The new Apple T2 chip makes it difficult to eavesdrop through the built-in microphone of the

Apple has published documentation on the T2 security chip, which is built into the company's latest notebooks, including the MacBook Pro introduced at the beginning of the year and the recently announced MacBook Air.

Until today, little was known about the chip. But now it turns out to be a very interesting one. It has a number of security features, including the storage and protection of device encryption keys, fingerprint data and secure boot functions. In addition, the chip disables, in hardware, the microphone of the built-in camera when the laptop lid is closed.

“This shutdown is implemented at the hardware level and therefore does not allow any software, even with the privileges of root or kernel in macOS, and even software on the T2 chip, to turn on the microphone when the lid is closed,” the published guide says. The microphone is given one paragraph.

It also adds that the camera itself is not turned off in hardware, because "its field of view is completely blocked by a closed lid."

Apple said the new feature adds an “unprecedented” level of security for the Mac. We are talking about protection against malware, trojans and RATs, which have recently become widespread on macOS (on Windows such programs have existed in large numbers for a long time).

The threat of hackers connecting to laptop webcams became a reality a few years ago, with the proliferation of remote administration tools (RATs). At the same time, the habit of covering the laptop webcam with tape or an opaque sticker spread among users.

Until a certain moment, some users believed that the webcams on Apple laptops could not be activated without the user's knowledge, but last year the Fruitfly malware was detected, which dispelled this myth.

At first glance, the malware is quite simple and consists of only two files:

~/.client
SHA256: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044

~/Library/LaunchAgents/com.client.client.plist
SHA256: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3

The .plist file itself simply keeps .client running at all times. But the latter is much more interesting: it is a minified and obfuscated Perl script that, among other things, establishes a connection with one of the command-and-control servers.

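A defender's check built from the two files described above, as an added example that is not from the original article or the researchers: it compares per-user LaunchAgents and the programs they start against the two SHA256 values listed. It goes slightly beyond the article by also flagging any agent that launches a hidden file directly in the home directory; the function names and that heuristic are assumptions of this example.

```python
import hashlib
import plistlib
from pathlib import Path

# SHA256 values the article gives for ~/.client and its LaunchAgent plist.
KNOWN_SHA256 = {
    "ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044",
    "83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3",
}


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def launch_target(plist_path):
    """Return the executable a LaunchAgent starts, or None if it cannot be read."""
    try:
        with plist_path.open("rb") as fh:
            job = plistlib.load(fh)
        target = job.get("Program") or job["ProgramArguments"][0]
    except Exception:  # unreadable, malformed, or no program entry
        return None
    return Path(target) if isinstance(target, str) else None


def scan_home(home):
    """Return (path, reason) findings for the per-user LaunchAgents under home."""
    findings = []
    for plist_path in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        if not plist_path.is_file():
            continue
        if sha256_of(plist_path) in KNOWN_SHA256:
            findings.append((plist_path, "plist matches a published hash"))
        target = launch_target(plist_path)
        if target is None:
            continue
        # Heuristic (an assumption of this example): an agent that starts a
        # dotfile sitting directly in the home directory deserves a review.
        if target.parent == home and target.name.startswith("."):
            findings.append((plist_path, "launches hidden file " + target.name))
        if target.is_file() and sha256_of(target) in KNOWN_SHA256:
            findings.append((target, "payload matches a published hash"))
    return findings


if __name__ == "__main__":
    for path, reason in scan_home(Path.home()):
        print(f"{path}: {reason}")
```

A hash match only catches the exact samples listed, while the hidden-file finding is a prompt for manual review rather than proof of infection.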
But the most interesting part of the script is at the end, in the __DATA__ section. A Mach-O binary, a second Perl script and a Java class were found there; the script extracts them, writes them to the /tmp folder and executes them. The Java class is started with apple.awt.UIElement set to true, that is, it does not appear in the Dock.

It is this binary that takes screenshots (from the display) and accesses the webcam. The researchers point out that to do so the malware uses truly “ancient” system calls that were in use before OS X appeared:

SGGetChannelDeviceList
 
SGSetChannelDevice
 
SGSetChannelDeviceInput
 
SGInitialize
 
SGSetDataRef
 
SGNewChannel
 
QTNewGWorld
 
SGSetGWorld
 
SGSetChannelBounds
 
SGSetChannelUsage
 
SGSetDataProc
 
SGStartRecord
 
SGGetChannelSampleDescription

From this, they conclude that the authors have no experience with modern Mac development and are working from old documentation, which hints at a foreign origin, from a region where Apple technology is not widespread. In addition, the binary includes the source code of the open-source libjpeg library in its 1998 version. One way or another, the malware does its job and spies on Mac users through the laptop’s built-in webcam.

It is known that spying through laptop webcams is practiced not only by curious hackers for entertainment, but also by intelligence services. For many years the British intelligence service GCHQ had a department that developed such trojans as part of the Optic Nerve program. Even some famous techies like Mark Zuckerberg have covered the webcam on their laptop with tape.