In 1999, Apple released a slew of new features with Mac OS 9, calling it "the best internet operating system ever". The idea was to unlock the full potential of the turquoise iMac G3—the Internet Mac!—released in 1998.
Joshua Hill found a modem configuration bug that has been in Apple operating systems for two decades. In those days, Apple did not have to worry much about security: few people were buying its computers, and attackers were mainly interested in machines that held valuable data. If any bugs were found, Apple fans repeated the mantra that there "were no bugs in Apple gear and it was too secure to be hacked".
Hill told Wired the flaw was serious: an attacker could potentially have exploited it to gain persistent, remote root access to any Mac, meaning full access and control. Since 2016's macOS Sierra it has been harder (though still not technically impossible) to exploit in practice.
Hill said: "But it is an extremely fun bug to work on. I had been playing with some of this stuff when I was a very young kid—my very first hack when I was 12 years old. I used some of my old tricks to find which places would be vulnerable basically."
The original version of the attack simply took advantage of a service Apple used to offer called Remote Access. Essentially, you could call up your computer from a phone or another PC and control it remotely without even needing to enter a username or password. Ah, the '90s. Hill and a friend - the one who swapped a modem for the Han Solo trading card - would go to each other's houses nearly every day because they were the only two kids at their school in Lexington, Kentucky, who had Macs. Hill realised that he could use Remote Access to secretly connect their two computers, and would then be able to call into his friend's machine from afar and "have some fun".
Hill got his chance to perform the physical access attack while his friend was in the shower. The next day, he pretended to be sick, so he could stay home while his buddy was at school, and both sets of parents were at work. "I dialled in and I added a couple of additions to the novel he had been writing", Hill said.
Remote Access does not run in macOS. But Hill remembered his first hack, and in 2017, while studying macOS and iOS's VPN protocols, he discovered an ancient bug that could replicate something similar.
The exploit centres on a sort of universal translator Apple created for modems known as the CCLEngine (CCL stands for Connection Control Language, the scripting language of Apple's modem scripts), which interprets those scripts and orchestrates data links between two computers. Hill realised that he could remotely bypass the CCLEngine's authentication requirements for initiating a remote connection between computers using a common type of attack known as a buffer overflow. A buffer is a fixed-size region of memory that software sets aside to hold incoming data. If the program copies more data into the buffer than it was sized for, the excess "overflows" into whatever happens to sit next to it in memory; an attacker who controls that data can overwrite neighbouring variables or control data and often gains more control of the program in the process.
From there, Hill could access a communication socket with privileges to read, write, and execute code on the system.
"It’s extremely awfully written", Hill says. He realised an attacker could send a specially crafted packet to the socket that would trick it into establishing a remote connection with root system access instead of as a normal user. Finally, Hill found a way to maintain this control persistently by setting the automatic network configuration tools to relaunch every 10 seconds and check that the remote connection was still active. In this way, even if the attacker's root channel crashed or failed, it would quickly re-establish itself.
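As an added illustration (this is not CCLEngine code and not Hill's exploit), the C program below shows the general pattern the paragraphs above describe: a length field taken from the wire is copied into a fixed-size buffer with no check against the buffer's size, the excess bytes land in the privilege flag that sits next to the buffer in memory, and the same request, handled by a bounds-checked copy, is rejected instead. The wire format (one length byte followed by a peer name), the `struct session` layout and the packet bytes are hypothetical constructions for the demo; the overflow is deliberately kept inside the struct so the result is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical session record in the shape an overflow exploits: a
   fixed-size buffer immediately followed by a privilege flag. */
struct session {
    char peer_name[16];   /* fixed-size buffer for the peer's name */
    int  is_root;         /* privilege flag sitting right after it */
};
/* The demo assumes is_root directly follows peer_name with no padding;
   the compiler checks that assumption rather than leaving it to luck. */
_Static_assert(offsetof(struct session, is_root) == 16, "is_root must follow peer_name");
_Static_assert(sizeof(struct session) == 20, "unexpected padding in struct session");

/* Vulnerable handler for the hypothetical wire format: byte 0 is the name
   length, the rest is the name. Returns the resulting privilege flag, or
   -1 if the packet is rejected. */
int handle_vulnerable(const unsigned char *pkt, size_t pkt_len, struct session *s)
{
    if (pkt_len < 1) return -1;
    size_t name_len = pkt[0];                /* attacker-controlled length */
    if (pkt_len - 1 < name_len) return -1;   /* packet must carry that many bytes */
    memset(s, 0, sizeof *s);                 /* fresh, unprivileged session */
    /* BUG: name_len is never compared with sizeof s->peer_name, so a name
       longer than 16 bytes runs straight into is_root. */
    memcpy(s->peer_name, pkt + 1, name_len);
    return s->is_root;
}

/* Hardened handler: identical except that oversized names are rejected
   before anything is copied, and the name is NUL-terminated. */
int handle_hardened(const unsigned char *pkt, size_t pkt_len, struct session *s)
{
    if (pkt_len < 1) return -1;
    size_t name_len = pkt[0];
    if (pkt_len - 1 < name_len) return -1;
    if (name_len >= sizeof s->peer_name) return -1;  /* FIX: leave room for the NUL */
    memset(s, 0, sizeof *s);
    memcpy(s->peer_name, pkt + 1, name_len);
    s->peer_name[name_len] = '\0';
    return s->is_root;
}

/* Constructed packets (not captured traffic). The attack packet carries a
   20-byte "name": 16 filler bytes fill peer_name exactly and the next four
   land in is_root. 0x01 in every byte gives a non-zero flag on any
   endianness (0x01010101 = 16843009). */
static const unsigned char BENIGN_PKT[] = { 5, 'a', 'l', 'i', 'c', 'e' };
static const unsigned char ATTACK_PKT[] = { 20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x01, 0x01, 0x01 };

/* Wrappers so each outcome can be checked by name. */
int vulnerable_benign(void)   { struct session s; return handle_vulnerable(BENIGN_PKT, sizeof BENIGN_PKT, &s); }
int vulnerable_attacked(void) { struct session s; return handle_vulnerable(ATTACK_PKT, sizeof ATTACK_PKT, &s); }
int hardened_benign(void)     { struct session s; return handle_hardened(BENIGN_PKT, sizeof BENIGN_PKT, &s); }
int hardened_attacked(void)   { struct session s; return handle_hardened(ATTACK_PKT, sizeof ATTACK_PKT, &s); }

int main(void)
{
    printf("vulnerable, benign request: is_root=%d\n", vulnerable_benign());
    printf("vulnerable, attack request: is_root=%d\n", vulnerable_attacked());
    printf("hardened,   benign request: is_root=%d\n", hardened_benign());
    printf("hardened,   attack request: %d (rejected)\n", hardened_attacked());
    return 0;
}
```

The vulnerable handler accepts the benign request with `is_root` still 0 but comes back from the attack packet with a non-zero flag, which is the "connection with root system access instead of as a normal user" outcome in miniature; the hardened handler returns -1 for the same bytes. A real overflow would not stop politely at the end of the struct: a longer name would keep writing into the rest of the stack frame, which is exactly what stack canaries, non-executable stacks and address-space randomisation exist to catch, and why the article describes the bug as harder to exploit on newer macOS.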