1183 points robenkleene | 1 comments
eptcyka No.24839101
Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2-equipped MacBook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

I won't share the other sentiments about the above, but is it really that hard to document these behaviors?

replies(22): >>24839205 #>>24839226 #>>24839281 #>>24839287 #>>24839352 #>>24839401 #>>24839503 #>>24839892 #>>24840087 #>>24840150 #>>24840234 #>>24840673 #>>24840752 #>>24841372 #>>24841670 #>>24842254 #>>24842446 #>>24843973 #>>24843982 #>>24845295 #>>24845368 #>>24847526 #
thewebcount No.24839205
Oh wow! This probably explains why every now and then when I wake my MacBook Pro from sleep it says no keyboard is connected! I thought I had some hardware problem on a basically brand new machine. Glad to hear it's only a stupid software problem!
replies(2): >>24839272 #>>24880735 #
dmd No.24839272
If you're using Cisco Anyconnect, blame that for that particular keyboard issue.
replies(8): >>24839337 #>>24839388 #>>24839439 #>>24839500 #>>24840392 #>>24840759 #>>24842173 #>>24910269 #
dylan604 No.24839337
Why not blame the idiotic decision to make this network check just to wake up?
replies(1): >>24839658 #
eptcyka No.24839658
I think the threat model here is that someone might've swapped out your keyboard to one that's spying on you, whilst you're out at a conference enjoying the more social aspects of such gatherings. At the same time, if you were to not be connected to a network, this kind of verification wouldn't do anything.
replies(2): >>24839845 #>>24840429 #
mulmen No.24840429
Huh? When I’m out socializing there’s no spying to do. But as soon as I get back I will just log in and the spying begins.

I’m so accustomed to flaky peripherals with Apple products I wouldn’t even be alarmed at the behavior.

replies(1): >>24840777 #
johnmaguire2013 No.24840777
I think you misunderstand.

The idea is that if your keyboard is replaced with a keyboard that has modified (hacked) firmware, your computer will refuse to let you use it.

To do this, it must obtain a cryptographic attestation from the keyboard firmware, proving that it has not been modified. Further, to avoid replay attacks it must include the current time in the message it signs. NTP is used by macOS to determine the current time, so as to verify the signature provided by the keyboard.

So, if NTP is slow to respond or times out, you are stuck waiting for your Mac to verify your keyboard's signature.

replies(5): >>24840891 #>>24841322 #>>24841492 #>>24842000 #>>24842664 #
Dylan16807 No.24842664
> Further, to avoid replay attacks it must include the current time in the message it signs.

Use a counter...?

replies(1): >>24843413 #
johnmaguire2013 No.24843413
I'm not trying to defend Apple here, just explain the mechanism to the parent.
replies(1): >>24843607 #
Dylan16807 No.24843607
Oh, okay. You said "must" so I was wondering if there was another important factor.
replies(1): >>24848935 #
johnmaguire2013 No.24848935
Sorry, that wasn't the best word choice. Certainly a counter is another viable way of performing that check. (And obviously comes with its own set of trade-offs which I'm not interested in performing value judgments on!)
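The two freshness mechanisms argued about above (a signed timestamp, which makes the host depend on trusted time, versus a monotonic counter, which makes the host keep state) side by side, as an added example that is not part of the thread and not Apple's implementation. It assumes a shared HMAC key standing in for whatever signing scheme the real keyboard uses, constructed firmware digests, and a 60-second acceptance window; all of those are illustrative choices, not details from the page.

```python
import hmac
import hashlib

# Constructed demo key shared by host and keyboard. A real design would use an
# asymmetric key pair with the private key held inside the keyboard; HMAC keeps
# the example short, and the freshness logic is the same either way.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed stand-ins for the hash of the genuine and a tampered firmware image.
GENUINE_FIRMWARE = hashlib.sha256(b"constructed genuine firmware image").hexdigest()
TAMPERED_FIRMWARE = hashlib.sha256(b"constructed tampered firmware image").hexdigest()


def _mac(key, *fields):
    """Authenticate the joined fields; the separator avoids field-boundary ambiguity."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


# --- Variant 1: timestamp freshness (the mechanism described in the thread) ---

def keyboard_attest_ts(key, firmware_digest, device_time):
    """Keyboard side: sign its firmware digest together with the current time."""
    return {"digest": firmware_digest, "ts": device_time,
            "mac": _mac(key, firmware_digest, device_time)}


def host_verify_ts(key, expected_digest, response, host_time, window_s=60):
    """Host side. Needs trusted wall-clock time, which is the NTP dependency.
    Returns (accepted, reason)."""
    if host_time is None:
        return False, "no trusted time available; cannot judge freshness"
    if not hmac.compare_digest(response["mac"],
                               _mac(key, response["digest"], response["ts"])):
        return False, "bad signature"
    if response["digest"] != expected_digest:
        return False, "firmware digest mismatch"
    if abs(host_time - response["ts"]) > window_s:
        return False, "stale timestamp (possible replay)"
    return True, "ok"


# --- Variant 2: monotonic counter freshness (the alternative raised in the thread) ---

class Keyboard:
    """Keyboard with a counter that only ever increases."""
    def __init__(self, key, firmware_digest):
        self.key = key
        self.firmware_digest = firmware_digest
        self.counter = 0

    def attest(self):
        self.counter += 1
        return {"digest": self.firmware_digest, "ctr": self.counter,
                "mac": _mac(self.key, self.firmware_digest, self.counter)}


class Host:
    """Host that remembers the highest counter it has accepted; no clock needed."""
    def __init__(self, key, expected_digest):
        self.key = key
        self.expected_digest = expected_digest
        self.last_ctr = 0

    def verify(self, response):
        if not hmac.compare_digest(response["mac"],
                                   _mac(self.key, response["digest"], response["ctr"])):
            return False, "bad signature"
        if response["digest"] != self.expected_digest:
            return False, "firmware digest mismatch"
        if response["ctr"] <= self.last_ctr:
            return False, "counter not advanced (possible replay)"
        self.last_ctr = response["ctr"]  # must persist across sleeps in a real host
        return True, "ok"


def demo():
    """Run both variants against fresh, replayed and tampered responses."""
    results = {}
    resp = keyboard_attest_ts(DEVICE_KEY, GENUINE_FIRMWARE, device_time=1_700_000_000)
    results["ts_fresh"] = host_verify_ts(DEVICE_KEY, GENUINE_FIRMWARE, resp, 1_700_000_005)
    # Same bytes presented an hour later: outside the window, so rejected.
    results["ts_replay"] = host_verify_ts(DEVICE_KEY, GENUINE_FIRMWARE, resp, 1_700_003_600)
    # Host has no trusted time yet (NTP not answered): no decision possible.
    results["ts_no_clock"] = host_verify_ts(DEVICE_KEY, GENUINE_FIRMWARE, resp, None)
    bad = keyboard_attest_ts(DEVICE_KEY, TAMPERED_FIRMWARE, device_time=1_700_000_000)
    results["ts_tampered"] = host_verify_ts(DEVICE_KEY, GENUINE_FIRMWARE, bad, 1_700_000_005)

    kb, host = Keyboard(DEVICE_KEY, GENUINE_FIRMWARE), Host(DEVICE_KEY, GENUINE_FIRMWARE)
    r1 = kb.attest()
    results["ctr_fresh"] = host.verify(r1)
    results["ctr_replay"] = host.verify(r1)        # identical response again: rejected
    results["ctr_next"] = host.verify(kb.attest())  # counter advanced: accepted
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The trade-off the last two posts gesture at shows up directly: the timestamp host returns no verdict at all until it has a trusted clock, while the counter host needs no clock but has to store the last accepted counter across sleep and power loss, and the keyboard's counter must never roll back, or a genuine keyboard is rejected as a replay.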