February 23, 2021
Apple unveiled its annual Platform Security Guide, now 200 pages, which provides the first-ever detailed documentation of its new M1 chips. The company is known for being reticent to release much in-depth technical information as part of its “security through obscurity” strategy to fend off hackers. However, this latest edition of the guide offers “significantly expanded information,” including details about the Secure Enclave and other software features, and is designed to enable customers to use the technology’s defensive attributes.
Wired reports that Guardian Firewall app founder Will Strafach notes that “everything can be reverse engineered.” “But having a verbose and well-detailed authoritative document from Apple is helpful, as it allows folks to know the intentions and limitations associated with certain security capabilities,” he said.
Specifically, Strafach “wants to know more about how M1 chips securely handle booting other operating systems … [and] is curious about Apple’s iOS 14 enhancements that were meant to negate a ubiquitous jailbreak exploit but can be circumvented in some cases.”
Apple security researcher Patrick Wardle would like to “see more details on Apple’s own antivirus and malware detection tools.” He added that, “while the information provided by Apple is often quite helpful, I wish they would be more focused on practical advice for using their security components to lock systems down.”
At Johns Hopkins University, the Platform Security Guides have been a “really useful resource,” said PhD student Maximilian Zinkus. He and his colleagues have compiled the Guides from 2012 onward from third-party sources.
Elsewhere, Wired reports that GoSearch22, a member of the Pirrit Mac adware family, targets Apple’s Arm-based M1 processor, “released for the MacBook Pro, MacBook Air, and Mac mini in November.” The M1 chip, unlike its predecessor Intel x86 architecture, lets Apple “bake specific Mac security protections and features directly into its processors … [and] required legitimate developers to work on building versions of their software that run ‘natively’ on M1 for optimal performance.”
Wardle noted that GoSearch22 “takes a standard tactic of posing as a legitimate Safari browser extension and then collecting user data and serving illicit ads like banners and popups, including those that link to other malicious sites.” The adware was signed with a paid Apple developer ID account; Apple has since revoked the GoSearch22 certificate. Wardle found that VirusTotal’s antivirus scanners, which spot the Intel x86-based malware, are 15 percent less likely to detect the M1 versions.
At security firm Red Canary, researchers are also “investigating an example of native M1 malware that appears distinct from Wardle’s finding.”
Ars Technica reports that, “a previously undetected piece of malware found on almost 30,000 Macs [in 153 countries] is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.”
Researchers found that the infected computers, every hour, “check a control server to see if there are any new commands the malware should run or binaries to execute” — but they “have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown.” No evidence that the malware has self-destructed has been found.