March 17, 2017 by

White Hats Hack MacBook Pro’s Touch Bar

A pair of hackers at this year’s installment of the popular Pwn2Own hacking contest have succeeded in compromising a MacBook Pro’s Touch Bar, replacing the touch interface with a message of their own through an exploit chain that began in the Safari browser.

The Pwn2Own hacking contest showcases some of the best coders and hackers from around the world, and this year’s event, its tenth anniversary, was no different.

Last year, hackers at the conference succeeded in exploiting all four major browsers – Google Chrome, Apple’s Safari, Microsoft Internet Explorer and Mozilla Firefox.

This year’s highlight saw hackers pull off an exploit to take over the much-publicized Touch Bar on Apple’s MacBook Pro. For their prowess, the hackers were rewarded $28,000.

Samuel Groß and Niklas Baumstark were able to take advantage of a chain of logic bugs to exploit Safari. From there, the white hat hackers escalated to root control of the operating system on the MacBook Pro. A feat in and of itself, it stood to win the hackers a monetary reward and nine points in the competition. However, they then proceeded to do one better, enthralling those attending the event with a cheeky custom message on the Touch Bar.

The Zero Day Initiative website reveals a few details about the hack:

They employed a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate their privileges to root in macOS. Unfortunately, the UAF had already been corrected in the beta version of the browser, but this bug chain still netted them a partial win, garnering them $28,000 and 9 Master of Pwn points.

Meanwhile, the details of the exploit chain will be disclosed to Apple first, before the public or the rest of the cybersecurity community learns how the exploit and attack were implemented.

The first day of the Pwn2Own contest has already awarded $233,000 USD and 45 points to competing teams. Altogether, the day saw five successful attempts, one partial success, two failures and two withdrawn entries.

Image credit: Pixabay.
