Lily Hay Newman, 06.02.19 6:00 AM
In 1999, Apple released a slew of new features with Mac OS 9, calling it “the best internet operating system ever.” The idea was to unlock the full potential of the turquoise plastic iMac G3—the Internet Mac!—released in 1998. But 12-year-old Joshua Hill didn’t have an iMac. To take advantage of all the new connectivity from his parents’ mid-’90s Mac Performa, he needed a modem that would plug into the computer through one of its chunky “serial” ports. So, naturally, he swapped his holographic Han Solo trading card with a friend for a 56k modem and started poking around. Twenty years later, his childhood fascination has led him to unearth a modem configuration bug that’s been in Apple operating systems all these years. And Apple finally patched it in April.
Hill, who is now a vulnerability researcher, is presenting the 20-year-old bug at the Objective by the Sea Mac security conference in Monaco on Sunday. The flaw could potentially have been exploited by an attacker to get persistent, remote root access to any Mac, meaning full access and control. This isn’t as bad as it sounds, though, Hill says. The specific exploit string he developed only works on certain generations of OS X and macOS, and Apple has added protections since 2016’s macOS Sierra that make the bug prohibitively difficult (though still not technically impossible) to exploit in practice. And since Apple operating system adoption rates are always high, there isn’t a significant population of truly retro Mac software out there to target.
“It’s not really a scary bug,” says Hill, a cofounder at the mobile firewall maker Guardian. “But it is an extremely fun bug to work on. I had actually been playing with some of this stuff when I was a very young kid—my very first hack when I was 12 years old. I used some of my old tricks to basically find which places would be vulnerable.”
Apple did not return a request for comment about Hill’s findings or the historic nature of the bug.
The original version of the attack simply took advantage of a service Apple used to offer called Remote Access. Essentially, you could call up your computer from a phone or another PC, and control it remotely without even needing to enter a username or password. Ah, the ’90s. Hill and a friend (the one who swapped a modem for the Han Solo trading card) would go to each other’s houses nearly every day, because they were the only two kids at their school in Lexington, Kentucky, who had Macs. Hill realized that he could use Remote Access to secretly connect their two computers, and would be able to call into his friend’s machine from afar and “have some fun,” as he puts it.
Hill got his chance to perform the physical-access part of the attack, setting up Remote Access on his friend’s machine, while his friend was in the shower. The next day, he pretended to be sick so he could stay home while his buddy was at school and both sets of parents were at work. “I dialed in and I added a couple of additions to the novel he had been writing,” Hill says, laughing.
Remote Access as it was conceived then is long gone from macOS. But Hill always remembered his first hack, and in 2017, while studying macOS and iOS’s VPN protocols in his research for Guardian, he discovered an ancient bug that could replicate something similar. Devices like smartphones have a built-in modem to send and receive data between computers (mainly across the internet), and they aren’t generally programmed to be compatible with other modems. But PCs are designed to be more customizable, and, especially in the early days of the internet, it was important that they be able to interoperate with modems from all different manufacturers that might essentially speak different languages. Hill found that these old modem configurations still underlie the network tools in Macs today, including those that automatically create network configurations for peripherals you might plug in—like an ethernet cable or a mobile USB hotspot.
The exploit centers on a sort of universal translator Apple created for modems known as the CCLEngine, which helps interpret and orchestrate data links between two computers. Hill realized that he could remotely bypass the CCLEngine’s authentication requirements for initiating a remote connection between computers using a common type of attack known as a buffer overflow. Software sets aside fixed-size regions of memory, called buffers, as a sort of holding pen for incoming data. The hack strategically overfills such a buffer so that data “overflows” into the adjacent parts of memory, often giving the attacker more control of the system in the process.
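As an added illustration of the buffer-overflow class described above (example code written for this page, not Apple’s CCLEngine code, which the article does not show), the program below builds a constructed record with a 16-byte command field sitting beside a 4-byte privilege field, copies an overlong input into it with no length check so the input spills into the neighbouring field, and then shows the bounded copy that refuses such input. The record layout, the field names and the sample strings are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (an assumption for this demo, not Apple's): a 16-byte
 * command field followed by a 4-byte privilege field, back to back in one
 * record. The command field is the article's "holding pen"; the privilege
 * field stands in for whatever happens to sit next to it in memory. */
#define CMD_FIELD_LEN 16
#define PRIV_FIELD_LEN 4
#define REC_LEN (CMD_FIELD_LEN + PRIV_FIELD_LEN)

struct record {
    unsigned char bytes[REC_LEN];
};

static uint32_t read_priv(const struct record *r) {
    uint32_t v;
    memcpy(&v, r->bytes + CMD_FIELD_LEN, sizeof v);
    return v;
}

/* Vulnerable pattern: copy the whole input plus its terminator into the
 * command field without checking its length. Anything beyond 15 characters
 * runs into the privilege field, and beyond REC_LEN off the end of the record. */
int fill_unchecked(struct record *r, const char *input) {
    memcpy(r->bytes, input, strlen(input) + 1);   /* BUG: no bound on the copy */
    return 0;
}

/* Hardened pattern: refuse input that does not fit, then copy exactly what
 * fits and terminate it. This path can never write past the command field. */
int fill_checked(struct record *r, const char *input) {
    size_t n = strlen(input);
    if (n >= CMD_FIELD_LEN)
        return -1;                                /* too long: reject, do not spill */
    memcpy(r->bytes, input, n);
    r->bytes[n] = '\0';
    return 0;
}

/* Convenience for callers that only want the accept/reject verdict (1 or 0). */
int checked_accepts(const char *input) {
    struct record r;
    memset(r.bytes, 0, REC_LEN);
    return fill_checked(&r, input) == 0;
}

/* Runs one input through the given fill routine on a fresh record whose
 * privilege field starts at 0 (normal user) and returns the privilege value
 * afterwards, so the effect of an overflow shows up as data rather than a crash. */
uint32_t priv_after(int (*fill)(struct record *, const char *), const char *input) {
    struct record r;
    memset(r.bytes, 0, REC_LEN);                  /* command empty, privilege 0 */
    fill(&r, input);
    return read_priv(&r);
}

int main(void) {
    /* Constructed inputs: one that fits, and one of 19 characters whose
     * terminator makes 20 bytes: it crosses the field boundary but stays
     * inside the record, so the demo itself stays within defined behaviour. */
    const char *fits = "ATDT5551234";
    const char *long_input = "AAAAAAAAAA" "AAAAAAAAA";   /* 10 + 9 characters */
    printf("unchecked, fits:      priv=%u\n", (unsigned)priv_after(fill_unchecked, fits));
    printf("unchecked, too long:  priv=%u\n", (unsigned)priv_after(fill_unchecked, long_input));
    printf("checked,   too long:  priv=%u accepted=%d\n",
           (unsigned)priv_after(fill_checked, long_input), checked_accepts(long_input));
    return 0;
}
```

In real programs the neighbour of an overrun buffer is rarely such a tidy flag; it may be another variable, a pointer or a saved return address, which is why the class is dangerous. The defence is the same in every case: know the capacity of the destination and refuse or truncate input that exceeds it before copying.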
From there, Hill could access a communication socket with privileges to read, write, and execute code on the system. “It’s extremely awfully written,” Hill says. He realized an attacker could send a specially crafted packet to the socket that would trick it into establishing a remote connection with root system access instead of as a normal user. Finally, Hill found a way to persistently maintain this fundamental control by setting the automatic network configuration tools to relaunch every 10 seconds and confirm that the remote connection was still active. In this way, even if the attacker’s root channel crashed or failed, it would quickly reestablish itself.
This ability to set up persistent access is perhaps the most unbelievable thing of all about the attack, Hill says. It’s possible because of a system monitoring oversight: when the configuration file fails and relaunches, it doesn’t generate a crash log. “It’s very bad programming practice, but this is very, very old code,” Hill says. “I’m assuming this is why it has never been seen, though, because you can’t go in and see the crashes.”
Now that Apple has patched the flaw, Hill says the most important thing to him is using his investigation into the bug as an example for kids and early-career bug hunters who are looking for strategies to uncover new issues. “I love vulnerabilities,” he says. “Every time I find a new one it feels like you found a piece of a puzzle on the floor you lost weeks ago. Many people ask me how to find exploits. I want to show them.”