Status
Not open for further replies.
I'm surprised it's taken this long for anyone to mention it, but, it's trivial to put a third party application onto a brand new Mac, out of the box, without user intervention.

All it takes is one reseller to mistype a serial number into Apple Business Manager and the machine will, on first boot, connect to someone's MDM service, pull down a configuration profile, and do its thing.

In the past, we've deployed systems that have been mistakenly attributed to other organisations' DEP instances, and our employees have been greeted by internal tools on the desktop for a company they don't work for. It's not unheard of, but it's certainly a lot more likely than a refurb system ending up in a new machine's box, or someone doing an interception of your friend's machine.

Sadly as the machine is now gone, there's no way to tell if that was the case, but I'd bet a dollar that was the cause.
I was fascinated to read your post, 'matdotcx'. o_O I had never heard of ABM or MDM service until today.

Can you think of any reason why anyone would wish a new computer to have ClamXav installed upon it?

Btw, the machine in question is NOT gone. It is owned, still, by 'Joe C' in South Carolina. Most folk think he should ask Apple to exchange it for a new one. Is it still possible to ascertain evidence of what transpired? Post #38 refers.

What are your views, please?
 
I was fascinated to read your post, 'matdotcx'. o_O I had never heard of ABM or MDM service until today.

Can you think of any reason why anyone would wish a new computer to have ClamXav installed upon it?

Btw, the machine in question is NOT gone. It is owned, still, by 'Joe C' in South Carolina. Most folk think he should ask Apple to exchange it for a new one. Is it still possible to ascertain evidence of what transpired?

What are your views, please?

Your OP said…

"The outcome was that it was returned to Apple for a full refund."

If that's not the case, then the easiest way to tell would be to ask Apple if it were ever enrolled into the Device Enrolment Program; they should only need the serial number.

There's no easy way for an end user like Joe to know the machine's status for sure, as even when the machine is in Apple Business Manager, it may not be assigned to an MDM service, and will for all intents and purposes, look stock.

If the machine was in DEP (now called ABM) at any point, they should know, and see the provisioning for it through the portal. The likelihood of AppleCare's consumer arm being able to tell you however, is slim; this is usually handled by AppleCare Enterprise and most of the consumer folk won't have the context to puzzle it out, because it's not something they'd use - can't really blame them.

On the off-chance that the machine is still enrolled, and still has live profiles, then they can be seen (and sometimes removed) by looking in System Preferences, and looking for the "Profiles" PrefPane.



Additionally;

Can you think of any reason why anyone would wish a new computer to have ClamXav installed upon it?

It's super common in most organisations for a computer to have some sort of AV product. In many cases it's required for compliance reasons. While ClamX isn't a super common one outside of non-profit or the open source community, it's still a totally reasonable tool to see.
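
A command-line counterpart to the Profiles pane check described in the post above, as an added example that is not part of the thread or written by any poster. It assumes the "label: value" lines that `profiles status -type enrollment` prints on recent macOS; the sample texts and the `mdm.example.invalid` host are constructed.

```shell
#!/bin/sh
# Added example: interpret the output of `profiles status -type enrollment`.
# Assumed output shape (compare with what your own Mac prints):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved)|No
#   MDM server: <url>            (present only when enrolled)

# field <label> <text>: print the value after "<label>: " on its first line.
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# classify_enrollment <text>: print one verdict word for the status text.
classify_enrollment() {
    dep=$(field 'Enrolled via DEP' "$1")
    mdm=$(field 'MDM enrollment' "$1")
    case "$dep/$mdm" in
        Yes/Yes*) echo automated-enrollment ;;  # assigned through ABM/DEP at setup
        No/Yes*)  echo manual-enrollment ;;     # MDM profile installed by hand
        No/No*)   echo no-local-enrollment ;;   # nothing on this machine right now
        *)        echo unrecognised ;;          # output did not match the assumption
    esac
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_MANAGED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm/ServerURL'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_STOCK='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, classify the live output; elsewhere this section is skipped.
if command -v profiles >/dev/null 2>&1; then
    out=$(profiles status -type enrollment 2>&1) || true
    echo "verdict:    $(classify_enrollment "$out")"
    echo "MDM server: $(field 'MDM server' "$out")"
fi
```

A verdict of no-local-enrollment only describes the machine as it is now; as the post says, a serial can sit in Apple Business Manager without an MDM assignment, so Apple remains the authority on past enrollment.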
 
It's super common in most organisations for a computer to have some sort of AV product. In many cases it's required for compliance reasons. While ClamX isn't a super common one outside of non-profit or the open source community, it's still a totally reasonable tool to see.
Thank you once again for your very comprehensive post. I'm afraid I don't understand what is meant by "outside of non-profit or the open source community" - would you please clarify for this old fella who is simply a 'home user', not a computer buff?

Did you mean to say "it's still a totally reasonable tool to use?"
 
Sure thing - ClamX is mostly used in organisations that are small or non-profit because it's both easy to use, and dirt cheap.

It's also strictly an antivirus product, and won't do advanced things like DLP, or data loss protection. That's when your AV product would keep an eye out to see if your employees are doing things like, copying vast amounts of data to external drives, say. This is why in most for-profit places that use Macs (say, like, Meta, VMware, Microsoft, etc) you'll see AV products like McAfee, SentinelOne, Carbon Black EDR, and others.

Just different levels of tools for different use-cases, really. ClamX does one or two things well, and is cheap, and easy to use, but it's suitable for MegaCorp Conglomerates with tens of thousands of users and systems.
 
I'm surprised it's taken this long for anyone to mention it, but, it's trivial to put a third party application onto a brand new Mac, out of the box, without user intervention.

All it takes is one reseller to mistype a serial number into Apple Business Manager and the machine will, on first boot, connect to someone's MDM service, pull down a configuration profile, and do its thing.

In the past, we've deployed systems that have been mistakenly attributed to other organisations' DEP instances, and our employees have been greeted by internal tools on the desktop for a company they don't work for. It's not unheard of, but it's certainly a lot more likely than a refurb system ending up in a new machine's box, or someone doing an interception of your friend's machine.

Sadly as the machine is now gone, there's no way to tell if that was the case, but I'd bet a dollar that was the cause.

Well that is interesting. How do you check for that? Or say you buy a “new” Mac off of eBay. How would you know/control this behavior?

Edit: Just saw your post above, answering this question. Please ignore me.
 
The only thing that makes sense to me, is somehow, somewhere a returned device got incorrectly added to new stock. But even that doesn't make very much sense, since how could the software be on there if you were creating a brand new user account.
Because occasionally Apple is adding returned products back to new stock. I spoke to Apple years ago about this when I was providing full industry solutions including Apple hardware. Every now and then, maybe due to low stock, production issues, wrong orders, etc. returned end user-hardware will find its way to regular new stock and being sold as such. Normally this should be wiped, sometimes it isn't. In any case it's wrapped again. I've even had the cases where I received MBPs with foreign keyboard layouts by mistake.

With all the recent 14" vs 16" returns people are doing, many have received theirs from somewhere outside of China, some shipped from continental US. Guess where these are coming from? It doesn't mean that every one shipped from within the US is used, but chances are some are indeed used and found the way back to regular sales.
 
Hello Joe

Are you the same fellow as the one who posted here? https://www.mac-forums.com/threads/...le-store-get-on-my-brand-new-2021-mac.369271/

If so, did you manage to persuade Apple to provide you with a brand new replacement iMac?

Most folk here will think you are 'spinning a line'! ;)
Hello, B. Yes, I am the same Joe C. who posted to the MacForum several months ago about the same episode. Apple Support worked with me for several weeks, first benumbed by my report and what they found via remote monitoring of my Mac in use, then manually deleting a bunch of ClamXAV files (which helped a bit temporarily), finally by remotely stripping my 500GB Flashdrive and doing a full reinstall of the OS and my apps. I managed retrieval of my datafiles from iCloud storage, reformatted my G-Drive Time Machine backup drive and started it over from zero.

That seems to have done the job. My Mac has been fast and flawless since -- possibly until last week, when it started again to take upwards of a minute to boot from switch on to PW screen (normally a 20 second wait) and, at the PW screen, failed to recognize its Magic Keyboard. This has happened several times in the past week, although not consistently. A hard reboot was required, which cleared the problem, typically (but not always) on the first try.

This is exactly how the problem first manifested itself with ClamXAV installed; it then quickly progressed to near unusability.

This time around, I am monitoring the state of charge in both the Magic Keyboard and the Magic Trackpad more carefully than I did the first time. It may be that a charge state below 80% precipitates the problem. Both peripherals are fully charged; if the problem recurs before either falls to 80% charge (particularly the KB), I will contact Apple Customer Relations and request a replacement Mac. I'll let you know how it goes.

No, I am not "spinning a line." (That means "pulling the wool over your eyes," right? Two great countries separated by a common language....-)
 
Depends on who you ask. Since you ask on this forum, the answer is that Apple products made in China will have a 0% chance of being compromised, and you will be attacked from all sides if you disagree. We can't vouch for other brands though, since, you know, they are made in China.
 
Of course unicorns exist. The question is are these tiny unicorns living inside iMacs? Or it could be those damn lizard people living inside the hollow earth.
I have this wonderful 2020 iMac and of course there is a whole family of lovely little unicorns living inside. They are very instructive telling me what to do and what not to do in the most kindest manner possible.
 
Depends on who you ask. Since you ask on this forum, the answer is that Apple products made in China will have a 0% chance of being compromised, and you will be attacked from all sides if you disagree, while we can't vouch for other brands.
OR 100% chance of being so well compromised that, even hundreds of years into the future no one will have been able to find out exactly how compromised they were. Crafty! /s
 
In post #54 'matdotcx' says "ClamX does one or two things well, and is cheap, and easy to use, but it's suitable for MegaCorp Conglomerates with tens of thousands of users and systems."

Does anyone agree?

(I'm fairly sure he meant "it's NOT suitable").
 
I have seen news coverage of either Dell or Lenovo PCs shipped from China to the USA with Spyware installed and sold as a new computer.

Never a Mac.


Oh gosh, companies have been shipping stuff with spyware forever. Even some Sony music CDs in early 2000s had viruses on them.

Those were all by design and as ordered though. I think the OP was talking about a bad actor secretly adding something to the computer that Dell, Lenovo etc weren’t aware of and didn’t intend to be on there.
 
Depends on who you ask. Since you ask on this forum, the answer is that Apple products made in China will have a 0% chance of being compromised, and you will be attacked from all sides if you disagree. We can't vouch for other brands though, since, you know, they are made in China.
HA! Thanks very much, Anti, for a singularly honest answer!-)
 
I have seen news coverage of either Dell or Lenovo PCs shipped from China to the USA with Spyware installed and sold as a new computer.
You realize this was put there intentionally by Lenovo, right? This wasn't done by evil Chinese spies, it was the manufacturer who made that choice. And if they would have manufactured it in the US it would have been the same. This has nothing to do with China.
 
You realize this was put there intentionally by Lenovo, right? This wasn't done by evil Chinese spies, it was the manufacturer who made that choice. And if they would have manufactured it in the US it would have been the same. This has nothing to do with China.

Or maybe they just got caught...
 
HA! Thanks very much, Anti, for a singularly honest answer!-)
Bearing in mind your experience, Joe, do you now have ANY anti-malware product installed on your iMac?

In post #52 this was suggested:-

" ..... ask Apple if it were ever enrolled into the Device Enrolment Program; they should only need the serial number.

There's no easy way for an end user like Joe to know the machine's status for sure, as even when the machine is in Apple Business Manager, it may not be assigned to an MDM service, and will for all intents and purposes, look stock"


Is this something that you have now done? If not, it's worth a shot, in my opinion.

May I also ask if you ever did as I suggested in post #47?

There can be nothing worse than that little seed of uncertainty about one's computer.
 
What were the ways it failed to behave as expected?
AndyMacAndMic made an incorrect assumption back in post #6

He assumed, as many here have done, that my friend's new 27 inch iMac was that very same one which 'Joe C' has been telling folk about. It was not. Joe is in the USA, my friend and I live in the UK.

Sadly, I cannot answer your question because it was Apple Support which 'threw in the towel' whilst trying to sort things out for my chum. Apple Support recommended that he repackage the computer and they organised the collection of same and organised the repayment of the full purchase price.

My friend is still using his original iMac. I waved my magic wand over it and it's now running smoothly.
 
AndyMacAndMic made an incorrect assumption back in post #6

He assumed, as many here have done, that my friend's new 27 inch iMac was that very same one which 'Joe C' has been telling folk about. It was not. Joe is in the USA, my friend and I live in the UK.

Can you point to a quote in post #6 where I assumed all those things you claim? 'Joe C' was not even mentioned when I wrote post 6. Please don't falsify history here to fit your own narrative.
 
Can you point to a quote in post #6 where I assumed all those things you claim? 'Joe C' was not even mentioned when I wrote post 6. Please don't falsify history here to fit your own narrative.
"I am not going to put any more energy in discussing some highly improbable and unfounded conspiracy theories about China compromising new Mac computers. If this all sounds confrontational to you so be it."

That is what you said. I am not falsifying anything.
 
"I am not going to put any more energy in discussing some highly improbable and unfounded conspiracy theories about China compromising new Mac computers. If this all sounds confrontational to you so be it."

That is what you said. I am not falsifying anything.
That is what I said. But what is the correlation with 'Joe C' and you living in the UK (your claim in Post #69)? It seems you are making the story up as we go along. Maybe your narrative fits in your reality, but certainly not in the verifiable world.
 
That is what I said. But what is the correlation with 'Joe C' and you living in the UK (your claim in Post #69)? It seems you are making the story up as we go along. Maybe your narrative fits in your reality, but certainly not in the verifiable world.
Perhaps you aren't familiar with the history behind my question.
It is set out clearly here:-

Have you read, in this thread, at post #36? That is where 'Joe C' says this .....

I live in the U.S. I ordered my 2021 24-inch M1 Mac from the Apple Store Online. It was delivered by FedEx a few weeks later. It arrived with ClamXAV anti-virus and a related disk cleaner on the desktop. Needless to say, performance with ClamXAV installed was terrible; the machine crashed every 15 minutes. A strip-and-reinstall of the OS and s/ware appears to have cured the problem. Apple Support says it is impossible for a new Mac to have been shipped from the warehouse with ClamXAV or any other unauthorised third-party s/ware on the machine.

So, might an Apple device be subject to tampering in the factory in China? If you have an answer, please provide a reference to supporting evidence. It seems to me it is possible, but my "evidence" is circumstantial and one instance only. If there are other, similar instances, perhaps we might come to find a pattern.


I do not doubt Joe's word. Do you?
 
Have you read, in this thread, at post #36? That is where 'Joe C' says this .....

I do not doubt Joe's word. Do you?

Your claim is that I made a wrong assumption in post #6 about something written in post #36.

Can you explain how that is possible when post #36 was not even written when I wrote post #6? I am capable of a lot of things, but predicting the future is not one of them.

Your logic and your timeline leave a lot to be desired. I am out.
Any further discussion is like talking to a brick wall in an alternate universe. Have a happy life in your reality.
 