There are few things Apple users love more than being Apple users. The tight security features and largely virus-free ecosystem have long given the Mac enthusiast a feeling of superiority over virus-ridden PC brethren. One problem: It's no longer true and hasn't been true for some time.
Apple's reputation for security was earned long ago. A group of hackers proved how dated that notion is earlier this week when they took control of the Transmission BitTorrent app and used it to distribute malicious software to Mac users that encrypts files on a victim’s machine and demands a $400 ransom payment to release the affected files.
It is not clear which versions of OS X, Mac's operating system, are affected. But it is clear that much of the Mac's reputation for safety was simply a function of not being attacked. For most pro hackers, the smaller Mac ecosystem simply wasn't worth the time. But that's changing. Indeed, the 6,500 people who downloaded the software unwittingly showed that cybercriminals’ investment in cracking Apple software is starting to pay off.
“Windows was really insecure for a long time, and Mac didn’t have a lot of market share so they weren’t as much of a target,” said Patrick Wardle, a former U.S. National Security Agency staffer who's now director of research at the security firm Synack. “If I’m going to hack an organization's devices now, it’s going to be Apple. They’re a security soft target.”
Apple's security weaknesses begin with the software designed to protect it.
Apple's Gatekeeper, first introduced in 2012 as part of OS X Mountain Lion, has become the primary security measure on OS X computers. It's meant to ensure that users only download apps and other software that have already been approved by Apple, either via the App Store or from identified developers who include a preapproved developer certificate (which verifies a developer's identity) in their product. It's a measure that's meant to prevent users from downloading outside programs that would enable hackers to steal their passwords and financial information, secretly capture audio or video or worse.
But Gatekeeper also includes a number of vulnerabilities that researchers have proved can be exploited for nefarious means. Last year Wardle exposed a mechanism in Gatekeeper that would allow hackers to bypass the protection by infecting software that has already been approved by Apple. Essentially, once an app was approved by Gatekeeper, it was always trusted, even if it started distributing malware later on.
Apple responded to Wardle's revelations in January by issuing a security update that only blocked the files Wardle provided to the company. The update didn't address the deeper problem: trusted files can still be used to distribute a variety of shady software. That's largely what appears to have happened in the ransomware attack, where attackers faked Transmission's already-approved developer certificate to distribute their own ransomware code.
“I wasn't really surprised, we were expecting this,” Wardle said, adding that Apple computers running El Capitan, the newest version of the Mac OS, without antivirus software rank at a five on a security scale of one to 10. Windows 10 is closer to a seven. “From a technical point of view there was no reason we hadn't seen this before. It was just neat that it was signed, which is an easy way around Mac Gatekeeper.”
Apple quickly revoked the digital certificate upon learning Transmission files were infected.
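To make the trust model described above concrete, here is an added illustration in Python; it is not Apple's code or anything from the article's sources. It uses an HMAC as a stand-in for a Developer ID code signature (constructed keys and app contents, no real certificates) and compares a "valid signature is enough" policy with one that also consults a revocation list and, optionally, an allowlist of known-good build hashes. The developer identifier, key, and app bytes are all constructed for the example.

```python
import hashlib
import hmac

# Constructed signing keys standing in for Developer ID private keys.
# (Toy model: real Gatekeeper checks X.509 certificate chains, not HMACs.)
DEVELOPER_KEYS = {
    "DEV-TRANSMISSION": b"constructed-key-transmission",
}

# Constructed app contents: the publisher's legitimate build and a build
# that carries extra bytes but is signed with the same approved developer key.
LEGIT_BUILD = b"Transmission application bundle (constructed sample)"
MODIFIED_BUILD = LEGIT_BUILD + b"\n<extra payload bytes (constructed sample)>"


def sign(dev_id: str, app_bytes: bytes) -> str:
    """Toy code signature: HMAC-SHA256 over the bundle with the developer's key."""
    return hmac.new(DEVELOPER_KEYS[dev_id], app_bytes, hashlib.sha256).hexdigest()


def signature_valid(dev_id: str, app_bytes: bytes, signature: str) -> bool:
    """True when the signature matches the bundle under a known developer key."""
    if dev_id not in DEVELOPER_KEYS:
        return False
    return hmac.compare_digest(sign(dev_id, app_bytes), signature)


def sha256(app_bytes: bytes) -> str:
    return hashlib.sha256(app_bytes).hexdigest()


def assess_signature_only(dev_id: str, app_bytes: bytes, signature: str) -> str:
    """Policy A: admit anything carrying a valid Developer ID signature.

    This is the weakness the article describes: trust is a property of the
    certificate, so a modified build signed with an approved key is admitted.
    """
    return "allow" if signature_valid(dev_id, app_bytes, signature) else "block"


def assess_with_revocation(dev_id: str, app_bytes: bytes, signature: str,
                           revoked: set, known_good=None) -> str:
    """Policy B: valid signature, certificate not revoked, and, when a
    known-good hash allowlist is maintained, the exact build is on it."""
    if not signature_valid(dev_id, app_bytes, signature):
        return "block: bad signature"
    if dev_id in revoked:
        return "block: certificate revoked"
    if known_good is not None and sha256(app_bytes) not in known_good:
        return "block: unknown build"
    return "allow"


def run_scenario() -> dict:
    """Walk both builds through both policies, then revoke the developer key
    (the step Apple took in the incident) and assess again."""
    dev = "DEV-TRANSMISSION"
    legit_sig = sign(dev, LEGIT_BUILD)
    modified_sig = sign(dev, MODIFIED_BUILD)  # signed with the approved key
    revoked = set()
    pinned = {sha256(LEGIT_BUILD)}  # allowlist: only the publisher's known build

    results = {
        "A_legit": assess_signature_only(dev, LEGIT_BUILD, legit_sig),
        "A_modified": assess_signature_only(dev, MODIFIED_BUILD, modified_sig),
        "B_modified_pinned": assess_with_revocation(
            dev, MODIFIED_BUILD, modified_sig, revoked, pinned),
    }

    revoked.add(dev)  # certificate revocation, as described above
    results["B_modified_after_revocation"] = assess_with_revocation(
        dev, MODIFIED_BUILD, modified_sig, revoked)
    results["B_legit_after_revocation"] = assess_with_revocation(
        dev, LEGIT_BUILD, legit_sig, revoked)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

Two things the run makes visible: under policy A the modified build is admitted for exactly as long as the certificate stays valid, and revocation under policy B blocks the legitimate build as well, which is why a per-build hash allowlist (or a quarantine check on first launch) is the finer-grained control for the window before revocation.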
Apple’s OS X held 7 percent of the worldwide operating system market as of November 2015, according to figures released by Net Applications. But just because an OS is less used doesn’t mean it’s safe. And now, with Apple computer sales expected to grow after a slight sales dip in the first fiscal quarter of 2016, it’s clear the attacks are going to continue, according to Grayson Milbourne, security intelligence director at the security company Webroot.
“We’ve seen attacks on Apple growing over the past few years, particularly in adware and apps that change your browser’s settings, but it’s all been much less severe than something like ransomware,” Milbourne said. “It’s really just following what people are doing online and how they’re accessing the Internet.”
Two years ago, the monthly average of infected Mac computers varied between 10,000 and 70,000 machines, according to the security firm Symantec. Research published last year by the cybersecurity company Bit9 declared that, in 2015 alone, “The number of OS X malware samples has been five times greater than in 2010, 2011, 2012, 2013 and 2014 combined.” That number is expected to rise drastically in 2016, according to Symantec and other security vendors.
Apple has yet to employ a number of the security strategies Microsoft has had no choice but to explore as the proprietor of 91.39 percent of the operating systems in use in the world. With the launch of Windows 10 last summer, the company offered a $100,000 bug bounty to anyone who found a security vulnerability and reported it through the proper channels.
Microsoft also has a history of reaching out to hackers who previously made life difficult for the corporation. In 2006, Microsoft hired members of the Polish hacking group Last Stage of Delirium, which had exploited a hole in the Windows Remote Procedure Call interface and laid the groundwork for the Blaster worm, a program that used Microsoft sites to launch cyberattacks.
Such tactics could have detected issues in Gatekeeper and the certificate verification process before the security measures were released publicly.
“If you want to get better at what you do, especially when it comes to security, you need to make sure you plug as many holes as possible,” said Liviu Arsene, senior threat analyst at Bitdefender, a Romanian cybersecurity company that unveiled research on the ransomware affecting Mac computers. “The cost of actually having a breach is much higher than the cost to your company under a bug bounty.”
Neither of those efforts would have prevented the ransomware from hitting Windows users. Windows computers, widely used by individuals as well as employers, remain a tempting target for ransomware attackers who stand to make millions by separating users from their data.
Along with Gatekeeper, Apple computers also employ the technique known as sandboxing, which limits the amount of information apps can access on a user's computer. Users are warned that a file downloaded from an unknown third party could contain malware. Apple's Safari browser also employs a robust anti-phishing algorithm that warns users before they visit websites containing potentially harmful material.
"A lot of Apple's security mitigations rest on Gatekeeper," said Patrick Wardle. "They're just not as proactive as Microsoft, with the bug bounty and consulting with external hackers ... but they're making a ton of money, so why would they spend a ton of money on security when they don't really have to?"
Apple declined to comment for this story.
Apple fans can at least relax in knowing the iPhone is, generally, safer than Android mobile devices. Along with passcode encryption and end-to-end encrypted iMessages, iPhones include security features that would need to be disabled in order to download a potentially malicious app. Meanwhile, ransomware attackers have disguised their malware as pornography apps and video players that have bilked countless downloaders out of hundreds of dollars apiece.
“So far there hasn’t been any ransomware for iPhones because you’d have to sideload an app onto the iPhone,” said Liviu Arsene. “Few people really jailbreak their phones.”