Dear Geeks To Go,
What kind of attack allows someone to have almost real-time access to everything I'm doing on my Mac or iPhone, even after a format / factory reset? (I installed High Sierra from a bootable USB after erasing the HDD and factory reset the iPhone.) I have had a VPN installed, the firewall enabled (Stealth Mode from the start), no location services allowed etc., and AVG antivirus running nonstop since the fresh install.
Steps taken in the last month (MacBook Pro):
- Used chkrootkit and Rootkit Hunter to search for rootkits (pretty sure the log is all clear for both) - none found
- Installed AVG and did a full system scan (nothing found). Same for Avast (nothing found)
- Created a USB installer of macOS High Sierra and did a fresh install after fully wiping ('erase') the Mac's SSD (about 3 weeks ago now)
- Turned on the firewall and fully encrypted the HDD (FileVault 2) straight away, along with other key security 'lockdowns' such as not allowing Siri and turning off location services
- Enabled 'Stealth Mode' and 'block all incoming connections' within the firewall options straight away
- Installed AVG antivirus and the VPN straight away, before the first connection to ANY network (I used my campus Wi-Fi, with its WPA2-protected login, to do the macOS updates straight after the fresh install)
- The only internet access is via my tethered iPhone running the latest iOS (12.1), with the iPhone app version of the VPN running the OpenVPN protocol over UDP (the same protocol was used on the Mac at the earliest opportunity, straight after the clean install)
Steps taken (iPhone):
- Factory reset at about the same time as the High Sierra clean install (only connected the phone to the freshly installed macOS after the factory reset)
- Performed all the key security lockdowns recommended, such as disabling location services / system services / USB accessories
- Installed the VPN app and the Avast virus scanner almost immediately after the factory reset
Even after all these measures nothing's changed, and I know the remote viewing is still occurring, almost in real time. The closest explanation I have thus far been able to research was the Apple MDM bug reported at a hacker conference per here, but this was patched in the version of High Sierra I used to do the fresh install (10.13.6), so it can't be this, but it may be something similar?
The only things I can think I might have missed (and you may be able to think of many more, given that I'm not a network security expert) are the following possible oversights since the fresh install, in spite of all the corrective action already mentioned above:
- One time I didn't have the VPN on for an hour or so whilst I was tethering at home (internet via iPhone, USB only btw)
- I had not marked the 'Ask to Join Networks' button in the Wi-Fi options tab of my iPhone until a few days ago, per this. Apparently this means that with Wi-Fi turned on, as soon as this network (or an imitation network of the same name) was available it would attempt to join, which could become relevant if they were using a Wi-Fi Pineapple. Apparently these imitate the Wi-Fi network, taking advantage of the automated 'join when network available' option that all iPhones have enabled by default, and which I had left unchecked for a couple of weeks until I read that article.
- I have had my iPhone and MacBook Wi-Fi turned on at campus, using the campus Wi-Fi (WPA2), on a few occasions since the fresh install, with that 'ask to join network' functionality left as is on the iPhone (unchecked), and once I did find I had left the iPhone Wi-Fi turned on after arriving home, where the hackers (they live nearby) could have used some kind of Pineapple-like attack. Having said all this, I do recall that when connecting to that campus Wi-Fi for the first time after the fresh install I authorised some kind of certificate, so wouldn't that prevent a Pineapple-like attack? Particularly given the possibility that they were in/around the campus and connected to the university Wi-Fi network at the same time I was doing the fresh install of High Sierra and the subsequent Wi-Fi connection to get it fully updated.
- I have reused the same computer account login password as before the format/fresh install of High Sierra
What is the likelihood that I'm the victim of a Pineapple (hotspot honeypot) attack as described above? Would it fit with the observation that they know when I'm turning my iPhone on, before iOS has even loaded to the passcode screen?
If they have the physical addresses of the phone and Mac from an earlier breach whilst I was running the older OS X El Capitan, does the fact that I'm using the same user account login mean there's the potential for them to run Terminal commands remotely and thus turn off those firewall etc. settings I put on after the clean install? Would something as simple as changing the user account password at least protect my Mac, given the above? (I'm guessing not.) Can High Sierra be rooted and have the firewall etc. turned off via Terminal commands issued remotely, which I notice always seem to require the account password to execute?
One quick additional query: is OpenVPN over UDP a solid VPN protocol to be using for my iPhone and Mac?
Thanks in advance for your help. I'm looking forward to getting my privacy back as this has been ongoing for a number of months now and quite possibly a lot longer than I've been aware of..
Attached is the Activity Monitor log, if this is of any help. I don't see anything untoward, but then I'm not a Jedi-level geek as yet.... You will also see I've been running Little Snitch, and for a brief while I even tried Wireshark, but the latter has really been difficult to use. I have seen a few denied incoming connections in Little Snitch, but they've always been associated with ExpressVPNd (my VPN, used constantly since the fresh install).
Edited by Trespassed, 27 November 2018 - 10:06 PM.
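The hardening checklist in the post above (application firewall on, 'block all incoming connections', Stealth Mode, FileVault) can be re-verified from a shell rather than from the System Preferences panes, which also answers part of the question about whether a remotely issued command could have silently switched those settings off. The script below is an added example, not part of the original post or of any reply to it. It assumes the output strings that socketfilterfw, fdesetup, csrutil and systemsetup print on High Sierra (e.g. "Firewall is enabled", "Stealth mode enabled", "FileVault is On", "status: enabled", "Remote Login: Off"); verify them against your own machine before trusting a FAIL. It adds two checks the post does not mention, System Integrity Protection and Remote Login (SSH), because both bear directly on what a remote command could change.

```sh
#!/bin/sh
# macOS hardening audit (added example, not from the original post).
# Re-checks the settings listed in the post plus SIP and Remote Login.
# Expected output strings are assumptions about High Sierra's tools.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Parsers: each reads one tool's output on stdin and succeeds only when the
# setting is in the hardened state. They are kept separate from the live
# commands so they can be exercised with constructed output on any platform.
firewall_enabled()  { grep -q  'Firewall is enabled'; }    # --getglobalstate
block_all_enabled() { grep -qi 'enabled'; }                # --getblockall ("DISABLED" does not match)
stealth_enabled()   { grep -q  'Stealth mode enabled'; }   # --getstealthmode
filevault_on()      { grep -q  'FileVault is On'; }        # fdesetup status
sip_enabled()       { grep -q  'status: enabled'; }        # csrutil status
remote_login_off()  { grep -q  'Remote Login: Off'; }      # systemsetup -getremotelogin

# report NAME PARSER  (tool output on stdin): prints one line, returns 0 on ok, 1 on FAIL
report() {
    name=$1; parser=$2
    if "$parser"; then
        printf '%-24s ok\n' "$name"; return 0
    else
        printf '%-24s FAIL\n' "$name"; return 1
    fi
}

# Live audit. Run with sudo (systemsetup needs root). Returns the number of
# checks that failed, so a non-zero exit means something is not as set.
audit_mac() {
    fails=0
    "$SFW" --getglobalstate     | report 'application firewall' firewall_enabled  || fails=$((fails+1))
    "$SFW" --getblockall        | report 'block all incoming'   block_all_enabled || fails=$((fails+1))
    "$SFW" --getstealthmode     | report 'stealth mode'         stealth_enabled   || fails=$((fails+1))
    fdesetup status             | report 'FileVault'            filevault_on      || fails=$((fails+1))
    csrutil status              | report 'SIP'                  sip_enabled       || fails=$((fails+1))
    systemsetup -getremotelogin 2>/dev/null \
                                | report 'remote login off'     remote_login_off  || fails=$((fails+1))
    return "$fails"
}

# Only run the live audit where the macOS firewall tool exists.
if [ -x "$SFW" ]; then
    audit_mac; rc=$?
    echo "$rc check(s) failed"
    exit "$rc"
fi
```

Usage: `sudo sh audit.sh`. A FAIL on any line means the setting differs from what was configured after the clean install; changing any of these requires root (an administrator password), which is the same boundary the post's question about remotely issued Terminal commands turns on.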