Apple's solid supply chain may explode new Macs that are already hacked.
Obtaining a new Mac usually means realizing a new bug-free system, but security researchers have discovered that there is a way to hack before launching a new Mac.
This attack uses the Enterprise Mac using Apple 's Device Enrollment Program and mobile device management platform. This tool enables companies to fully customize Macs shipped directly from Apple. However, if the system is defective, an attacker can remotely put the malware on the Mac.
Hack enterprise Mac
Jesse Endahl, chief security officer of Mac management company Fleetsmith and MaxBélanger, staff engineer at Dropbox, are planning to uncover security flaws at the Black Hat Security Conference in Las Vegas.
"Before the user logged in for the first time, a bug was found to infringe the device and install malicious software," Endahl says. "When you see the desktop when you log in, the computer has already been compromised."
Endahl and Belanger discovered that there is no certificate pinout to verify the manifest's trustworthiness when checking applications that the Enterprise Mac installs from the Mac App Store using MDM. Hackers can use malware exploits to install malicious applications and access data. Even worse, this flaw could potentially be used to hack the entire computer of the company.
Apple received notification on this matter. Fixes were made to MacOS High Sierra 10.13.6, but the devices shipped with older versions of macOS are vulnerable.