Apple apps on Big Sur bypass firewalls and VPNs — this is terrible

MrGuvernment

https://thenextweb.com/plugged/2020...big-sur-bypass-firewalls-vpns-analysis-macos/


Effectively, Wardle says that previous versions of macOS allowed a firewall or VPN to be set up using the Network Kernel Extension. But this isn’t the case in Big Sur.

What Wardle found is that the Mac App Store on the latest macOS bypasses any firewall. For all intents and purposes, its traffic is invisible to firewalls. What’s happening is that Apple apps on Big Sur are beginning to operate outside the user’s control. Which is terrible news.

This story was brought to light on Apple Term, but many assumed it would be fixed when Big Sur was released to the general public. This hasn’t happened.

The question you might be asking next is so what? What’s the issue here?

Well, aside from control over your own system, Apple apps on Big Sur being able to bypass firewalls and VPNs is a huge privacy and security issue. Wardle showed on Twitter how easy it is for malware to exploit this gap:
 

Zarathustra[H]

$5 Well spent.

I switched to them after PIA was sold to the devil.

I have not been disappointed.

That said, I wish Cloudflare would take a chill pill and stop auto-blocking VPN service IP addresses.

I mean, they might have actually detected real suspicious behavior from people trying to conceal themselves via VPN, but more likely than not that suspicious behavior is probably just "wow, that's a lot of activity from a single IP address", not realizing that there are a hundred or more people behind it due to the VPN.
 

DukenukemX

I've said it many times before and I'll say it again. If you bought an Apple product then YOU MADE A MISTAKE! Apple is constantly proving me correct in how incorrect you are for buying their products.
 

DukenukemX

https://twitter.com/mullvadnet/status/1328389780279865344

Mullvad on macOS Big Sur: we confirm that the Mullvad app still performs as intended by not allowing Apple’s own apps to bypass our VPN firewall. Read the details on our blog.

https://mullvad.net/en/blog/2020/11/16/big-no-big-sur-mullvad-disallows-apple-apps-bypass-firewall/

"It’s worth noting that Big Sur and its predecessors are built to assume that they can talk to Apple at any time, but when we don’t allow it, a few unwanted side effects pop up. For example, the keyboard sometimes takes longer to wake up from sleep mode. Or, in certain situations, the Mullvad app takes longer to detect that the computer is online.

However, these issues can only be solved by choosing to leak traffic to Apple. We consider them a reasonable trade-off in order to achieve strict blocking rules."
 

MrGuvernment

That is somewhat worrisome, that your keyboard may take longer to wake up from sleep mode... keyloggers, anyone?
 
Joined
Jun 10, 2004
Messages
3,954
I switched to them after PIA was sold to the devil.

I have not been disappointed.

That said, I wish Cloudflare would take a chill pill and stop auto-blocking VPN service IP addresses.

I mean, they might have actually detected real suspicious behavior from people trying to conceal themselves via VPN, but more likely than not that suspicious behavior is probably just "wow, that's a lot of activity from a single IP address", not realizing that there are a hundred or more people behind it due to the VPN.



What happened to PIA ?
 


TordanGow

How do they bypass a hardware firewall that is whitelist-only for all internet traffic?

My DNS = Internal resolver with the rest of the network dropping all DNS traffic. You either use my resolvers or you don't get DNS.

Devices are fully blacklisted by default for all Internet traffic. If a device needs internet access, it gets specific access to a specific protocol and/or IP block.
 

TordanGow

TordanGow they could hardcode DNS servers, or just use IPs and go over HTTP/HTTPS so it just looks like web traffic.

Hardcoded DNS servers wouldn't work. When it reached my hardware firewall it would drop the DNS packet as it wasn't from one of my DNS resolvers.

For web traffic to work I'd have to enable access to it. If you plug your device into my network you don't get internet access at all unless I enable it on the hardware firewall. The firewall will drop all packets from every device unless the device is manually permitted.

How is Apple going to get around that?
 

DukenukemX

You could just set up a VPN in your home's router and then Apple can't bypass that. Something like DD-WRT or OpenWRT can do that. Of course the device won't always be home and have that WiFi access.
 

Zarathustra[H]

Hardcoded DNS servers wouldn't work. When it reached my hardware firewall it would drop the DNS packet as it wasn't from one of my DNS resolvers.

For web traffic to work I'd have to enable access to it. If you plug your device into my network you don't get internet access at all unless I enable it on the hardware firewall. The firewall will drop all packets from every device unless the device is manually permitted.

How is Apple going to get around that?

IPv6 tunneling through IPv4, or some other form of tunneling that completely bypasses any local controls?
 

Lakados

IPv6 tunneling through IPv4, or some other form of tunneling that completely bypasses any local controls?

No, that would tag it as an unknown app in the application filtering process and similarly drop the packet.
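The default-deny perimeter policy TordanGow describes, and the reason a hardcoded resolver or an IPv6-over-IPv4 tunnel is dropped by it as Lakados says, modelled as an added Python example (not code from the thread or from any firewall product); the device addresses, resolver address, allow rules and sample flows are all constructed.

```python
"""Default-deny egress policy model: an added example with constructed data, not from the thread.
Every device is blocked by default, DNS is only allowed to the internal resolver, and a
device only gets out for an explicitly permitted protocol / destination block / port."""
import ipaddress
from dataclasses import dataclass

INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")  # assumed resolver address

@dataclass(frozen=True)
class Flow:
    src: str        # LAN address of the device
    dst: str        # destination address
    proto: str      # "tcp", "udp", or an IP protocol number such as "41"
    dport: int = 0  # destination port (0 for protocols without ports)

# Per-device allow list of (proto, destination network, port); nothing else passes.
POLICY = {  # assumed sample policy: one host may reach one block over HTTPS only
    "10.0.0.20": [("tcp", ipaddress.ip_network("203.0.113.0/24"), 443)],
}

def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' for one flow under the default-deny policy."""
    dst = ipaddress.ip_address(flow.dst)
    # DNS: only the internal resolver may be asked; a hardcoded public resolver is dropped.
    if flow.proto in ("udp", "tcp") and flow.dport == 53:
        return "allow" if dst == INTERNAL_RESOLVER else "drop"
    # Anything else must match an explicit per-device rule.
    for proto, net, port in POLICY.get(flow.src, []):
        if flow.proto == proto and dst in net and flow.dport == port:
            return "allow"
    # Unknown protocols (e.g. 6in4 tunnels, IP protocol 41) never match a rule.
    return "drop"

def evaluate(flows):
    """Evaluate a batch of flows; returns the verdicts in order."""
    return [decide(f) for f in flows]

# Constructed sample traffic from a device trying each approach discussed in the thread.
SAMPLE_FLOWS = [
    Flow("10.0.0.20", "10.0.0.53", "udp", 53),      # internal resolver: allow
    Flow("10.0.0.20", "8.8.8.8", "udp", 53),        # hardcoded resolver: drop
    Flow("10.0.0.20", "203.0.113.10", "tcp", 443),  # permitted HTTPS block: allow
    Flow("10.0.0.20", "198.51.100.5", "tcp", 443),  # HTTPS to unlisted block: drop
    Flow("10.0.0.20", "198.51.100.5", "41"),        # IPv6-in-IPv4 tunnel: drop
    Flow("10.0.0.21", "203.0.113.10", "tcp", 443),  # device with no rules: drop
]

if __name__ == "__main__":
    for f, v in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {v}")
```

The model only sees layer 3/4 fields; the application-filtering step Lakados mentions would additionally need to classify the payload, which this example does not attempt.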
 

Zarathustra[H]

$5 Well spent.

Especially considering the numbers you can push through them:

[attached image]


I've been very impressed.
 

MrGuvernment

Hardcoded DNS servers wouldn't work. When it reached my hardware firewall it would drop the DNS packet as it wasn't from one of my DNS resolvers.

For web traffic to work I'd have to enable access to it. If you plug your device into my network you don't get internet access at all unless I enable it on the hardware firewall. The firewall will drop all packets from every device unless the device is manually permitted.

How is Apple going to get around that?

TordanGow for you they won't, but for the other 99.99999% of their users who do not have this set up... they will. You are a very very very small % of people who do this and know how and have the equipment in your network to do it.
 