At Black Hat 2018, Patrick Wardle, research officer at Digita Security and founder of Objective-See (a Mac-oriented security company), demonstrated how relatively easy it is to bypass macOS firewalls.
The main problem, Wardle stated, is that the effectiveness of the built-in macOS firewall is limited because it blocks and monitors only incoming connections, while outgoing network traffic is not monitored at all.
“That means if a piece of malware does get on your system in some way, even if your Mac firewall is on, it’s not going to filter or block that (outbound) connection,” Wardle stated.
While testing third-party firewall products for macOS, he found that most of them let whitelisted processes do whatever they are designed to do, regardless of potential security problems. In the particular case of third-party macOS firewalls, if the firewall software recognizes the process (that is, it appears legitimate), the firewall lets it through.
“Basically, you could just name your malware the same name of the process,” Wardle explained. “The firewall isn’t even looking at the path, just the name.”
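The weakness Wardle describes is a rule store keyed on the process name alone. The following is an added illustration, not code from Wardle's talk or from any firewall product: it evaluates a few constructed outbound-connection events against a name-only allowlist and against one keyed on the full executable path plus the code-signing identifier. The paths, signing identifiers and event data are assumed sample values chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    """One outbound-connection event as a host firewall would see it (constructed)."""
    process_name: str
    executable_path: str
    signing_id: str      # identifier from the code-signing check; "" if unsigned
    remote_host: str

# Name-only allowlist: the weak scheme. Any binary named "Safari" passes.
NAME_ALLOWLIST = {"Safari", "mDNSResponder"}

# Stricter allowlist: full path AND signing identifier must both match.
# The identifiers below are assumed sample values for the example.
STRICT_ALLOWLIST = {
    ("/Applications/Safari.app/Contents/MacOS/Safari", "com.apple.Safari"),
    ("/usr/sbin/mDNSResponder", "com.apple.mDNSResponder"),
}

def allow_by_name(conn: Connection) -> bool:
    """Decision a name-only firewall would make."""
    return conn.process_name in NAME_ALLOWLIST

def allow_by_path_and_signature(conn: Connection) -> bool:
    """Decision when both the on-disk path and the signing identity are checked."""
    return (conn.executable_path, conn.signing_id) in STRICT_ALLOWLIST

# Constructed events: a genuine browser, an unsigned impostor that only shares
# the browser's name, a genuine system daemon, and an unlisted tool.
SAMPLE_EVENTS = [
    Connection("Safari", "/Applications/Safari.app/Contents/MacOS/Safari",
               "com.apple.Safari", "www.example.com"),
    Connection("Safari", "/private/tmp/Safari", "", "www.example.com"),
    Connection("mDNSResponder", "/usr/sbin/mDNSResponder",
               "com.apple.mDNSResponder", "dns.example.net"),
    Connection("curl", "/usr/bin/curl", "com.apple.curl", "www.example.com"),
]

def evaluate(events):
    """Return (name, path, name_only_verdict, strict_verdict) for each event."""
    return [
        (e.process_name, e.executable_path, allow_by_name(e), allow_by_path_and_signature(e))
        for e in events
    ]

def mismatches(events):
    """Events the name-only rule allows but the strict rule denies: the gap Wardle described."""
    return [e for e in events if allow_by_name(e) and not allow_by_path_and_signature(e)]

if __name__ == "__main__":
    for name, path, by_name, strict in evaluate(SAMPLE_EVENTS):
        print(f"{name:14} {path:48} name-only={by_name!s:5} strict={strict}")
```

Running the block shows the second event (the unsigned binary at `/private/tmp/Safari`) allowed by the name-only rule and denied by the stricter one; the other three events get the same verdict under both. On a real system the signing identity would come from the operating system's code-signing check rather than from a field in the event, but the comparison logic is the same.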
“An attacker could easily exfiltrate data to an iDrive account,” Wardle said. “A firewall would see this traffic and allow it because they fully trust that domain.” “Today our computers are so connected, that invariably there’s going to be some traffic that’s basically going to be allowed out – even if the firewall is set to be very restrictive,” he explained for the article. “From that it can intelligently choose a variety of ways to surreptitiously utilize either those same trusted protocols or the same trusted processes to piggyback off them, so if there’s a firewall sitting there, it’s going to see that request going through and say, ‘Hey, this is a DNS request from the daemon, I have to let it go through,’” he stated. “Such bypasses could be easily added to existing macOS malware to allow [attackers] to perform undetected bi-directional network communications – even on systems protected by firewall products.”
Experts are not aware of any publicly known or present malware that could bypass macOS firewalls in this way.