Brand new MacBook Pro M1 hacked since day 1

So I'm one of those guys claiming my M1 is hacked. I'm a software engineer and I have not been able to use this machine since I bought it this fall. I have reinstalled it close to 20 times using different methods (simple recovery, full recovery from internal disk image, erase disk and install from USB). The link I'm about to share shows the output of lsof -i 4 hours after a fresh install of Ventura. There are 10 000 rows of things happening.


Look for yourself and tell me M1 security cannot be breached.


I wish I could share it here but I made the browser hang by trying to paste it.


[Link Edited by Moderator]



Posted on Mar 29, 2023 6:08 AM

Question marked as Top-ranking reply

Posted on Mar 30, 2023 8:14 PM

The ultimate reset for the 2018+ Macs is by performing a "Restore" of the firmware which resets the security enclave & firmware which erases the internal SSD destroying all data, plus pushes a clean copy onto the internal SSD. This requires access to another Mac running macOS 12.4+:

Revive or restore a Mac with Apple silicon using Apple Configurator - Apple Support


Do you have your Apple ID signed in? Are you using iCloud? That command is monitoring network activity...correct?


If you are migrating/restoring from a backup, then it may be software checking for updates or doing their own thing.


Unfortunately Apple removed your link. You can always paste some of the content into the "Additional Text" whose icon looks like a piece of paper on the forum editing window toolbar.
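Before reading 10 000 rows of lsof output as proof of compromise, it helps to collapse them into counts per process and per remote endpoint, which is what the questions about Apple ID and iCloud above are getting at. The script below is an added example, not code from the thread or from Apple: it takes `lsof -i` output on stdin (on a Mac, `sudo lsof -i -n -P` gives numeric hosts and ports with no DNS lookups) and prints three views of it. The sample rows, PIDs, addresses and device ids in SAMPLE_LSOF are constructed for the example; the process names are the kind one expects to see on a Mac signed into iCloud.

```shell
#!/bin/sh
# Triage helpers for `lsof -i` output: collapse thousands of socket rows into
# (process, remote endpoint) counts so the steady background traffic of
# iCloud and update daemons can be told apart from anything unexpected.
#
# SAMPLE_LSOF is a constructed stand-in for real output (PIDs, addresses and
# device ids are made up). On a Mac, pipe `sudo lsof -i -n -P` into the
# functions below instead of using the sample.
SAMPLE_LSOF='COMMAND       PID USER           FD   TYPE DEVICE SIZE/OFF NODE NAME
cloudd        620 alice          12u  IPv4 0xa01       0t0  TCP 192.168.1.20:52311->17.248.128.1:443 (ESTABLISHED)
cloudd        620 alice          13u  IPv4 0xa02       0t0  TCP 192.168.1.20:52312->17.248.128.1:443 (ESTABLISHED)
nsurlsessiond 700 alice           9u  IPv4 0xa03       0t0  TCP 192.168.1.20:52400->17.253.5.203:443 (ESTABLISHED)
rapportd      512 alice           4u  IPv4 0xa04       0t0  TCP *:49152 (LISTEN)
mDNSResponder 300 _mdnsresponder  8u  IPv4 0xa05       0t0  UDP *:5353
Safari        810 alice          25u  IPv4 0xa06       0t0  TCP 192.168.1.20:52500->93.184.216.34:443 (ESTABLISHED)'

# Sockets held per process (COMMAND column), busiest first. NR > 1 skips the header row.
sockets_per_process() {
  awk 'NR > 1 { n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# Established TCP connections grouped by process and remote host:port.
# lsof prints NAME as "local->remote" followed by the state in parentheses,
# so the endpoint is the second-to-last field and the state is the last one.
remotes_per_process() {
  awk 'NR > 1 && $NF == "(ESTABLISHED)" {
         ep = $(NF-1); sub(/.*->/, "", ep)   # keep only the remote side
         n[$1 " " ep]++
       }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Sockets accepting inbound connections: process and bound address.
listeners() {
  awk 'NR > 1 && $NF == "(LISTEN)" { print $1, $(NF-1) }' | sort
}

# Run all three views over one lsof capture passed as a single string.
summarize() {
  printf '== sockets per process ==\n'
  printf '%s\n' "$1" | sockets_per_process
  printf '\n== established connections, by process and remote ==\n'
  printf '%s\n' "$1" | remotes_per_process
  printf '\n== listening sockets ==\n'
  printf '%s\n' "$1" | listeners
}

summarize "$SAMPLE_LSOF"
```

On the constructed sample the second view reduces the rows to three (process, remote) pairs, two of them from Apple daemons talking to a single host each. On a real capture, processes that are not from Apple or from software you installed, or listeners you cannot account for, are the rows worth investigating; a long tail of cloudd and nsurlsessiond connections on a freshly signed-in Mac is not.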




3 replies

Mar 30, 2023 9:28 PM in response to Grant Bennet-Alder

Hey Grant, sorry I missed your reply. I believe I found two exploits that were used.


1) I found some ridiculous network config which allowed for gaining a login window by connecting to a virtual network interface which routed them to some strange APIs in UIService or IOService, I forget (discussed here https://discussions.apple.com/thread/5051003).


2) And then there's the USB firmware which I still suspect. Another person seems to have the same idea. Discussed in the link below, which I found when I searched for the driver name on Google. https://naehrdine.blogspot.com/2021/09/always-on-processor-magic-how-find-my.html


I found both exploits carved into the read-only recovery partition, so recovery just put them right back each time.


HWTech has the solution. Thanks!


