
NaughtyMag: Making Macbook Blink Its Data Away


Title: NaughtyMag: Making Macbook Blink Its Data Away
Presenter: Adhokshaj Mishra
Event: BreachForce CyberSecurity Cohort
Talk Date: 21st June 2025

Key Takeaways: How attackers can turn your MacBook's tiny charging light into a data-leaking device.


BreachForce

July 15, 2025


Transcript

  1. NAUGHTYMAG: MAKING AIR-GAPPED MACBOOK 😉 ITS DATA AWAY
     Adhokshaj Mishra, Staff Detection Engineer - Linux Agent, CWS DBT, SentinelOne Inc.
     July 05, 2025 (Ashadha Shukla Dashami, Shaka Samvat 1947), Chaos Club Hyderabad, Bhagyanagar, India
  2. Agenda
     1. Who am I?
     2. Introduction
     3. The MagSafe
     4. Controlling MagSafe LED
     5. Making a side channel
     6. Improvements and countermeasures
  3. Who am I? (1)
     • Detection fella by day, malware fella by night
     • Known for giving existential crisis
     • Guilty pleasure: setting things on fire
     • Life motto: let there be malware
     • Current gig: Staff Detection Engineer - Linux Agent, SentinelOne Inc.
     • Let us connect: LinkedIn: adhokshajmishra
  4. Disclaimer
     The technique(s) presented hereafter are offensive in nature, and are generally considered a criminal offense if practiced without proper authorization in place. It is presented here for educational purpose only. In other words, if you come to me saying that you are neck-deep in mess due to these techniques, I won't feel responsible at all. You have been warned.
  5. Introduction (2): Inspiration
     • Side channels are cool
       • Social brownie points!
     • Side channels are a little bit tricky to pull off
       • More brownie points!
     • Some software can control LED status
       • Battery management software
       • Stop charging at 80%
       • And make LED green
  6. The MagSafe (3): Connector Pinout
     • Ground
     • Power (Vcc)
     • Adapter Sense / 1-Wire Protocol
     • Power (Vcc)
     • Ground
  7. The MagSafe (3): 1-Wire Protocol
     • Used to collect information about connected charger
       • Family
       • Wattage
       • Serial number
       • Etc.
  8. The MagSafe (3): 1-Wire Protocol
     • Used to control dual LEDs present on MagSafe connector
     • DS2413: 1-wire dual channel addressable switch
       • Can take command over 1-wire from MacBook
       • Can switch LEDs on / off
  9. The MagSafe (3): Charger startup
     • Charger provides a very low current at power pins (@ ~3V DC)
     • Mac applies resistive load, and pulls power input voltage further down (~1.5V - 1.7V)
     • Charger detects power input voltage has been pulled low
     • After ~1 second, charger switches to full voltage (14V - 20V)
     • Mac detects full voltage
     • Mac reads charger ID using 1-wire protocol
     • Mac switches to using input power, instead of battery (if it is happy with ID)
     • Mac switches on appropriate LEDs
 10. The MagSafe (3): Software side of things
     • There is no direct API to control LED
     • But
       • LED is controllable via SMC
       • IOKit can talk to SMC
     • Therefore, we can still control the LED
       • As long as we know correct key, and value
 11. Controlling MagSafe LED (4): Writing the desired values
     Prepare the data to be written:

         SMCVal_t writeVal;                       /* key name, data size and bytes to write */
         SMCKeyData_t inputStructure, outputStructure;
         size_t structureOutputSize;
         memset(&inputStructure, 0, sizeof(SMCKeyData_t));
         memset(&outputStructure, 0, sizeof(SMCKeyData_t));

 12. Controlling MagSafe LED (4): Writing the desired values
     Prepare the data to be written:

         /* pack the four-character key (e.g. "ACLC") into the 32-bit key field */
         inputStructure.key = _strtoul(writeVal.key, 4, 16);
         /* SMC command selector: write raw bytes to the key */
         inputStructure.data8 = SMC_CMD_WRITE_BYTES;
         inputStructure.keyInfo.dataSize = writeVal.dataSize;
         /* payload: the value from the table on the next slide */
         memcpy(inputStructure.bytes, writeVal.bytes, sizeof(writeVal.bytes));
 13. Controlling MagSafe LED (4): SMC Data

     Key   Value  LED State
     ACLC  00     Restore to system control
     ACLC  01     Off
     ACLC  03     Green
     ACLC  04     Orange
     ACLC  06     Slow blinking orange
     ACLC  07     Fast blinking orange
     ACLC  25     Blinks orange, then LED goes off
 14. Making A Side Channel (5): Constraints
     • All we have is a lousy LED
     • For sake of easy filtering in video, we can't really use LED off state
     • We have to encode the data in a chain of changing LED colors
 15. Making A Side Channel (5): The naive method
     • Since we have two distinct colors, we can use them to encode 0s and 1s
     • And transmit data in binary stream
     • Problem: what happens when there are multiple 0s or 1s in succession?
       • Cannot rely on accurate frame counting / time lapse etc.
       • Not usable except in ideal conditions, for a very small duration
 16. Making A Side Channel (5): We can do better!
     • Instead of encoding bits in color state, we can encode them using change in color state
       • 0: orange to green
       • 1: green to orange
     • Each color state can have same tick length
       • At worst, we will have same color spanning two ticks
       • That can be dealt with, because we will also have repeating instances of color spanning one tick
     • Problem solved?
 17. Making A Side Channel (5): We can do better!
     • Problem: way too slow
     • Solution: morse code
       • Only two symbols
         • Dot
         • Dash
       • More compact than sending bit stream
 18. Making A Side Channel (5): Morse code
     • Encoding
       • Green: 0
       • Orange: 1
       • Dot: 10
       • Dash: 110
       • Space: 00 (optional)
 19. Making A Side Channel (5): Leaking data
     • Sample data: hello world
     • Convert into morse code:
       .... . .-.. .-.. --- / .-- --- .-. .-.. -..
     • Convert morse code into color coding sequence:
       10101010001000101101010001011010100011011011000101101100011011011000101101000101101010001101010
     • Blink LEDs as per 1s and 0s
     • Record the blinking from a video camera
 20. Making A Side Channel (5): Recovering data from video
     • The way color encoding is done, orange cannot have duration longer than two time ticks
       • Option 1: 10 -> duration is 1 tick
       • Option 2: 110 -> duration is 2 ticks
     • Sanity check
       • Get the longest tick of orange
       • Get the shortest tick of orange
       • The ratio for the above two should be very close to 2:1
       • Because frames can be dropped
 21. Making A Side Channel (5): Recovering data from video
     • Find the "beginning of transmission" marker
     • Start reading durations of LED colors by counting frames for each color
     • Convert color + duration combinations into chain of 1 and 0
     • Convert the above sequence in the following order:
       • 110 -> - (dash)
       • 10 -> . (dot)
       • 00 -> (space)
     • Decode the morse code
 22. ....00.00.-..00.-..00---00.--00---00.-.00.-..00-..
 24. .... . .-.. .-.. --- .-- --- .-. .-.. -..
 25. .... . .-.. .-.. --- .-- --- .-. .-.. -..
     H    E L    L    O   W   O   R   L    D
 26. Improvements (6): General improvements
     • In practice, synchronization and error correction both should be used
     • For synchronization, use a sequence which is NOT a valid data encoding
       • Use one sequence as beginning marker
       • Use second sequence as ending marker
     • Use any suitable scheme for error correction
 27. Improvements (6): Making It Sneakier
     • If MagSafe connector (with the cable maybe?) can be replaced
       • There is no need to blink LED
       • Connector can recognize marker sequences (self-synchronization codes)
       • Connector can leak the data over non-visible electro-magnetic spectrum
     • More powerful transmitter can be put inside a rogue charging brick
       • Active only when transmission is supposed to happen
       • Synchronization signals can be transmitted by rogue MagSafe connector, over specially crafted rogue cable
 28. Countermeasures (7): Detection
     • Detections are very specific to side channel being targeted
       • Unless we know about some particular channel, randomly trying to detect something is not going to work
       • General observation: is <device> behaving funny?
     • Channels like these require software side component
       • Monitoring on end user devices
 29. Countermeasures (7): Prevention
     • Keep an eye on all your hardware
     • Keep an eye on supply chain
     • Keep an eye on what is being executed on devices (back to security monitoring)
     • Have policies to block execution of suspicious blobs
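As an added example (not code from the talk), the encoding of slides 18 and 19 and the recovery steps of slides 20, 21 and 26, in Python: it produces the slide's tick stream for "hello world", simulates a camera recording with a few frames per tick, and decodes the recording back to text. The begin/end marker values, the frames-per-tick count and the simulated recording are assumptions; the talk names none of them.

```python
import re

MORSE = {'h': '....', 'e': '.', 'l': '.-..', 'o': '---', 'w': '.--',
         'r': '.-.', 'd': '-..'}             # enough of the Morse table for the demo
SYMBOL_BITS = {'.': '10', '-': '110'}        # slide 18: dot = 10, dash = 110
LETTER_GAP = '00'                            # slide 18: space = 00
TOKEN_TEXT = {'10': '.', '110': '-', '00': ' '}
# Assumed markers (slide 26 only asks for sequences that are not valid data):
# a payload orange run never exceeds two ticks (slide 20), so four and six
# orange ticks are unambiguous; the trailing green tick keeps each marker from
# merging with the neighbouring payload run.
BEGIN, END = '11110', '1111110'


def encode(text):
    """Text -> tick stream, '1' = orange tick, '0' = green tick (slide 19)."""
    letters = [MORSE[c] for c in text if c != ' ']
    return LETTER_GAP.join(''.join(SYMBOL_BITS[s] for s in m) for m in letters)


def frames_for(bits, frames_per_tick=3):
    """Simulate the camera (constructed input): hold each tick for N frames."""
    return ''.join(('O' if b == '1' else 'G') * frames_per_tick for b in bits)


def decode_frames(frames):
    """Per-frame LED colours ('O'/'G') -> text, following slides 20 and 21."""
    runs = [(m.group()[0], len(m.group())) for m in re.finditer('O+|G+', frames)]
    tick = min(n for colour, n in runs if colour == 'O')   # shortest orange = 1 tick
    # Quantise each run to whole ticks so a dropped frame does not shift the bits.
    bits = ''.join(('1' if c == 'O' else '0') * max(1, round(n / tick))
                   for c, n in runs)
    start = bits.index(BEGIN) + len(BEGIN)        # "beginning of transmission"
    data = bits[start:bits.index(END, start)]
    # Slide 20 sanity check: the longest orange run in the payload is two ticks.
    if max((len(r) for r in re.findall('1+', data)), default=0) > 2:
        raise ValueError('orange run longer than 2 ticks: noise or bad tick estimate')
    # {10, 110, 00} is a prefix code, so the left-to-right parse is the only one.
    if not re.fullmatch('(110|10|00)*', data):
        raise ValueError('payload is not a valid dot/dash/space sequence')
    morse = ''.join(TOKEN_TEXT[t] for t in re.findall('110|10|00', data))
    inverse = {v: k for k, v in MORSE.items()}
    return ''.join(inverse[letter] for letter in morse.split(' '))


if __name__ == '__main__':
    recording = frames_for(BEGIN + encode('hello world') + END)
    print(encode('hello world'))
    print(decode_frames(recording))
```

Word gaps are not encoded separately (the slide's stream uses a single 00 between "hello" and "world"), so the decoder returns "helloworld", matching slide 25.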