Quality defects at Apple: Researcher silences macOS malware warning system

At the Defcon hacker conference in Las Vegas, security researcher Patrick Wardle drew attention to several vulnerabilities in macOS’s Background Task Management (BTM). According to a report by Wired, attackers should be able to circumvent Apple’s warning system and thus install persistent malware on a Mac without the user noticing.
Researchers silenced macOS alerts

Background Task Management, introduced with macOS Ventura in October 2022, is supposed to notify users when a piece of software tries to establish persistence, i.e. anchors itself in the system in such a way that it survives a restart of the computer. If such a warning immediately follows the user’s installation of an application, it can usually be considered benign. If it appears unexpectedly, however, this may indicate a malware infection.

While Wardle fundamentally considers the protection mechanism implemented by Apple “a good thing”, he warns at the same time that the implementation of the feature has so far been so poor “that any malware that is a bit sophisticated can easily bypass surveillance”. Accordingly, the researcher demonstrated at Defcon three different ways to bypass macOS persistence notifications. One of them requires root access on the target device, but the other two do not.

Among other things, Wardle presented an exploit that took advantage of the way Apple’s warning system communicates with the operating system’s kernel. In another case, he exploited the ability of unprivileged users to put processes to sleep in order to suppress the persistence notifications. However, the Wired report does not give any technical details about these methods.

The quality still leaves a lot to be desired

The security researcher is said to have made Apple aware of problems with BTM beforehand. Apple then corrected these, but the company failed to improve the overall quality of the tool, which ultimately brought the new weaknesses to light. As a result, Wardle decided to share his findings at Defcon without notifying Apple again beforehand.

The researcher considers Apple’s approach of shipping such tools hastily and in an insufficiently tested form to be problematic, since it gives users a false sense of security. “They didn’t understand that the feature required a lot of work,” according to Wardle.