Apple’s supply chain is one of the most closely monitored and analyzed in the world, both because of the control the company exerts and keen interest from third parties. But there is still never a guarantee that a mass-produced product will come out of the box completely pristine. In fact, it’s possible to remotely compromise a brand-new Mac the first time it connects to Wi-Fi.
That attack, which researchers will demonstrate Thursday at the Black Hat security conference in Las Vegas, targets enterprise Macs that use Apple’s Device Enrollment Program and its Mobile Device Management platform. These enterprise tools let employees of a company walk through the customized IT setup of a Mac themselves, even if they work in a satellite office or from home. The idea is that a company can ship Macs to its employees straight from Apple’s warehouses, and the devices will automatically configure themselves to join the corporate ecosystem after booting up for the first time and connecting to Wi-Fi.
DEP and MDM require a lot of privileged access to make all of that happen. So when Jesse Endahl, the chief security officer of the Mac management company Fleetsmith, and Max Bélanger, a staff engineer at Dropbox, found a bug in these setup tools, they realized they could exploit it to get rare remote access to a Mac.
“We discovered a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the first time,” Endahl says. “By the time they’re logging in, once they see the desktop, the computer is already compromised.”
The researchers notified Apple about the issue, and the company released a fix in macOS High Sierra 10.13.6 last month, but devices that have already been manufactured and ship with an older version of the operating system will still be vulnerable. Bélanger and Endahl also note that Mobile Device Management vendors (third parties like Fleetsmith that companies hire to implement Apple’s enterprise scheme) also need to support 10.13.6 to fully mitigate the vulnerability.
When a Mac turns on and connects to Wi-Fi for the first time, it checks in with Apple’s servers, essentially to say, “Hey, I’m a MacBook with this serial number. Do I belong to someone? What should I do?”
If the serial number is enrolled in DEP and MDM, that first check automatically initiates a predetermined setup sequence, which runs through a series of additional checks with Apple’s servers and an MDM vendor’s servers. Companies typically rely on a third-party MDM facilitator to navigate Apple’s enterprise ecosystem. During each step of the process, the system uses “certificate pinning,” a method of confirming that particular web servers are who they claim to be. But the researchers found a problem during one step. When MDM hands off to the Mac App Store to install enterprise software, the sequence retrieves a manifest for what to download and where to install it without pinning to confirm the manifest’s authenticity.
If a hacker could lurk somewhere between the MDM vendor’s web server and the target device, they could replace the download manifest with a malicious one that instructs the computer to install malware instead. Architecting such an elaborate man-in-the-middle attack would be too difficult or expensive for the typical web criminal, but well-funded and motivated hackers could manage it. The tainted download server would also need to have a valid web certificate, another hurdle that makes the attack harder but certainly not impossible. From there, attackers could install anything from spyware to cryptojacking software on vulnerable Macs. They could even plant a malicious tool that evaluates devices on a corporate network to find vulnerable systems it could spread to. And once a hacker has set up the attack, it could target every Apple computer a given company puts through the MDM process.
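The difference between a pinned and an unpinned step, as an added example (not code from Apple, Fleetsmith or the researchers): two certificates both pass ordinary CA validation, and only the pin check separates them. The byte strings standing in for certificates and the function names are constructed, and the pin is a SHA-256 of the whole leaf certificate, a simplification of public-key pinning.

```python
import hashlib
import socket
import ssl
from typing import FrozenSet, Optional

def cert_pin(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded leaf certificate, used as the pin."""
    return hashlib.sha256(der_cert).hexdigest()

def accept_server(der_cert: bytes, ca_valid: bool,
                  pins: Optional[FrozenSet[str]]) -> bool:
    """Trust decision for one TLS peer.

    ca_valid: outcome of ordinary chain and hostname validation.
    pins:     allowed fingerprints, or None for a step that does not pin.
    """
    if not ca_valid:
        return False
    if pins is None:
        return True  # unpinned step: any CA-valid certificate is accepted
    return cert_pin(der_cert) in pins

def open_pinned(host: str, pins: FrozenSet[str], port: int = 443) -> ssl.SSLSocket:
    """Connect with normal validation, then refuse the peer unless it is pinned."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay on
    sock = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not accept_server(der, True, pins):
        tls.close()
        raise ssl.SSLError(f"certificate presented by {host} is not pinned")
    return tls  # only now is it safe to request the manifest

# Constructed byte strings standing in for DER certificates (not real ones).
VENDOR_CERT = b"constructed-der: manifest-host.example, expected key"
OTHER_VALID_CERT = b"constructed-der: manifest-host.example, different key"
PINS = frozenset({cert_pin(VENDOR_CERT)})

def demo() -> dict:
    """Both certificates pass CA validation; only the pin tells them apart."""
    return {
        "unpinned, expected cert": accept_server(VENDOR_CERT, True, None),
        "unpinned, other valid cert": accept_server(OTHER_VALID_CERT, True, None),
        "pinned, expected cert": accept_server(VENDOR_CERT, True, PINS),
        "pinned, other valid cert": accept_server(OTHER_VALID_CERT, True, PINS),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```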
“One of the aspects that’s scary about this is if you’re able to set this up at the company level you could infect everybody depending on where you do the man-in-the-middle,” Bélanger says. “This all happens really early in the device’s setup, so there aren’t really restrictions on what those setup components can do. They have complete power, so they’re vulnerable to being compromised in a pretty unique way.”
Bélanger and Endahl stress that the attack isn’t easy. They are only able to show a version of it at Black Hat because Endahl works at Fleetsmith and can set up the certified server and the man-in-the-middle attack on the MDM vendor himself. And they praise Apple’s application security and the MDM process overall, noting that Apple has created the ability to kill malicious apps once the company discovers them.
But they emphasize that it would be possible for a well-funded, determined attacker to exploit the flaw if they were looking for a way onto Macs. And the potential to use the attack as a jumping-off point to bore deeper into corporate networks would have plenty of appeal. Hackers could even simplify the attack by targeting employees who work from home and are easier to man-in-the-middle, thanks to their consumer-grade routers.
“The attack is so powerful that some government would be incentivized to put in the work to do it,” Endahl says.
Apple’s patch will proliferate quickly to negate the flaw, but it is a good reminder regardless that even minute weaknesses in an ecosystem as elaborate as Apple’s can have potentially severe consequences.
When news hit this week that West Virginian military members serving abroad will become the first people to vote by phone in a major US election this November, security experts were dismayed. For years, they have warned that all forms of online voting are particularly vulnerable to attacks, and with signs that the midterm elections are already being targeted, they worry this is exactly the wrong time to roll out a new method. Experts who spoke to WIRED doubt that Voatz, the Boston-based startup whose app will run the West Virginia mobile voting, has figured out how to secure online voting when no one else has. At the very least, they are concerned about the lack of transparency.
“From what is available publicly about this app, it’s no different from sending voting materials over the internet,” says Marian Schneider, president of the nonpartisan advocacy group Verified Voting. “So that means that all the built-in vulnerability of doing the voting transactions over the internet is present.”
And there are a lot of vulnerabilities when it comes to voting over the internet. The device a person is using could be compromised by malware. Or their browser could be compromised. In many online voting systems, voters receive a link to an online portal in an email from their election officials—a link that could be spoofed to redirect to a different website. There’s also the risk that someone could impersonate the voter. The servers that online voting systems rely on could themselves be targeted by viruses to tamper with votes or by DDoS attacks to bring down the whole system. Crucially, electronic votes don’t create the paper trail that allows officials to audit elections after the fact, or to serve as a backup if there is in fact tampering.
But the thing is, people want to vote by phone. In a 2016 Consumer Reports survey of 3,649 voting-age Americans, 33 percent of respondents said that they would be more likely to vote if they could do it from an internet-connected device like a smartphone. (Whether it would actually increase voter turnout is unclear; a 2014 report conducted by an independent panel on internet voting in British Columbia concludes that, when all factors are considered, online voting doesn’t actually lead more people to vote.)
Thirty-one states and Washington, DC, already allow certain people, mostly service members abroad, to file absentee ballots online, according to Verified Voting. But in 28 of those states—including Alaska, where any registered voter can vote online—online voters must waive their right to a secret ballot, underscoring another major risk that security experts worry about with online voting: that it can’t protect voter privacy.
“Because of current technological limitations, and the unique challenges of running public elections, it is impossible to maintain separation of voters’ identities from their votes when Internet voting is used,” concludes a 2016 joint report from Common Cause, Verified Voting, and the Electronic Privacy Information Center. That’s true whether those votes were logged by email, fax, or an online portal.
Voatz says it’s different. The 12-person startup, which raised $2.2 million in venture capital in January, has worked on dozens of pilot elections, including primaries in two West Virginia counties this May. On a website FAQ, it notes, “There are several important differences between traditional Internet voting and the West Virginia pilot—mainly, security.”
Voatz CEO Nimit Sawhney says the app has two features that make it more secure than other forms of online voting: the biometrics it uses to authenticate a voter and the blockchain ledger where it stores the votes.
The biometrics part occurs when a voter authenticates their identity using a fingerprint scan on their phones. The app works only on certain Androids and recent iPhones with that feature. Voters must also upload a photo of an official ID—which Sawhney says Voatz verifies by scanning their barcodes—and a video selfie, which Voatz will match to the ID using facial-recognition technology. (“You have to move your face and blink your eyes to make sure you are not taking a video of somebody else or taking a picture of a picture,” Sawhney says.) It’s up to election officials to decide whether a voter should have to upload a new selfie or fingerprint scan each time they access the app or just the first time.
The blockchain comes in after the votes are entered. “The network then verifies it—there’s a whole bunch of checks—then adds it to the blockchain, where it stays in a lockbox until election night,” Sawhney says. Voatz uses a permissioned blockchain, which is run by a specific group of people with granted access, as opposed to a public blockchain like Bitcoin. And in order for election officials to access the votes on election night, they need Voatz to hand deliver them the cryptographic keys.
Sawhney says that election officials print out a copy of each vote once they access them, in order to do an audit. He also tells WIRED that in the version of the app that people will use in November, Voatz will add a way for voters to take a screenshot of their vote and have that separately sent to election officials for a secondary audit.
To address concerns about ballot secrecy, Sawhney says Voatz deletes all personal identification data from its servers, assigns each person a unique but anonymous identifier within the system, and employs a mix of network encryption methods. “We feel like that extra level of anonymization on the phone and on the network makes it really really hard to reverse-engineer,” he says.
Experts Are Concerned
Very little information is publicly available about the technical architecture behind the Voatz app. The company says it has done a security audit with three third-party security firms, but the results of that audit are not public. Sawhney says the audit contains proprietary and security information that can’t leak to the public. He invited any security researchers who want to see the audit to come to Boston and view it in Voatz’s secure room after signing an NDA.
This lack of transparency worries people who’ve been studying voting security for a long time. “In over a decade, multiple studies by the top experts in the field have concluded that internet voting cannot be made secure with current technology. VOATZ claims to have done something that is not doable with current technology, but WON’T TELL US HOW,” writes Stanford computer scientist and Verified Voting founder David Dill in an email to WIRED.
Voatz shared one white paper with WIRED, but it lacks the kind of information experts might expect—details on the system architecture, threat tests, how the system responds to specific attacks, verification from third parties. “In my opinion, anybody purporting to have securely and robustly applied blockchain technology to voting should have prepared a detailed analysis of how their system would respond to a long list of known threats that voting systems must respond to, and should have made their analysis public,” Carnegie Mellon computer scientist David Eckhardt wrote in an email.
Ideally, experts say, Voatz would have held a public testing period of its app before deploying it in a live election. Back in 2010, for example, Washington, DC, was developing an open-source system for online voting and invited the public to try to hack the system in a mock trial. Researchers from the University of Michigan were able to compromise the election server in 48 hours and change all the vote tallies, according to their report afterward. They also found evidence of foreign operatives already in the DC election server. This kind of testing is now considered best practice for any online voting implementation, according to Eckhardt. Voatz’s trials have been in real primaries.
Voatz’s use of blockchain itself does not inspire security experts, either, who dismissed it mostly as marketing. When asked for his thoughts on Voatz’s blockchain technology, University of Michigan computer scientist Alex Halderman, who was part of the group that threat-tested the DC voting portal in 2010, sent WIRED a recent XKCD cartoon about voting software. In the last panel, a stick figure with a microphone tells two software engineers, “They say they’ve fixed it with something called ‘blockchain.’” The engineers’ response? “Aaaaa!!!” “Whatever they’ve sold you, don’t touch it.” “Bury it in the desert.” “Wear gloves.”
“Voting from an app on a mobile phone is as bad an idea as voting online from a computer,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins, who has studied electronic voting systems since 1997. “The fact that someone is throwing around the blockchain buzzword does nothing to make this more secure. This is as bad an idea as there is.”
Blockchain has its own limitations, and it’s far from a perfect security solution for something like voting. First of all, information can be manipulated before it enters the chain. “In fact, there is an entire industry in viruses to manipulate cryptocurrency transactions before they enter the blockchain, and there is nothing to prevent the use of similar viruses to change the vote,” says Poorvi Vora, a computer scientist and election security expert at George Washington University.
She adds that if the blockchain is a permissioned version, as Voatz’s is, “It is possible for those maintaining the blockchain to collude to change the data, as well as to introduce denial of service type attacks.”
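Vora’s two points, shown on a toy hash chain as an added example (it is not Voatz’s system, whose architecture is not public): a chain that verifies cleanly says nothing about whether a ballot matched the voter’s intent, and maintainers who jointly recompute every hash produce a chain that also verifies. The ballot format, field names and the independently recorded head hash are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev_hash: str, ballot: dict) -> str:
    """Hash of a block: previous hash plus the canonical JSON of the ballot."""
    payload = json.dumps(ballot, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def build(ballots: list) -> list:
    """Append ballots in order, linking each block to the one before it."""
    chain, prev = [], GENESIS
    for ballot in ballots:
        digest = block_hash(prev, ballot)
        chain.append({"ballot": dict(ballot), "prev": prev, "hash": digest})
        prev = digest
    return chain

def verify(chain: list) -> bool:
    """Internal consistency only: every link and every block hash must match."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["ballot"]):
            return False
        prev = block["hash"]
    return True

# Constructed sample: what three voters intended to cast.
INTENDED = [{"id": "anon-1", "choice": "A"},
            {"id": "anon-2", "choice": "B"},
            {"id": "anon-3", "choice": "A"}]

def scenarios() -> dict:
    honest = build(INTENDED)
    anchored_head = honest[-1]["hash"]  # assumed: head hash held by an outside auditor

    # 1. Choice changed on the device before submission; the chain never saw "A".
    changed = [dict(b) for b in INTENDED]
    changed[0]["choice"] = "B"
    pre_entry = build(changed)

    # 2. One block edited in place without touching the hashes.
    edited = [dict(b, ballot=dict(b["ballot"])) for b in honest]
    edited[1]["ballot"]["choice"] = "A"

    # 3. Maintainers agree on a new history and recompute every hash.
    rewritten = [dict(b) for b in INTENDED]
    rewritten[1]["choice"] = "A"
    colluded = build(rewritten)

    return {
        "pre_entry_verifies": verify(pre_entry),
        "pre_entry_matches_intent": pre_entry[0]["ballot"] == INTENDED[0],
        "in_place_edit_verifies": verify(edited),
        "colluded_rewrite_verifies": verify(colluded),
        "colluded_matches_anchor": colluded[-1]["hash"] == anchored_head,
    }
```

Only the in-place edit fails `verify`; the pre-entry change is caught only by comparison with a record the voter confirmed, and the rewrite only by a head hash kept outside the maintainers’ control.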
Sawhney pushes back against this last critique, telling WIRED that the blockchain verifiers in the Voatz system are a collection of vetted stakeholders such as Voatz itself, election officials, nonprofit voting auditors, and politicians.
And even though the transaction is through an app rather than a browser, Vora says previously identified risks of internet voting remain. “Both the browser and the app run on the operating system underneath, and both, hence, inherit the vulnerabilities that go with relying entirely on software,” she says.
Sawhney admits the concern about malware on a person’s device is legitimate but thinks that creating a program to manipulate votes would be so hard as to be impractical. “It’s theoretically possible, if that malware had been specifically written to intercept votes passing, to reverse-engineer our application, break all our keys, specifically modify if somebody marks oval A change it to oval B, and then bypass the identifier and send it to the network, but that is so, so hard to do in real time,” he says. “It is possible, but we haven’t found a way to do it.” He adds that the app checks the phone for malware before downloading on a device, though he admits it could be possible for malware to go undetected.
The role of facial recognition in authenticating voter identities is another thing that concerns experts. Schneider worries that there could be ways to trick that technology using videos available elsewhere on the internet, for instance. And Vora notes that facial-recognition technology has known racial biases that could affect who even is able to access Voatz.
Sawhney tells WIRED that Voatz has people manually check the facial-recognition authorization. This is possible at the moment but could become an issue if the technology were to be introduced to a wider electorate, as Voatz states on its website is the ultimate goal. In fact, Voatz has already encountered a scaling problem. When Utah GOP voters tried to use the app during their caucus in April, many couldn’t get it to work. You can read about many voters’ experience in bad reviews of Voatz they left in Apple’s App Store. Sawhney tells WIRED that the issues stemmed from voters attempting to download the app and authenticate themselves minutes before polls closed, which didn’t give Voatz enough time.
Though Voatz has answers for much of the criticism it has faced this week, none of its responses are likely to convince security experts that the smartphone voting app is ready for November. At the very least, the security world’s reaction to Voatz underscores how important transparency is in the rollout of any new voting system. “West Virginia is handing over its votes to a mystery box,” Dill says.
But election officials in West Virginia are enthusiastic about the app. “They used it in the primary in a couple of the other counties to do a test drive, and they said it was wonderful,” says Kanawha County Clerk Vera McCormick, who oversees voting in the state capital of Charleston and plans to allow the 60 overseas military members registered in her county to use Voatz to vote. “We’re excited and my understanding is the security is wonderful, so we’ll find out.”