Mitnick Security Blog - Cybersecurity News and Articles

9 Ways Pentesters Breach Mac Security Defenses

Written by Mitnick Security | Aug 13, 2020 6:45:00 PM

There’s a notion that Apple products are unhackable, but no device truly is. While they aren’t as easy to breach as other devices, MacBooks, iPads, iPhones and other Apple devices are compromised by bad actors just like devices running other operating systems.

In this post, we’re revealing nine ways penetration testers often find a way into Mac-based corporate environments to help you strengthen your defenses. If pentesters can do it, so can hackers. Let’s explore some of the top ways Macs are hacked:

1. The macOS “Root” Bug

Back in 2017, Apple discovered an extremely dangerous bug in macOS High Sierra (v10.13), which allowed bad actors to gain administrator rights to a Mac by simply typing the word “root” during the authentication process. Then, the hacker could use screen sharing to exploit the Mac remotely. Apple has since released an important patch to protect your desktop, as well as the vulnerable Safari app on your MacBook, against this harmful exploit.

LESSON: 

This is just another reminder of the importance of making routine software updates to stay ever-vigilant against new cyber threats. If it’s been some time since you updated your Apple product’s operating system, this is your sign to do so.

2. Unguarded Data

Once a hacker gets past your login defenses, they have full access to all the data you store on your Mac device. They can immediately access items on your desktop and unlocked files on your Google Drive or other storage systems, dig through your Internet browser where you have a cached or easily guessed password, and so on. For bad actors, this is amazing! For you, a true nightmare.

LESSON: 

Don’t assume that your Apple device is unhackable and leave everything behind your system password up for grabs. Encrypt the files and data on your Mac by using Apple’s recommended FileVault. For those unfamiliar with encryption, this will take your stored data and scramble it, making it unreadable to others until the right passcode is entered to decode it.

3. Interconnectivity

Apple makes life easy for its users, syncing logins across all devices from MacBooks or iPads to Apple Watches. The problem is, once a hacker gets into someone’s Apple ID on one device, they often get free rein over the data shared across all of them. Obviously, this is awful for the user. But this is also terrible news for corporations who allow employees to log into work assets via their personal devices, since if someone’s personal device is compromised, the bad actor may be able to get into the business portals too.

LESSON: 

Properly train your staff to keep personal Apple devices separate from business technology and educate them on the dangers of connecting their Apple ID across all shared devices. Don’t be cheap. Buy users their own devices for work. By investing in work-only devices with corporate-vetted tools and secure storage solutions, you increase your chances of keeping malicious actors out.

4. Internal Threats

The bad actors aren’t always strangers hacking their way in from across the country or world. The culprit could be stealing data right under your nose. Whether it’s a disgruntled employee leveraging their access with ill intent or a previous staff member that you forgot to disconnect from your work assets, members of your own team could be the real reason your Mac data is being “breached.”

LESSON: 

Don’t assume that the threat is external. If you notice any suspicious activity, properly investigate where the leak is truly coming from before declaring it a cyber attack. In order to prevent future internal issues, we recommend using a strong password management system and enhancing your off-boarding process to ensure staff aren’t running free with the keys to get into your corporate kingdom.

5. Cracked Passwords

A weak password is like putting up a fence and then leaving the gate unlocked. No matter how well-equipped your Mac may be against cyber attacks, if you give hackers an easy way in, they’ll take it. Today’s hackers have software at their fingertips to guess poorly constructed passwords in minutes. If your users have high-level access to your corporate files and use a weak password, a savvy hacker could make their way through your servers with the help of that easy “in.”

LESSON: 

Mac users in particular can use iCloud Keychain to access online assets. While this Apple software does use a strong 256-bit AES encrypted wall, if your user picks a weak master password, it’s all for nothing. That’s why it’s important to teach your employees about proper password strength techniques and management. Better yet, enact organization-wide password protection by purchasing password manager software and utilizing encryption and multi-factor authentication.

6. Physical Breaches


Bad actors don’t always have to breach your Mac from behind the screen either. Sometimes the enemy is a hacker dressed up like a friendly postman, carrying a big stack of boxes in his hands. Your unsuspecting employees hold the door open for him to enter and turn the corner, leaving the intruder with free rein of the office. This stranger could plug an infected USB cable into the Mac at an empty desk, injecting the device with malware. From there, their remote partner in crime could silently hack their way in.

LESSON: 

Educate your team on physical breaches, cautioning them to think before letting anyone into the building without access. Do your part by enhancing the physical security of your storefront or office with high-tech surveillance systems or by employing a physical security team, if necessary.

7. Improperly Disposed Devices


One thing about Apple is they are constantly developing new technology. If your business is frequently updating your tech to stay modern, be sure to properly clear your older devices before getting rid of them. Macs and iPhones allow you to sign in through your Apple ID, granting global access to all supplementary applications like iCloud, iPhoto, iTunes, etc. This could mean bad things if a cyber criminal acquired a device that wasn’t thoroughly cleared.

LESSON:

Do your due diligence and make sure your employees are properly signed out of any Apple-related or corporate IDs/connections before upgrading or replacing any devices. 

8. Public or Lookalike WiFi Networks

Your MacBook may have strong defenses, but sometimes your employees can unwittingly download a malicious file themselves. If your team is working remotely from a cafe or tapping into any publicly open WiFi network, they have to be on the lookout for spoofed connections. Hackers can create their own malicious WiFi networks, made to look like a trusted source (like the Target WiFi or Starbucks network) but really serving you fake content once connected. By downloading recommended updates on the spoofed site or entering username and password information, you are giving bad actors access to your network.

LESSON: 

One of the best ways to avoid WiFi trouble is to require your users to log into a corporate VPN or use a business hotspot when working remotely. Learn more about remote security here. When not on a protected network, teach your staff to look hard at URLs and question any downloadable items.

9. Social Engineering

Social engineering is all about the art of deception. It’s that email that looks like it’s from your coworker, asking you to send over the username and password to a shared account. Really, it’s a hacker using a dangerously close email address. It’s the text message that looks like it’s from your boss asking you to transfer money from one account to another, right now, or else. Hackers can come up with some clever ruses to trick your employees into giving them access to private accounts and information, especially when urgency is involved. Mac security aside, oftentimes your team is your weakest link.

LESSON: 

Understand how hackers use social engineering to trick your employees and educate your team on the dangers of phishing and other exploits. Consider investing in formal social engineering training or demonstrations to give your employees some real examples of what these attacks commonly look like. After that, you can easily perform a social engineering strength test to see what they’ve learned. 
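The “dangerously close email address” in item 9 and the advice in item 8 to look hard at URLs both come down to spotting a domain that imitates one you trust. The following Python check is an added example, not code from Mitnick Security; the allowlist, the look-alike character table and the distance threshold are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation really uses (assumption).
TRUSTED = {"example.com", "example-payroll.com"}

# Small constructed table of look-alike characters: digits and Cyrillic a, e, o.
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s",
     "\u0430": "a", "\u0435": "e", "\u043e": "o"})


def domain_of(value):
    """Extract the lower-cased domain from a URL or an e-mail address."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip(" >").lower()


def skeleton(domain):
    """Fold look-alike characters so visually similar names compare equal."""
    folded = unicodedata.normalize("NFKC", domain).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value, trusted=TRUSTED, max_distance=2):
    """Return (verdict, trusted domain it matches or imitates)."""
    domain = domain_of(value)
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted", good
    for good in sorted(trusted):
        near = edit_distance(skeleton(domain), skeleton(good)) <= max_distance
        if near or good in domain:  # typo/homoglyph, or trusted name embedded
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for sample in ("boss@examp1e.com", "https://exarnple.com/update"):  # constructed
        print(sample, classify(sample))
```

A distance threshold of 2 suits domains of this length; very short trusted domains need a lower value to avoid flagging unrelated names.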

Penetration Testing for Mac-Based Environments

No matter what environment you have, Mac or not, you may not be safe from cyber threats.

Luckily, with the right penetration test, threats can be detected long before they’re exploited by a real hacker.

 

 



Learn more about our expert-led pentesting services here.