Client Story: Abusing Apple's Shared Password Feature to Gain Initial Access

In a recent engagement, several members of the Hoplite Red Team, composed of testers who simulate real-world attacks, set out to gain access to a client's internal network through physical social engineering at one of their retail facilities. 

The goal was to gain access to the client’s internal corporate network the way a real attacker would: by finding an open network port and plugging in a rogue device that would grant the Hoplite team remote, persistent access. However, the client's retail stores were locked down with strong, well-configured network access controls. None of the team’s bypass techniques allowed them to get in, but they didn’t stop there.

After browsing the store and failing to find a suitable network port, the testers creatively used a combination of social engineering and knowledge of the technology in the store to achieve their initial foothold on the corporate network. They quickly devised a strategy to access one of several desktop computers the employees regularly use within the stores.

With some convincing, the testers were able to persuade an employee to let them use the in-store desktop to shop for items on the client's online store. This gave them access to the iMac, which was also connected to the client’s internal network, and with it an initial foothold on that network.

The testers then saw an opportunity to use Apple's "Share a Wi-Fi Password" feature to gain persistent access to the client's internal network. They added their phone numbers to the iMac’s contact list, which allowed them to share the wireless network credentials to their own mobile devices, granting them access to the client's internal network from anywhere with a wireless signal. The team then decrypted the Wi-Fi password so that they could use the wireless network from more powerful testing devices. Once the team had access to the corporate network, they were able to elevate their access to domain admin through Kerberoasting on the internal network. This was worse news for the client than the initial breach, and indicated a critical weakness the client needed to proactively defend against.
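As an added, defender-side illustration of the Kerberoasting step mentioned above (this is not code from Hoplite or from the engagement): a small detector that scans Windows Security event 4769 (Kerberos service ticket request) records for one account requesting RC4-HMAC (encryption type 0x17) tickets for many distinct service principal names in a short window, the pattern Kerberoasting tools leave behind. The one-line event rendering, field names and sample values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a simplified one-line rendering of Windows
# Security event 4769, not real exported log output.
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 Account=jsmith@CORP.LOCAL Service=HOST/WS01 EncType=0x12
2024-05-01T09:00:05 EventID=4769 Account=jsmith@CORP.LOCAL Service=MSSQLSvc/db01:1433 EncType=0x17
2024-05-01T09:00:06 EventID=4769 Account=jsmith@CORP.LOCAL Service=HTTP/intranet EncType=0x17
2024-05-01T09:00:07 EventID=4769 Account=jsmith@CORP.LOCAL Service=CIFS/fs01 EncType=0x17
2024-05-01T09:00:08 EventID=4769 Account=jsmith@CORP.LOCAL Service=ldap/dc01 EncType=0x17
2024-05-01T09:00:09 EventID=4769 Account=jsmith@CORP.LOCAL Service=exchangeMDB/mail01 EncType=0x17
2024-05-01T09:30:00 EventID=4769 Account=bjones@CORP.LOCAL Service=MSSQLSvc/db01:1433 EncType=0x17
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=4769 Account=(?P<acct>\S+) "
    r"Service=(?P<svc>\S+) EncType=(?P<enc>0x[0-9a-fA-F]+)"
)

# Ticket encryption type 0x17 is RC4-HMAC; Kerberoasting tooling commonly
# requests it because RC4 tickets are the cheapest to crack offline.
RC4_HMAC = 0x17

def parse_events(text):
    """Parse the constructed 4769 lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "account": m["acct"],
            "service": m["svc"],
            "enc": int(m["enc"], 16),
        })
    return events

def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=4):
    """Return {account: sorted SPNs} for accounts that requested RC4 service
    tickets for at least min_services distinct SPNs within one window."""
    by_acct = defaultdict(list)
    for e in events:
        if e["enc"] == RC4_HMAC:
            by_acct[e["account"]].append(e)
    hits = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide the window over this account's requests
            services = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(services) >= min_services:
                hits[acct] = sorted(services)
                break
    return hits
```

A single RC4 request (bjones above) is not flagged; it is the burst of RC4 tickets across many SPNs from one account that is the useful signal.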

Prevention & More Information about Apple's Share Credentials Feature

While the "Share a Wi-Fi Password" feature is not technically a security flaw, there are a few ways to prevent abuse of this attack path.

  1. Segmenting the wireless network from the internal corporate network: While this may be the most difficult technical remediation item to achieve, a secure, tiered, and segmented network makes lateral movement and pivoting much more difficult for an attacker.

  2. Social engineering awareness: The Achilles heel of any organization. Social engineering awareness training for all employees is essential to creating a secure and mature security posture.

  3. Restricting access to the iMac's contact list: If adding contacts had been restricted to users holding the credentials for the in-store iMac, we couldn’t have shared the wireless password and the attack would have been limited to the single host we were using. (https://support.apple.com/guide/mac-help/control-access-to-your-contacts-on-mac-mh43711/mac)

It is also important for organizations to conduct regular security assessments, including this type of physical penetration testing and social engineering, to identify vulnerabilities in their security controls and improve their overall security posture. By doing so, enterprises can proactively address any weaknesses and reduce the risk of successful physical social engineering attacks.

Physical social engineering attacks can be a significant threat to organizations, especially those with retail facilities and other public-facing locations. The Hoplite team’s creative use of social engineering and abuse of Apple's "Share a Wi-Fi Password" feature highlights the importance of having strong, layered security controls and regularly conducting security assessments to identify and address vulnerabilities in an organization's security posture.

Glossary

There are a lot of technical concepts in here - as your technical translators, we’ve defined a few of them for you.

  • Kerberoasting is a technique used by attackers to extract and crack credentials of domain user accounts in a Microsoft Active Directory environment. This may allow them to elevate their access privileges and move laterally within the network.

  • Persistent access is a serious threat - it means attackers can keep their access to a network despite efforts to cut them off, such as changed credentials or system reboots.

  • Physical social engineering is the evaluation of an organization’s ability to prevent unauthorized users from gaining access to internal networks on its premises, or from obtaining access by asking an authorized user in person.
