What happens on your Mac, stays on Apple’s iCloud?! Bypassing Mac privacy mechanisms
“$ sudo ls ~/Desktop: Operation not permitted”. To protect your privacy, Apple introduced the Transparency, Consent, and Control (TCC) framework, which restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism’s main design concern was clear user consent.
I have co-presented extensive research on abusing the TCC mechanisms at Black Hat USA 2021, but this time we won’t be exploiting the TCC directly. Why keep attacking the TCC when iCloud stores tons of macOS users’ secrets?! The default configuration makes a Mac synchronize a lot of data. Don’t you have your iMessages/Photos/Calendars/Reminders/Notes accessible from iCloud?
Good, because you’re protecting your privacy… but most users don’t. 🙂
The presentation will share brand-new research on abusing Apple’s iCloud to get access to users’ privacy-sensitive data. All of this from a malicious application’s perspective, without any additional permissions.
In this talk I will:
* describe how macOS privacy mechanisms work
* analyze the macOS entitlements system and share an attacking methodology
* disclose macOS/iCloud vulnerabilities leading to stealing users’ privacy-sensitive data
* show live demos
* share my exploits
After the presentation, the audience should have a solid understanding of how macOS privacy mechanisms work, how they can be attacked, what the actual risk is, and how to protect yourself.
About the speaker
Wojciech Reguła is a Principal Security Consultant working at SecuRing. He specializes in application security on Apple devices. He created the iOS Security Suite – an open-source anti-tampering framework. He is a Bugcrowd MVP who has found vulnerabilities in Apple, Facebook, Malwarebytes, Slack, Atlassian, and others. In his free time, he runs an infosec blog – https://wojciechregula.blog – and has shared research at, among others, Black Hat (USA), Objective by the Sea (USA), AppSec Global (Israel), AppSec EU (United Kingdom), CONFidence (Poland), and NULLCON (India).