
I was working from Starbucks today on my MacBook Air running OS X 10.11.5, and a strange thing happened.

I was in Chrome and browsing the web, when a Bluetooth connection request popped up from an unknown device. I rejected the connection and continued on, assuming someone had simply accidentally requested to pair with the wrong device. A few minutes later, another pairing request came from the same device; I rejected it again, and then turned off Bluetooth. (I noticed that there were two trusted devices listed - an Apple keyboard and trackpad.)

I was working in Chrome and had several windows open, and within a few minutes it had completely bogged down and was beginning to lock up (somewhat unusual, but not entirely unprecedented, since it'll occasionally max out on RAM with lots of Chrome tabs open, but usually it's a far larger number).

I decided to reboot, so I closed out everything and hit restart. During reboot, it briefly showed some error messages and text over an image background. Unfortunately, I wasn't able to read much of the text before it moved on, but it mentioned the registry and listed out lots of memory locations like 0x01515125125 etc. I've never had any issues with it or seen the screen before. It did a quick cycle through and then presented me with the normal login screen.

It seemed very fishy to me at this point, so I loaded into the guest account. I was googling around to see if it's even possible to get hacked via an open Bluetooth connection, and then a box popped up saying 'Safari wants to use your "login" keychain', which I canceled (never seen before, but then again - I don't use Safari), and continued browsing. A few minutes later it popped up again and I was like "f it I'm out" and left. Booted my laptop on the way home, logged into my admin account and disabled Wi-Fi.

Am I being super paranoid here? Is it even possible to get a keylogger or malware like that this way? How could I verify?

Cameron Shaw
  • OS X does not have a "registry" (AFAIK, Windows is the only OS with such a thing). Perhaps you saw "registers"? Maybe check Google images to see if you can find a similar screen. Anyhow, there's not really much we can do but say: Maybe? These issues aren't terribly compelling and could be explained by any number of things though. – Alexander O'Mara Aug 25 '16 at 20:45
  • Yes, pardon me, it was registers actually. The screen looked similar to these: http://i.stack.imgur.com/hs0SJ.jpg http://i.stack.imgur.com/nI9zx.jpg – Cameron Shaw Aug 25 '16 at 20:57
  • Ok, so you had a kernel panic on reboot. Can't really draw any conclusions about it though. – Alexander O'Mara Aug 25 '16 at 20:59
  • Fair enough. Time to wait and see, I guess. I downloaded MalwareBytes for Mac from my desktop and transferred it via USB to the Mac and ran it. It found one "infection" called 'Spigot', but I suspect that's more of a PUP / adware. And most of the Google results for it are a few years old anyway. I logged my Google account out of Chrome and wiped browser cache, history, and stored passwords. Thanks for your help so far. Anything I could do or run to detect if there was any type of keylogger/rootkit/etc., short of sniffing all my IP traffic? – Cameron Shaw Aug 25 '16 at 21:04

2 Answers


This piqued my interest, so I wanted to do some research, and I found that these types of cases are relatively common. In cases like this, if your Security & Privacy settings are still set to default and Bluetooth is regularly used in conjunction with the Public folder, then yes, there's the potential that someone could gain access. But only to that Public folder.

Alternatively, it bears mentioning that Bluetooth devices, when discoverable, will search for all the other Bluetooth devices in range, which is about 20 - 30 feet. This doesn't necessarily mean that they're connected, but that the Mac can see the device for pairing.

There's an interesting paper that details tracking anonymized Bluetooth devices, but this is in keeping with an adversarial mindset, where the target is being actively monitored and tracked. They examined W10 devices as well as MacOS and iOS devices using the below criteria:

We passively record advertising events, while Bluetooth in macOS / iOS is enabled. Additionally, the Airdrop sharing feature is launched on the respective devices, and the resulting advertising events are recorded. We measure data generated by various up-to-date iPhones (iPhone 5s, iPhone 8, iPhone X, running iOS 11), two iPads (iPad, iPad Pro running iOS 12), and two Macs (iMac A1419 and Macbook Pro A1502 running macOS 10.13)

From a MITM perspective, there was a Bluetooth security flaw, which CERT issued a security warning for in 2018, that details "Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device."

The impact of which was, "An unauthenticated, remote attacker within range may be able to utilize a man-in-the-middle network position to determine the cryptographic keys used by the device. The attacker can then intercept and decrypt and/or forge and inject device messages."

Nevertheless, this was patched fairly quickly and, should a user be up-to-date, there would be little reason to be concerned. However, there are always means to harden security on a macOS device and, while it may defeat the purpose of some of the convenient, streamlined interoperability of Apple devices (e.g. Handoff, AirDrop, etc.), it decreases the potential of a malicious attack on the computer.

Regardless of the Apple Security Platform narrative, it bears keeping in mind that a reasonably security-oriented mindset is necessary when it comes to having a machine that connects to the internet or is capable of connecting to any other device. While it's arguably not feasible, the most secure PC is the one that never touches the internet. In this case, though, there isn't anything to really worry about.

Wildtaco
  • "Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters ... " Isn't that exactly the same as the very recent Windows 10 problem detected by the NSA? – gnasher729 Jan 18 '20 at 14:52
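The CERT advisory quoted in the answer above turns on a single missing check: before a Bluetooth stack feeds the peer's Diffie-Hellman public key into its scalar multiplication, it must verify that the key is actually a valid point on the agreed curve. The block below is an added example, not code from either answer, from any Bluetooth stack, or from Apple. It assumes nothing beyond Python 3.8+: it implements textbook (non-constant-time) P-256 arithmetic, the curve Bluetooth Secure Connections pairing uses for its key exchange, plus the full public-key validation routine from NIST SP 800-56A, and contrasts a validated ECDH with a naive one that goes straight to the arithmetic. The private scalars, the "tampered" peer key and all function names are constructed for the demonstration.

```python
# Added example: why an ECDH peer public key must be validated before use.
# Textbook affine P-256 arithmetic, not constant-time; illustration only.

# P-256 / secp256r1 domain parameters (FIPS 186-4). Bluetooth Secure
# Connections pairing runs its Diffie-Hellman exchange on this curve.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def is_on_curve(point):
    """True iff point is finite, in range, and satisfies y^2 = x^3 + Ax + B (mod P)."""
    if point is INF:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition/doubling. Deliberately has no curve-membership check:
    that is exactly the check the advisory says some stacks skipped."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add k*point. The formulas never consult B, so an off-curve
    input is processed as if it lay on some other curve, without any error."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def validate_public_key(q):
    """Full public-key validation (NIST SP 800-56A): Q is not infinity,
    x and y are integers in [0, P-1], Q is on the curve, and N*Q is infinity."""
    if q is INF:
        return False
    x, y = q
    if not (isinstance(x, int) and isinstance(y, int)):
        return False
    if not is_on_curve(q):
        return False
    return scalar_mult(N, q) is INF


def ecdh_shared_x(priv, peer_pub):
    """Validated ECDH: refuse to touch the key until it has been checked."""
    if not validate_public_key(peer_pub):
        raise ValueError("peer public key failed validation")
    return scalar_mult(priv, peer_pub)[0]


def naive_shared_x(priv, peer_pub):
    """The bug class in the advisory: straight to the arithmetic."""
    q = scalar_mult(priv, peer_pub)
    return None if q is INF else q[0]


# Constructed demo scalars; a real implementation draws these from a CSPRNG.
ALICE_PRIV = 0x1234_5678_9abc_def0_1357_9bdf_2468_ace0
BOB_PRIV = 0xfedc_ba98_7654_3210_0eca_8642_fdb9_7531


def demo():
    """Run the honest exchange, then a constructed off-curve peer key."""
    alice_pub = scalar_mult(ALICE_PRIV, G)
    bob_pub = scalar_mult(BOB_PRIV, G)
    shared_match = ecdh_shared_x(ALICE_PRIV, bob_pub) == ecdh_shared_x(BOB_PRIV, alice_pub)

    # Constructed tampered key: Bob's x with y bumped by one, which leaves the
    # curve for every y except (P-1)/2. No attack is performed with it; the
    # point is only that the naive path does not notice.
    tampered = (bob_pub[0], (bob_pub[1] + 1) % P)
    try:
        ecdh_shared_x(ALICE_PRIV, tampered)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "shared_match": shared_match,
        "tampered_on_curve": is_on_curve(tampered),
        "tampered_rejected": tampered_rejected,
        "naive_accepts_tampered": naive_shared_x(ALICE_PRIV, tampered) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The useful observation is the last two dictionary entries: the validated path raises before any secret-dependent arithmetic happens, while the naive path returns a perfectly plausible-looking shared value computed on a curve nobody agreed to. That is the gap the 2018 patches closed, and it is why the N*Q check is kept in the routine even though P-256 has cofactor 1: on the real curve it costs one extra multiplication, and it protects implementations that reuse this code for curves where the on-curve test alone is not enough.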

It could potentially have been an early variant of 'Blueborne' (there have been 8 identified so far). Perfect for a MITM attack in a cafe:

New Bluetooth Malware Affects Billions of Devices, Requires No Pairing

V-2
  • That would suggest a targeted attack, which is probably not the case here unless the author is a high-value target. – André Borie Oct 26 '17 at 13:59
  • According to the article, macOS is not one of the targeted OSs. Also, it states that no user interaction is required, so it would be odd that a pairing request would pop up if the whole point of it is that pairing isn't required. – saltthehash Oct 26 '17 at 14:18