At Defcon 2018, former NSA staffer and well-known Mac security researcher Patrick Wardle presented research on using synthetic clicks to bypass the layers of macOS security that are meant to stop malware from spreading through the system.
Every modern OS has a mechanism that guards sensitive data by asking the user whether a particular application should be given access to it. The user has to choose between “Allow” and “Deny.” When the user denies access, the system records that decision and blocks the application from using the resource, while other applications continue to run normally.
Wardle’s research targets exactly this mechanism. He argues that malware can reach out and click the “Allow” button as easily as a human can.
Note that this only works once malware is already running on the system. Wardle performed the attack on macOS High Sierra. He demonstrated that, using synthetic clicks, malware can bypass the permission prompts that are supposed to block it. Once it obtains permission, it can read the user’s location, steal contacts and take over the kernel to control the entire system.
What are Synthetic Clicks?
Synthetic (or invisible) clicks are a macOS feature that lets programs such as AppleScript generate mouse clicks that come from the program itself rather than from a human. They exist for automation and for accessibility tools that assist disabled users. To keep security intact, however, synthetic clicks are not accepted on certain sensitive “Allow” and “Deny” popups.
Wardle discovered that macOS does accept synthetic clicks on the prompts that ask for access to the user’s contacts and calendar, for permission to record the user’s location, and for permission to identify the network the user is connected to.
Test code he wrote glided through these prompts as easily as a human would.
This past March, Wardle spoke at SyScan360 in Singapore about macOS vulnerabilities and how they could be exploited with synthetic clicks. Digging further, he found that synthetic clicks could also be used to access the macOS keychain, which holds all of the user’s stored passwords, and to install kernel extensions that add code to take over the system.
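The prompts described above are the user-facing side of the macOS TCC privacy database, where each “Allow”/“Deny” decision is persisted. A grant obtained through a synthetic click is stored exactly like one a human approved, so the practical defender’s check is to audit that database for access nobody remembers granting. The script below is an added example, not code from the article or from Wardle. It assumes the TCC.db locations and the `access` table columns (`allowed` on High Sierra through Catalina, `auth_value` on Big Sur and later) as documented by third-party research, and it runs against a constructed sample database rather than a live system. Location services consent is kept by locationd rather than in TCC.db, so it is out of scope here.

```python
"""Audit the macOS TCC (privacy permissions) database for granted access.

Added example for this article; not code from Wardle or Apple. It reads the
sqlite database macOS uses to persist Allow/Deny decisions and lists which
clients currently hold access to sensitive services, so unexpected grants
(for example ones obtained via synthetic clicks) can be reviewed.
Assumptions: the TCC.db paths and column names below are as documented by
third-party research; the sample database is constructed for demonstration.
"""
import os
import sqlite3
import tempfile

# Real TCC.db locations (per-user and system-wide). Reading them needs
# Full Disk Access or root on modern macOS.
USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# Services the article says synthetic clicks could approve, plus two that
# matter for persistence. These are the real kTCCService identifiers.
SENSITIVE_SERVICES = {
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServiceCalendar": "Calendar",
    "kTCCServiceAccessibility": "Accessibility (can itself generate synthetic input)",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
}


def _access_column(conn):
    """Return (column, allowed_value) for whichever schema this DB uses."""
    cols = [row[1] for row in conn.execute("PRAGMA table_info(access)")]
    if "auth_value" in cols:   # assumed macOS 11+: 0 denied, 2 allowed, 3 limited
        return "auth_value", 2
    if "allowed" in cols:      # assumed High Sierra .. Catalina: 0 denied, 1 allowed
        return "allowed", 1
    raise RuntimeError("unrecognised TCC access table schema")


def granted_permissions(db_path):
    """List (service, client, label) for every sensitive grant in the DB."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        col, allowed = _access_column(conn)
        rows = conn.execute(
            f"SELECT service, client FROM access WHERE {col} = ? "
            "ORDER BY service, client",
            (allowed,),
        ).fetchall()
    finally:
        conn.close()
    return [
        (service, client, SENSITIVE_SERVICES[service])
        for service, client in rows
        if service in SENSITIVE_SERVICES
    ]


def unexpected_grants(db_path, allowlist):
    """Grants whose client bundle id is not on a reviewed allowlist."""
    return [g for g in granted_permissions(db_path) if g[1] not in allowlist]


def build_sample_db(path=None):
    """Constructed sample DB mirroring the pre-Big-Sur `access` table layout."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL,"
        " client_type INTEGER NOT NULL, allowed INTEGER NOT NULL,"
        " prompt_count INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, 0, ?, 1)",
        [
            ("kTCCServiceAddressBook", "com.apple.Mail", 1),
            ("kTCCServiceCalendar", "com.example.unknownhelper", 1),      # unreviewed
            ("kTCCServiceAddressBook", "com.example.unknownhelper", 0),   # denied
            ("kTCCServiceAccessibility", "com.example.unknownhelper", 1), # unreviewed
            ("kTCCServiceCamera", "com.apple.FaceTime", 1),               # not watched
        ],
    )
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    sample = build_sample_db()
    for service, client, label in unexpected_grants(sample, {"com.apple.Mail"}):
        print(f"review: {client} holds {label} ({service})")
```

On a real machine, pass USER_TCC_DB or SYSTEM_TCC_DB to unexpected_grants together with the bundle identifiers you have actually reviewed; anything reported is a grant to confirm with the user, since the database cannot tell a synthetic click from a human one.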
slides from my SyScan360 talk "Synthetic Reality: Breaking macOS One Click at a Time" are now online: https://t.co/AWFs9pcFRM tl;dr via "Mouse Keys" 🐭🔑 one could invisibly break many of Apple's local macOS security mechanisms 🤒🍎 pic.twitter.com/h3OgSQc38C
— patrick wardle (@patrickwardle) March 23, 2018
Apple then patched the vulnerability Wardle pointed out.
Wardle hasn’t informed Apple about this vulnerability yet, but says that he has warned the company several times before about the capabilities of synthetic clicks. He said, “I’ve reported a ton of bugs to them, and it doesn’t seem like it’s inspiring changes.”
The permission popup still appears on screen even when a synthetic click approves it, so a user watching the screen would be alerted. Wardle’s answer is that malware could wait for a period of inactivity, when the user is not in front of the machine, so that nobody notices the prompt being approved. Malware could also lower the screen brightness at that moment to make the popup almost unnoticeable.
Wardle closed his Defcon 2018 talk by calling these security flaws “lame” yet “powerful.” Apple needs to fix these recurring vulnerabilities to assure users that macOS is fail-proof and secure.