Wednesday, September 27, 2023

This Mac Hacker’s Code Is So Good Companies Keep Stealing It


Shreya Christina

Patrick Wardle is known as a Mac malware specialist, but his work went further than he realized.

A former employee of the NSA and NASA, he is also the founder of the Objective-See Foundation, a non-profit organization that makes open-source security tools for macOS. The latter role means that much of Wardle’s software code is freely available for download and decompilation, and some of this code has apparently caught the attention of tech companies that used it without his permission.

Wardle will lay out his case Thursday in a presentation at the Black Hat cybersecurity conference with Tom McGuire, a cybersecurity researcher at Johns Hopkins University. The researchers found that code written by Wardle and released as open source has made its way into a number of commercial products over the years, all without those companies crediting him, licensing the code, or paying for the work.

The problem, Wardle says, is that it’s hard to prove the code was stolen rather than just implemented in a similar way by accident. Fortunately, Wardle’s skill in reverse engineering software allowed him to make more headway than most.

“I could only think of [the code theft] because I write tools as well as reverse engineer software, which isn’t super common,” Wardle told The Verge in an interview. “Because I’m in both disciplines, it might happen to my tools, but other indie developers might not, and that’s the concern.”

The thefts are a reminder of the precarious status of open source code, which powers vast swaths of the internet. Open source developers usually make their work available under specific licensing terms, but since the code is already public, there is little protection against unscrupulous developers who decide to take advantage of it. In a recent example, the Donald Trump-backed Truth Social app allegedly copied significant portions of code from the open-source Mastodon project, resulting in a formal complaint from the founder of Mastodon.

One of the central examples in Wardle’s case is a software tool called OverSight, which Wardle released in 2016. OverSight was developed as a way to check whether macOS applications were stealthily accessing the microphone or webcam, and it was highly successful: it was effective not only at catching Mac malware that spied on users but also at revealing that a legitimate application like Shazam was always listening in the background.

Wardle – whose cousin Josh Wardle created the popular Wordle game – says he built OverSight because there was no easy way for a Mac user to confirm which applications were activating the recording hardware at any given time, especially if the applications were designed to run in secret. To solve this challenge, his software used a combination of analysis techniques that proved to be unusual and thus unique.

But years after OverSight was released, he was surprised to find a number of commercial applications that incorporated similar application logic into their own products, even replicating the same bugs Wardle’s code had.

A slide from Wardle and McGuire’s Defcon presentation.
Image: Patrick Wardle

Three different companies were found to have incorporated techniques from Wardle’s work into their own commercially sold software. None of the offending companies are named in the Black Hat talk, as Wardle says he believes the code theft was likely the work of an individual employee rather than a top-down strategy.

The companies also reacted positively when confronted, Wardle says: all three vendors he approached reportedly acknowledged that his code had been used in their products without permission, and all ended up paying him directly or donating money to the Objective-See Foundation.

Code theft is an unfortunate reality, but by drawing attention to it, Wardle hopes to help developers and businesses alike protect their interests. For software developers, he advises that anyone who writes code (open or closed source) should assume that it will be stolen and learn how to apply techniques that can help track down cases where this has happened.

For companies, he suggests better informing employees about the legal frameworks surrounding reverse engineering another company’s product for commercial gain. And in the end, he hopes they simply stop stealing.
