mac&#x27;s operating system.<\/p>\n<p class=\"paywall\">Apple responded by patching Wardle&#x27;s mouse-keys hack. But when he later tried testing ways to get around that patch, he stumbled into an even stranger bug. A synthetic click includes both a &quot;down&quot; command and an &quot;up&quot; command, which correspond to pressing the mouse button and then releasing it. But Wardle accidentally copied and pasted the wrong snippet of code, so that it performed <em>two<\/em> down commands instead. When he ran that code, the operating system mysteriously translated the second &quot;down&quot; into an &quot;up,&quot; completing the click. 
And those &quot;down-down&quot; synthetic clicks, Wardle discovered, aren&#x27;t actually blocked when used to click on an &quot;allow&quot; prompt for installing a kernel extension.<\/p>\n<p class=\"paywall\">&quot;It&#x27;s this ridiculous bypass that I found by incorrectly pasting code,&quot; he says. &quot;I tripped over it because I wanted to run out and surf and I was being lazy.&quot;<\/p>\n<p class=\"paywall\">If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a target machine. Kernel extensions\u2014like drivers in Windows\u2014must be signed by a developer for macOS to install them. But if an existing signed kernel extension has a security flaw, a piece of malware can install that extension and then exploit its flaw to take control of the kernel. Wardle points out that the <a href=\"https:\/\/www.wired.com\/story\/router-hacking-slingshot-spy-operation-compromised-more-than-100-targets\/\">Slingshot malware Kaspersky revealed last March<\/a>, which was later <a href=\"https:\/\/www.cyberscoop.com\/kaspersky-slingshot-isis-operation-socom-five-eyes\/\" target=\"_blank\">reported to be a hacking tool used by US special forces to track ISIS targets<\/a>, used this exact technique.<\/p>\n<p class=\"paywall\">&quot;A lot of advanced malware really tries to get into the kernel. It\u2019s like god mode,&quot; Wardle says. &quot;If you can infect the kernel, you can see everything, bypass any security mechanism, hide processes, sniff user keystrokes. It\u2019s really game over.&quot;<\/p>\n<p class=\"paywall\">Apple didn&#x27;t respond to WIRED&#x27;s request for comment on Wardle&#x27;s findings. Wardle admits that he didn&#x27;t actually tell Apple the details of his research ahead of his DefCon talk, instead handing them an unpleasant surprise. 
But he argues that after he alerted the company to his earlier findings before SyScan, Apple shouldn&#x27;t have left sloppy, exploitable bugs in the same security protections. &quot;I&#x27;ve reported a ton of bugs to them and it doesn\u2019t seem like it&#x27;s inspiring changes,&quot; Wardle says. &quot;So let\u2019s try something else.&quot;<\/p>\n<p class=\"paywall\">Of course, the pop-up prompts that Wardle&#x27;s synthetic clicks bypass are still visible to users, tipping them off to the presence of malware on their computer. But Wardle points out that malware can wait for signs of inactivity, which hint that the user might have walked away from the machine, before triggering and clicking through macOS&#x27;s prompts. It can even dim the screen during those inactive moments so that those prompts aren&#x27;t visible at all.<\/p>\n<p class=\"paywall\">Wardle concedes that his synthetic click attacks don&#x27;t exactly offer instant access to a Mac&#x27;s inner sanctum. But in certain hackers&#x27; hands, they could be a dangerous tool. And he argues they&#x27;re part of a repeating pattern of <a href=\"https:\/\/www.wired.com\/story\/apples-security-macos-high-sierra-ios-11\/\">Apple&#x27;s recent security sloppiness<\/a>, from a vulnerability that allowed anyone to gain privileged access to a Mac <a href=\"https:\/\/www.wired.com\/story\/macos-high-sierra-hack-root\/\">simply by typing &quot;root&quot; as their username<\/a> to a bug in Apple&#x27;s file system software that revealed users&#x27; passwords when someone merely <a href=\"https:\/\/www.theregister.co.uk\/2017\/10\/05\/apple_patches_password_hint_bug_that_revealed_password\/\" target=\"_blank\">asks for a password hint<\/a>.<\/p>\n<p class=\"paywall\">&quot;We&#x27;re seeing these really low-hanging vulnerabilities that keep popping up,&quot; Wardle says. &quot;This bug is so lame in a way, but it&#x27;s also very powerful. 
It makes me want to laugh and cry at the same time.&quot;<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/invisible-mouse-clicks-hack-macos\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b6c9522f6d47809bff3a5c3\/master\/pass\/Apple_KX2GDJ.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Sun, 12 Aug 2018 17:00:00 +0000<\/strong><\/p>\n<p>A former NSA hacker finds a new way malware can take control of a Mac&#8217;s mouse for a powerful intrusion technique.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-13080","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13080","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13080"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13080\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13080"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13080"},{"taxonomy":"post_tag","embeddable":true,"hre
f":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}