MacOS Location Privacy Red Pill: A Rabbit Hole Resulting in 24 CVEs

Video duration
Not yet available
Language
English
Abstract
User location information is inherently privacy-sensitive, as it reveals a lot about us: Where do we work and live? Which cities, organizations and institutions do we visit? What does our weekly routine look like? When are we on vacation and not at home?
macOS has introduced multiple layers of security mitigations over the years to protect sensitive user location information from attackers and malicious applications — but are these enough?

In this talk, we dive into how attackers could have exploited multiple design flaws, information disclosures and logic vulnerabilities spread all across the macOS stack, leading to all kinds of ways to bypass the macOS TCC Location Services privacy protection and precisely localize the user without consent.
We will show how attackers could have retrieved precise real-time and historical geographic user locations hiding in various components of the persistence layer, within application state restoration files, and in error log messages that could be triggered via reliably exploitable HTTP response callback race conditions.
Digging deeper, we find that the precise user location can be reconstructed with lossless precision by combining various sources of metadata that were accessible through different pathways and quirks of the operating system, such as: access point SSIDs plus signal strength data, Apple Maps location query data caches, custom application binary plists, and even Find My widget UI structure metadata, which enables precise reconstruction of the victim's AirTag locations.
These issues have been responsibly reported in the scope of the Apple Security Research program and resulted in 24 CVE entries in Apple's security advisories for macOS.

We will finish off by investigating how we can prevent such issues in the future: extended automated privacy-focused integration testing, shifting the responsibility for privacy preservation from developers to the system framework level, and a more privacy-focused API architecture for location-relevant frameworks.

Talk ID: 38c3-656
Event: 38c3
Day: 2
Room: Saal GLITCH
Start: 2:45 p.m.
Duration: 01:00:00
Track: Security
Type of Talk: Talk
Speaker: Adam M.
Talk Slug & media link: 38c3-656-macos-location-privacy-red-pill-a-rabbit-hole-resulting-in-24-cves
