1183 points robenkleene | 125 comments
1. eptcyka ◴[] No.24839101[source]
Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

I won't share the other sentiments about the above, but is it really that hard to document these behaviors?

replies(22): >>24839205 #>>24839226 #>>24839281 #>>24839287 #>>24839352 #>>24839401 #>>24839503 #>>24839892 #>>24840087 #>>24840150 #>>24840234 #>>24840673 #>>24840752 #>>24841372 #>>24841670 #>>24842254 #>>24842446 #>>24843973 #>>24843982 #>>24845295 #>>24845368 #>>24847526 #
2. thewebcount ◴[] No.24839205[source]
Oh wow! This probably explains why every now and then when I wake my MacBook Pro from sleep it says no keyboard is connected! I thought I had some hardware problem on a basically brand new machine. Glad to hear it's only a stupid software problem!
replies(2): >>24839272 #>>24880735 #
3. dheera ◴[] No.24839226[source]
> wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard

... and what if your network is down? You can't even use your keyboard?

replies(2): >>24839239 #>>24844049 #
4. eptcyka ◴[] No.24839239[source]
I should've clarified - it only does this if there is a default route. Funnily enough, whilst the firewalls in the original twitter post would possibly fail to catch this traffic, PF will block it just fine.
replies(2): >>24839282 #>>24839522 #
5. dmd ◴[] No.24839272[source]
If you're using Cisco Anyconnect, blame that for that particular keyboard issue.
replies(8): >>24839337 #>>24839388 #>>24839439 #>>24839500 #>>24840392 #>>24840759 #>>24842173 #>>24910269 #
6. nateberkopec ◴[] No.24839281[source]
Holy cow, you just explained a load of weird keyboard behavior I was seeing after waking from sleep.
replies(1): >>24840138 #
7. xenospn ◴[] No.24839282{3}[source]
Having a default route does not mean the internet is reachable.
replies(2): >>24839342 #>>24839363 #
8. ◴[] No.24839287[source]
9. dylan604 ◴[] No.24839337{3}[source]
Why not blame the idiotic decision to make this network check just to wake up?
replies(1): >>24839658 #
10. eptcyka ◴[] No.24839342{4}[source]
I wish Apple agreed.

But on the other hand, there are use cases where checking for the existence of a default route is the best heuristic.

replies(1): >>24840572 #
11. gumby ◴[] No.24839352[source]
> but is it really that hard to document these behaviors?

I imagine it is, given the bureaucracy of a big company. Apple's documentation has long been really dreadful, mostly nonexistent and where it does exist, usually incomplete and even wrong. I've assumed it was because the code itself is developed by isolated groups while the documentation presumably has to touch all sorts of people (publishing, translation, language checks, ...) in a kind of Conway's law.

However, hard or not, writing comprehensive documentation is quite doable. I have never been a fan of the Windows programming model but I have long admired not just MS's documentation but the amount of effort and commitment they obviously put in.

Apple cares about some things but in this regard it appears they simply don't give a shit.

replies(3): >>24840071 #>>24840160 #>>24840950 #
12. easton ◴[] No.24839363{4}[source]
Probably why the other discussed function exists:

> Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

So if the default route doesn't exist yet since it's still checking for internet, it would let you use the keyboard. DHCP probably runs every time the NIC is turned on (like from sleep), and they could just disable this function if you've set a static default route (since they may not be able to reach their NTP server on that route).

replies(1): >>24839425 #
13. unethical_ban ◴[] No.24839388{3}[source]
It's any VPN software that is always-on.
14. tmd83 ◴[] No.24839401[source]
Unrelated but has anyone often had Chrome going on cpu usage rampage and unresponsive fairly frequently on 'wakeup from sleep'? It's almost certain to happen if the chrome has been updated and waiting to be restarted.
15. eptcyka ◴[] No.24839425{5}[source]
The default route verification is separate from the keyboard issue. I don't know exactly what is going on here, but in the above post what I mean by the system applying a default route is that the route isn't propagated to the system configuration's dynamic store and whatever macOS uses for netlink, i.e. the route doesn't show up in `route monitor` until the check finishes. However, I do believe it would still be used at some level, either on the T2 or in the kernel to do the NTP stuff.
replies(1): >>24839998 #
16. ClearAndPresent ◴[] No.24839439{3}[source]
Or Wireguard.

The absurdity of sitting in front of a frozen keyboard and trackpad for up to a minute before I can unlock the screensaver on a 2k machine has driven me spare. And now has driven me away from these astounding lemons.

This is the last Apple laptop for me.

17. wincy ◴[] No.24839500{3}[source]
Ugh, Cisco AnyConnect, had my MDM policy erroneously install the 32-bit version of it and removing it required finding a shell script in /opt/cisco and running to deregister it before I could install the updated version. So much fun!
18. dylan604 ◴[] No.24839503[source]
Apple touted the T2 chip as the bee's knees in security. Now, we have a vulnerability that cannot be defended against. However, Apple went all in on the security of this T2 chip so that you cannot replace the SSD (besides the method to manufacture). I appreciate the desire at making a device difficult for a bad actor to get to your data, but they epically failed and ultimately only made a user-hostile device. Oh, and the laptops with these chips also had the world's worst keyboard. Absolute trash.
replies(8): >>24839773 #>>24840191 #>>24840273 #>>24840861 #>>24841024 #>>24842626 #>>24842828 #>>24843964 #
19. joshspankit ◴[] No.24839522{3}[source]
This mindset probably explains why I have such issues with Apple products when my connection to the internet goes down, but the internal network infrastructure (including DNS server) is perfectly fine.
20. eptcyka ◴[] No.24839658{4}[source]
I think the threat model here is that someone might've swapped out your keyboard to one that's spying on you, whilst you're out at a conference enjoying the more social aspects of such gatherings. At the same time, if you were to not be connected to a network, this kind of verification wouldn't do anything.
replies(2): >>24839845 #>>24840429 #
21. rorykoehler ◴[] No.24839773[source]
Additionally charging on the left side ports makes the T2 chip overheat and crashes the machine on occasion.
replies(2): >>24840309 #>>24840819 #
22. junon ◴[] No.24839845{5}[source]
I don't believe this is ever the case. What happens if you legitimately installed a new keyboard? Will Apple just... prevent you from using it?
replies(2): >>24840115 #>>24843040 #
23. smolyeet ◴[] No.24839892[source]
do you have a source for the keyboard part? I experience odd delays in typing and this would definitely explain that.
replies(1): >>24840206 #
24. sroussey ◴[] No.24839998{6}[source]
The T2 has its own OS, so that makes sense.
25. dkdbejwi383 ◴[] No.24840071[source]
> Apple's documentation has long been really dreadful

Developer docs for most of their libraries are usually just the method name in a large font and the parameter types and that's it.

replies(1): >>24845500 #
26. dkdbejwi383 ◴[] No.24840087[source]
Hmm is this also why I can't use my bluetooth mouse at the login screen?
replies(1): >>24840377 #
27. dylan604 ◴[] No.24840115{6}[source]
I have a 2017 MBP. There are several keycaps that are no longer physically connected to the key, so if I tilt the laptop 4 or 5 keys fall off. I have been dealing with it by using an external Apple keyboard (with added benefit of having 10-key and full sized arrow keys). Since it's on a desktop in this config, I have it set to never sleep so luckily I have not seen this unwakeable fuck up.
replies(3): >>24840903 #>>24841010 #>>24841215 #
28. jidiculous ◴[] No.24840138[source]
I'm seeing this weird keyboard behaviour on wakeup with my 2012 MBP running Catalina too
29. sildur ◴[] No.24840150[source]
When I had the authenticate with watch option enabled, and for some reason the watch lagged, the Mac didn't allow me to log in with my password or finger.
30. LocalH ◴[] No.24840160[source]
Makes one wish Woz’s Apple was still around (and yes I know Jobs tried as hard as he could to put a monkey wrench into that at the time)
31. m463 ◴[] No.24840191[source]
T2 is a nightmare for people who want to reinstall. I reinstalled a machine for someone and it was a mess of 2fa and other nonsense.
replies(1): >>24841288 #
32. m463 ◴[] No.24840206[source]
The other odd delays are from gatekeeper checking each command you run via the network.
33. m463 ◴[] No.24840234[source]
check out their captive portal detection. It's a mess of apple-specific garbage.
34. MrMorden ◴[] No.24840273[source]
The new keyboard is no longer horrible beyond index. Unfortunately, it's merely adequate, which at least in my book is unacceptable for any $1k+ laptop, let alone $3k+.
replies(1): >>24841387 #
35. simonklitj ◴[] No.24840309{3}[source]
What if you have a model with ports only on the left-hand side? Does it crash it as well?
replies(2): >>24840629 #>>24840898 #
36. dvtrn ◴[] No.24840377[source]
Would certainly go a long way to explain why waking my MBP up after going AFK involves an affair that requires me to undock it from my vertical stand, entering password, and awkwardly trying to place it back into the stand, reconnecting peripherals while slapping the BT keyboard endlessly so it doesn't go back to sleep after login.

Quite annoying.

replies(1): >>24840816 #
37. ◴[] No.24840392{3}[source]
38. mulmen ◴[] No.24840429{5}[source]
Huh? When I’m out socializing there’s no spying to do. But as soon as I get back I will just log in and the spying begins.

I’m so accustomed to flaky peripherals with Apple products I wouldn’t even be alarmed at the behavior.

replies(1): >>24840777 #
39. Spivak ◴[] No.24840572{5}[source]
I mean that's what a default route is supposed to mean, right? That this machine can route to any address. It might not get there because of a firewall, or because nothing is at a given address but you're at least claiming to know what to do with a packet destined for anywhere.
replies(2): >>24841111 #>>24841417 #
40. imwillofficial ◴[] No.24840629{4}[source]
Mine doesn’t.
41. commandlinefan ◴[] No.24840673[source]
I was trying to figure out how my routing table was set up on my iPad and I found out that iOS doesn't expose any interface to routing tables, at any level of privilege. Very frustrating.
replies(1): >>24841611 #
42. ardy42 ◴[] No.24840752[source]
> Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

When did they start doing this? I'm still using High Sierra on my 2018 MBP work laptop, because the keyboard and trackpad was freezing for anywhere up to 5 minutes or more with Mojave after a wakeup (usually after a long sleep). Downgrading to High Sierra fixed it, but fighting with the machine was such a pain I haven't dared touch it since.

I'm wondering if you're describing the problem I was having, but could never figure out.

43. ryukafalz ◴[] No.24840759{3}[source]
Happens with the built-in, first-party VPN client as well. Definitely not just a Cisco issue.
44. johnmaguire2013 ◴[] No.24840777{6}[source]
I think you misunderstand.

The idea is that if your keyboard is replaced with a keyboard that has modified (hacked) firmware, your computer will refuse to let you use it.

To do this, it must obtain a cryptographic attestation from the keyboard firmware, proving that it has not been modified. Further, to avoid replay attacks it must include the current time in the message it signs. NTP is used by macOS to determine the current time, so as to verify the signature provided by the keyboard.

So, if NTP is slow to respond or time out, you are stuck waiting for your Mac to verify your keyboard's signature.

replies(5): >>24840891 #>>24841322 #>>24841492 #>>24842000 #>>24842664 #
45. ardy42 ◴[] No.24840816{3}[source]
> reconnecting peripherals while slapping the BT keyboard endlessly so it doesn't go back to sleep after login.

https://www.cru-inc.com/products/wiebetech/mouse_jiggler_mj-...

46. rootsudo ◴[] No.24840819{3}[source]
REALLY?

Okay, I'm going to test this.

I noticed odd hangings and cpu hitting high temps on a MBP 2018' w/ dell usb C dock on left side, meanwhile right side is fine but I had to reboot randomly and sometimes it will just crash.

And this is a MBP on a laptop stand.

replies(3): >>24841129 #>>24841144 #>>24841851 #
47. grishka ◴[] No.24840861[source]
> I appreciate the desire at making a device difficult for a bad actor to get to your data

That's what FileVault is for. I don't understand what's the problem T2 is trying to solve by its existence. Being able to use something else to read the data from a drive you pulled out of your computer, after decrypting it with your password, is a feature, not a bug. T2 is a regression, not an improvement in security. You can't call it a security product if you keep the master key, which Apple does.

replies(3): >>24841398 #>>24843832 #>>24925093 #
48. mulmen ◴[] No.24840891{7}[source]
I was thinking of an external keyboard. That might be the cause of confusion.
49. rorykoehler ◴[] No.24840898{4}[source]
I'm not sure. I have a 2019 mbp 16 with a dodgy logic board and while it crashes even without charging on the left it definitely crashes more often when charging on the left. I'm stuck in limbo because I need my machine for work. Will take it in when I have a break.

Some threads https://discussions.apple.com/thread/250905859

https://forums.macrumors.com/threads/2019-16-inch-macbook-pr...

replies(2): >>24841031 #>>24842647 #
50. ◴[] No.24840903{7}[source]
51. TheRealDunkirk ◴[] No.24840950[source]
> Apple's documentation has long been really dreadful, mostly nonexistent and where it does exist, usually incomplete and even wrong.

Anyone want to tell him about Microsoft's Azure or .NET documentation?...

It's the same all over.

replies(2): >>24841058 #>>24841526 #
52. hombre_fatal ◴[] No.24841010{7}[source]
Apple has a three year warranty which means yours may have run out or is about to run out.

If you still have time, get your keyboard replaced for free: https://support.apple.com/keyboard-service-program-for-mac-n... (it also means they have to replace your mobo and battery due to brilliant Apple engineering).

It doesn't fix the problem, but it resets the clock until they fall off again. In Texas, it was <48 hours between dropping my Macbook off at the Apple shop and receiving it on my doorstep.

replies(3): >>24841090 #>>24841241 #>>24841572 #
53. cute_boi ◴[] No.24841024[source]
Plus don't talk about display. It has a serious flaw. Like most macbook 2017 have lines on bottom due to apple placing controller in tcon board. What a trash.
54. dylan604 ◴[] No.24841031{5}[source]
Are the Apple Stores in your area even open to take the laptop in? I have delayed my attempt to get my keyboard looked at because of Covid.
replies(2): >>24841181 #>>24841328 #
55. gumby ◴[] No.24841058{3}[source]
Yeah, I am talking of the old windows mfc doc that came printed on paper.
56. dylan604 ◴[] No.24841090{8}[source]
The big question is will they extend the warranty by the number of months the Apple Stores were closed due to pandemic lock down? My keycaps didn't start misbehaving until about April.
57. ryukafalz ◴[] No.24841111{6}[source]
I think that’s a reasonable assumption for applications to make. I think that’s a less reasonable assumption for your keyboard to make.
58. dylan604 ◴[] No.24841129{4}[source]
I never had mine crash, but if I charge on the left hand side, the temp of the laptop increases to the point of needing the fan. Charging on the right hand side does not cause this problem. I had never paid attention to what side I was charging on until earlier this year when someone posted about it. After trying the right hand ports, I could see a difference.
59. fennecfoxen ◴[] No.24841144{4}[source]
Docks on the left side, or similar devices which provide both power and send data, seem to be particularly problematic. On advice of my employer's IT department I went from "spinning up new VMs in VirtualBox reliably leads to thermal excess, CPU throttling, and total system shutdown" to a system that actually works -- just by moving the dock connection to the right side.

It's a little funny because the advice used to be you should use the left-side USB-C ports first because they were faster (both for data and charge, IIRC?)

replies(2): >>24841458 #>>24841512 #
60. rorykoehler ◴[] No.24841181{6}[source]
In Berlin everything is pretty much open (loosely enforced indoor mask and social distancing mandates). They’re not trying to eliminate the virus here like they do in Singapore or Australia. They track 3 values and depending on the scores they escalate or ease restrictions.
61. wtf_srsly ◴[] No.24841215{7}[source]
> Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

I had the same thing happening to me but Apple changed the complete keyboard under their extended keyboard warranty program (even though it was out of Apple Care already).

62. wtf_srsly ◴[] No.24841241{8}[source]
48 hours is pretty optimistic. At least for the 2016 model they can't just change the keycaps but they'll have to change the whole bottom case. This took a few weeks for me since I had to send it to a certified repair center.
replies(1): >>24849542 #
63. GekkePrutser ◴[] No.24841288{3}[source]
Yeah if you want to wipe a laptop, make sure you unlink your user account first. It's Apple's theft protection, same as with their phones. It'll want to see a successful login with the Apple ID.
replies(1): >>24844938 #
64. GekkePrutser ◴[] No.24841322{7}[source]
So they introduce a major usability breaker (consider opening up your macbook on a plane with no internet access) to prevent a really obscure security issue that requires an attacker to replace the entire system's top case without you noticing. Nice.

At least give the user the ability to turn that off.

65. simonklitj ◴[] No.24841328{6}[source]
Have found success with pressing hard on stuck keys to unstick them.
66. winter_blue ◴[] No.24841372[source]
Another reason why I'm going to stick with Linux for the foreseeable future.

I just wish the font rendering situation on Linux was better though. Text (in browsers) just looks so bad on Linux compared to both Windows and mac.

replies(1): >>24842161 #
67. sdoering ◴[] No.24841387{3}[source]
I am at MB Pro #3 in as many years. We replace around 2 percent of our colleagues' machines per week. Some because of the keyboard (they go into repair and are rotated back) some because they stop working from one moment to the next (also into repair, but only once, after that if it happens again they're scrapped). All three of my MB Pro devices were in repair once because they stopped working costing me one additional day of setup of a temp device. And also one day for setting them up again after they came back. When they died for good another day for a temp replacement until the newly ordered one arrived and it was another day of setup. So I am currently quite well versed in setting up a MB Pro and have it scripted as far as I can thanks to homebrew and the like.

But replacing 2.5k every year with additional repairs in the 700 Euro range isn't viable.

Sadly we are primarily a Mac shop and I have to say that Keynote is by far the best piece of presentation software I know of. But none the less. The hardware is currently unacceptable imho.

68. derrick_jensen ◴[] No.24841398{3}[source]
One of the value props was the inability to reset and resell if it were lost or stolen. Now that it’s cracked there is more of an incentive to not try and find the owner.

As for actual data security you are probably right

replies(2): >>24841580 #>>24843893 #
69. ◴[] No.24841417{6}[source]
70. sdoering ◴[] No.24841458{5}[source]
What? I have to test this. I have my 4k monitor also providing power. Being a lefty I always plug it into the left side. Need to test this. Thanks for the information.
71. userbinator ◴[] No.24841492{7}[source]
If I was an attacker I would simply hook into the key matrix. The extra obfuscation in firmware is just user-hostile and stupid.
72. dylan604 ◴[] No.24841512{5}[source]
On one of the older MacBookPros, the left hand USB port was USB3 while the one on the right hand side was USB2
replies(1): >>24843845 #
73. userbinator ◴[] No.24841526{3}[source]
MS docs were great, but after they took down MSDN and let the "community" maintain them on Github, it's been going downhill.
74. dylan604 ◴[] No.24841572{8}[source]
I just followed your link, and had an interesting experience. Of all of the Apple Stores and Authorized Repair they do not appear to be accepting repairs. Every one of them tells me: "This location has no available reservations. You can check another location now, or check this location again tomorrow."

Can't even get far enough to see if the repair would be covered. Good job Apple

75. Siira ◴[] No.24841580{4}[source]
Is the crack in hardware or software? Any links on it? I thought the iPhones at least could not be reset by thieves?
replies(3): >>24842622 #>>24842687 #>>24844928 #
76. e28eta ◴[] No.24841611[source]
I think this is probably wrong. I don’t know what the interface is, but on my iPad running 14.0.1 this app shows a Routing Table that looks okay to me. https://networktools.he.net/
77. udev ◴[] No.24841670[source]
That's how typical Apple "magical/just works" features are implemented, i.e. very ugly behind the curtain.

Documenting means revealing the edge cases and the limitations, which engineering knows is the best kind of documentation. But marketing people are invested in the "magic".

Marketing people have too much sway at Apple.

78. mlindner ◴[] No.24841851{4}[source]
Yes it was with specific models, but it's got nothing to do with the T2 chip. https://apple.stackexchange.com/questions/363337/how-to-find...
79. likeclockwork ◴[] No.24842000{7}[source]
What happens if you have networking turned off or your WiFi isn't configured for the local network?
replies(1): >>24843409 #
80. Phlogi ◴[] No.24842161[source]
No, it's fine, just needs a bit of tweaking: https://aswinmohan.me/posts/better-fonts-on-linux/
replies(1): >>24845308 #
81. mschuster91 ◴[] No.24842173{3}[source]
So I'm not the only one?! Holy I thought I was going crazy, dropping out of the VPN meant a ten second freeze until a couple of weeks ago. Do you have any additional sources?
82. centimeter ◴[] No.24842254[source]
> your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard.

Holy shit, this is why my macbook sometimes won't let me log in for like 15 seconds on my shitty cellular hotspot connection? Absurd. Apple software has fallen so far from just 10 years ago.

replies(1): >>24843724 #
83. codezero ◴[] No.24842446[source]
The keyboard thing is new to me, wow that sucks. The other one sounds like a workaround for captive portals. I think there is some documentation on that wrt Safari and the built in networking, but it was mostly a workaround needed to deal with wifi hotspots that intercept dns until you pay/subscribe, and it causes safari to look hung - so they had to make it clear it wasn’t their browser hanging since it couldn’t make SSL connections.
replies(1): >>24843072 #
84. jeroenhd ◴[] No.24842622{5}[source]
A demo of the T2 hardware exploit on iMacs can be found here: https://blog.t8012.dev/plug-n-pwn/

From what I could find, the encryption keys of the T2 are still secure but the OS running on it is not. Wiping the SSD and/or repairing another might be enough to resell the device without any locks but I'm not 100% sure about that.

85. Dylan16807 ◴[] No.24842626[source]
> Apple went all in on the security of this T2 chip so that you cannot replace the SSD

That's not a security thing, really. It's easy enough to layer encryption on a normal SSD. It's their desire to make it some kind of do-everything auxiliary chip, which has the end result of weakening security.

86. ohmaigad ◴[] No.24842647{5}[source]
I also have 2019 MBP16 and i am using a dock/charging on the left side - i think the system froze once in a year so i don't seem to have this issue.
replies(1): >>24846251 #
87. Dylan16807 ◴[] No.24842664{7}[source]
> Further, to avoid replay attacks it must include the current time in the message it signs.

Use a counter...?

replies(1): >>24843413 #
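
The freshness options raised in this sub-thread (a signed timestamp, which only works if the verifier has a trustworthy clock, versus a counter or a verifier-chosen nonce, which need no clock), as an added example that is not part of any comment and is not Apple's protocol; the thread only speculates about the real mechanism. `Device`, `Host`, the key and the firmware hash are constructed for illustration, and HMAC stands in for a device signature.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo values. HMAC with a shared key is only a stdlib stand-in
# for a real asymmetric device signature.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"
FIRMWARE_HASH = hashlib.sha256(b"constructed firmware image v1").digest()
MAX_SKEW = 30  # seconds of clock difference the timestamp check tolerates


def _tag(key, kind, freshness, fw_hash):
    """MAC over a domain label, the freshness value and the firmware hash."""
    return hmac.new(key, kind + freshness + fw_hash, hashlib.sha256).digest()


class Device:
    """Hypothetical peripheral that attests to its firmware hash."""

    def __init__(self, key, fw_hash):
        self.key, self.fw_hash, self.counter = key, fw_hash, 0

    def attest_time(self, now):
        ts = struct.pack(">Q", now)
        return ts, _tag(self.key, b"time", ts, self.fw_hash)

    def attest_counter(self):
        self.counter += 1
        c = struct.pack(">Q", self.counter)
        return c, _tag(self.key, b"ctr", c, self.fw_hash)

    def attest_nonce(self, nonce):
        return _tag(self.key, b"nonce", nonce, self.fw_hash)


class Host:
    """Hypothetical verifier holding the expected firmware hash."""

    def __init__(self, key, expected_fw):
        self.key, self.expected_fw = key, expected_fw
        self.last_counter = 0
        self.pending_nonce = None

    def verify_time(self, ts, tag, host_clock):
        expected = _tag(self.key, b"time", ts, self.expected_fw)
        if not hmac.compare_digest(tag, expected):
            return False
        (t,) = struct.unpack(">Q", ts)
        # Freshness depends entirely on host_clock being correct.
        return abs(host_clock - t) <= MAX_SKEW

    def verify_counter(self, c, tag):
        expected = _tag(self.key, b"ctr", c, self.expected_fw)
        if not hmac.compare_digest(tag, expected):
            return False
        (n,) = struct.unpack(">Q", c)
        if n <= self.last_counter:  # already seen: replay
            return False
        self.last_counter = n
        return True

    def challenge(self):
        self.pending_nonce = os.urandom(16)
        return self.pending_nonce

    def verify_nonce(self, tag):
        nonce, self.pending_nonce = self.pending_nonce, None  # single use
        if nonce is None:
            return False
        expected = _tag(self.key, b"nonce", nonce, self.expected_fw)
        return hmac.compare_digest(tag, expected)


def run_demo():
    dev = Device(DEVICE_KEY, FIRMWARE_HASH)
    host = Host(DEVICE_KEY, FIRMWARE_HASH)
    r = {}

    t0 = 1_600_000_000  # constructed capture time
    ts, tag = dev.attest_time(t0)
    r["time_fresh"] = host.verify_time(ts, tag, host_clock=t0 + 2)
    # Same message replayed an hour later, host clock correct: rejected.
    r["time_replay_synced_clock"] = host.verify_time(ts, tag, host_clock=t0 + 3600)
    # Same replay, but the host clock was never synced and still reads ~t0.
    r["time_replay_stale_clock"] = host.verify_time(ts, tag, host_clock=t0 + 5)

    c, ctag = dev.attest_counter()
    r["counter_fresh"] = host.verify_counter(c, ctag)
    r["counter_replay"] = host.verify_counter(c, ctag)

    old = dev.attest_nonce(host.challenge())
    r["nonce_fresh"] = host.verify_nonce(old)
    host.challenge()  # new session, new nonce
    r["nonce_replay"] = host.verify_nonce(old)

    modified = Device(DEVICE_KEY, hashlib.sha256(b"constructed modified image").digest())
    r["modified_firmware"] = host.verify_nonce(modified.attest_nonce(host.challenge()))
    return r


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:26} accepted={ok}")
```
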
88. lioeters ◴[] No.24842687{5}[source]
> The mini operating system on the T2 (SepOS) suffers from a security vulnerable also found in the iPhone 7 since it contains a processor based on the iOS A10.

> ..Using the checkm8 exploit originally made for iPhones, the checkra1n exploit was developed to build a semi-tethered exploit for the T2 security chip, exploiting a flaw. This could be used to e.g. circumvent activation lock, allowing stolen iPhones or macOS devices to be reset and sold on the black market.

> Since sepOS/BootROM is Read-Only Memory for security reasons, interestingly, Apple cannot patch this core vulnerability without a new hardware revision.

Crouching T2, Hidden Danger (2020-10-05) https://ironpeak.be/blog/crouching-t2-hidden-danger/

89. jscipione ◴[] No.24842828[source]
It's ok, the T3-based MacBook Air is due out next month.
90. gowld ◴[] No.24843040{6}[source]
Before 2019 if you use the factory standard keyboard Apple will just prevent you from using it (butterfly).
91. eptcyka ◴[] No.24843072[source]
Cool, can you reference some docs or any communication from Apple re the captive portal workarounds?

It feels rather heavy handed as there are ways other systems have worked around this that don't hijack routes.

replies(1): >>24848606 #
92. johnmaguire2013 ◴[] No.24843409{8}[source]
Per the grandparent...

> At the same time, if you were to not be connected to a network, this kind of verification wouldn't do anything.

93. johnmaguire2013 ◴[] No.24843413{8}[source]
I'm not trying to defend Apple here, just explain the mechanism to the parent.
replies(1): >>24843607 #
94. Dylan16807 ◴[] No.24843607{9}[source]
Oh, okay. You said "must" so I was wondering if there was another important factor.
replies(1): >>24848935 #
95. protomyth ◴[] No.24843724[source]
Great... Well, that explains the crappy response on some bad connections.

I really wish Apple executives were forced to use their computers on crap wifi. Who am I kidding, I would imagine Tim Cook hasn't used a Mac in years.

96. jiveturkey ◴[] No.24843832{3}[source]
> I don't understand what's the problem T2 is trying to solve by its existence.

watch the 2 security briefings that Apple delivered at black hat. i think they are 3 years apart and each touched on different aspects. i might be misremembering and T2 is covered in just one of them.

97. jiveturkey ◴[] No.24843845{6}[source]
T3 vs USB3, not USB3 vs USB2.
replies(1): >>24850603 #
98. grishka ◴[] No.24843893{4}[source]
> One of the value props was the inability to reset and resell if it were lost or stolen.

It's sure one of those nice to have features, but there's no good reason why it has to be mandatory like it is. All in all, having a device purposefully retain some information when you factory reset it is user-hostile.

The "lost or stolen" argument also hardly holds for desktop computers like Mac Pro or Mac Mini or iMac, yet they still have T2s in them.

replies(2): >>24843967 #>>24845075 #
99. ◴[] No.24843964[source]
100. hayksaakian ◴[] No.24843967{5}[source]
It seems like this is a feature designed to shrink the "used" market for Apple products -- and not a user benefiting feature.
replies(1): >>24844092 #
101. LdSGSgvupDV ◴[] No.24843973[source]
OS is a weird design. It lets the machine belong to Apple/MS/Google not us, so they could update whatever they want or query to their website secretly. You can't even stop them because once you installed you agreed for all. You don't have choices to partially agree. It makes me feel like when you have a cecal surgery, the doctor also took out your foreskin for auto-updating.
102. leshenka ◴[] No.24843982[source]
I'm working from home now, and in my company we use Tunnelblick for vpn into corp network. VPN has time-based OTP so it never gets saved.

Sometimes when my MBP goes to sleep it loses wifi connection and VPN disconnects. When it wakes up, Tunnelblick asks for password, but it doesn't restore routes (I guess?). Basically no internet until I either enter password or click disconnect. At that moment I'm typing in my OS password and pressing Enter.

What then happens is that it waits for ≈30 seconds and then logs me in, as if it made a network request and waited until it timed out.

Could it be related to the issue you're describing?

103. aeyes ◴[] No.24844049[source]
That is exactly what happens if you use VPN clients.

The machine is basically frozen at login until some timeout hits.

104. grishka ◴[] No.24844092{6}[source]
But one of the things about Apple products that makes people okay with the exorbitant pricing is the resale value. I thought Apple themselves realized this?
replies(1): >>24866452 #
105. Polylactic_acid ◴[] No.24844928{5}[source]
Every device up to the iphone X has been cracked btw so the factory reset protection can be bypassed.
replies(1): >>24857504 #
106. Polylactic_acid ◴[] No.24844938{4}[source]
This is the worst. So many people seem to forget their apple ID password but remember their screen unlock password. I saw a case recently where someone had an attacker get access to their apple account as well as everything else. I was able to do a fresh install of their windows laptop but I was unable to reset the person's iphone because the attacker had changed the apple id password.

I have also seen many android devices bricked by the same anti theft protections.

replies(1): >>24846088 #
107. threeseed ◴[] No.24845075{5}[source]
> The "lost or stolen" argument also hardly holds for desktop computers

Why? People's houses get broken into all the time.

And probably 99.999% of laptops never leave a person's house.

108. spockz ◴[] No.24845295[source]
> For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard.

Aha, so this is why I need to put my MacBook back to sleep after waking on a spotty WiFi connection or when it was previously connected to a VPN which timed out during sleep!

109. winter_blue ◴[] No.24845308{3}[source]
Thank you!
110. gsteiner ◴[] No.24845368[source]
What's the DNS name and type that gets looked up?
111. saagarjha ◴[] No.24845500{3}[source]
Online documentation. For some reason the qualification is necessary because their header files have a bunch of information that whatever script or tool that generates the webpages doesn’t catch.
112. GekkePrutser ◴[] No.24846088{5}[source]
Yep we have a whole box full of perfectly good phones and that's just for one office :(

However Apple does unlock them if you can prove ownership. You need an invoice with serial number. It's a lot of hassle but it works. The reason for that box is that we didn't get serial numbers on the invoices for a long time :(

It's another one of those things that are supposedly for the benefit of the consumer but also really supports the company's bottom line by having to buy a new product. I'm always a bit dubious of their motives. I do see the benefit of such features. But they should have some kind of workaround for unlocking it. Such as a card with a QR code that you get with the phone and keep on file or something. Because theft isn't the only way you can get locked out. And since the fappening Apple is really difficult with resetting passwords, in some cases people just can't make it happen.

Android is even tougher but our local carrier can send them for repair to unblock them. Also, Samsung KME overrides the lock, which makes sense because it proves the device is company owned. I wish Apple DEP could do this too.

replies(1): >>24852841 #
113. rorykoehler ◴[] No.24846251{6}[source]
Did you buy the stock spec or custom?
replies(1): >>24889503 #
114. Zenbit_UX ◴[] No.24847526[source]
You actually just helped me diagnose a really annoying bug I've been having lately. When I wake up my Mac from sleep mode the keyboard and mouse are unresponsive for up to a few minutes in some extreme cases, sometimes I even have to hard reboot. I found online that it was related to VPNs trying to restore their connection but I could never find the link between the keyboard and the VPN.

It was also compounded by the VPN setting I use to disable all traffic until it successfully reconnects. Meaning whether my computer works or not is dependent on my VPN provider's reliability.

Now that I know Apple thinks I need an internet connection to wake up my laptop securely I'm quite pissed by this. Brand new $4k laptop is a paperweight if my VPN can't connect.

115. codezero ◴[] No.24848606{3}[source]
I don’t work for Apple, you might ask their developer support.

A quick search for Captive Network Assistant shows it’s not documented.

116. johnmaguire2013 ◴[] No.24848935{10}[source]
Sorry, that wasn't the best word choice. Certainly a counter is another viable way of performing that check. (And obviously comes with its own set of trade-offs which I'm not interested in performing value judgments on!)
117. hombre_fatal ◴[] No.24849542{9}[source]
That's the same for the 2017 model that I had to fix. I got a new mobo + battery. Convenient because my battery was in dire need of servicing.

I heard it would take weeks and even had a backup laptop ready, so it surprised me when it came <2 days later. It was my original laptop too (had all my data and the same dent).

Oh well, the new models don't have this issue anymore. What a fuck up.

118. dylan604 ◴[] No.24850603{7}[source]
I said OLDER MBPs. This was before TB3 was even a thing
119. Polylactic_acid ◴[] No.24852841{6}[source]
How old are the phones? Everything up till the X can be hacked now to bypass that, I was told. If the company has no use for them you could probably make a huge profit unlocking all of them.
120. Siira ◴[] No.24857504{6}[source]
Can you provide some links?
121. thewileyone ◴[] No.24866452{7}[source]
No, they want both you and the potential pre-owned Mac buyer to buy a new device each.
122. cbowns ◴[] No.24880735[source]
omgggg it's not just me?! I thought it was bad hardware. this is both good and bad news; at least I can sort out a way to mitigate this now.
123. ohmaigad ◴[] No.24889503{7}[source]
Stock with i9, 16GB RAM, Radeon 5500m, 1TB SSD
124. apple4ever ◴[] No.24910269{3}[source]
Oh my gosh this explains so much.

I blame Apple though for their terrible software.

125. ◴[] No.24925093{3}[source]