objective-see / ReiKey

Malware and other applications may install persistent keyboard "event taps" to intercept your keystrokes. ReiKey can scan, detect, and monitor for such taps!
GNU General Public License v3.0

1.4.2 on Catalina: airportd #15

Open eloudsa opened 3 years ago

eloudsa commented 3 years ago

Hi

On Catalina (10.15.7), ReiKey identified airportd as a passive listener.

Did you notice this?


jab3rd commented 3 years ago

Seeing this on my machine too, as of yesterday, running macOS Catalina v10.15.7 and ReiKey 1.4.2. I'm not aware of anything that might have changed to produce this.

Here's another report from Feb 11, 2021, and https://www.reddit.com/r/techsupport/comments/lhq3ja/macos_keylogger_or_basic_mac_binary/

chrickers commented 3 years ago

This just popped up on my machine too, although I ticked "Ignore Apple programs".

stefanschmidt commented 1 year ago

Running macOS Catalina 10.15.7 and ReiKey 1.4.2.

What's Your Sign? reports /usr/libexec/airportd as validly signed by Apple but it is listed by ReiKey even though "Ignore Apple Programs" is checked.

checktext00 commented 9 months ago

Hi, I also have this issue and would really like to figure out a reason. It shows up even when "Ignore Apple Programs" is checked, and it's validly signed by Apple's "Software Signing" certificate (see certificate details in VirusTotal). I've also listed its entitlements, maybe "com.apple.private.SkyLight.event.monitor" has something to do with it, but I only found one unhelpful result online. Here's more info about the file and I've uploaded it online if anyone wants to take a look, thanks

airportd mirror 1 airportd mirror 2

macOS Catalina 10.15.7 ReiKey 1.4.2

edit: someone mentioned here it's not flagged on macOS Mojave


airportd (VirusTotal)

location: /usr/libexec/airportd

MD5: 209E17E5DDBE6060D278ED3D31634396
SHA1: 6F66E79C1443B3CF415499E1C7CE6CDF006692D9
SHA256: B6C656B4E2B4F41602E26863CB21272D9C4988F27ECF826ED6819BA26229F783

entitlements:
{
    "com.apple.locationd.effective_bundle" = 1;
    "com.apple.private.SkyLight.event.monitor" = 1;
    "com.apple.private.dark-wake-network-reachability" = 1;
    "com.apple.private.security.nvram.wifi-psks" = 1;
    "com.apple.private.wifid.host.network" = 1;
    "com.apple.private.wifid.interface.management" = 1;
    "com.apple.private.wifivelocity" = 1;
    "com.apple.security.network.server" = 1;
    "com.apple.symptom_diagnostics.report" = 1;
    "com.apple.wifi.bypass-location-services" = 1;
    "com.apple.wlan.authentication" = 1;
    "keychain-access-groups" =     (
        "com.apple.cfnetwork"
    );
}
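
For cross-checking a finding like the one reported in this thread, here is an added example (not ReiKey's code and not posted by anyone in the thread) that lists enabled keyboard event taps with the public CoreGraphics call `CGGetEventTapList`, labels each as a passive listener or an active filter, and checks the tapping binary against the code requirement `anchor apple`. Treating `anchor apple` as the definition of an "Apple program" is an assumption; how ReiKey's "Ignore Apple programs" option decides is not stated on this page.

```objc
// Added example, not ReiKey source. Build on macOS:
//   clang -fobjc-arc -framework Foundation -framework ApplicationServices \
//         -framework Security taps.m -o taps
#import <Foundation/Foundation.h>
#import <ApplicationServices/ApplicationServices.h>
#import <Security/Security.h>
#import <libproc.h>

// Assumption: "Apple program" means the on-disk binary satisfies "anchor apple".
static BOOL signedByApple(const char *path) {
    SecStaticCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    NSURL *url = [NSURL fileURLWithPath:@(path)];
    if (SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = (SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return ok;
}

int main(void) {
    @autoreleasepool {
        uint32_t count = 0;
        // A first call with a NULL list only returns the number of installed taps.
        if (CGGetEventTapList(0, NULL, &count) != kCGErrorSuccess || count == 0) {
            puts("no event taps visible");
            return 0;
        }
        CGEventTapInformation *taps = calloc(count, sizeof(*taps));
        if (!taps || CGGetEventTapList(count, taps, &count) != kCGErrorSuccess) { free(taps); return 1; }

        const CGEventMask keyMask = CGEventMaskBit(kCGEventKeyDown) | CGEventMaskBit(kCGEventKeyUp);
        for (uint32_t i = 0; i < count; i++) {
            // Keep only enabled taps that subscribe to key-down or key-up events.
            if (!taps[i].enabled || !(taps[i].eventsOfInterest & keyMask)) continue;
            char path[PROC_PIDPATHINFO_MAXSIZE] = "(unknown)";
            BOOL resolved = proc_pidpath(taps[i].tappingProcess, path, sizeof(path)) > 0;
            printf("pid %d  %s  %s  target pid %d  apple-signed: %s\n",
                   taps[i].tappingProcess, path,
                   taps[i].options == kCGEventTapOptionListenOnly ? "passive listener" : "active filter",
                   taps[i].processBeingTapped,   // 0 means the tap is not limited to one process
                   resolved && signedByApple(path) ? "yes" : "no");
        }
        free(taps);
    }
    return 0;
}
```

A row for `/usr/libexec/airportd` that reads "passive listener" with "apple-signed: yes" would match what ReiKey and What's Your Sign? show in the reports above.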

tags: airportd, keyboard events taps, detected event tap, all processes, passive listener