Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug Desktops (Apple) Privacy Apple

Apple Lets Some Network Traffic Bypass Firewalls on MacOS Big Sur (arstechnica.com) 113

"Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs..." reports Threatpost. "While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this doesn't appear to have happened."

"Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu," explains Ars Technica: The undocumented exemption, which didn't take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend. To demonstrate the risks that come with this move, Wardle — a former hacker for the NSA — demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure...

Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that "essential security tools such as firewalls are ineffective" under the change.

Apple has yet to explain the reason behind the change.

This discussion has been archived. No new comments can be posted.

Apple Lets Some Network Traffic Bypass Firewalls on MacOS Big Sur

Comments Filter:
  • "Feature" (Score:5, Funny)

    by DivineKnight ( 3763507 ) on Saturday November 21, 2020 @09:50PM (#60752640)

    "Feature"

    • Apple looks out for its users' privacy the way a big brother would.

    • Monopoly abuse.

    • Windows has a similar feature with Service Hardening Rules, which take precidence over (most) user configured firewall rules and exists to keep Windows secure, even if an end user wants to do something silly, like allow all traffic both ways or "disable" the firewall altogether. macOS is likely aiming for a similar approach now from a security standpoint and needs hardcoded overrides for certain services to be able to do it.

      For example, their firewall allows one to automatically allow connectivity for s
  • Between offloading firewall CPU consumption to defend against external penetration attempts, to having the ability to prevent apps from phoning home, wouldn't it make sense to just get a hardware firewall? Maybe there's a market for one that acts as a Wi-Fi firewall/relay, and you could build it into one of those lithium-ion battery packs.

    • A hardware firewall is great. What would the outbound firewall rules look like for this sort of problem? If the "special" Apple apps and services are bypassing software firewalls and VPNs over 80/443, for example, then you're pretty well fucked unless you start getting into deep packet inspection and stuff like that. But there again, if you don't know what you're looking for, you're pretty well fucked there, too, right?
      • by Bert64 ( 520050 ) <bert@slashdot.fir e n z e e . c om> on Saturday November 21, 2020 @10:46PM (#60752730) Homepage

        If you know you're using a vpn, then the firewall doesn't need to allow anything other than access to the vpn endpoints.

        • Yup, pretty simple. Block everything not routed through vpn. Better yet, use linux instead
        • Most VPN's are split. Traffic to the remote internal network goes to the VPN, traffic to YouTube, Slashdot, and Gmail, and other "public" Ineternet sites goes derectly through your local cable modem to those sites without the VPN involved. _Very_ few VPN's route all traffic through the VPN for performance reasons.

          • by bn-7bc ( 909819 )
            That might be corp vpns not the vpns beeing flogged to “most people” you know the kind to get around geo blocking etc, or a” hide your traffic from your ISP” these have the default route via the vpn or else they would not work for those purposes. Correct me if I’m but those are not exactly un common
            • The "get around geo-IP"and "hide your traffic VPN's are not rare, but I don't think they're the most common. They also expose your traffic to the intermediat4e VPN, which is its own security issue. We could discuss the prevalence of security agency stolen SSL certificates, for example: I find it very difficult inteed to believe that major CDN and cloud providers, such as Google Cloud and Amazon Web Services, do not hand over customer's private SSL keys on demand of law enforcement, or even provide man-in-th

              • by bn-7bc ( 909819 )
                well yea those scary Patriot act warrants. ok I know slashdot is a mainly US site but umless either the costumer is in the US or the vpn terminates there The patriot act is not enforcable IIRC so that warrant can just be ignored. but I'm not a legal professional so if you are and feel the need to correct me, I would appreciate it.As for the relative distribution of vpn types, you might be right, but it is kind of hard to say as there are few complete agregate stats to go by, but yea with covid-19 and the i
                • Patriot Act warrants are scary partly because they exist despite the US's generally good reputation as a nation of law and of legal transparancy. If you're overseas, the vulnerabilities enforced by US federal policy affect your hardware and leave it vulnerable to both your government and the US government. If you think backdoors are not federal policy, do look up the various Cisco backdoors published over the last decade.

                  https://www.tomshardware.com/n... [tomshardware.com]

                  And in either the US or other nations, the intelligenc

    • I've proposed a few times here a hardware firewall which acts simaler to an anti-virus program, only to stop forced update and telemetry traffic.

      It's a fairly obvious idea, and somebody *has* to be working on something like this.

      Wow, it wasn't that long ago when we only had to worry about basement hackers and hostile nations putting malware on our computers. :(

      • While this would be a stop-gap solution, it would only be effective if you knew the IP addresses (both IPv4 and IPv6) of every server that the favored Apple apps might use. Building such a list might be difficult at best, and you could never be sure if you had every IP address, especially if Apple could add new ones at any time.
        • Like an anti-virus program, it would have a list of known offenders that the user can download updated versions of. Heuristics, another common anti-virus tool, can be applied here too.

          Having something like this on the market which is well advertised will have the side benifit of helping to crush the whole "Trusted [those with the gold] Computing" nonsense, and inform the public that because somebody has a title, or a badge, does not automatically make that person "Trustworthy".

          Yes, in light of events of 202

        • by bn-7bc ( 909819 )
          depends on how you deffine an Apple app. If it is an app made by apple, and with the backend hosted by apple it shuld be possible, just get a list of apple related ASNs and their associated prefixes, that shuld not be to many. If on the other hand you mean any app you get from the app store, or even any app running on the device (not the same thing on osx- at least for now), that is a rather more difficult job
    • Why didn't this ever become a thing? It seems like it makes sense, an actual firewall independent of the system's OS.

      I seem to remember ages ago a hardware firewall as an add-in card, sort of the way the old Voodoo video cards worked, where you looped your NIC through it with a short cable. The card's hardware interface was mostly for power from the slot.

      I'm kind of surprised this didn't become a thing, especially with multi-port network cards where the NIC ports could be assigned specific security zones

      • You can have it with a "VPN router" and it doesn't have to be installed inside your PC, which was never a good idea from a maintenance standpoint anyway.

  • Software firewalls (Score:5, Insightful)

    by rtkluttz ( 244325 ) on Saturday November 21, 2020 @10:09PM (#60752676) Homepage

    Software firewalls are a fucking joke anyway. The whole idea of a firewall running on the machine that may get compromised was the butt of many jokes in security circles for good reason. I don't even turn the damn things on and only trust firewalls running somewhere else. I carry a pocket firewall with me when I travel.

    • Software firewalls are a fucking joke anyway. The whole idea of a firewall running on the machine that may get compromised was the butt of many jokes in security circles for good reason. I don't even turn the damn things on and only trust firewalls running somewhere else. I carry a pocket firewall with me when I travel.

      You would be a fool to turn off the stateful firewall on a machine just because it's behind another firewall. I hope that pocket firewall of yours isn't just running static settings.

    • by Bert64 ( 520050 )

      In many cases a firewall is pointless security theatre anyway..

      To stop inbound connections?
      Your client machine only usually makes outbound connections, it shouldn't have any listening services by default so there is nothing to connect to.
      On those instances where you do want inbound connections, you have extra hassle to enable firewall rules in addition to explicitly turning on the program that listens for inbound connections. This can inconvenience games, voip, etc, and encourages the use of third party ser

      • You obviously didn't read why Apple users are using Little Snitch in the first place.

      • Very rarely are firewalls used to block outbound except in corporate environments... In most end user scenarios, everything is allowed out.
        Then it is not a firewall, at least not in the sense what that word is supposed to mean in internet jargon.

      • by AmiMoJo ( 196126 )

        Most machines have listening services on by default because users expect to e.g. be able to share files easily. They expect their iPhone to be able to talk to their iTunes seamlessly. Their TV box to be able to stream files from their Plex server. Admins like the convenience of RDP, rather than having to walk down to the server and plug in a keyboard, mouse and monitor.

        Aside from anything else a basic firewall that limits inbound connections to ones coming from your LAN subnet save a lot of computing resour

        • by Bert64 ( 520050 )

          None of these services are, or need to be enabled by default.
          If the user intends to use these services, then they will explicitly turn them on. Especially if someone has gone to the additional effort of setting up something like a plex server - the key is in the name "server".
          Having a firewall actually breaks the seemless nature of these services, as in addition to turning on the service they also have to create an allow rule. If the service does this on its own then its somewhat defeating the point of havi

      • by MooseOnTheLoose ( 645550 ) on Sunday November 22, 2020 @06:01AM (#60753442)

        Very rarely are firewalls used to block outbound except in corporate environments... In most end user scenarios, everything is allowed out.

        That is not correct with regard to Mac users, at least not the "very rarely" part. There is a rater popular program called Little Snitch for which many Mac users pay good money, in order to be able to send and approve/disapprove traffic going out of their systems. This change by Apple breaks Little Snitch and similar programs, at least with regard to traffic to Apple servers. Even if you don't want to block traffic to Apple's servers 100% of the time, there might still be times where you would want certain programs to not have the ability to connect (such as anything that sends out your Apple login while you are using an insecure public connection), and Little Snitch was great for that until Apple did this.

        I know of at least one Mac user that has been buying Macs since the days of the Power PC but has said he will never buy another unless Apple either reverses this or the developers of Little Snitch figure out a workaround that makes their product work again for those connections (apparently they are working on it).

        For me, this just makes me feel like Apple is trying to take over ownership of MY computer. I paid good money to Apple to PURCHASE a computer, not lease one or rent one, and Apple should not be trying to basically install malware to block the effectiveness of security-related software that I want to run. Maybe you feel that such software does nothing useful, but that is your opinion which which I strongly disagree. But I am more concerned about the arrogance of Apple trying to subvert the functioning of that software. If a third party did this we'd all be properly labeling it as malware but because some people seem to think Apple can do no wrong (obviously I'm not one of them) they are willing to overlook this intrusive behavior in MacOS Big Suck.

    • by bferrell ( 253291 ) on Saturday November 21, 2020 @11:51PM (#60752882) Homepage Journal

      All firewalls are software firewalls

      • Perhaps best to cascade firewalls from different vendors.

        If you chain a Cisco firewall with a Huawei firewall, sure, each may allow some traffic through.

        But unless they collude they will probably block each other's backdoors.

        • Better to apply the same strategy, but one of the firewalls is written by you, and then collusion between both firewall makers becomes a tad unlikely.
        • That is also adding points of failure in your local network. And it adds an hour to the time dealing with your local network vendor on every call, proving painfully that the problem is, indeed, their fault.

      • As a Security Eng for a large telco who works with Palo's as gateway walls ... your ether full of shit or sorely lacking.

        • As someone who has been working with networks for over 35 years, performing network analysis since before TCP/IP was in wide distribution, I would offer that you are should familiarize yourself with the basic text on the topic, TCP/IP Illustrated Volume 1, before you stick your foot further into your mouth.

          A firewall is a "computer" with routing rules and MAYBE multiple interfaces.

          period.

          • Wow, network people... it's all software, no it's hardware, no they're all computers.

            Sure, and some have specialized hardware tailored to their role, like content addressed memory, packet filtering logic in silicon, whatever. Those are hardware solutions, and they are almost entirely implemented with software solutions driving the hardware, and whatever, end the debate and call everything a computer, fuck it all.

            The OP's point was about having a dedicated firewall separate from the things it was meant to p

      • Technically correct, but also needless hairsplitting. It's quite obvious what OP meant: a firewall running on dedicated hardware independent of the devices whose traffic it's filtering.

    • The whole idea of a firewall running on the machine that may get compromised was the butt of many jokes in security circles for good reason.

      Maybe if you're the NSA or securing corporate network entry, but back in the real world we don't let perfect be the enemy of good. Software firewalls have done more to improve security than any other single security concept by giving us an additional layer between Mallory and the hundreds of pieces of software with open ports and potential security holes that Bob is running on his machine.

      Is it perfect? Fuck no, but then neither is any hardware firewall. But only a complete moron who doesn't belong anywhere

    • by AmiMoJo ( 196126 ) on Sunday November 22, 2020 @05:48AM (#60753428) Homepage Journal

      Software firewalls have some major benefits over firewalls running on other machines. The main one is that they can operate on a per-app basis. If an app has no reason to need internet access you don't give it internet access. If it only needs to talk to one specific IP address that's all it gets.

      Restricting on a per-app basis mitigates a lot of attacks. Even if the app gets compromised it can't download further payloads, it can't exfiltrate data, and the fact that it even tried can set off alarm bells.

      • Exactly. This is a very good and concise explanation of why these types of firewalls are important. In fact this is why I wish Linux developers would make a more serious effort to develop such a firewall for Linux users (I know about OpenSnitch and also the OpenSnitch fork that is actually still being developed, but both appear to be one-off projects that are not an official part of any Linux distro).
      • by dnaumov ( 453672 )

        Software firewalls have some major benefits over firewalls running on other machines. The main one is that they can operate on a per-app basis. If an app has no reason to need internet access you don't give it internet access. If it only needs to talk to one specific IP address that's all it gets.

        Restricting on a per-app basis mitigates a lot of attacks. Even if the app gets compromised it can't download further payloads, it can't exfiltrate data, and the fact that it even tried can set off alarm bells.

        Application-aware hardware firewalls have been around for ages.

    • by andy55 ( 743992 )

      I carry a pocket firewall with me when I travel.

      Any recommendations on brands or models?

  • This shit again? (Score:3, Informative)

    by Milliway ( 6079924 ) on Saturday November 21, 2020 @10:44PM (#60752728)
    Seriously, this same story keeps getting brought up. This is at least the 4th time in the past week or so. If your firewall is using content filtering API the apps can phone home. If you switch to a packet filtering products the apps can't phone home. https://mullvad.net/en/blog/20... [mullvad.net] https://apple.slashdot.org/sto... [slashdot.org] https://apple.slashdot.org/sto... [slashdot.org] https://apple.slashdot.org/sto... [slashdot.org] https://apple.slashdot.org/sto... [slashdot.org]
    • What the heck? From your first link :

      "Itâ(TM)s worth noting that Big Sur and its predecessors are built to assume that they can talk to Apple at any time, but when we donâ(TM)t allow it, a few unwanted side effects pop up. For example, the keyboard sometimes takes longer to wake up from sleep mode"

      I don't know why nor how to write software that makes "prompt resume from sleep" continent upon phoning home.

      • by mattr ( 78516 )

        Maybe it's trying to verify authenticity of keyboard. Like what if you have a usb keyboard mail ordered from China with a keylogger built into it. While I agree in theory, if you are talking about the keyboard I think I would like it to be checked.

        • And you really think that someone who designed a keyboard with a keylogger built in would not also make it appear as much like a legitimate name-brand keyboard as possible, including masquerading as a genuine Apple keyboard?
          • In order to comply with the Apple secure validation protocol, a keylogger keyboard must set the evil bit to 1, obviously.

      • Goodness, I can picture dozens of ways to do this. Most of the legitimate ones involve phoning home at wake-up time to get driver updates for the hardware, which may have been replaced or re-arranged during powerdown. Many illegitimate ones involve reporting to the mothership the status and location of your hardware.

  • and they were perhaps hoping no one would notice?
  • There is a real issue here. Okay, I can understand Apple wanting to have some control even if the users installs a broken VPN. But, this is not the way.

    It is very reasonable to have a personal VPN (at home on a static IP, or from a co-location hosting provider), and have your phone in your local LAN, even while you are roaming. In fact this is not too difficult to do.

    However that assumes the OS on your devices adheres to your settings.

    (Note to Apple: Just show a notification like "something is wrong with yo

    • At first glance, this seems like this could be a real-world security problem for many people living under oppresive governments, given that communications apps may not be behaving in the manner a reasonable person would expect.

      I guess the solution is to avoid Apple's apps.

      • I think it would be really difficult to find and disable all Apple apps in MacOS, particularly those that may be hidden from the user and that run in the background.
  • Undocumented exemptions are just as much a part of the fabric of the operating system as any other feature.

  • by the_B0fh ( 208483 ) on Saturday November 21, 2020 @11:55PM (#60752888) Homepage
    It's a freebsd kernel, with pf. You can always run pf to absolutely block whatever traffic you want. No user land frameworks can block kernel level pf firewall.
    • No dumb dumb. its not freebsd. Its Darwin.

    • First, you should install OpenBSD, then you can use pf.
    • macOS's pf implementation is weird. I agree you can do what you state, but first you have to rip out all the dynamic pf rule handling macOS has enabled by default.

      • Err, what are you talking about? All it does is set up some anchors. Here's my pf.conf

        /etc/pf.conf
        scrub-anchor "com.apple/*"
        nat-anchor "com.apple/*"
        rdr-anchor "com.apple/*"
        dummynet-anchor "com.apple/*"
        anchor "com.apple/*"
        load anchor "com.apple" from "/etc/pf.anchors/com.apple"

        /etc/pf.anchors/com.apple
        anchor "200.AirDrop/*"
        anchor "250.ApplicationFirewall/*"

        Here's what pfctl -s all shows
        # pfctl -s all
        No ALTQ support in kernel
        ALTQ related functions disabled
        TRANSLATION RULES:
        nat-anchor "com.apple/*"
    • It's a freebsd kernel

      Mac's kernel has as much in common with Freebsd as Windows 10's does with Windows 95. Mac isn't freeBSD, it was just based upon it some 19 years ago.

      • I believe you mean "as much as Windows 10's kernel does with VMS". Windows 10 used the NT kernel, which had much of its structure lifted by David Cutler and his kernel crew from DEC when they were hired by Microsoft.

        • No I mean Windows 95, don't underestimate how different the Mac kernel is now compared to the old BSD kernel. Darwin was sufficiently different from the base kernel back 19 years ago.

          Mind you these days the Windows 10 kernel probably has equal amounts in common with VMS and the old 9x kernels. It's been through so many re-writes and had entire stacks thrown out over the years.

      • You are right, I should have said "based on freebsd".

        https://developer.apple.com/li... [apple.com] has a note mentioning FreeBSD and "BSD" is all over the place.

  • Just filter on an off-box parent device

  • Can we just take in the irony for one moment, of this heap of shit being called Big Sur? Anybody who's ever been there, or even read about the place should get what I'm saying.

  • Who is the bright spark in Apple Marketing who came up with that idea? He should be promoted - to get him away from where he can do more damage.
  • This is serious (Score:4, Insightful)

    by dwywit ( 1109409 ) on Sunday November 22, 2020 @03:26AM (#60753266)

    It changes the situation from "cautiously trusted" to "untrustworthy"

    I won't be surprised to see lawsuits about it.

    • I won't be surprised to see lawsuits about it.

      I would. I mean this has been standard practice for MS for over 10 years now in their firewall, why would Apple get sued for something "normal" in the computing world?

      • They override some DNS names in the hosts file, what part of windows ignores the defender firewall though?

        • They override some DNS names in the hosts file, what part of windows ignores the defender firewall though?

          This thread was about lawsuits? So legally, any part that Microsoft feels like?
          Technically? Any part Microsoft feels like?
          In practice? IDK, ask Microsoft.

        • They override some DNS names in the hosts file, what part of windows ignores the defender firewall though?

          Any rules blocking their update servers or block the defender service itself. That's a basic built in security measure to prevent malware creating rules that prevent new malware definitions being downloaded.

    • It changes the situation from "cautiously trusted" to "untrustworthy"
      I won't be surprised to see lawsuits about it.

      Slashdot ate your sarcasm tag

      Yes, surely there will be lawsuits over how the system-provided interface for third party application firewalls doesn't do what third party developers want - block applications that shipped with the system, get out your monopoly busting hammers, Apple haters. *yawn*

  • Remember how Microsoft was slammed left and right about phoning home even when you tell it not to? Did that change Windows dominance? Not one bit. If one company got away with it, there is no incentive for other companies to be the good guys
    • Except that if Apple acts like Microsoft, what incentive remains to pay the "Apple Tax" on Apple-branded equipment? If MacOS is going to adopt the bad parts of Windows then might as well just run Windows and save money!
  • Not your firewall
    Not your computer
  • While Apple should had been constant on how all traffic leaves it system, and doing this for some Apps is just bad for security and in design. I do want to bring up, that most people should have an external firewall outside your PC. Heck even a cheap wireless router has many basic firewall features built in, enough to keep you relativity safe. Unlike back in my College days, where every student got an Open External IP Address that was wide open to the internet.

  • I assume Apple did this because there was some malware vector using VPNs and they think this was a good idea to protect users against themselves. But that's one step too far. It's not iOS, people can hurt themselves on macOS and that's how it should be ... trying to limit them like this just produces unexpected behaviour, which can also hurt them.

    Maybe Apple should make an iOS for Mac where they can just outright limit users by app certification, rather than try to limit users by this kind of roundabout und

  • by AndyKron ( 937105 ) on Sunday November 22, 2020 @09:37AM (#60753764)
    Pay no attention to that code behind the curtain. It just works.
  • Well, that does it.

    Might as well drag along a nice dual-port Raspberry Pi configured as a LTE-MiFi for your traveling portable gateway/VPN/Wireguard/router to carry all of your networkable Apple products.

    I really don't see any way around this at this point.

  • Firewall will be continually neutered until you stop using it to stop Apples own antics.

    The very thing many warned about when you trust a vendors tool to block their other tool expecting they can't just add "exceptions" later. Same problem as "updates" you can't turn off.

    Too much "trust".

One good suit is worth a thousand resumes.

Working...