One way operating system developers try to protect a computer's secrets from probing hackers is with an appeal to the human at the keyboard. By giving the user a choice to “allow” or “deny” a program’s access to sensitive data or features, the operating system can create a checkpoint that halts malware while letting innocent applications through. But former NSA staffer and noted Mac hacker Patrick Wardle has spent the last year exploring a nagging problem: What if a piece of malware can reach out and click on that “allow” button just as easily as a human?

At the DefCon hacker conference Sunday in Las Vegas, Wardle plans to present a devious set of automated attacks he’s pulled off against macOS versions as recent as the 2017 release High Sierra, capable of so-called synthetic clicks that allow malware to breeze through the permission prompts meant to block it. The result could be malware that, once it has found a way onto a user's machine, can bypass layers of security to perform tricks like finding the user's location, stealing their contacts or, with his most surprising and critical technique, taking over the deepest core of the operating system, known as the kernel, to fully control the computer.

"The user interface is that single point of failure," says Wardle, who now works as a security researcher for Digita Security. "If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms."

Wardle's attacks, to be clear, don't offer a hacker an initial foothold on a computer; they only help a hacker's malware penetrate layers of security on an already infected machine. But Wardle argues they could nonetheless serve as powerful tools for sophisticated attackers trying to silently steal more data from, or gain deeper control of, a machine they’ve already penetrated with a malicious attachment in a phishing email or some other common technique.

Invisible Clicks

MacOS includes a feature that lets some programs, like AppleScript, generate “synthetic clicks”—mouse clicks that are generated by a program rather than a human finger—that allow features like automation and usability tools for the disabled. To keep malware from abusing those programmed clicks, however, it blocks them on some sensitive “allow” prompts.

But Wardle was surprised to discover that macOS fails to protect the prompts for things like extracting the user’s contacts, accessing their calendar, or reading the latitude and longitude of their machine, determined by which Wi-Fi networks it’s connected to. His malicious test code could simply click through prompts as easily as a human.

Wardle has also experimented with using synthetic clicks for far more serious hacking techniques. He had previously discovered that malware could also use an obscure macOS feature called "mouse keys," which allows the user to manipulate the mouse cursor with the keyboard, to perform synthetic clicks that bypass security prompts. In a talk he gave last March at the SyScan security conference in Singapore, Wardle pointed out that Apple had overlooked the mouse keys function, so that it wasn't blocked when it clicked through "allow" prompts on even highly sensitive features like accessing the macOS keychain, which contains users' passwords, and installing kernel extensions that can add code to the most powerful part of a Mac's operating system.

Apple responded by patching Wardle's mouse-key hack. But when he later tried testing ways to get around that patch, he stumbled into an even stranger bug. A synthetic click includes both a "down" command and an "up" command, which correspond to pressing the mouse button and then releasing it. But Wardle accidentally copied and pasted the wrong snippet of code, so that it performed two down commands instead. When he ran that code, the operating system mysteriously translated the second "down" into an "up," completing the click. And those "down-down" synthetic clicks, Wardle discovered, aren't actually blocked when used to click on an "allow" prompt for installing a kernel extension.

"It's this ridiculous bypass that I found by incorrectly pasting code," he says. "I tripped over it because I wanted to run out and surf and I was being lazy."