Apple updates security guide

January 13, 2018 ~ hucktech ~ Leave a comment

Apple has updated their security guide to cover changes in iOS 11, new iPhones, Face ID, and Apple Pay Cash at https://t.co/DU8FojKnms Here are some highlights

— Jay Little (@computerality) January 12, 2018

Click to access iOS_Security_Guide.pdf

macOS vuln in IOHIDFamily

January 1, 2018 ~ hucktech ~ Leave a comment

Fuck it, dropping a macOS 0day. Happy New Year, everyone. https://t.co/oG2nOlUOjk

— @siguza@infosec.space (@s1guza) December 31, 2017

Siguza, 01. Dec 2017 (published 31. Dec 2017)
IOHIDeous

“IOHIDFamily once again.”
This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel r/w and can be exploited by any unprivileged user. IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.[…]

https://siguza.github.io/IOHIDeous/
https://github.com/Siguza/IOHIDeous/blob/master/docs/index.md

https://github.com/Siguza/iokit-utils
https://github.com/Siguza/hsp4
https://github.com/Siguza/ios-kern-utils

Apple KB article on Secure Boot

December 20, 2017 ~ hucktech ~ 1 Comment

Apple has a support article about their new Secure Boot. Interesting to see how Windows works with it, under Boot Camp. I wish Apple would also support Linux with Bootcamp, not just Windows.

https://support.apple.com/en-us/HT208330

About Secure Boot – Apple Support

Interesting Apple is supporting Windows Boot Camp with Secure Boot. https://t.co/rKMKQmA8IU

— macshome (@macshome) December 19, 2017

Well, https://t.co/Ot7HgpzySU is (a) good and (b) concerning in terms of there being no definition of which operating systems Apple will be trusting. Microsoft sign Windows with a different key to everything else.

— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) December 19, 2017

Pepijn on Apple use of Intel ME

December 15, 2017 ~ hucktech ~ Leave a comment

Interesting, Pepijn Bruienne is looking at new Apple firmware, and how it uses Intel ME.

So it seems I was mistaken in thinking that Apple ships all Macs with Intel ME disabled? A number of recent models actually do have an ME payload in the EFI capsule, seemingly functional. Who knows more about this? pic.twitter.com/Mu3Xx3Acb8

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) December 13, 2017

Interestingly the J137.im4p/MacEFI payload that ostensibly will live inside the T2 still has an ME region, version went from 11.6 in 10.13 DR1 to 11.10 in the bridgeOS 2 payload from November.

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) December 15, 2017

This tells me:
– Even though full secure boot mode is (still) optional, the T2 is now the first thing that boots, not EFI
– Bricking a Mac due to a bad EFI update is impossible
– This is the new normal. Start thinking about adjusting your #macadmins procedures accordingly. https://t.co/zRv8cbvILV

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) December 15, 2017

Also interesting is that the only file the various ME unpacking tools can't decompress is "pavp_mod" since it's encrypted. PAVP is Intel's protected A/V path used for DRM purposes.

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) December 13, 2017

Apple releases iMac Pro, with firmware security updates

December 14, 2017 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2017/12/13/apple-secure-boot/

SecureBoot on #iMacPro is yet another Mt. Everest of work done by @XenoKovah, @coreykal, @EFIFISH, yours truly and many others. Big thanks to everyone who made it happen. pic.twitter.com/ETgogZPFTG

— Nikolaj Schlej (@NikolajSchlej) December 14, 2017

iMac Pro is here! Workstation-class performance and that brilliant 5K display — we think you pros are going to love it! #iMacPro https://t.co/yqPfUc2EC6

— Tim Cook (@tim_cook) December 14, 2017

A New Level of Integration and Security
iMac Pro brings a new level of integration and security to the Mac with the T2 chip, Apple’s second generation custom Mac silicon. By designing and integrating several new controllers — such as the System Management Controller, image signal processor, audio controller and SSD controller — T2 delivers new capabilities to the Mac like enhanced imaging processing for the FaceTime HD camera. T2 also enables a new level of security by including a secure enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities. Dedicated AES hardware encrypts data on the SSD without affecting performance, while secure boot ensures that only trusted software loads at startup.

https://www.apple.com/newsroom/2017/12/imac-pro-the-most-powerful-mac-ever-available-today/

I wish there was some firmware information in the tech specs:

https://www.apple.com/imac-pro/specs/

Apple seeks UEFI firmware engineer

December 13, 2017 ~ hucktech ~ Leave a comment

Mac Firmware Engineer

The Mac Platform Software team is looking for a firmware engineer to join a new Austin-based team responsible for developing Apple’s UEFI implementation and related technologies for the Mac product line. Mac Platform Software is responsible for bringing up macOS and Windows on all new Mac products, including the development and integration of firmware and systems software for macOS and Windows, the development of platform-level features for the Mac, and the leadership of cross-functional debug and optimization efforts across hardware and software teams. A Mac Firmware Engineer is responsible for the development of Apple’s UEFI implementation and its related technologies. UEFI provides the boot firmware for all Mac systems and plays a critical role in system stability, performance, and battery life. This role also contributes to development of the boot loader and firmware update mechanisms, as well as other related technologies. Primary job responsibilities include firmware feature development supporting new Mac software and hardware features, supporting ongoing efforts to improve the quality of shipped Macs in the field, and assisting the larger Mac Platform organization in cross-functional efforts to design and build new Mac products.
* Experience in firmware/BIOS development
* Experience with boot loaders and firmware/kernel interfaces
* Knowledge of UEFI and the x86 platform and standards, including ACPI, SMM, PnP, PCIe, and JEDEC DDR a plus
* Strong understanding of system power management a plus

https://jobs.apple.com/search?job=56183392&openJobId=56183392#&openJobId=56183392

Rafal Wojtczuk joins Apple!

December 13, 2017 ~ hucktech ~ 1 Comment

I'm happy to announce that (the legend) Rafal Wojtczuk has joined us at Apple

— Xeno Kovah (@XenoKovah) December 13, 2017

Wow, the Apple firmware team keeps getting more and more amazing talent.

Some older reading on Rafal:

https://invisiblethingslab.com/itl/About.html

http://theinvisiblethings.blogspot.com/2008/07/rafal-wojtczuk-joins-invisible-things.html

https://blogs.bromium.com/author/rafalwojtczuk/

Apple Secure Boot

December 13, 2017 ~ hucktech ~ 2 Comments

Apple Insider has a story on new Apple security processor. Caber Sasser reviews a loaner iMac Pro.

http://appleinsider.com/articles/17/12/12/imac-pro-debuts-custom-apple-t2-chip-to-handle-secure-boot-password-encryption-more

⚠️ iMac Pro Alert! Apple (amazingly/unprecedentedly?) provided me with a loaner iMac Pro a few days ago to check out, and in turn, I'm very eager to share my notes with you. Here are six initial impressions in a thread:

— Cabel (@cabel) December 12, 2017

④ New Chip. This seems big. The iMac Pro features new apple custom silicon: the T2 chip. It integrates previously discrete components, like the SMC, ISP for the camera, audio control, SSD control… plus a secure enclave, and a hardware encryption engine.

— Cabel (@cabel) December 12, 2017

⑤ Security. This new chip means storage encryption keys pass from the secure enclave to the hardware encryption engine in-chip — your key never leaves the chip. And, they it allows for hardware verification of OS, kernel, boot loader, firmware, etc. (This can be disabled…) pic.twitter.com/qKJ6bHdtr8

— Cabel (@cabel) December 12, 2017

FAT-EFI: FAT EFI loader plugin for Hopper Disassembler

December 12, 2017 ~ hucktech ~ Leave a comment

This project is a FAT EFI loader plugin for Hopper Disassembler. Apple uses an extension to the standard PE format for EFI binaries to allow FAT EFI binaries that contain both 32 and 64 bits executables. It is very similar to the FAT format, except for a different magic number and for little endianness. This plugin allows to read these FAT EFI binaries with Hopper Disassembler.[…]

https://github.com/pascalwerz/FAT-EFI

https://www.hopperapp.com/

efivalidate (and mojo_thor)

December 3, 2017 ~ hucktech ~ 1 Comment

Rick Mark has released efivalidate, a macOS-centric Ruby-based EFI checking tool. Also, by same author, Mojo_Thor project has activity. I thought it was a one-time drop, but it is actively being updated:

efivalidate is a ruby utility to take a given input EFI payload from macOS and to compare it against Apple’s validation schema. Being written in ruby this can occur off-box to ensure that the utility itself hasn’t been compromised

https://github.com/rickmark/efivalidate

Loki / Thor / Mojo are a triad of Apple internal tools and malware that infects the SMC, EFI and macOS of Apple MacBooks. It is believed that direct access to the hardware is gained by re-flashing the Thunderbolt controller (via ThorUtil)

https://github.com/rickmark/mojo_thor

https://rickmark.me/

Apple macOS High Sierra: can login as root with empty password!

November 28, 2017 ~ hucktech ~ Leave a comment

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs

— Lemi Orhan Ergin (@lemiorhan) November 28, 2017

https://twitter.com/MagerValp/status/935621178869407750

Reminder: if you need a complex password (say to set as a root password) you can use the Password Assistant via Sys Prefs -> Users & Groups -> Change Password… click key icon. Copy password, cancel password change. pic.twitter.com/PtXsM9d3W8

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) November 28, 2017

https://twitter.com/DennisCode/status/935616298683207681

https://twitter.com/a_hailes/status/935601901839806464

Apple SEP story from August, again

November 26, 2017 ~ hucktech ~ Leave a comment

[AFAICT nothing new recently, this is just the August story being rehashed again in November, I think…]

Re: https://firmwaresecurity.com/2017/08/17/apple-secure-enclave-processor-sep-firmware-hacked/

https://twitter.com/kwestin/status/934677472293072896

Apple’s Secure Enclave Processor (SEP) Firmware Decrypted : https://t.co/m6jw1A5RzC , Talks : https://t.co/qF7D2AXLbU , Published decryption keys –> https://t.co/B4apndLBXH cc @xerub

— Binni Shah (@binitamshah) November 26, 2017

key is fully grown https://t.co/MwN4kb9SQI use https://t.co/I9fLo5Iglh to decrypt and https://t.co/og6tiJHbCu to process

— ~ (@xerub) August 16, 2017

https://www.theiphonewiki.com/wiki/Greensburg_14G60_%28iPhone6,1%29

https://github.com/xerub/img4lib

Arg, WordPress inserts the entire contents of Github Gists into posts. To view sepsplit.c, remove the 2 spaces from below URL, or click on 2nd t.co-based URL in above @xerub tweet.

https://gist. github.com /xerub/0161aacd7258d31c6a27584f90fa2e8c

Click to access us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf

Hackaday:

Apple’s Secure Enclave Processor (SEP) Firmware Decrypted

Duo Labs releases EFIgy 10.13

November 22, 2017 ~ hucktech ~ Leave a comment

New version of EFIgy released, initial support for High Sierra EFI versions & batch processing mode for sysadmins https://t.co/6Krg2bvQe5

— Rich Smith (@iodboi) November 22, 2017

An early Thanksgiving from @duo_labs to #macadmins – EFIgy now includes 10.13 data and has a batch mode for checking your entire fleet! Enjoy! 💻🔍 https://t.co/GOtieLLYsn

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) November 22, 2017

https://github.com/duo-labs/EFIgy/

If someone is looking for a side project, creating an @osquery extension that can query the EFIgy API would be so 💰 https://t.co/GaFqfSpOFq

— Chris Long (@Centurion) November 22, 2017

Trammell: eficheck finds Thunderstrike 2

November 6, 2017November 7, 2017 ~ hucktech ~ Leave a comment

Trammell Hudson tests Apple macOS’s eficheck against Thunderstrike2:

https://twitter.com/qrs/status/927565241449410560

https://twitter.com/qrs/status/927599689515626496

https://trmm.net/Thunderstrike
https://trmm.net/Thunderstrike_2
https://support.apple.com/en-us/HT207475

Thunderstrike 2

Apple EFI malware triad: Mojo/Thor/Loki?

October 8, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/osxreverser/status/916404934462939136

https://twitter.com/osxreverser/status/916405321056309249

https://twitter.com/osxreverser/status/916405109617319936

https://twitter.com/osxreverser/status/916473582720638982

Mojo / Thor / Loki are a triad of malware that infects the EFI of Apple MacBooks.[…]

https://github.com/rickmark/mojo_thor

more from Duo on Apple EFI security

September 30, 2017October 2, 2017 ~ hucktech ~ Leave a comment

Nice, in addition to an upcoming new EFI tool, it appears Duo has some defensive advise, using OSQuery, Puppet, and Chef. Click on the first tweet below for an image from their upcoming presentation.

This is the slide from our Apple EFI presentation that shows how to check the EFI versions on your endpoints, full deck coming soon. pic.twitter.com/ukK1CnrvVH

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) September 30, 2017

Great summary and analysis of Apple firmware! You can also use @osquery to collect and check your firmware versions https://t.co/2lCU4v1jqA https://t.co/dk6qstrbS7

— osquery (@osquery) September 30, 2017

Our slides include how to get the data with @osquery, @chef and @puppetize as well as simple shell commands 😄 https://t.co/CDSyC12kAp

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) September 30, 2017

Plus, check the state of your Mac's EFI firmware with @duo_labs' free open-source tool, EFIgy: https://t.co/Hl6C7qaVxG

— Duo Security (@duosec) September 29, 2017

Note that Teddy Reed is giving a presentation on OSQuery in November at Usenix LISA:

Mitchell and @teddyreedv will be at #lisa17 teaching #osquery on Nov 2nd, if you're around, check it out! https://t.co/v5ZJ7qywnq

— osquery (@osquery) September 13, 2017

Pepjin’s Apple EFI version spreadsheet:

https://docs.google.com/spreadsheets/d/1qGRVF1aRokQgm_LuTsFUN2Knrh0Sd3Gp0ziC_VIWqoM/edit#gid=0

Our slides include how to get the data with @osquery, @chef and @puppetize as well as simple shell commands 😄 https://t.co/CDSyC12kAp

— Pepijn Bruienne 🐶🌲🧀💴 (@bruienne) September 30, 2017

Nikolaj moves to US

September 30, 2017 ~ hucktech ~ Leave a comment

Apple firmware security researcher Nikolaj Schlej has been working from Europe, and is now moving to the US.

Big thanks to @XenoKovah and @coreykal for meeting me in the US, ending my very busy day full of flights with *GREAT MURICA*-themed party. pic.twitter.com/laD86fj1GJ

— Nikolaj Schlej (@NikolajSchlej) September 30, 2017

Nice picture of the Xeno, Corey, and Nikolaj in the above tweet.

Apple open sources XNU?

September 30, 2017 ~ hucktech ~ Leave a comment

Apple open sources iOS kernel https://t.co/z1ayhs2wfn?

— Hacker News Bot (@newsycombinator) September 30, 2017

https://github.com/apple/darwin-xnu

https://opensource.apple.com/

https://github.com/apple/darwin-xnu/tree/master/pexpert

Does this new Github release contain more than the previous Apple-hosted releases? I’m not yet clear.

Apple macOS automatic EFI checks

September 24, 2017 ~ hucktech ~ Leave a comment

High Sierra automatically checks EFI firmware each week https://t.co/fv8kXhPu67 pic.twitter.com/YsdNkKp4DH

— Howard Oakley, Eclectic Light Co (@howardnoakley) September 24, 2017

https://twitter.com/osxreverser/status/912014988608491520

High Sierra automatically checks EFI firmware each week

Upgrading to High Sierra brings a new and significant security feature: your Mac will automatically check its EFI firmware. In a series of tweets, Xeno Kovah, one of the three engineers responsible for the new tool, has outlined how this works.[…]

High Sierra automatically checks EFI firmware each week

AFAICT, the article references Tweets from earlier today that appear to have subsequently been deleted from Twitter.

Dmitry on macOS and external USB drives

September 4, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/nedos/status/904579391195414528

https://twitter.com/nedos/status/904284980632748032

http://www.grivet-tools.com/blog/2016/target-disk-mode-firmware-password/