Last month, we in Texas had a major ice storm that knocked out power statewide. It caused a two-week delay in my neighbor (and friend) getting his new ISP service installed. I offered him my WiFi while he waited. I texted him the SSID and password. He thanked me and we went about our business.
A week later, he informed me that he believed his phone (an Android) had a keylogger on it. Someone had gone in and changed all the passwords to his apps. His phone was also sending messages to select contacts that were gibberish or random alphanumeric strings. I found that stunning, because for the two days preceding that conversation, I had been battling some kind of infection myself.
There were hundreds of 'symptoms,' but the clearest giveaway was when my internet began acting painfully slow. I UNPLUGGED the WiFi router to leave it that way long enough for it to reset, when I noticed something shocking. Despite the cord being disconnected from my router and, therefore, no power running to it, even for as long as ten minutes (no residual power), all my devices were still connected to the internet, via their WiFi interfaces, under the same SSID. I wiped my forehead in confusion. I tested the network connections by going to speediest.net to be sure, and yep, they were still online.
I plugged my WiFi router back in at least 20 times to monitor changes to the available SSIDs. If I had an active internet connection via my SSID but my router had no power, what SSID was my physical router broadcasting? The answer: a different SSID. Someone very nearby had, we believe, spyware on my friend's Android phone when I sent him the SSID and passcode. When I did, they got the message. They proceeded to log into my router, change its SSID to something else, then change their router to my former SSID with an identical passcode.
Of course, I, not knowing any better, unwittingly helped them out. I had my WiFi receiver set to automatically connect to my local network. If it spotted my SSID and the passcode worked, it connected. I also did not have a VPN. So, without me knowing, as soon as they made the switch, my computer logged onto their router. My MacBook Pro running Big Sur was prey.
There were a lot of other things happening. If I tried to install an OS update or reinstall the OS from scratch, it would look like it was going through the maneuvers. But the loading screen sliders would roll on by, at hyper fast speed, and when logged back in, nothing would have changed. If I tried to format the hard drive, all the volumes would give me errors. The same would be true when trying to repair the volumes, mount or unmount them, etc. Safe boot was somehow disabled. Hidden volumes were mounted that I could only see from single-user mode. It was nuts.
Moreover, the same behavior existed with my Apple TV. Menu options, such as to 'update and reset', disappeared. The option to deny analytics to Apple disappeared, with or without the beta updates option checked. Passwords were set on my AirPlay that I did not set. The Apple TV's network name was broadcasting twice, on one occasion three times. The list is lengthy.
I spoke to my buddy who, until he went to work for himself recently, was an Apple employee. He finally confirmed that, while he did not know what it was exactly, it appeared that someone had installed a rootkit. So, I get to take my MacBook Pro, Apple TV, potentially even my iPhone -- anything connected to my WiFi during that period -- to the Apple store so they can see what was done to them and whether they can be salvaged. For now, he was able to erase my entire hard drive and reinstall from a thumb drive. (We installed, as I recall, Catalina on the system using the thumb drive, then upgraded to Big Sur via the App Store.)
I only wish that people would be a bit less dismissive when others, Apple savants or not, raise concerns that their Macs have been compromised. It does happen. There are more and more malicious programs for macOS being discovered every day. And, having just read someone's response to another OP telling them that macOS is a steel vault and antivirus software is both unnecessary and just wastes system resources, I felt compelled to share.
This, by the way, is probably a gross oversimplification of how it actually occurred. But the evidence suggests that this was a very simple SSID spoof 'attack.' I now require macOS to ask me to connect to all networks, have Micro Snitch installed, have a paid VPN, etc. Let's see what Apple says.
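The failure mode the post describes is a client that trusts an SSID and passphrase alone, so any radio advertising the same pair is accepted. The check below, an added example that is not part of the original post, pins the known-good BSSID (the access point's MAC address) for a home SSID and flags both a join to that SSID from an unpinned radio and a scan in which a second radio advertises it. The SSID, BSSIDs and scan records are constructed placeholders; feeding in live values from the OS is left to the reader.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str    # MAC address of the radio, as the OS prints it
    channel: int


# Pinned once, at a moment you trust (e.g. right after a factory reset).
# Placeholder values: replace with your own router's SSID and BSSID.
TRUSTED = {"HomeNet": {"aa:bb:cc:11:22:33"}}


def check_current(ap: AccessPoint) -> Optional[str]:
    """Warn if the SSID we are joined to is served by a radio we did not pin."""
    pinned = TRUSTED.get(ap.ssid)
    if pinned is None:
        return None                      # not a network we pinned
    if ap.bssid.lower() in pinned:
        return None                      # our own router
    return (f"joined {ap.ssid!r} via unknown BSSID {ap.bssid} "
            f"(channel {ap.channel}); expected one of {sorted(pinned)}")


def check_scan(visible: List[AccessPoint]) -> List[str]:
    """Flag every pinned SSID that an unpinned radio is also advertising."""
    findings = []
    for ap in visible:
        pinned = TRUSTED.get(ap.ssid)
        if pinned and ap.bssid.lower() not in pinned:
            findings.append(f"second radio {ap.bssid} advertising "
                            f"{ap.ssid!r} on channel {ap.channel}")
    return findings


# Constructed sample: our router plus a second radio cloning its SSID.
SAMPLE_SCAN = [
    AccessPoint("HomeNet", "aa:bb:cc:11:22:33", 6),
    AccessPoint("HomeNet", "de:ad:be:ef:00:01", 11),
    AccessPoint("CoffeeShop", "00:11:22:33:44:55", 1),
]

if __name__ == "__main__":
    for finding in check_scan(SAMPLE_SCAN):
        print("WARNING:", finding)
    # Once the real router is unplugged, only the clone answers to "HomeNet".
    print(check_current(AccessPoint("HomeNet", "de:ad:be:ef:00:01", 11)))
```

When the genuine router is powered off, the pinned BSSID simply disappears from the scan and `check_current` still reports the join to the clone, which is the situation the post describes.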