Skip to navigation Skip to content

Apple's Big Sur OS Update Allowing Apps to Bypass VPNs

Minute Read

Apple has long been a unique company that pushes the boundaries. They thrive on a culture of out-of-the-box thinking and independent operations. In some cases—like removing jacks or not including chargers under the guise of environmentalism—this presents an inconvenience for buyers. But their latest controversy is turning heads for reasons unrelated to design or ease of use.

MacOS Big Sur and the apps related to this latest release have the ability to bypass firewalls and VPNs. Cybersecurity experts explain that this bypass could pose a real privacy threat to end users. 

MacOS and Security Bypasses

Announced on Twitter (of all places) in October, one user found that some of the Apple apps, operating on the Big Sur OS, could bypass VPN apps and some network extensions. The case that brought it to attention was the Maps app, which could directly access the internet and bypass NEAppProxyProviders and NEFilterDataPRovider.

Ten years ago this may have been an easily overlooked issue, but the reality is that networks, more than ever, are host to sensitive information. This is because the global workforce is largely getting online from home in this day and age. 

In a work-from-home world, everyone from government agency employees to leaders in retail are logging into work or personal devices and getting on company networks. The data transmitted that way has been a huge target for hackers and companies have been diligent about implementing better security measures.

To learn that Apple is allowing these bypasses, as well as making traffic invisible to firewalls, is a cause for concern. Cybercriminals could easily use malware to exploit this situation, getting into the gap between a user’s firewalls and Apple apps. Personal data could easily be sent to remote servers.

This issue was discovered back on October 20 of 2020. By November 14, macOS Big Sur had exited beta and was released to the public, without any indication that the issue had been resolved.

-- Article continues below --Hardware VPN Resource Center

Visit the Hardware VPN Resource Center.

Apple Apps on an Exclusion List

Over 50 Apple apps are part of this exclusion list, which is undocumented but appears to include Apple Maps and FaceTime. So far, informal testing has revealed that only some firewall and VPN solutions for macOS are affected. A differentiating factor is how the services have been implemented. Which layer they are on in the networking stack matters.

Even if it isn’t all apps and even if it isn’t important apps that people use for work, the fact that Apple can bypass any firewall or software VPN solution is dangerous. Users have no easy way of knowing whether or not their internet traffic is being protected.

What About the Network Kernel Extension?

In previous versions of Apple operating systems, a complete macOS firewall could be enabled using the “kext,” or Network Kernel Extension. This was deprecated in lieu of network extensions. Unfortunately, these are the same network extensions that the Apple apps are bypassing in the Big Sur macOS.

The bottom line is that Apple apps are operating beyond the user’s control. Despite its rather rogue reputation, executives at Apple have made efforts to cooperate with other systems and better facilitate safe remote work environments.

Apple, Access and Remote Worker

In September of 2020, Apple Enterprise Management announced the upcoming rollout of Jamf iOS Device Compliance. The goal was to empower IT departments to better manage and secure the Macs, iPhones and iPads that are being used by remote workers. Building a bridge to Microsoft systems, the idea is to provide conditional access and restrict out-of-network activity.  

Even with these efforts, it’s clear that Big Sur macOS represents a vulnerability to end users. If the operating system itself is a possible place for compromise, better solutions than ever need to be obtained. Attila can help.

Solving the Problem with a Hardware VPN

The macOS situation is just another example that highlights the benefits of a purpose-built VPN solution that controls the entire stack, including the low-level OS/kernel. Hardware-based VPNs can help solve this problem.

Because hardware VPNs sit outside of the end user device, and create a layer that lives outside the device operating system, it prevents security flaws like this from causing problems. 

Hardware VPN Buyer's Guide