For years scammers and hackers focused largely on Windows x86-based platforms, in many ways because that’s where the bulk of the users were. But times change, and new targets emerge. At Blackhat and Defcon last week we saw a flurry of talks on Mac OSX/iOS security, trying to illuminate possible chinks in the armor.
From proof-of-concept hacks on the boot loader sequence (EFI), where rogue drivers could potentially be hooked into and used to wreak havoc on OSX, to firmware flashing and other low level hacks, running the gamut to app security, and kernel heap as well, the spotlight squarely focused on Mac OSX and iOS. A few years ago Mac sessions were far more rare, so does this mean the age of Mac hacking has arrived?
Well, it depends. It seems Mac has done a better-than-average job of protecting it’s OS stacks, so it’s not going to be a piece of cake. In the talk on hacking the bootloader, it was clear that this isn’t just plug-and-play, there’s definitely some heavy-lifting. And Mac OSX is based on underlying BSD, which has a quite enviable history of minimal security problems, sometimes weeks or months pass between security updates. Not so with many other OS’es.
One hack proof-of-concept involved hacking firmwareâ€¦which resulted in bricking the device in the presenters experiment, less than a happy ending to be sure.
But what about things that are added to the base OS for additional functionality? Java has been particularly problematic in the past few months due exploits, which we mentioned here and here. And if you use iOS or OS X, but download an app that has problems, does that mean the underlying OS is the culprit? Not really, but it represents a problem in the end user’s perception. This is simply a case of the add-ons adding more than a user bargained for (one reason why more Mac users are now running antivirus and antimalware to augment the defenses baked into the OS).
And don’t forget that phishing scams and a host of other web/email-based nastiness can still happen on a Mac/iOS platform, but that’s really user education. And the user continues to be the champion in the race of problem creation, regardless of the platform, Mac/iOS or otherwise, so that’s nothing new.
What may be new is that users may become aware that they should continue to keep their guard up against scams, regardless of the platform. In other words, you shouldn’t ignore security awareness in any computing environment, but blaming Mac/iOS feels too convenient, when there’s a very good chance the problems lie elsewhere.
Still there’s an awful lot more hacker focus on the Apple platforms, including toolsets, test suites, defenses and other coding energy. Will this turn into scams that exploit these operating systems? Stay tuned and we’ll see what happens in the next year.
Author Cameron Camp, ESET