BlackHat: Behind the scenes of iOS and Mac Security

June 28, 2019 ~ hucktech ~ Leave a comment

At BH this year @radian's going to cover a bit of what we've been up to pic.twitter.com/dNjc4cKO0r
— Xeno Kovah (@XenoKovah) June 28, 2019

Very excited to return to the Black Hat stage this year to talk about some world-class Apple security features! iOS code integrity and Pointer Authentication Codes, Mac secure boot with the T2 Security Chip, the crypto behind the Find My feature, and more: https://t.co/ftnHs3iBO5 https://t.co/SzkzTt354z
— Ivan Krstić (@radian) June 26, 2019

Ivan Krstić, Head of Apple Security Engineering and Architecture at Apple, will be speaking at BlackHat on the T2 security processor:

[…]We will discuss three iOS and Mac security topics in unprecedented technical detail, offering the first public discussion of several key technologies new to iOS 13 and the Mac.[…]The T2 Security Chip brought powerful secure boot capabilities to the Mac. Comprehensively securing the boot process required protections against sophisticated direct memory access (DMA) attacks at every point, even in the presence of arbitrary Option ROM firmware. We will walk through the boot sequence of a Mac with the T2 Security Chip and explain key attacks and defenses at each step, including two industry-first firmware security technologies that have not been publicly discussed before.[…]

https://www.blackhat.com/us-19/briefings/schedule/#behind-the-scenes-of-ios-and-mac-security-17220

Apple: Product security certifications, validations, and guidance for SEP: Secure Key Store

June 7, 2019 ~ hucktech ~ Leave a comment

This is a new product support document from Apple:

This article contains references for key product certifications, cryptographic validations, and security guidance for Secure Enclave Processor (SEP): Secure Key Store. Contact us at security-certifications@apple.com if you have any questions.[…]

https://support.apple.com/en-us/HT209632

Vice: The Prototype iPhones That Hackers Use to Research Apple’s Most Sensitive Code

March 7, 2019 ~ hucktech ~ Leave a comment

These are phones that get stolen from Apple's Chinese factories and find their way to the hands of some of the best iOS hackers out there.

The researchers who first analyzed the Secure Enclave Processors and spoke about it at Black Hat in 2016 used them. https://t.co/RV2jg07osj

— Lorenzo Franceschi-Bicchierai (@lorenzofb) March 6, 2019

The prototype iPhones that hackers use to research Apple's most sensitive code: https://t.co/ZJq7doSstN pic.twitter.com/VHVh2w39RF

— Motherboard (@motherboard) March 6, 2019

[…]The thing that his team had been able to analyze for the first time was the iPhone’s Secure Enclave Processor (SEP), which handles data encryption for the iPhone. How they were able to do this was a valid question given Apple’s notorious secrecy, and the fact that the SEP is one of the most important and most closely guarded components of the iPhone, the most secure smartphone on the market. […]

https://motherboard.vice.com/en_us/article/gyakgw/the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days

EFI-Firmware-Password-Simulator: macOS EFI Password Simulator

December 5, 2018 ~ hucktech ~ Leave a comment

A new macOS EFI password tool has appeared on Github today
…but I’ve no time today to look at how it works. 😦

CLOSED-SOURCE WARNING: The project includes a few pre-compiled .EFI binaries but no source, so be careful.

https://github.com/smileycreations15/EFI-Firmware-Password-Simulator

See-also:
https://firmwaresecurity.com/2018/05/02/apple-set-your-firmware-password/
https://firmwaresecurity.com/2016/01/02/efi_bruteforce-efi-pin-of-apple-macbooks/

Apple T2 docs updated

November 29, 2018 ~ hucktech ~ Leave a comment

Apple has updated their T2 knowledge base article:

https://support.apple.com/en-us/HT208862

How to determine if a Mac has the Apple T2 security chip

November 26, 2018 ~ hucktech ~ Leave a comment

Here’s an article that describes how you can check if an Apple system is T2-based or not:

https://www.idownloadblog.com/2018/11/20/mac-models-t2-chip-howto/

Duo Security on Apple T2 chip

November 20, 2018 ~ hucktech ~ Leave a comment

https://duo.com/decipher/apples-t2-chip-good-for-secure-boot-could-be-better

https://duo.com/blog/secure-boot-in-the-era-of-the-t2

ish: Linux shell for iOS

November 12, 2018 ~ hucktech ~ Leave a comment

A Linux user space implemented on iOS, using those function pointer-based interpreters too, running x86 binaries. As such, doesn't even require special entitlements and is on TestFlight.https://t.co/n28ybxYTjp

— Longhorn (@never_released) November 9, 2018

https://github.com/tbodt/ish

https://ish.app/

Apple: About Secure Boot

November 11, 2018 ~ hucktech ~ Leave a comment

Apple has — at least I think so — updated their Secure Boot knowledge base article in the last few days:

https://support.apple.com/en-us/HT208330

Apple hates Linux

November 7, 2018 ~ hucktech ~ Leave a comment

New Apple T2-enabled hardware no longer allows Linux to be used.

https://fossbytes.com/apple-t2-security-chip-blocking-linux-booting-new-macs/

http://infosurhoy.com/cocoon/saii/xhtml/en_GB/technology/apple-t2-safety-chip-removes-linux-assist-from-some-newer-macs-update/

https://www.theregister.co.uk/2018/11/06/apple_mac_linux_woes/

https://www.trustedreviews.com/news/apple-t2-chip-linux-mac-problems-3616180

Apple publishes whitepaper on T2 security chip

October 30, 2018 ~ hucktech ~ Leave a comment

Two new Macs with T2 and a white paper about it, pretty good day so far.https://t.co/lo52DnfJsZ

I'd like to personally thank HW engineering and HW bring-up teams at Apple and Intel for eSPI SAF capability of new chipsets. pic.twitter.com/fFZYOVtU3E

— Nikolaj Schlej (@NikolajSchlej) October 30, 2018

We’ve released the first Security Overview for the Apple T2 Security Chip! Mac secure boot, storage encryption, and more, e.g.: “Mac portables with the T2 chip have a hardware disconnect that ensures the microphone is disabled when the lid is closed.”https://t.co/m1OestLPAC

— Ivan Krstić (@radian) October 30, 2018

Click to access Apple_T2_Security_Chip_Overview.pdf

New Apple MacBook Pros prevented from non-Apple Independent Repair

October 5, 2018 ~ hucktech ~ Leave a comment

NEW: Apple has introduced proprietary software locks into the new MacBook Pros that will prevent anyone except Apple from fixing them: https://t.co/fJRDteNd8X

— Jason Koebler (@jason_koebler) October 4, 2018

https://motherboard.vice.com/en_us/article/yw9qk7/macbook-pro-software-locks-prevent-independent-repair

Failure to run Apple’s proprietary diagnostic software after a repair “will result in an inoperative system and an incomplete repair.”

Bloomberg: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

October 4, 2018 ~ hucktech ~ 1 Comment

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

[…]There are two ways for spies to alter the guts of computer equipment.
One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden.
The other method involves seeding changes from the very beginning.[…]

Allegedly a supply chain attack on Supermicro's servers installed small CPUs disguised as passive capacitors on the mainboard that were able to take over the BMC, which could then compromise the main CPU: https://t.co/Dop9Atmg1q pic.twitter.com/OR5jSvtAma

— Trammell Hudson ⚙ (@qrs) October 4, 2018

This story is something. https://t.co/tTctvvFrrH

— Matthew Green (@matthew_d_green) October 4, 2018

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Complementary question to ask yourselves after the BMC hardware hack: who has the signing CA for the firmware upgrades of <enter your device> and how do you know there aren’t several “other” intermediate CAs?

“Dormi preoccupato”™¹
__
¹ sleep in fear, Italian conscript classic.

— Arrigo Triulzi (@cynicalsecurity) October 4, 2018

This also is another explanation for Apple dropping Supermicro servers a few years ago, the rumors at the time were due to compromised firmware updates: https://t.co/sS9FkHMPpI

— Trammell Hudson ⚙ (@qrs) October 4, 2018

All hope is lost pic.twitter.com/CoI3eIhFdf

— Update failed, host not responding (@Taiki__San) October 4, 2018

Howard Oakley on Booting the Mac

September 1, 2018September 1, 2018 ~ hucktech ~ Leave a comment

Howard Oakley has yet another new blog post on how Apple EFI works:

Booting the Mac: Will my Mac boot from this disk? A visual guide https://t.co/tIp9Q2wnLh pic.twitter.com/AcjBWy6Z6J

— Howard Oakley (@howardnoakley) September 1, 2018

Booting the Mac: Will my Mac boot from this disk? A visual guide

There have been multiple recent blog posts on Apple EFI from this author! Eg:

https://firmwaresecurity.com/2018/08/30/booting-the-mac-bless-and-what-makes-a-volume-bootable/

https://firmwaresecurity.com/2018/08/26/booting-the-mac-visual-summary/

https://firmwaresecurity.com/2018/08/26/whats-stored-in-mac-nvram/

https://firmwaresecurity.com/2018/08/24/booting-the-mac-the-kernel-and-extensions/

https://firmwaresecurity.com/2018/08/10/booting-the-mac-loading-boot-efi-and-secure-boot/

Booting the Mac: bless, and what makes a volume bootable

August 30, 2018 ~ hucktech ~ 1 Comment

Booting the Mac: bless, and what makes a volume bootable https://t.co/ACNYgbeeYk

— Howard Oakley (@howardnoakley) August 30, 2018

The last piece in the puzzle that is the booting of a Mac is understanding how any given volume is made bootable, and how it can be made the next startup volume.[…]

Booting the Mac: bless, and what makes a volume bootable

Booting the Mac: Visual Summary

August 26, 2018 ~ hucktech ~ 1 Comment

Booting the Mac: Visual Summary https://t.co/JabWmsxJ68 pic.twitter.com/ihN4sLTRaj

— Howard Oakley (@howardnoakley) August 25, 2018

This article provides a simplified visual summary of the various stages which take place when a modern Intel Mac starts up in macOS 10.12 or 10.13, from pressing the Power button through to running the kernel and its extensions.[…]

Booting the Mac: Visual Summary

BootProcess

What’s stored in Mac NVRAM?

August 26, 2018 ~ hucktech ~ 1 Comment

What’s stored in NVRAM? https://t.co/y5VdLEKSLH

— Howard Oakley (@howardnoakley) August 24, 2018

NVRAM stores key settings which your Mac cannot obtain from disk during startup. Variables vary according to the model, version of macOS, and EFI firmware in use. Included among these are the following:[…]

What’s stored in NVRAM?

mac-white-papers: “Every” OS X/ macOS white paper

August 24, 2018 ~ hucktech ~ Leave a comment

Every iOS security white paper ever published [1]
Every macOS/ OS X white paper ever published [2]
1.https://t.co/xHzKp7TP7C
2. https://t.co/NwGhE1Zy0A

— mikey (@0x0304) August 23, 2018

https://github.com/0xmachos/mac-white-papers

Booting the Mac: the kernel and extensions

August 24, 2018 ~ hucktech ~ 1 Comment

Booting the Mac: the kernel and extensions https://t.co/w7UZlIkpfD

— Howard Oakley (@howardnoakley) August 23, 2018

The whole purpose of the BootROM and EFI phases is to get to load and run the macOS kernel and its extensions, which is what boot.efi, the “OS X booter”, finally does. Although boot.efi doesn’t suddenly vanish, from here on it is very little needed.[…]

Booting the Mac: the kernel and extensions

mOSL: Bash script to audit and fix macOS High Sierra (10.13.x) security settings

August 14, 2018 ~ hucktech ~ Leave a comment

I've created a tool to audit and fix macOS security settings called mOSL (macOS Lockdown), I'll be discussing it at @BSidesMCR this week. I believe it's now stable enough for others to use.https://t.co/5G4rr5o1Bi

— mikey (@0x0304) August 13, 2018

Settings that can be audited/ fixed:

enable automatic updates
enable gatekeeper
enable firewall
enable admin password preferences
enable terminal secure entry
disable firewall builin software
disable firewall downloaded signed
disable ipv6
disable mail remote content
disable remote apple events
disable remote login
set airdrop contacts only
set appstore update check daily
check SIP
check kext loading consent
check EFI integrity
check filevault
check firmware password set

https://github.com/0xmachos/mOSL