Patrick Wardles says that he “drinks the Apple juice.”
At the same time, the director of research at Synack, Inc. recently gave a presentation at the elite Infiltrate hacking conference in Miami Beach detailing “exactly how to practically create elegant, [email protected] OS X malware.”
So why would a professional hacker who says he loves Apple want to design damaging code that could corrupt some of his most beloved products?
“OS X malware is already an unfortunate reality,” Wardle told Business Insider. “By revealing methods that adversaries are likely already using — and illustrating how these techniques can trivially bypass Apple and 3rd-party security products — we can hopefully encourage open dialogue and ideally improve the situation to become more secure.”
When asked why Apple has not done more to address these security issues itself, Wardle replied that Apple may simply be resting on its laurels since Apple products are more secure by default and the company is not losing any money yet.
“One well-known anti-virus vendor I spoke to recently said that while the Windows version of their anti-virus product has built-in problem-solving capabilities, their OS X version does not yet,” Wardle said. “They were quick to point out that this is because current OS X malware is not as advanced as Windows malware, so they didn’t really see the need.”
Wardle believes this ad-hoc approach to detecting Apple malware is misguided, however, as there are likely advanced OS X security holes out there that just haven’t been found yet.
“My hope is to show how easy it is to create more advanced OS X malware to prod us along toward better security,” Wardle said. He did just that at the recent RSA Security Conference in San Francisco.
Less safe than most think
Many people love their Apple products because they believe they are immune to the kinds of viruses that have long plagued Windows. To a certain extent, that is true — there haven’t been any major OS X worms (while Windows has been hit with several). But Wardle argues that’s not entirely accurate.
“Just because you have a Mac computer doesn’t mean you are any more secure than your Windows counterparts,” he said.
“You should still always strive to adhere to standard security practices — i.e., keep your computer updated and don’t download or run software from untrusted sources.”
Wardle claims that Apple’s past attempts to fix its various security holes were not advanced enough.
On his way home from Infiltrate, Wardle realised
he could bypass Apple’s fix for a vulnerability known as “rootpipe” and get the highest levels of privileges even on a fully patched OS X computer.
“Yes they patched rootpipe, but I was able to side-step their patch,” he explained. “Similarly, I was able to bypass Gatekeeper [an anti-malware featureof the OS X operating system] and build a downloadable image that contained unsigned code which would allow the unsigned code to run, even though Gatekeeper is designed to prevent this.”
Wardle reports security issues to Apple every time he encounters one, and he believes they are actively working to remedy the situation and patch the flaws.
‘I don’t want the Chinese to hack me’
Beyond problems that require a fix from Apple, Wardle discusses another issue: “Legitimate functionality of the OS can be abused by a local attacker/malware to be more stealthy/elegant/effective.”
Detailing that issue is important so that governments and companies are aware of more sophisticated attackers.
“This [Wardle’s] type of exploit research is vital to advancing the science of both offence and defence,” security expert Dave Aitel, CEO of Immunity, Inc., told Business Insider at Infiltrate.
“Most of the time companies only become aware of serious or complex vulnerabilities through the research community, while at the same it’s likely that nation-states have already detected these same vulnerabilities — China, Russia, US and other big countries have large offensive research teams and capabilities.”
For Wardle, it comes down to: “I don’t want the Chinese to hack me.”
Protecting again hacker using legitimate code is tricky because “it’s not really Apple’s fault when legitimate things get abused” and “‘fixing’ them would likely break a lot of legitimate code,” Wardle said.
“Once an attacker has gotten access on your computer or installed malware, you’ve gotta assume its game over,” Wardle said. “If attacker’s were a little more stealthy and abused legitimate features of the OS more, their malware would be harder to detect.”
Consequently, the best thing Apple could do is make some broader security improvements that would make it harder to abuse OS features.
“For example, the OS could say, ‘if you’re an Apple signed process, I’m not going to allow you to load any unsigned dynamic libraries,” Wardle said, referring to the digital ‘libraries’ that hold files for apps on Macs.
Wardle says he is striving to be a part of the solution while also pointing out the problems. At RSA, he released some free security tools of his own.
“These are simply the tools I run on my personal Mac to help keep it secure, and I figured I should share,” Wardle said. “People seem to be responding positively so far — we’re almost at 10,000 cumulative downloads.”