The future of macOS security: Baked-in protection and third-party tools
Anyone in the information security industry who’s interested in Mac security probably knows who Patrick Wardle is. Apart from being Chief Security Researcher at Synack, he’s also the creator of a number of security tools for macOS, which he makes available for free on his Objective-See project site.
He has recently scaled back at his traditional 9-to-5 job so that he could dedicate more time and energy to pursuing his passions: to create new free macOS security tools that will hopefully be viable alternatives to paid commercial products, continue to improve those tools he already made, continue to report macOS vulnerabilities to Apple, and to blog about all things related to macOS security (malware, vulnerabilities, OS internals).
I had the pleasure of meeting Wardle in person at this year’s edition of Hack In The Box Amsterdam, and we got talking about Mac security, his work and plans for the future.
macOS threats
“I think Apple has benefited from general trends in ‘Operating System level’ security. That is to say, like most major operating systems macOS now ships with ‘baked-in’ security features and malware mitigations. Thus, even though hackers and malware authors are now turning their attention more towards macOS, it luckily is becoming an ever harder target to infect,” he told me.
“As such, I’m not sure we’ll ever see a massive influx of macOS malware – at least malware that is able to effectively infect a wide-range of Mac users.”
However, there is no denying that Mac malware has become more commonplace. Recently we saw OSX/MacRansom – the first “Ransomware as a Service” for macOS, and annoying adware for macOS is (unfortunately) pretty unexceptional.
In his opinion, users can expect ransomware to transition to Mac systems. “Mac users are just as vulnerable as Windows users, and from the attackers point of view, are basically an ‘untapped’ target demographic,” he noted.
He also pointed out that even though macOS has some fairly secure core components (such as the FreeBSD parts), there is also much extra cruft that has been added over there years, making the OS a very broad attack surface for hackers.
Apple’s protections for macOS
Apple is notorious for keeping their cards close to their chest, but I often wondered whether the company is considering (or is already working on) a native Mac security solution that will be better than XProtect at detecting new malware.
Wardle says that, as far as knows, Apple isn’t building any new comprehensive anti-malware solution, and he believes this is a very conscious decision.
For one, by doing so, they would admit that Mac malware is a real and growing issue, and he’s not sure that is something they want to do. Secondly, products that can detect new malware are going to have some false positives.
“I’m sure this is something that Apple wouldn’t want to ‘burden’ their users with – and I don’t blame them. I think the wiser approach – and the approach that Apple is taking – is to continually introduce both better and more malware mitigations into the OS – mitigations that may be able to stop new malware in its tracks.”
“An example is ‘Secure Kernel Extension Loading’ that will be present in macOS High Sierra. This security enhancement aims to block the loading of kernel extensions until the user explicitly approves them. While there isn’t a lot of (public) macOS malware that has kernel components, this new feature may generically block it, and new malware that tries to load kernel extensions. Of course malware authors will be able to bypass this – but that’s a separate discussion,” he noted.
As far as XProtect is concerned, it is a good tool that does what it was designed to do: block known/existing malware. And now that it supports YARA signatures, he believes that it should be able to do this even better.
One thing that concerns him, though, is that Apple often messes up security patches. “I often look into the way Apple patches something and often they either don’t patch the core issue, fumble the patch or introduce worse issues. Some examples of this that I’ve found, reported and received CVEs for include: CVE-2015-3673, CVE-2015-7024, and CVE-2017-6987.”
Wardle’s security tools
“My ambitions for this effort is simply to keep creating free tools that can protect my personal Mac, and the Macs of my users. I feel like I have a unique insight into security issues facing macOS and also the ability to create tools to address these issues. So why not create tools and share them freely with the world?”
All user tools will continue to be 100% free – no ads/adware, no collection of user data, no time-trials, he promises.
He tries to make them easy-to-use for non-tech savvy users, but notes that they still require users to know a little something about the OS.
“For example, OverSight will tell you that a program is using your webcam. If it’s Facetime or Skype it’s fine, but if it’s malware that has uses an Apple-sounding name, you have to be knowledgeable enough to recognize it as malware,” he notes.
One way to discover if it’s malware is to search for some mention of it online. Another is to email him.
“My dream is to find brand new malware that no-one else has ever detected before.” But so far, he has had no luck on that front: he has mostly detected new adware variants. “The Shazam thing was cool, though,” he notes, referring to the discovery made by an OverSight user that the Shazam widget kept the microphone active even when users specifically switched the toggle to OFF in their app.
OverSight is also the most popular tool he created, perhaps because people are rightfully very concerned about malware accessing their webcams and microphones. Still, he’s most proud of BlockBlock.
“Though it’s conceptually simple (it just monitors persistence locations), it’s been able to generically detect all persistent macOS malware that has been discovered since its release almost two years ago,” he says. “Now, I’m sure malware will eventually bypass that, but I’ll be sure to update it as needed.”
Writing robust security tools is a lot of work, he notes, and users invariable find issues that need to be addressed. But the work has given him a much better understanding of macOS internals, as well as having the added bonus of revealing several macOS core security issues (which he duly reported to Apple).
Future plans
Wardle is currently working on new projects, while also continuing to improve and add new features to his existing ones.
He hopes to release soon an open source process monitoring library, and he’s also working on a free open source macOS firewall.
“While it won’t have all the bells and whistles of the existing commercial products, I think that a lot of people will be stoked about the price (free!) and that fact that it’s open source. Of course this is a rather big project to take on, but I’m making good progress.”
So far, users have shown their appreciation through emails and tweets thanking him for his work, and some have decided to finance it through Patreon.
“Since I’m only working part-time at Synack, I took a pay cut and I am now responsible for all my own ‘benefits’ such as health insurance,” he explained. “All the financial support from Patreon is inspiring and definitely helps offset these costs. It has also encouraged me to release more open source tools and continue to give back more to the macOS community.”
Advice for Mac users
Are there any other tools that he would recommend to Mac users to increase their security, I asked him.
“Little Snitch. It’s a good product, I run it, and I think it’s good to have a firewall. Other than that, nothing much – AV solutions for macOS don’t detect much, and Apple has XProtect built-in to protect users against known threats,” he says.
Be smart about the things you click on, and always run the latest version of the OS and the various software you use. “Hackers target vulnerabilities in software, so keeping it upgraded will block most attacks,” he points out.
Unless, of course, the attackers are from a government. In that case, the probability of getting hacked is higher – not due to attack or malware sophistication, but because of the attackers’ persistence.