Security researchers on Tuesday unveiled a method that could’ve allowed hackers to bypass a wide range of commercial products designed to protect Apple devices from malware. While there’s no evidence the bypass was ever used maliciously, the issue went unnoticed for over a decade.
The vulnerability is in how vendors such as Google and Facebook verify the origin of code to ensure it hasn’t been modified. Tools produced by these companies and several others use official code-signing APIs to confirm that code can be trusted. The method being used was flawed, however, making it easy for a hacker to pass off code as if it had been signed by Apple — to masquerade as Apple, in other words.
The issue was discovered by security firm Okta in February 2018. Apple was contacted soon after and affected developers were subsequently notified. The affected vendors, according to Okta, include: VirusTotal, Google, Facebook, Objective Development, F-Secure, Objective-See, Yelp, and Carbon Black.
Code-signing is a security construct whereby cryptographically generated signatures are used to verify the source of code. The code is digitally signed using a private key known only to the author. This is paired with a public key, which anyone can use to verify that code was signed using the author’s private key. But the process used by security vendors to check the signatures was flawed, theoretically allowing hackers to imitate Apple.
“Different types of tools and products use code signing to implement actionable security; this includes whitelisting, antivirus, incident response, and threat hunting products,” Okta engineer Josh Pitts wrote in a blog. “To undermine a code signing implementation for a major OS would break a core security construct that many depend on for day to day security operations.” (The nuts and bolts of the issue are disclosed by Pitts here.)
The problem, which may or may not have ever been exploited, was discovered, reported, and disclosed with a short period of time. All that’s left really is a little finger-pointing.
In remarks published by Okta, Apple seems to indicate it was the developers’ fault for not running the checks properly. The developers, meanwhile, say that Apple’s documentation — which has supposedly been updated — was both confusing and unclear. Given the wide range of products affected, the latter seems more than likely.