Patrick Wardle: How to break, bypass and dismantle macOS firewall products

“Taking aim at the status-quo of macOS firewalls, researcher Patrick Wardle has made his case for Apple and third-party security firms to beef up their protections,” Tom Spring reports for Threatpost. “At a session here at Black Hat 2018, Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, showed how easy it is to break, bypass and dismantle macOS firewall products.”

“For starters, Wardle pointed out that while macOS does have a built-in firewall, its effectiveness is limited because it only blocks and monitors incoming connections; there’s no processing of outgoing connections, he points out,” Spring reports. “‘That means if a piece of malware does get on your system in some way, even if your Mac firewall is on, it’s not going to filter or block that (outbound) connection,’ Wardle said.”

“Those shortcomings put the spotlight on third-party macOS firewall solutions,” Spring reports. “But, even with those, Wardle uncovered problems. During his talk, Wardle showed that it’s fairly trivial to bypass these firewall products.”

Read more in the full article here.

MacDailyNews Note: As Spring reports, in an effort to encourage development of better host-based macOS firewalls, Wardle released the open-source LuLu firewall earlier this year. The code is hosted on GitHub and he hopes it will be serve as a starting point for more robust macOS firewalls in the future. More info here.

5 Comments

  1. It is good to call this to people’s attention. Picking on existing firewall products is like attacking the low hanging fruit though.

    Security, like most things, is a layered or tiered issue. Firwalls local to your machine address only what is happening on the end node level.

    I particularly find Little Snitch to be of good use. It keeps a constant menubar traffic meter running and you know what your computer is sending or receiving lots of data, even though you aren’t running software that should be doing that.

    It also checks with you before allowing different processes to complete their connections, in the same way LuLu does. I’m fairly certain that it at least matches the capabilities of LuLu and It does keep you aware and in the loop.

In fact many people dislike Little Snitch because it is so effective and bothersome. You find out things though. I remember one odd one, where every time I started the macOS calculator program, it called home to Apple. What the heck was that for? After a little while it stops bothering you so much as you’ve told it what you allow and don’t.

    Still we’re only talking about the end node here, and the best way to address zombie traffic on a network is with a good firewall/router. You want one that logs everything, and allows you a significant amount of control. I like the Synology routers for this. 

You control everything that goes in and out with the router. This means you’re protecting yourself from naughty IOT devices, hacked modems trying to reach into your network, other computers on the network and so on.

    I start off by blocking everything, then sit down and by using my computer determine which protocols and/or ports I wish to allow traffic for. 

Synology Routers also have plugin apps that you can download including things like VPN. This is not a VPN in the sense of you obfuscating your outgoing traffic, but one that allows you to connect remotely as if you are there, on the local network. This allows you to set up many services so that they are only available to people on the local network. Then if you wish to connect, you use the VPN to connect and you for all intents and purposes right there on the network.

    1. they could just buy objective dev, but i’d rather have an outside party making a firewall like this, otherwise you run the risk of the OS maker letting things through that they don’t want you to know about.

      people are too trusting of apple..

Add Your Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.