Firewalls aren’t just for corporate networks. Large numbers of security- or privacy-conscious people also use them to filter or redirect traffic flowing in and out of their computers. Apple recently made a major change to macOS that frustrates these efforts.
Beginning with Big Sur released last week, some 50 Apple-specific apps and processes are no longer routed through firewalls like Little Snitch and Lulu. The undocumented exemption came to light only after Patrick Wardle, a security researcher at a Mac and iOS enterprise developer Jamf, disclosed the change over the weekend.
In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.)
Q: Could this be (ab)used by malware to also bypass such firewalls?
A: Apparently yes, and trivially so pic.twitter.com/CCNcnGPFIB
— patrick wardle (@patrickwardle) November 14, 2020
“100% blind”
To demonstrate the risks that come with this move, Wardle—a former hacker for the NSA—demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure. He set Lulu to block all outgoing traffic on a Mac running Big Sur and then ran a small programming script that interacted with one of the apps that Apple exempted. The python script had no trouble reaching a command and control server he set up to simulate one commonly used by malware to receive commands and exfiltrate sensitive data.