Mac OS X security threats and Mac attacks
Date: Feb 19, 2009
In an interview at the Black Hat DC Briefings, SearchSecurity.com's Neil Roiter talks to security researcher Vincenzo Iozzo about his latest Mac OS research. Iozzo explains how he found a way to inject malicious code directly into Mac OS X memory, leaving no trace for forensics investigation. Iozzo and researcher Charles Miller plan to demonstrate the technique against the Apple iPhone at Black Hat Europe in April. Learn about Mac OS X security threats, Mac attacks and more in this video.
Read the full transcript from this video below:
Black Hat DC 2009: Mac OS attack method
Neil Roiter: Hi, this is Neil Roiter at Black Hat DC for SearchSecurity.com. We're speaking with Vincenzo Iozzo, who presented his technique for injecting malicious code into OS X memory. Why are you so interested in Mac attacks, and why should security people be interested?
Vincenzo Iozzo: Well, the reason why I started with Mac OS X security is because it's my operating system. So I was rather interested in it, and also because there was a general lack of research in this field. And I think that also other security people should start thinking about how to attack Mac OS X because there are very few reserves, I can count them on my hand, so I think it's a rather interesting and new field to explore.
Neil Roiter: Is it also because there are so many more Macs coming in the workplace now, especially for executives using them?
Vincenzo Iozzo: Well, yes, this is one of the reasons, in a sense that from now on I can guess that a lot of new malware and research is going to be done on Mac OS X and I wanted to be one of the first to tackle this operating system. Also because I think it is rather less secure than people think it is. So well, yeah, it might be for a boom in the number of the Macs that are now available.
Neil Roiter: Your attack relies first on having a reliable exploit of an unpatched Mac system. So what is the significance, what is the importance in your technique?
Vincenzo Iozzo: Well, the importance is that I am able to actually check an arbitrary binary, which means that I can write my own piece of code in a high-level language and then inject it in the victim machine. And also another important thing is, let's say, a great technique from an anti-forensics point of view because when it comes to actually analyze the computer, avoid leaving traces on your disk. So this is a great thing because the analyzer doesn't know where to find the code that was used to actually attack the machine.
Neil Roiter: So an attacker, if they use your technique successfully, can you give a couple of examples of the kinds of nasty things they could do from that point?
Vincenzo Iozzo: Well, let's say that you want to inject a rootkit in a victim machine; you can do this by using my attack. You would be able to do this anyway, but you should first download the binary and then execute it, which means that the binary should stay on their disk. And this is not that good if you actually want to stay started, and it might be your purpose since you are using a rootkit.
And another interesting thing is that as I said before, you can write your own paled for example Point and Aroube and then inject it on the victim machine and this would create a new field, a new way of actually attacking a machine. So I think these are the most interesting things that you can do with my attack.
Neil Roiter: You mentioned at the end of your talk a real teaser that this technique will be able to extend this technique to iPhones, which will reach a much larger population. Could you talk a little bit about that?
Vincenzo Iozzo: Well, me and Charlie Miller actually did this; we just implemented the whole code that I showed for Mac OS X to iPhone, and the interesting facts about the iPhone implementation is that if a vulnerability is found on the phone, we can use it as a memory on the fly jailbreaking, which means that we have greater attacks of face when it comes to actually exploiting iPhones. So I think it's rather more interesting than the implementation of OS X actually.