“$ sudo ls ~/Desktop: Operation not permitted”. Apple’s Transparency, Consent, and Control (TCC) framework limits access to private information like documents, a camera, a microphone, emails, and more in order to preserve your privacy. Since authorisation is required to grant such access, the mechanism key design priority was clear user consent. At Black Hat USA 2021, I co-presented considerable research on abusing the TCC mechanisms, however, this time, we won’t be directly exploiting the TCC. Given that iCloud has tons of macOS users’ secrets, why keep attacking the TCC? The default configuration makes Mac synchronize a lot of data. Don’t you have your iMessages/Photos/Calendars/Reminders/Notes accessible from iCloud? That’s good because you take care of your privacy… but most users don’t. :) The brand-new research on abusing Apple’s iCloud to gain access to users’ sensitive data will be shared during the presentation. All that from a malicious applications’ perspective without any additional permissions.

1. What happens on your Mac,
stays on Apple's iCloud?!
Bypassing Mac privacy mechanisms

2. Whoami?
Wojciech Reguła
Head of Mobile Security at
• Focused on iOS/macOS #appsec
• Blogger – https://wojciechregula.blog
• iOS Security Suite Creator
• macOS environments security

3. Research continuation / fork()

4. Agenda
1. Introduction to macOS privacy mechanisms
2. macOS entitlements and how to attack them
3. Accessing user’s iCloud account tokens via GarageBand
4. Accessing user’s iCloud account tokens via iMovie
5. Demos & further exploitation
6. Conclusion

5. Results of this research for now
During this talk we will get unauthorized access to user’s
• Location
• Contacts
• Calendar
• Reminders

6. Introduction to macOS Security Mechanisms
System Integrity Protection (SIP)
• Based on Sandbox kernel extension
• Restricts access to many directories on macOS
• Denies debugger attachments to processes signed directly by Apple
• Also known as rootless, because even root cannot do the above-
mentioned operations when the SIP is turned on

7. Transparency, Consent, and Control (TCC)

8. Transparency, Consent, and Control (TCC)

9. Transparency, Consent, and Control (TCC)
What resources are privacy-sensitive according to Apple?

10. Transparency, Consent, and Control (TCC)
…but TCC also
protects:

11. macOS
Entitlements
System

12. macOS Entitlements System

13. macOS Entitlements System

14. macOS Entitlements System

15. macOS Entitlements System

16. macOS Entitlements System

17. macOS Entitlements System

18. macOS Entitlements System – DYLIB injection flaw
A N A P P W I T H
P R I V AT E
E N T I T L E M E N T S
A N AT TA C K E R
L O A D S
S O M E H O W A
M A L I C I O U S
D Y N A M I C
L I B R A R Y
A M F I A N D
O T H E R
C O M P O N E N T S
V E R I F Y I N G
E N T I T L E M E N T S
A R E H A P P Y
👍🏻

19. Our target - com.apple.iCloudHelper.xpc
• Uses C XPC API for inter-process communication
• Will provide us iCloud auth tokens when nicely asked 😊

20. XPC exploitation
https://wojciechregula.blog/post/learn-xpc-exploitation-part-1-broken-cryptography/

24. Our target - com.apple.iCloudHelper.xpc

25. Our target - com.apple.iCloudHelper.xpc

26. Our target - com.apple.iCloudHelper.xpc

27. Our target - com.apple.iCloudHelper.xpc

28. Our target - com.apple.iCloudHelper.xpc

29. Attacking GarageBand
G A R A G E B A N D
W I T H P R I V AT E
I C L O U D
E N T I T L E M E N T
A N D D I S A B L E -
L I B R A R Y -
V A L I D AT I O N
M O D I F I C AT I O N
O F O N E O F T H E
D Y N A M I C
L I B R A R I E S T O
E X E C U T E M Y
C O D E
T H E
I C L O U D H E L P E R
H A P P I LY
A C C E P T S T H E
X P C
C O N N E C T I O N
👍🏻

30. Attacking GarageBand

31. Attacking GarageBand

32. Attacking GarageBand

41. https://vimeo.com/759031806

42. Attacking GarageBand

43. Attacking iMovie
I M O V I E W I T H
P R I V AT E
I C L O U D
E N T I T L E M E N T
A N D W I T H O U T
H A R D E N E D
R U N T I M E
D Y L D _ I N S E R T _
L I B R A R I E S
T H AT I N J E C T S
A D Y N Y M I C
L I B R A R Y W I T H
M Y C O D E
T H E
I C L O U D H E L P E R
H A P P I LY
A C C E P T S T H E
X P C
C O N N E C T I O N
👍🏻

44. Attacking iMovie

45. Attacking iMovie

46. Attacking iMovie

47. Attacking iMovie

48. Attacking iMovie

49. Attacking iMovie – fix #2

50. Stolen iCloud tokens

51. Using the iCloud tokens – pwning Location

52. https://vimeo.com/759034238

53. Using the iCloud tokens – pwning Contacts

54. Using the iCloud tokens – pwning Contacts

55. Using the iCloud tokens – pwning Calendar

56. Using the iCloud tokens – pwning Calendar

57. Using the iCloud tokens – pwning Reminders

58. What else uses iCloud tokens?!
…

59. Conclusion & Recommendations

60. Check
your
iCloud
settings

61. Wojciech Reguła
Head of Mobile Security at Securing
@_r3ggi wojciech-regula
Thank you!