Why macOS is unbelievably insecure

The popular belief is that macOS is more secure than Windows. While Macs have fewer viruses written for them, they are still incredibly insecure. Here are several vulnerabilities you might not have heard of before:

Webcam Spying:

Webcam spying has become increasingly scary. You might say that Macs are completely safe because the webcam has a nice little indicator light that turns on when you are recording. However, this isn’t the case. In some older Macs, there is software built to disable the camera light completely. Even though this happened about 10 years ago, the scary thing is that there’s a built-in setting that changes the brightness of your screen by using the light sensor.

The ‘Automatically adjust brightness’ feature uses the brightness level from the light sensor, while somehow keeping the LED off.

If you’re reading this on a Mac and have this setting enabled, you can place your hand over the light sensor right now and watch the screen go darker. The LED never turns on during this. This means that macOS is at least capturing some data from your surroundings and it is doing so without the little light going on.

Ghost Account Creation:

On a Mac, there’s a pretty easy way to add a new admin account without permission from the owner of the Mac. Here’s how (and don’t worry — I’ll show you how to prevent this, too):

  1. Restart the Mac, and hold down Cmd+S during the boot process. You’ll be greeted with a black screen full of white text.
  2. Type ‘mount -uw /’ (without the quotes) and press enter.
  3. Type ‘rm /var/db/.AppleSetupDone’ (also without the quotes) and press enter again.
  4. Type ‘sudo reboot’ and finally press enter a third time.
  5. Follow the ‘Welcome to your new Mac!’ setup screens, which allow you to create a new admin account.

This method essentially tricks the computer into thinking that it’s being set up for the first time. All your files are still intact, except you now have a new user account under your control. I don’t think I have to say that being able to rip a Mac out of just about anyone’s hands and add an admin account is scary.

The mysterious ‘.AppleSetupDone’ file. Make this vanish and you have the ability to add an entirely new admin account without permission of the owner.

If you own a Mac, I bet you’re pretty terrified right now. If you’re running a Mac that is part of the 98% or so that don’t have a firmware password, you are at risk. If someone steals your laptop, they have access to all of the information on your computer. But, Apple wasn’t just about to leave a gaping hole in their system. If you’re interested in blocking these kinds of attacks, try setting a firmware password. Note: If you lose this password, you’ll have to take your computer to Apple to get it fixed, but that’s a small price to pay for peace of mind.

Password reset

Also, given about 5 minutes, it is possible (and quite easy) to reset anyone’s password on most Macs. If you don’t have a firmware password set up (which is very hard to turn on), you’re at risk for this type of attack, too. Here are the steps to resetting anyone’s password on a modern-ish Mac:

  1. Restart the Mac and hold down Cmd+R during the boot process.
  2. Be greeted with a little loading bar. At this point, you can release Cmd+R.
  3. Choose Utilities > Terminal.
  4. In the terminal, type ‘resetpassword’ (without the quotes) and press enter.
  5. Follow the nicely-designed application that Apple intentionally and purposefully created to reset your password.

Keep in mind that you don’t need authorization to do this. The only caveat with this method is that if you have an Apple ID linked to your account, you’ll need to use that to reset your password. However, there are many other ways of resetting passwords besides the one I have described here, and some of them are pretty easy.

Gatekeeper: A failed attempt at security

In Mac OS 10.7.5, the folks at Cupertino introduced Gatekeeper. While originally designed to protect against malware, it grew into a headache for developers and consumers alike. Apple is creating massive security holes while making developers jump through more hoops just to give their customers peace-of-mind. Here’s what developers have to do to get their app Gatekeeper-approved:

For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven’t been tampered with since they were signed. If an app was developed by an unknown developer — one with no Developer ID — or tampered with, Gatekeeper can block the app from being installed.

If you want to get started with Gatekeeper, you have to pay a hefty $99 fee per year. No wonder some companies just include disabling Gatekeeper as part of the installation process. Companies like Lulzbot simply can’t or don’t want to deal with the legal application process. Here’s another quote from their web page:

Enrolling as an Organization
If you’re enrolling your organization, you’ll need an Apple ID as well as the following to get started:
A D-U-N-S® Number
Your organization must have a D-U-N-S Number so that we can verify your organization’s identity and legal entity status. These unique nine-digit numbers are assigned by Dun & Bradstreet and are widely used as standard business identifiers. You can check to see if your organization already has a D-U-N-S Number and request one if necessary. They are free in most jurisdictions.
Legal Entity Status
Your organization must be a legal entity so that it can enter into contracts with Apple. We do not accept DBAs, fictitious businesses, trade names, or branches.
Legal Binding Authority
As the person enrolling your organization in the Apple Developer Program, you must have the legal authority to bind your organization to legal agreements. You must be the organization’s owner/founder, executive team member, senior project lead, or have legal authority granted to you by a senior employee.

I think that’s why a lot of companies don’t want to have to find a lawyer just to publish an app. I certainly wouldn’t. And then there is malware that easily bypasses Gatekeeper. Apple is making everything harder for developers, while letting basic malware like this one slip under the radar. What’s worse is that Apple introduced the ‘Auto Rearm’ feature to Gatekeeper in Yosemite, meaning that it turns on after 30 days of inactivity. Luckily, it’s possible to disable this ‘feature’ by using the Terminal. However, the Terminal can be very scary to some Mac users.

What you can do about this

I have two tips for you. The first is to set a firmware password on your Mac. This protects against all of the password-reset methods that I know of. The second is to enable FileVault. This encrypts your hard drive and makes it so no one can look through your storage volumes.
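
An added example (not part of the original post): a small shell audit for the two tips above, plus a check for admin accounts you did not create, such as one added through the setup-screen trick described earlier. It assumes the standard macOS tools `firmwarepasswd`, `fdesetup` and `dscl`; the function names and the `EXPECTED_ADMINS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Mac for a firmware password, FileVault, and unexpected admins.
# Each check takes the tool's output as an argument, so the parsing can be tested offline.

# `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No" (Intel Macs).
check_firmware() {
  case "$1" in
    *"Password Enabled: Yes"*) echo "OK" ;;
    *) echo "FAIL" ;;
  esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
  case "$1" in
    *"FileVault is On"*) echo "OK" ;;
    *) echo "FAIL" ;;
  esac
}

# `dscl . -read /Groups/admin GroupMembership` prints "GroupMembership: root alice ..."
# $1 = that output, $2 = space-separated list of the admin accounts you expect to exist.
unexpected_admins() {
  members=${1#GroupMembership:}
  extra=""
  for user in $members; do
    case " $2 " in
      *" $user "*) ;;                 # known admin, nothing to report
      *) extra="$extra$user " ;;      # admin account that is not on the expected list
    esac
  done
  echo "${extra% }"
}

audit() {
  echo "firmware password: $(check_firmware "$(sudo firmwarepasswd -check 2>&1)")"
  echo "FileVault:         $(check_filevault "$(fdesetup status 2>&1)")"
  echo "unexpected admins: $(unexpected_admins \
    "$(dscl . -read /Groups/admin GroupMembership)" "$EXPECTED_ADMINS")"
}

# Query the live system only on macOS and only when asked to with --run.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
  EXPECTED_ADMINS="${EXPECTED_ADMINS:-root $(id -un)}"
  audit
fi
```

Run it with `--run` after setting `EXPECTED_ADMINS` to the accounts you created; any name printed under "unexpected admins" is worth investigating.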