January 15, 2016 | 1 Min. Read

Synack ♥s ShmooCon

Updated: Slides from “Gatekeeper Exposed” presentation at ShmooCon 2016


One of my all-time favorite hacker cons, ShmooCon, is fast approaching. Synack is honored to be speaking again for the second consecutive year!
In ‘Exposing Gatekeeper’, I’ll be presenting a full teardown of Gatekeeper. This anti-malware feature is baked directly into OS X and attempts to block the execution of untrusted code from the internet. Apple boldly claims that because of Gatekeeper, both trojans and tampered downloads are generically blocked. So hooray! Mac users are all secure…right?

Well – no 🙁 Even on a fully-patched OS X 10.11.2 system, Gatekeeper is trivial to bypass. So hackers can (re)start their trojan distributions while nation states can get back to MitM’ing HTTP downloads from the internet.

What’s that you say? Kaspersky Internet Security is really distributed over HTTP? Let’s MitM that, injecting some known (unsigned) OS X malware into an unsuspecting user’s download (best viewed in full-screen mode):

While I’ve discussed Gatekeeper before, this talk is a much deeper technical dive and contains a myriad of new information, such as patch analysis and details of the new bypass. Moreover, I’ll be releasing a personal tool that can generically thwart such attacks, protecting OS X users.

Looking forward to seeing you Sunday, January 17 at 12:00!