Objective by the Sea 4.0

Objective by the Sea, the world’s premier Mac-focused security conference, returned to Maui this year for its fourth installment.

As usual, the conference featured an all-star lineup of macOS security researchers. But although many of the talks were fairly technical, and aimed at Mac security professionals, there were also a lot of valuable insights for everyday Mac users as well.

Here are some of the highlights and key takeaways:

Tech-enabled abuse on Apple platforms

Eva Galperin, Director of Cybersecurity for Electronic Frontier Foundation, gave a presentation entitled “Siri, Find My Ex”.

In her talk, Galperin discussed the problem of intimate partner surveillance on Apple platforms. She explained how Apple has taken steps to make it harder for abusers to spy on iOS users, and shared resources to help people detect a range of privacy threats on an iPhone. In addition, she discussed some of the privacy issues around AirTag, and closed with recommendations for how the tech industry can curb tech-enabled abuse.

Takeaway: Apple is aware of the issue of tech-enabled abuse on its platforms, and has taken measures to protect users. Nevertheless, many challenges still remain, and the problem is far from “solved” (even on the iPhone).

What’s in your Wallet

Sarah Edwards is a digital forensics researcher who specializes in Apple platforms. At OBTS, she gave a talk entitled “Pocket Litter — A Peek Inside Your Apple Wallet”.

Edwards notes that more and more people have started to “go digital” with mobile wallet apps like Apple Wallet (especially during the pandemic). In addition to credit card payment methods, Wallet can now be used to store travel passes, entertainment tickets, loyalty cards, COVID vaccination information, and official IDs. That’s a lot of personal information being managed on your iPhone — and being synced between different devices and cloud accounts. In her talk, Edwards takes a forensics researcher’s peek under the hood of Apple Wallet to see what forensic artifacts are being created by all of this activity.

Takeaway: As in years past, Edwards’ OBTS talk is a healthy (if somewhat disturbing) reminder that our digital lives generate a ton of sensitive data about us. That data can be accessed by skilled forensics experts in the course of an investigation — and potentially by bad actors who gain access to our devices.

The great update debate

Josh Long, a veteran macOS security researcher, gave a presentation entitled “n-1 and n-2: Should we really trust in you?”.

Long explored the issue of Apple’s security updates for the n-1 and n-2 versions of macOS (i.e., macOS Catalina and macOS Mojave at the time of writing). He conducted an extensive survey of macOS security updates and found that in many cases, there seem to be discrepancies in what Apple is patching. For example, one major vulnerability was patched in macOS Big Sur and Catalina, but not in macOS Mojave. Long reached out to a security researcher who had done an independent analysis of the vulnerability, and discovered that Mojave is indeed affected by it — even though it remains unpatched in that version of macOS! Long also spent some time discussing security updates for older versions of iOS as well.

Takeaway: Based on his research, Long concludes that “generally speaking, the current version of macOS is the safest one”, since it receives the most patches overall. Mac users should avoid using the n-1 and n-2 versions of macOS when possible — something to keep in mind as Apple prepares to release macOS Monterey.

Finding bugs on macOS

macOS security researcher Csaba Fitzl gave a talk called “Mount(ain) of Bugs”.

Fitzl’s presentation detailed multiple vulnerabilities in the macOS mount system operation. He also took a look at things from the offensive side, explaining how the mount operation can be used as an exploitation technique. The talk is quite technical, but is valuable for anyone interested in vulnerability research or in the security aspects of macOS internals. In the Q&A, Fitzl also talks a bit about his “bittersweet” experience with the Apple Security Bounty program, which has been criticized by other security researchers in recent weeks.

Takeaway: Despite Apple’s enhancements to macOS security in recent years, there are still fruitful avenues for exploitation available to threat actors — which means that we will likely continue to see macOS 0-days for the foreseeable future.

Hard data on Mac malware

Thomas Reed gave a talk entitled “Mac Detections by the Numbers”

Reed’s work gives him access to telemetry data from a large number of Macs, which puts him in a good position to comment on trends in macOS malware. In 2021, as in years past, adware and PUPs remain the most common type of threat on macOS. Reed also reported on emerging macOS malware threats, including a new variant of XCSSET, the much-ballyhooed Silver Sparrow, XcodeSpy, and more.

Takeaway: Reed closed with an important warning about PUPs and adware, the kind of Mac malware that consumer users are most likely to encounter. He points out that in many cases, this supposedly “less malicious” malware is actually more technically sophisticated than the nation-state malware on macOS! Mac users would therefore be wise to take such threats seriously.

Spies like … us?

Runa Sandvik and Patrick Wardle co-presented a talk entitled “Made In America: Analyzing US Spy Agencies’ macOS Implants”. Wardle is the founder of Objective by the Sea and a noted Mac malware analyst. He previously worked for the U.S. National Security Agency (NSA). Sandvik is a security researcher who specializes in cybersecurity for high-risk people.

The presentation provides a deep analysis of Green Lambert and DoubleFantasy, a pair of nation-state hacking tools for macOS. But interestingly, these spying tools don’t come from abroad: from Russian intelligence or the Chinese military. They’re homegrown, developed by the CIA and NSA.

Wardle and Sandvik give us a rare look inside the cyber-espionage activities of the U.S. intelligence community. They also provide a practical demonstration of how malware analysts take apart a hacking tool in order to understand how it works.

Takeaway: The 21st century threat landscape goes way beyond “hackers in hoodies”. Sophisticated state actors (both overseas and at home) are working to compromise the platforms that we use — and that includes macOS and iOS.