Apple apps on Big Sur bypass firewalls and VPNs — this is terrible

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,603
https://thenextweb.com/plugged/2020...big-sur-bypass-firewalls-vpns-analysis-macos/


Effectively, Wardle says that previous versions of macOS allowed a firewall or VPN to be set up using the Network Kernel Extension. But this isn’t the case in Big Sur.

What Wardle found is that the Mac App Store on the latest macOS bypasses any firewall. For all intents and purposes, its traffic is invisible to firewalls. What’s happening is that Apple apps on Big Sur are beginning to operate outside the user’s control. Which is terrible news.

This story was brought to light on Apple Term, but many assumed it would be fixed when Big Sur was released to the general public. This hasn’t happened.

The question you might be asking next is so what? What’s the issue here?

Well, aside from control over your own system, Apple apps on Big Sur being able to bypass firewalls and VPNs is a huge privacy and security issue. Wardle showed on Twitter how easy it is for malware to exploit this gap:
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,234
$5 Well spent.

I switched to them after PIA was sold to the devil.

I have not been disappointed.

That said, I wish Cloudflare would take a chill pill and stop auto-blocking VPN service IP addresses.

I mean, they might have actually detected real suspicious behavior from people trying to conceal themselves via VPN, but more likely than not that suspicious behavior is probably just "wow, that's a lot of activity from a single IP address" not realizing that there are a hundred or more people behind it due to the VPN.
 

DukenukemX

Supreme [H]ardness
Joined
Jan 30, 2005
Messages
5,072
I've said it many times before and I'll say it again. If you bought an Apple product then YOU MADE A MISTAKE! Apple is constantly proving me correct in how incorrect you are for buying their products.
 

DukenukemX

Supreme [H]ardness
Joined
Jan 30, 2005
Messages
5,072
https://twitter.com/mullvadnet/status/1328389780279865344

Mullvad on macOS Big Sur: we confirm that the Mullvad app still performs as intended by not allowing Apple’s own apps to bypass our VPN firewall. Read the details on our blog.

https://mullvad.net/en/blog/2020/11/16/big-no-big-sur-mullvad-disallows-apple-apps-bypass-firewall/

"It’s worth noting that Big Sur and its predecessors are built to assume that they can talk to Apple at any time, but when we don’t allow it, a few unwanted side effects pop up. For example, the keyboard sometimes takes longer to wake up from sleep mode. Or, in certain situations, the Mullvad app takes longer to detect that the computer is online.

However, these issues can only be solved by choosing to leak traffic to Apple. We consider them a reasonable trade-off in order to achieve strict blocking rules."
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,603
That is somewhat worrisome that your keyboard may take longer to wake up from sleep mode.....key loggers anyone?
 
Joined
Jun 10, 2004
Messages
3,817
I switched to them after PIA was sold to the devil.

I have not been disappointed.

That said, I wish Cloudflare would take a chill pill and stop auto-blocking VPN service IP addresses.

I mean, they might have actually detected real suspicious behavior from people trying to conceal themselves via VPN, but more likely than not that suspicious behavior is probably just "wow, that's a lot of activity from a single IP address" not realizing that there are a hundred or more people behind it due to the VPN.



What happened to PIA?
 

TordanGow

[H]ard|Gawd
Joined
May 25, 2015
Messages
1,457
How do they bypass a hardware firewall that is whitelist only for all internet traffic?

My DNS = Internal resolver with the rest of the network dropping all DNS traffic. You either use my resolvers or you don't get DNS.

Devices are fully blacklisted by default for all Internet traffic. If a device needs internet access it gets specific access to a specific protocol and/or IP block.
 

TordanGow

[H]ard|Gawd
Joined
May 25, 2015
Messages
1,457
TordanGow they could hardcode DNS servers or are just using IPs and go over HTTP/HTTPS so it just looks like web traffic.
Hardcoded dns servers wouldn't work. When it reached my hardware firewall it would drop the dns packet as it wasn't from one of my dns resolvers.

For web traffic to work I'd have to enable access to it. If you plug your device into my network you don't get internet access at all unless I enable it on the hardware firewall. The firewall will drop all packets from every device unless the device is manually permitted.

How is Apple going to get around that?
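
The perimeter policy described in TordanGow's two posts above, sketched as an nftables ruleset for a Linux gateway. This is an added example, not part of any post in the thread; the interface names, addresses and the granted destination block are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example (constructed values): default-deny forwarding on a gateway.
# lan0/wan0, 10.0.0.x and 203.0.113.0/24 are assumptions, not from the thread.

flush ruleset

define LAN_IF = "lan0"
define WAN_IF = "wan0"

table inet gateway {
    # The only hosts allowed to send DNS to the internet.
    set resolvers {
        type ipv4_addr
        elements = { 10.0.0.53 }
    }

    chain forward {
        # Nothing is forwarded unless a rule below accepts it.
        # IPv6 has no accept rule here, so it is dropped by the policy.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # DNS leaves the network only from the internal resolvers.
        iifname $LAN_IF oifname $WAN_IF ip saddr @resolvers meta l4proto { tcp, udp } th dport 53 accept

        # Client DNS to any other server (hard-coded resolvers, DNS over TLS)
        # is logged and dropped, whatever process on the device sent it.
        iifname $LAN_IF meta l4proto { tcp, udp } th dport { 53, 853 } log prefix "dns-bypass " drop

        # Per-device grant: one device, one protocol, one destination block.
        # Once granted, the gateway cannot tell which application on that
        # device produced the HTTPS traffic; it only sees address and port.
        iifname $LAN_IF oifname $WAN_IF ip saddr 10.0.0.21 ip daddr 203.0.113.0/24 tcp dport 443 accept

        # Everything else falls through to the drop policy; log it for review.
        log prefix "fwd-default-drop "
    }
}
```

The `dns-bypass` and `fwd-default-drop` log prefixes give a record of traffic that a host-based filter on the device never reported.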
 

DukenukemX

Supreme [H]ardness
Joined
Jan 30, 2005
Messages
5,072
You could just set up a VPN in your home's router and then Apple can't bypass that. Something like DD-WRT or OpenWRT can do that. Of course the device won't always be home and have that WiFi access.
 