Security Researcher Highlights Potential Privacy Concerns on Macs with M1 Chip

BY Mahit Huilgol

Published 13 Nov 2020

Yesterday Apple launched macOS Big Sur to the general public. The latest macOS arrives with a host of new features. Many users faced issues while downloading and installing macOS Big Sur on their devices. A server outage caused the download/install failures, and it also affected the performance of users running macOS Catalina.

Download/install failures are pretty common whenever a new macOS update becomes available. However, it seems there is more to it than just a server outage. A security researcher has highlighted privacy and security concerns that will primarily affect Macs powered by Apple Silicon.

Initially, macOS users faced slow download times and frequent download failures. At the same time, some encountered an error while installing macOS Big Sur. Apple’s website was down, and other services like iMessage, Apple Maps, Apple Pay, and Apple Card faced outages. That’s not all; apps and other features on macOS Catalina started becoming sluggish after a failed update attempt.

Jeffrey Paul, a security researcher, has published his findings and highlights security and privacy issues in his blog post.

“On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.

It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.”

“Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings:

Date, Time, Computer, ISP, City, State, Application Hash

Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.”
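The launch-time check Paul describes above, as an added illustration (not Apple's code): a local TCP stand-in for the server, a client that sends the program hash in the clear, treats a refused connection as "allow the launch" (the fail-fast path), and a server that accepts but never answers, which is the slow case that only a bounded timeout rescues. The server also records what any on-path observer of plaintext traffic would see: time, client IP and hash. Hostnames, message format and hash values are constructed for the example.

```python
import socket
import threading
import time


def start_stalling_server(observed: list) -> int:
    """Accept each connection, record (arrival time, client IP, program hash)
    as a passive observer could, then never reply. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    held = []  # keep connections open so the client is left waiting

    def serve():
        while True:
            try:
                conn, (ip, _) = srv.accept()
            except OSError:
                return
            line = conn.recv(128).decode(errors="replace").strip()
            observed.append((time.strftime("%Y-%m-%d %H:%M:%S"), ip, line.split()[-1]))
            held.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def launch_check(app_hash: str, port: int, timeout_s: float):
    """Return (outcome, seconds waited); outcome names the code path taken."""
    start = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout_s) as s:
            s.sendall(f"CHECK {app_hash}\n".encode())  # unencrypted, as in the article
            reply = s.recv(64)
            outcome = "denied" if reply.strip() == b"REVOKED" else "allowed"
    except ConnectionRefusedError:
        outcome = "allowed: fail-fast (server unreachable)"
    except socket.timeout:
        outcome = "allowed: timed out waiting on a stalled server"
    return outcome, time.monotonic() - start


def unused_port() -> int:
    """A port nobody listens on, to model the offline / outage-refused case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(launch_check("deadbeef", unused_port(), timeout_s=2.0))
    seen = []
    print(launch_check("cafebabe", start_stalling_server(seen), timeout_s=0.3), seen)
```

Without the timeout argument the second call would block indefinitely, which is the behaviour users saw when the server was slow rather than down.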

Most of us might be thinking, “Who cares?” Well, the security researcher answers this question at length.

“Well, it’s not just Apple. This information doesn’t stay with them:

These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables.

These requests go to a third-party CDN run by another company, Akamai.

Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them.”

He quickly points out that an app called Little Snitch allows you to block all “computer-to-Apple communications.” You can choose to approve or deny each request without affecting the Mac’s functionality. To make such blocking harder, Apple has now included the request in the new “ContentFilterExclusionList” on macOS 11. In other words, the requests can no longer be blocked by third-party software or VPNs.

Security Concerns on New M1-Powered MacBooks

Apple’s M1-powered MacBooks feature “cryptographic protections” that allow the OS to boot only when the computer can “phone home.” Here is what Paul has to say about the new Macs powered by Apple Silicon.

“These machines are the first general purpose computers ever where you have to make an exclusive choice: you can have a fast and efficient machine, or you can have a private one. (Apple mobile devices have already been this way for several years.) Short of using an external network filtering device like a travel/vpn router that you can totally control, there will be no way to boot any OS on the new Apple Silicon macs that won’t phone home, and you can’t modify the OS to prevent this (or they won’t boot at all, due to hardware-based cryptographic protections).”

[via Jeffrey Paul]