It is generally thought that a computer fresh from the factory is pretty much as secure as it gets, before software is installed and it is connected to the internet. However that might not be the case with Apple’s Mac computer as security researchers have discovered a bug that could allow Macs to be hacked even before the user logs in for the first time.
The bug was discovered by Jesse Endahl and Max Bélanger, the former being the chief security officer of Mac management firm Fleetsmith, and the latter who is a staff engineer at Dropbox. According to Endahl, “We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time. By the time they’re logging in, by the time they see the desktop, the computer is already compromised.”
This bug is said to take advantage of Apple’s Device Enrollment Program and the Mobile Device Management platform. These are tools that allows companies to customize a Mac from Apple that is then shipped directly to the company, but the flaw would allow hackers to put malware onto the computers remotely, meaning that the computer is already compromised even before the user takes it out of the box and turns it on.
The good news is that it appears that Apple has addressed the issue when they were notified by the researchers. The vulnerability was patched in macOS High Sierra 10.13.6, but devices shipped with an older build could still be vulnerable to it.