Tuesday, November 17, 2020

A Hole in the Wall

Callum Booth (via Hacker News):

For all of Apple’s talk of being privacy-first, often its marketing speak doesn’t match up with what it’s actually doing. And the latest example? Well, it’s Apple apps on Big Sur bypassing firewalls and VPNs.

Norbert Heger:

It is your right to know where your computer connects to. To whom it talks. It’s your right to see these connections. It’s your right to allow them. And it’s your right to deny them.

[…]

Three months later we realized that a number of other Apple services like App Store, Maps or FaceTime also showed this strange behavior of acting invisibly, bypassing the new filter API. So we reported our new findings again on October 1 (FB8762834).

[…]

But hiding these connections completely from the user makes no sense. It contradicts the idea of a transparent and trustworthy system and undermines the user’s trust in that system.

[…]

In the light of the recent public discussions that this topic has triggered we are extremely confident that Apple stands by their word to give users control over their information and will therefore eliminate this kind of whitelisting in a future macOS update.

Jeff Johnson:

I used Little Snitch to diagnose the “OCSP apocalypse” last week.

It’s essential for network extensions to be able to block all network connections, including connections by Apple.

Patrick Wardle:

In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.) 🧐

Q: Could this be (ab)used by malware to also bypass such firewalls? 🤔

A: Apparently yes, and trivially so 😬😱😭

Update (2020-11-23): Maxwell Swadling:

Here is what a boot up of a clean Big Sur install looks like (+ ntp and push sockets). The Yahoo API ping is from spotlight asking what currency conversions are, not related to widgets.

And no you can not opt out of your Mac asking Yahoo what the currency conversion rates are.

All APIs are https, some send locale, Siri locale, software version and hardware string to Apple. Which enables Apple to build a pretty good understanding of international market distribution, current usage of each software version, etc.

¯\_(ツ)_/¯ If I can’t secure macOS as I have been able to do in the past, then I do not want Big Sur. At all.

If Apple doesn’t allow Catalina installs on Silicon then I can live without Silicon. I already have enough iOS devices.

I’ll make it simple for the MBAs: If I can’t secure it, I don’t want it. At any price point.

I'm reading that pf works to block undesired Apple traffic, which makes sense, since pf is part of macOS since 10.6. It'd be funny if someone whipped up a true GUI pf configurator that handled bandwidth control, etc.

There are already a few front-ends to `pf`, like Murus, that could conceivably be put to good use to block connections that app-level filters can no longer catch, but this comes with multiple undesirable caveats:

① Some VPNs already use `pf` to implement a “kill-switch” on top of macOS’s sometimes unreliable VPN APIs. (Mullvad just published a blog post to that effect, to name but one.) Such apps would need to be overhauled to deal with user-defined filters on top of their own. Considering the relative complexity of `pf` and the small market share of macOS 11, users would probably face a choice, in the short term at least, between reliably securing their VPN and firewalling their machine, which is hardly ideal — unless they happened to be `pf` experts themselves and to know enough to manually merge all the required configuration files. The same would be true if Objective Development were to add a `pf` module to Little Snitch to patch the holes.

② `pf` acts at the IP level and is not a replacement for an app-level firewall. It could conceivably be used to block 17.0.0.0/8, but that would lead to a near-Victorian collapse of the machine, a far cry from preventing FaceTime from phoning home, for example, or disabling AirDrop. The functionality of Little Snitch is by no means easy to recreate using packet-level firewalls.

③ We can only use `pf` on Big Sur because Apple allows us to. I am sure they have good reasons to ship and maintain `pf` for the time being, but we cannot assume it will be here forever: if Apple feels entitled to whitelist their own processes at the application level, they probably feel the same at whatever level. There is nothing to say they cannot customise `pf` further than they already have to whitelist their IPs, for example, independently from the configuration files — or remove it altogether in the name of safety.

Sadly, `pf`, while a valid short-term contender for an emergency patch, does not appear to be a long-term solution. The only solution is to send a clear message to Apple about this being a red line the community will not let them cross without a fight. Considering there are probably nine of us in the world caring about this, I am not holding my breath unless a powerful organisation builds an anti-trust or GDPR case around this — which can conceivably be done, with time, effort, and money considering Apple is introducing security risks and giving their own system processes an “unfair” advantage.

I saw an Apple engineer state on HN that Apple apps bypassing the firewall is a bug (https://news.ycombinator.com/item?id=25114679). I do wonder where the bug is and what it says of the filtering code, but still, maybe it’ll get fixed.

A bug? I don't see how it can be a bug. There's literally a "ContentFilterExclusionList" key in the Info plist of the NetworkExtensions framework with a list of Apple executables. This is the metaphorical smoking gun. https://twitter.com/lapcatsoftware/status/1327972847315267584
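A way to audit the exclusion list the comment above points at, as an added example that is not code from the page, from Apple, or from any of the firewall projects mentioned: it reads an Info.plist with the standard-library plistlib and returns the executables listed under ContentFilterExclusionList, so a defender can see which processes a filter-based firewall on Big Sur will never be shown. The framework plist path is an assumption about the macOS 11 layout and should be verified locally; the embedded sample plist and its placeholder paths are constructed so the script runs offline.

```python
"""List the executables a NetworkExtension Info.plist exempts from content filters.

Added example. The framework path is assumed, not taken from the page, and the
sample plist below is constructed with placeholder entries.
"""
import plistlib
import sys
from pathlib import Path
from typing import List

# Assumed location of the framework's Info.plist on macOS 11; verify locally.
NETWORK_EXTENSION_PLIST = Path(
    "/System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist"
)

# Constructed sample: the paths are placeholders, not Apple's real list.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.NetworkExtension</string>
    <key>ContentFilterExclusionList</key>
    <array>
        <string>/path/to/example-excluded-binary-a</string>
        <string>/path/to/example-excluded-binary-b</string>
    </array>
</dict>
</plist>
"""


def exclusion_list(plist_bytes: bytes) -> List[str]:
    """Return the ContentFilterExclusionList entries, or [] if the key is absent.

    An absent key is the state a user would want to confirm after a fix, so it
    is reported as an empty list rather than treated as an error. Any other
    shape for the value is rejected so a malformed file is not read as "clean".
    """
    info = plistlib.loads(plist_bytes)
    entries = info.get("ContentFilterExclusionList", [])
    if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
        raise ValueError("ContentFilterExclusionList is not an array of strings")
    return entries


def main(argv: List[str]) -> int:
    # Audit an explicit plist path, else the assumed framework plist if present,
    # else fall back to the constructed sample so the script still demonstrates.
    if len(argv) > 1:
        data = Path(argv[1]).read_bytes()
    elif NETWORK_EXTENSION_PLIST.exists():
        data = NETWORK_EXTENSION_PLIST.read_bytes()
    else:
        print("framework plist not found; auditing the constructed sample instead")
        data = SAMPLE_PLIST
    entries = exclusion_list(data)
    if not entries:
        print("no ContentFilterExclusionList: every process is subject to content filters")
        return 0
    print(f"{len(entries)} executable(s) exempt from content filters:")
    for path in entries:
        print(f"  {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on a Big Sur machine to read the assumed framework plist, or pass another Info.plist path; an empty result means the key is gone, which is what a user would check for after an update that claims to remove the exemption.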

LittleSnitch exempts LittleSnitch from LittleSnitch. The author is right, but he's also a flaming hypocrite.

@Gwash How do you mean? Little Snitch does prompt me to allow the connection when it tries to do a software update, for example.

You can definitely block the Little Snitch Helper and Little Snitch Software Update processes in Little Snitch.

@Juri: In that case, I have so many questions.

That user's bio doesn't say anything about Apple. Just "all comments are my own personal opinions". Is there anything to lead us to believe that *Apple* believes this is a bug?

They've known about this for at least a couple months. Besides the Little Snitch devs, I've also filed a bug report, and gotten no response. Why are they responding to other more trivial and difficult bugs, but not that one?

How could it be a bug when there's a file with a "ContentFilterExclusionList", if Apple's intent is not to let these applications bypass the firewall? Is the bug "we wrote a feature and don't think we should have"?

Some bloggers have reported success by simply editing this file. If Apple believes this is a bug, can't they fix it themselves in 2 minutes?

What does Quinn say? If there's one unofficial-official voice of Apple QA, it's Quinn, not "xenadu02".

@Jeff Johnson

You cannot. Little Snitch definitely exempts itself, for example in order to try and find cracked registrations.
