One way operating system developers try to protect a computers’s secrets from probing hackers is with an appeal to the human at the keyboard. By giving the user a choice to “allow” or “deny” a program’s access to sensitive data or features, the operating system can create a checkpoint that halts malware while letting innocent applications through. But former NSA staffer and noted Mac hacker Patrick Wardle has spent the last year exploring a nagging problem: What if a piece of malware can reach out and click on that “allow” button just as easily as a human?
At the DefCon hacker conference Sunday in Las Vegas, Wardle plans to present a devious set of automated attacks he’s pulled off against macOS versions as recent as 2017 release High Sierra, capable of so-called synthetic clicks that allow malware to breeze through the permission prompts meant to block it. The result could be malware that, once it has found a way onto a user’s machine, can bypass layers of security to perform tricks like finding the user’s location, stealing their contacts or, with his most surprising and critical technique, taking over the deepest core of the operating system, known as the kernel, to fully control the computer.
“The user interface is that single point of failure,” says Wardle, who now works as a security researcher for Digita Security. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”
Wardle’s attacks, to be clear, don’t offer a hacker an initial foothold on a computer; they only help a hacker’s malware penetrate layers of security on an already infected machine. But Wardle argues they could nonetheless serve as powerful tools for sophisticated attackers trying to silently steal more data from, or gain deeper control of, a machine they’ve already penetrated with a malicious attachment in a phishing email or some other common technique.