Black Hat 2018: Patrick Wardle on Breaking and Bypassing MacOS Firewalls

A Black Hat talk demonstrates the ease of poking holes in firewalls: How to break, bypass and dismantle macOS firewall products.

LAS VEGAS – Taking aim at the status quo of macOS firewalls, researcher Patrick Wardle has made his case for Apple and third-party security firms to beef up their protections.

At a session here at Black Hat 2018, Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, showed how easy it is to break, bypass and dismantle macOS firewall products.

For starters, Wardle pointed out that while macOS does have a built-in application firewall, its effectiveness is limited because it only monitors and blocks incoming connections; outgoing connections are not processed at all.

“That means if a piece of malware does get on your system in some way, even if your Mac firewall is on, it’s not going to filter or block that (outbound) connection,” Wardle said.

Those shortcomings put the spotlight on third-party macOS firewall solutions. But even with those, Wardle uncovered problems. During his talk, he showed that it’s fairly trivial to bypass these firewall products.

In a test of top third-party macOS firewall products, he found that some simply “look for” the name of the whitelisted process. And if the process is recognized (and appears legitimate) the firewall lets the connection through.

“Basically, you could just name your malware the same name of the process,” he said. “The firewall isn’t even looking at the path, just the name.”

In more worrisome findings, other firewalls simply check which domains a process is reaching out to. He pointed out that an attacker could easily host malicious software or plant a C2 hub on an iCloud domain in order to trick the firewall.

“An attacker could easily exfiltrate data to an iDrive account,” Wardle said. “A firewall would see this traffic and allow it because they fully trust that domain.”
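The two weak checks described above (matching only the process name, and trusting a destination domain regardless of which process talks to it) are easy to model side by side with a rule that binds the allow decision to the binary's path and signing identity. The following is an added illustration, not code from Wardle's talk or from any firewall product; the `Connection` and `Rule` types, the sample events, the paths and the signer strings are constructed for the example, and the `signer` field stands in for what a real macOS firewall would obtain from the code-signing APIs.

```python
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt, as a host firewall observes it."""
    proc_name: str            # executable basename: the only thing a name-based rule sees
    proc_path: str            # absolute path of the executable on disk
    signer: Optional[str]     # code-signing identifier; None if unsigned (illustrative field)
    dest_host: str
    dest_port: int


@dataclass(frozen=True)
class Rule:
    """An allow rule; every field that is set must match for the rule to apply."""
    proc_name: Optional[str] = None
    proc_path: Optional[str] = None
    signer: Optional[str] = None
    host_glob: Optional[str] = None
    ports: Optional[FrozenSet[int]] = None


def matches(rule: Rule, conn: Connection) -> bool:
    return (
        (rule.proc_name is None or rule.proc_name == conn.proc_name)
        and (rule.proc_path is None or rule.proc_path == conn.proc_path)
        and (rule.signer is None or rule.signer == conn.signer)
        and (rule.host_glob is None or fnmatch.fnmatchcase(conn.dest_host, rule.host_glob))
        and (rule.ports is None or conn.dest_port in rule.ports)
    )


def allowed(policy: List[Rule], conn: Connection) -> bool:
    """Default-deny: an outbound connection passes only if some rule matches it."""
    return any(matches(rule, conn) for rule in policy)


# Constructed sample events (paths, hosts and signer strings are illustrative).
SAFARI_PATH = "/Applications/Safari.app/Contents/MacOS/Safari"
GENUINE = Connection("Safari", SAFARI_PATH, "com.apple.Safari", "www.example.com", 443)
# Same basename, different binary: exactly what a name-only rule cannot tell apart.
IMPOSTOR = Connection("Safari", "/Users/alice/Downloads/Safari", None, "www.example.com", 443)
# Unknown, unsigned process talking to a domain the firewall treats as trusted.
UNKNOWN_TO_TRUSTED = Connection("helper", "/private/tmp/helper", None, "uploads.trusted-cloud.example", 443)

# Policy 1: name-only matching, the weak check described in the talk.
NAME_ONLY = [Rule(proc_name="Safari")]
# Policy 2: domain-only trust, "allow anything that goes to that domain".
DOMAIN_ONLY = [Rule(host_glob="*.trusted-cloud.example")]
# Policy 3: bind the rule to the binary's path and signer and scope the ports.
HARDENED = [
    Rule(proc_path=SAFARI_PATH, signer="com.apple.Safari", ports=frozenset({80, 443})),
]


def evaluate() -> dict:
    """Decision of each policy for each sample event: (policy, event) -> allowed?"""
    policies = {"name_only": NAME_ONLY, "domain_only": DOMAIN_ONLY, "hardened": HARDENED}
    events = {"genuine": GENUINE, "impostor": IMPOSTOR, "unknown_to_trusted": UNKNOWN_TO_TRUSTED}
    return {(p, e): allowed(pol, ev) for p, pol in policies.items() for e, ev in events.items()}


if __name__ == "__main__":
    for (policy, event), verdict in sorted(evaluate().items()):
        print(f"{policy:12s} {event:20s} {'ALLOW' if verdict else 'BLOCK'}")
```

Running it shows the name-only policy allowing both the genuine Safari and the impostor, the domain-only policy allowing an unknown binary because of where it is going, and the hardened rule allowing only the signed binary at its expected path. Path plus signer is a necessary check, not a sufficient one: the later part of the talk explains how traffic can ride on a trusted process that does pass such a rule.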

Other bypass techniques for adversaries (when they already have a foothold on a system) include piggybacking on trusted application traffic.

“Today our computers are so connected, that invariably there’s going to be some traffic that’s basically going to be allowed out – even if the firewall is set to be very restrictive,” he said.

That creates an opportunity for an attacker to passively monitor what traffic is allowed by the firewall. “From that it can intelligently choose a variety of ways to surreptitiously utilize either those same trusted protocols for the same trusted processes to piggyback off them,” he said.

Examples include using the trusted DNS protocol in DNS tunneling attacks. On macOS, DNS requests are handled by a core, Apple-trusted system daemon, so if malware (or any third-party application) tries to resolve a DNS name, the request is routed through that daemon on the application’s behalf, he said.

“So if there’s a firewall sitting there, it’s going to see that request going through and say, ‘Hey, this is a DNS request from the daemon, I have to let it go through,’” he explained. “Such bypasses could be easily added to existing macOS malware to allow [attackers] to perform undetected bi-directional network communications – even on systems protected by firewall products.”
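Because the firewall only ever sees the system resolver as the requesting process, a per-process rule cannot catch DNS tunneling; what can is looking at the queries themselves. The following detector is an added example, not code from the talk or from any firewall product: it reads constructed resolver log lines (timestamp, client, query name, record type, a format assumed for the example) and flags a client/base-domain pair whose subdomain labels are long, high-entropy, or mostly TXT/NULL lookups, the pattern tunnels produce when they encode data into query names. The tunnel-like names are generated from SHA-256 digests purely as sample data, and the "last two labels" base-domain split is a simplification that ignores public-suffix rules.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def sample_log() -> List[str]:
    """Constructed resolver log: a few ordinary lookups plus a burst of tunnel-like queries."""
    lines = [
        "2018-08-09T10:00:01Z 192.0.2.10 www.apple.com A",
        "2018-08-09T10:00:02Z 192.0.2.10 gateway.icloud.com A",
        "2018-08-09T10:00:03Z 192.0.2.10 www.apple.com AAAA",
        "2018-08-09T10:00:04Z 192.0.2.10 ocsp.apple.com A",
        "2018-08-09T10:00:05Z 192.0.2.10 www.apple.com A",
    ]
    # Encoded-looking labels under a reserved .example domain (sample data, not a real host).
    for i in range(8):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"2018-08-09T10:01:{i:02d}Z 192.0.2.10 {label}.t.tunnel.example TXT")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than words like 'www' or 'ocsp'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(lines: List[str], min_queries: int = 5, entropy_thr: float = 3.2,
            len_thr: int = 30, txt_thr: float = 0.5) -> Dict[Tuple[str, str], dict]:
    """Group queries by (client, base domain) and score each group for tunneling traits."""
    groups = defaultdict(list)
    for line in lines:
        _ts, client, qname, qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        base = ".".join(labels[-2:])              # simplification: no public-suffix list
        sub = labels[0] if len(labels) > 2 else ""  # leftmost label carries encoded data
        groups[(client, base)].append((sub, qtype.upper()))

    report = {}
    for key, recs in groups.items():
        subs = [s for s, _ in recs if s]
        n = len(recs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs) if subs else 0.0
        mean_len = sum(len(s) for s in subs) / len(subs) if subs else 0.0
        txt_frac = sum(1 for _, q in recs if q in ("TXT", "NULL")) / n
        reasons = []
        if n >= min_queries:                      # ignore one-off lookups
            if mean_ent >= entropy_thr:
                reasons.append("high-entropy labels")
            if mean_len >= len_thr:
                reasons.append("long labels")
            if txt_frac >= txt_thr:
                reasons.append("mostly TXT/NULL queries")
        report[key] = {
            "queries": n,
            "mean_entropy": round(mean_ent, 2),
            "mean_label_len": round(mean_len, 1),
            "txt_fraction": round(txt_frac, 2),
            "reasons": reasons,
            "suspicious": bool(reasons),
        }
    return report


def flagged(lines: List[str]) -> List[Tuple[str, str]]:
    """(client, base domain) pairs that tripped at least one heuristic."""
    return sorted(k for k, v in analyze(lines).items() if v["suspicious"])


if __name__ == "__main__":
    for key, stats in sorted(analyze(sample_log()).items()):
        print(key, stats)
```

The thresholds are starting points, not tuned values: CDN hostnames and some anti-malware and telemetry products legitimately emit long, hash-like labels, so in practice the score should be reviewed per base domain rather than blocked outright, and the query-rate and query-count baselines should come from the host's own history.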

Wardle said he’s not trying to pick on firewall-makers, but rather, he’s pointing out their limitations and breaking any preconceived notion that they’re a panacea when it comes to fighting off malware. “You need to know your limitations with any product. You’re not going to buy a car and expect it to fly,” he said.

He also pointed out that macOS firewalls are several paces behind their Windows counterparts. Windows firewalls are more mature mainly because they have been a bigger target for attackers for so long, he said.

Wardle said he wasn’t aware of any publicly available Mac malware that includes firewall bypasses; however, “I would confidently say that advanced adversaries that are developing persistent Mac implants know they are going to have no problem passing these products,” he said.

In an effort to encourage development of better host-based macOS firewall products, Wardle released the open-source LuLu firewall earlier this year. The code is hosted on GitHub and he hopes it will serve as a starting point for more robust macOS firewalls in the future.

Discussion

  • Lawrence on

    I think most common users understand these days that nothing is secure on a connected device anymore. They have either accepted the fact or simply don’t care, taking a c’est la vie attitude. I think being aware of where you are on the Internet and thinking before clicking contributes more to an individual’s security than firewalls or AV software installed.
  • Joe on

    I'm not sure that this point of view has much value. Windows Firewall is not much better in its default configuration at preventing outbound traffic, and it is such a pain to try to configure manually that almost nobody at home does it. Does Windows prevent a rogue app from using components of other allowed apps to send data? Anyway, I have long abandoned the idea of trying to use a two-way firewall, as trying to understand and allow process by process while Windows keeps changing and adding new processes is not great or that useful if you don't have any malware in. Yes, defense in layers is great, but sometimes you need to be reasonable. I wouldn't say Windows is a two-way firewall in practice for most users, so I am a bit surprised about this "shocking" fact that macOS isn't.
