Black Hat 2018: Patrick Wardle on Breaking and Bypassing MacOS Firewalls


A Black Hat talk demonstrates the ease of poking holes in firewalls: How to break, bypass and dismantle macOS firewall products.

LAS VEGAS – Taking aim at the status quo of macOS firewalls, researcher Patrick Wardle has made his case for Apple and third-party security firms to beef up their protections.

At a session here at Black Hat 2018, Wardle, chief research officer at Digita Security and founder of Mac security company Objective-See, showed how easy it is to break, bypass and dismantle macOS firewall products.

For starters, Wardle pointed out that while macOS does have a built-in application firewall, its effectiveness is limited because it only blocks and monitors incoming connections; outgoing connections are not processed at all.

“That means if a piece of malware does get on your system in some way, even if your Mac firewall is on, it’s not going to filter or block that (outbound) connection,” Wardle said.

Those shortcomings put the spotlight on third-party macOS firewall solutions. But, even with those, Wardle uncovered problems. During his talk, Wardle showed that it’s fairly trivial to bypass these firewall products.

In a test of top third-party macOS firewall products, he found that some simply “look for” the name of the whitelisted process; if the process is recognized (and appears legitimate), the firewall lets the connection through.

“Basically, you could just name your malware the same name of the process,” he said. “The firewall isn’t even looking at the path, just the name.”
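As an added illustration (not code from the talk, from LuLu or from any of the products tested), the model below puts the name-only whitelist check Wardle describes next to one that also pins the executable path and the code-signing identity; the application name, paths and team ID are constructed placeholders.

```python
"""Added example: name-only process whitelisting versus a check that also
pins path and signer. All rules and connection events are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Dict


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as a host firewall would observe it.
    team_id stands in for the code-signing identity the OS reports for the
    process (a modelling assumption, not a specific macOS API)."""
    proc_name: str
    proc_path: str
    team_id: Optional[str]
    dest_host: str


@dataclass(frozen=True)
class Rule:
    proc_name: str
    proc_path: Optional[str] = None  # None: rule does not constrain path
    team_id: Optional[str] = None    # None: rule does not constrain signer


def allowed_by_name(conn: Connection, rules: List[Rule]) -> bool:
    """Weak check: any process carrying a whitelisted name is trusted."""
    return any(r.proc_name == conn.proc_name for r in rules)


def allowed_strict(conn: Connection, rules: List[Rule]) -> bool:
    """Hardened check: name, full path and signing identity must all match.
    An unsigned process (team_id None) never satisfies a rule naming a signer."""
    for r in rules:
        if r.proc_name != conn.proc_name:
            continue
        if r.proc_path is not None and r.proc_path != conn.proc_path:
            continue
        if r.team_id is not None and r.team_id != conn.team_id:
            continue
        return True
    return False


# Constructed rule: trust the genuine, signed SyncClient binary only.
APP_PATH = "/Applications/SyncClient.app/Contents/MacOS/SyncClient"
RULES = [Rule("SyncClient", APP_PATH, "TEAMID_PLACEHOLDER")]

GENUINE = Connection("SyncClient", APP_PATH, "TEAMID_PLACEHOLDER", "sync.example")
# Same name, different location, unsigned: the case described in the talk.
IMPOSTOR = Connection("SyncClient", "/Users/alice/Library/Caches/SyncClient",
                      None, "unknown.example")


def evaluate() -> Dict[str, bool]:
    """Decisions of both checks for the genuine client and the impostor."""
    return {
        "genuine_by_name": allowed_by_name(GENUINE, RULES),
        "impostor_by_name": allowed_by_name(IMPOSTOR, RULES),
        "genuine_strict": allowed_strict(GENUINE, RULES),
        "impostor_strict": allowed_strict(IMPOSTOR, RULES),
    }
```

Only the name-based check lets the impostor through; the strict check still admits the genuine client, so the extra constraints cost nothing in the legitimate case.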

In more worrisome findings, other firewalls simply check what domains a process is reaching out to. He points out that an attacker could easily host malicious software or plant a C2 hub on an iCloud domain in order to trick the firewall.

“An attacker could easily exfiltrate data to an iDrive account,” Wardle said. “A firewall would see this traffic and allow it because they fully trust that domain.”

Other bypass techniques for adversaries (when they already have a foothold on a system) include piggybacking on trusted application traffic.

“Today our computers are so connected, that invariably there’s going to be some traffic that’s basically going to be allowed out – even if the firewall is set to be very restrictive,” he said.

That creates an opportunity for an attacker to passively monitor what traffic is allowed by the firewall. “From that it can intelligently choose a variety of ways to surreptitiously utilize either those same trusted protocols for the same trusted processes to piggyback off them,” he said.

Examples include using the trusted DNS protocol in DNS tunneling attacks. On macOS, DNS requests are handled by a core Apple-trusted system daemon, so if malware (or a third-party application) tries to resolve a DNS name, the lookup is routed through that Apple daemon on the application’s behalf, he said.

“So if there’s a firewall sitting there, it’s going to see that request going through and say, ‘Hey, this is a DNS request from the daemon, I have to let it go through,’” he explained. “Such bypasses could be easily added to existing macOS malware to allow [attackers] to perform undetected bi-directional network communications – even on systems protected by firewall products.”

Wardle said he’s not trying to pick on firewall-makers, but rather, he’s pointing out their limitations and breaking any preconceived notion that they’re a panacea when it comes to fighting off malware. “You need to know your limitations with any product. You’re not going to buy a car and expect it to fly,” he said.

He also pointed out that macOS firewalls are several paces behind their Windows counterparts. Windows firewalls are more mature mainly because they have been a bigger target for attackers for so long, he said.

Wardle said he wasn’t aware of any publicly available Mac malware that has any firewall bypasses in them; however, “I would confidently say that advanced adversaries that are developing persistent Mac implants know they are going to have no problem passing these products,” he said.

In an effort to encourage development of better host-based macOS firewall products, Wardle released the open-source LuLu firewall earlier this year. The code is hosted on GitHub, and he hopes it will serve as a starting point for more robust macOS firewalls in the future.
