Security for OCLP (OpenCore Legacy Patcher)

[houser]

@houser My answer is that it doesn't matter whether I know or can provide the steps for an exploit. This is a good discussion and could be very interesting, but I think it's one that needs a new thread (where I'd be happy to participate).

In the world of computer security, it is never safe to assume that one is safe if one cannot think of an exploit.

Understood. I do see your point and am just trying to educate myself and get a new point of reference at least
The ideas you present are familiar to me and are valid for a sealed MacOS too.
Which to me means the enlarged attack surface is what can be discussed in an other thread down the road.
I would certainly be interested. Many thanks again.

 

[deeveedee]

Which to me means the enlarged attack surface is what can be discussed in an other thread down the road.
I would certainly be interested. Many thanks again.

You are welcome. it is similar to the tradeoff one makes when deciding to buy a new car or continue to drive their old car that does not have air bags and anti-lock brakes. Read this.

Here's a tradeoff example from an old Readers Digest "Laughter the Best Medicine" that I remember reading:
A skydiver is about to jump out of an airplane without a parachute. His buddy asks, "Why no parachute?" The skydiver answers, "Because the straps will wrinkle my new shirt." The skydiver is making a tradeoff.

 

[5T33Z0]

I could be wrong, but Ventura 13.6 doesn’t need any Wi-Fi patches, with the latest OCLP 1.0.1: right (question for the experts)…?

It's only relevant to Sonoma and newer. Because during the early stages of macOS Sonoma development, kexts and frameworks responsible for using older Wi-Fi Cards were removed, leaving the Wi-Fi portion of commonly used BT/Wi-Fi cards in a non-working state.

The following Wi-Fi card chipsets are affected:

• "Modern"cards:
  • Broadcom:BCM94350 (incuding BCM94352), BCM94360, BCM43602, BCM94331, BCM943224
  • Required Kexts: IOSkywalkFamily, IO80211FamilyLegacy, AirPortBrcmNIC, AirportBrcmFixup, AirPortBrcmNIC_Injector.
• "Legacy"cards:
  • Atheros: AR928X, AR93xx, AR242x/AR542x, AR5418, AR5416 (never used by Apple)
  • Broadcom: BCM94322, BCM94328
  • Required Kexts: corecaptureElCap, IO80211ElCap, AirPortAtheros40 (for Atheros only)

Re-enabling the affected cards requires applying root patching with OCLP to restore the necessary framework (and settings?) for either category of cards. Ventura doesn't require root patches for Wi-Fi. If you want to know which patches are applicable to your Mac, run OCLP, click on the "Post Install root Patch" button and you see a list of availabe/applicable patches for your Mac and Version of macOS.

 

[deeveedee]

@houser and @5T33Z0 - I understand why there are questions about Wi-Fi patches before Sonoma. Ball of Neon (a Dev) posted here that Wi-Fi patches are not new to Sonoma. Within the context of our OCLP Security discussion, Wi-Fi patches are new to Sonoma and are not required prior to Sonoma. If there is anything that we're stating that is incorrect, I think a Dev will need to clarify for us.

 

[deeveedee]

@houser Your questions were excellent and stimulated thought that leads to another example for how exploits evolve.

Let's say that you are a hacker who is monitoring this thread (they definitely are). You realize that the hack that you have developed to exploit OCLP's Sonoma Wi-Fi root patching may now have limited success as more people are aware of the vulnerability (and may choose to stay with Monterey or Ventura instead of upgrading to Sonoma).

The smart hacker will adapt their exploit. Since OCLP is breaking the macOS seal to install graphics root patches (e.g., patches for non-metal NVidia Tesla), the hacker may, to the extent possible, modify their exploit or create a new exploit to capitalize on the graphics root patches and the broken macOS seal. This new hack that is now able to exploit OCLP vulnerabilities in Big Sur, Monterey and Ventura may have less potential than the exploit of Sonoma Wi-Fi root patches, but it may still be a successful, fruitful hack.

Not only do we need to be aware of potential current vulnerabilities, but we need to assume that there is at least one VERY intelligent, clever, sophisticated hacker who adapts their hacking strategy to the evolving attack surface. ... and we need to expect that this clever hacker is not posting their exploit in our list of known OCLP exploits.

EDIT: @houser, your desire to list known OCLP exploits is natural. Most users believe that if they can't think of any exploits (and if no one else in their trusted circle can think of any exploits), they are safe from hacks. It is actually a better approach to ask how OCLP protects from and responds to exploits. In the same way that I don't expect or need users to list the known OCLP exploits, I don't need or want Devs to specify and itemize their methods to thwart exploits. I'm only asking here for clear warnings about the potential vulnerabilities. I'm not asking for the vulnerabilities to be patched / closed (and I don't believe they will be) or for anyone to stop using OCLP because of the vulnerabilities. At the risk of sounding like a broken record, I'm just asking for transparency so that users in this forum and the many users who never visit this forum have a clear understanding of the risks that they KNOWINGLY accept when they use OCLP to patch their unsupported Mac.

 

[Sven G]

… About Wi-Fi in Sonoma with OCLP, one could also think: are other approaches possible, in order to use the built-in - not an external dongle - Wi-Fi with Sonoma, without patching Ventura drivers…? For example, would it be possible to port (open source?) Linux drivers to macOS? Probably not (for example, the HPLIP printing frameworks and utilities were never ported, even if it could have been an excellent achievement), because of differences in how the respective driver systems work: but, at least theoretically, it’s maybe worth a thought…

 

[5T33Z0]

But one could also think: are other approaches possible, in order to use the built-in - not an external dongle - Wi-Fi with Sonoma, without patching Ventura drivers…? For example, would it be possible to port (open source?) Linux drivers to macOS? Probably not (for example, the HPLIP printing frameworks and utilities were never ported, even if it could have been an excellent achievement), because of differences in how the respective driver systems work: but, at least theoretically, it’s maybe worth a thought…

As far as porting drivers from Linux is concerned, there's a kext called AppleIGC for Intel I225/I226 Ethernet NICs. I am using it on my Hackintosh. But I don't know if such an endeavour is possible for Wi-Fi.

 

[deeveedee]

@Sven G @5T33Z0
We have created another thread for this Wi-Fi discussion so that we don't clutter this one with Wi-Fi solutions.

Also, I hope that Devs are looking at ways to eliminate the Wi-Fi root patches in a way that emulates the way others have enabled Intel Wi-Fi. All of us need to accept that if the Devs do develop an alternative Wi-Fi solution that it is likely to make compromises (e.g., maybe no Airdrop).

 

[deeveedee]

… Anyway, if the Wi-Fi extensions are always taken from the latest Ventura release and regularly updated in OCLP, personally (YMMV) I don’t see too many reasons to be excessively concerned

We were already told by a Dev here that what you claim is NOT the case (which is why this is still a concern):

This is not as simple as it sounds. Updating kexts/frameworks that we've downgraded is a much bigger endeavor than most people think it is. There are a few reasons for this:

• Future updates may change/break things - this is why certain kexts/frameworks are pinned to point releases in the middle (ie. 11.3) as this was the latest working version
• If we update something, we now have to test on every single model that makes use of it, and version compatibilities also come into play
• Some of these downgraded kexts/frameworks are patched as well
• Some kexts/frameworks depend on other kexts/frameworks, and those kexts/frameworks could have the same issues

We can't backport security fixes either, Apple doesn't release the source code for frameworks and kexts. This is why pushing out any kind of security update is not simple at all.

Then there's kexts that were dropped that we add back, which we can't do anything about as Apple has simply stopped updating them.

Because of everything mentioned above (security is already compromised to begin with), updating kexts/frameworks has not been a priority for us. We will take a look to see what we can update without breaking things, but it's definitely not going to be quick.

This is a good time to remind everyone why this thread was created. There ARE security issues with OCLP. The OCLP Developers are some of the best developers I've ever seen, but they are a small group with limited resources. The OCLP Security concerns listed and discussed in this thread are inevitable because devs are human, humans make mistakes and the team is too small for us to expect rapid responses and fixes. And even if there are no mistakes, the security issues exist, because there may be no way to patch macOS for unsupported Macs without compromising security.

We are not attacking anyone and we won't help by sympathizing with anyone. We're creating awareness so that OCLP users are making informed decisions. This thread is exposing and discussing the real security concerns with OCLP so that users can make their own tradeoffs between features/capabilities and computer security.

EDIT: ... and just because, after my review of OCLP, I have decided the security risks are too great and that I will not use OCLP on my Mac that I use to access my bank records, trade stocks, use my Apple Developer account or do anything that requires secure credentials (include access my Facebook page), that does not mean that someone else shouldn't decide to accept the risks of using OCLP for their own purposes. We all have our own risk tolerance which is why the use of OCLP remains an individual, INFORMED, EDUCATED decision.

 

[Sven G]

^^^ Ooops: sorry, had almost forgotten about that (or, rather, I tend to be too optimistic, perhaps); so, I edited my post.

 

[deeveedee]

@Sven G No worries. If the 'Original poster' of this OCLP Security thread forgets that OCLP has computer security vulnerabilities, then we need this thread and warnings in OCLP app and documentation even more than I expected.

 

[Dilli]

I am indeed impressed by this thread with impact on security of patching. @deeveedee your comprehension analysis is indeed a time consuming research and well appreciated. Kudos for that.
On other hand I thank the developers too for creating the best tool for bringing a dead mac alive.
I am not passing any judgement but agree that security should equally be given importance. Cheers✌️

 

[deeveedee]

Explanation of Wi-Fi Security Vulnerabilities and the "Attack Surface"

I'm reluctant to post more information in this thread, because I don't want to clutter it and I think that Dev responses are going to be more important than mine. I'm also being extremely careful to review my posts (and posts of others) to make sure they are factual/accurate, because I know there are many (not just Devs, but also their well-deserved fans and supporters) waiting to pounce on any inaccuracies with the hope of dismantling arguments and damaging credibility. Note that none of the computer security concerns in this thread have been successfully challenged or disputed, let alone disproven. The computer security concerns in this thread are valid, undisputed and are not opinions.

After reviewing comments in this thread and in other threads, it has become apparent to me that most readers don't understand what is meant by "attack surface" and "security vulnerabilities." I'm not going to take the time to rehash these concepts which are well-defined and easily searched. What I will do is help to understand why I am less concerned about OCLP post-install patches for Big Sur, Monterey and Ventura (no Wi-Fi root-patches) than I am about Sonoma OCLP Wi-Fi root-patches. Warning: it is very possible that even with my extensive experience, I am being naive in assuming that other root-patches have a smaller attack surface than the Wi-Fi root patches. I do think it's a reasonable assertion.

Wi-Fi root patches have a greatly expanded attack surface (much more than graphics root patches). In addition to the vulnerability that exists because trusted framework in the secure dataflow is breached and modified (it's software and software has bugs), if Apple detects a Wi-Fi security flaw that needs an emergency repair or a Standards Body finds a flaw that needs a Wi-Fi architecture mod, these issues will NOT be addressed by Apple on the OCLP-Patched Mac running Sonoma. And if the Devs find an OCLP bug that exposes a Wi-Fi security vulnerability, they can't be expected to respond as quickly as Apple. The Devs will need time to learn about the bug, figure out a fix, implement the fix, test the fix on all OCLP-supported Macs and then deploy the fix via an updated version of OCLP. Then the user will need to fetch and apply the OCLP update and then manually apply new OCLP root-patches. Even if the Devs close the hole after a few days or a week or a month (that's ambitious), there is a window of opportunity for the hacker (who already knows about the vulnerability if the Devs know about it and who is already working to exploit it for criminal gain or malicious intent).

Wi-Fi may be the most likely avenue into a PC or Mac for a hacker (it's debatable, but it's certainly near the top). It is a likely medium through which a hacker at a coffee shop, an airport or a fast-food restaurant will gain access to the unsuspecting user. And that's if you connect to a "legitimate" Wi-Fi hotspot. If you inadvertently connect to the hacker's fake Wi-Fi hotspot, forget about it.

Anyone who claims that the vulnerabilities exposed by OCLP's Wi-fi root-patches can be "fixed" with application layer security (even something as well-known and trusted as SSL or something as irrelevant as Gatekeeper) has no idea what they are talking about and by making such statements, they only reveal their own ignorance (not a bad thing, they just aren't qualified to make the claim).

EDIT: I have not reviewed T1 patches. I cannot comment on these patches and cannot determine their vulnerability relative to Wi-Fi root patches.

EDIT2: I have already stated that you should not believe me and you should not trust me. Do your own homework to substantiate (or disprove) claims made in this thread. Search for and read articles like this. If you find information that contradicts any claims or statements in this thread, please post this information so that we can keep this thread factual and accurate and so that we can make corrections if necessary. As long as we keep this thread fact-based and not opinion-based, it will remain helpful to all who are concerned about computer security when using OCLP. Thank you.

 

[deeveedee]

Place-holder for new content

 

[TehFalcon]

Definitely one of the weirder threads I've read in years on MR.

I use OCLP on some work Mac's and security hasn't even crossed my mind with it. Generally macOS (especially the newest version at any given time) isn't a target, and good network level security, common sense, and macOS's Gatekeeper pretty much eliminates any security risk someone is going to have on an OCLP patched Mac.

Specifically being worried about the wifi kext's getting updates is pretty weird too because even Apple very very rarely updates them.

 

[deeveedee]

Definitely one of the weirder threads I've read in years on MR.

I use OCLP on some work Mac's and security hasn't even crossed my mind with it. Generally macOS (especially the newest version at any given time) isn't a target, and good network level security, common sense, and macOS's Gatekeeper pretty much eliminates any security risk someone is going to have on an OCLP patched Mac.

Specifically being worried about the wifi kext's getting updates is pretty weird too because even Apple very very rarely updates them.

I was going to take the time to respond, but then I realized there is no way you read this thread before making that statement. Either that, or you came to this thread with a prepared statement (more likely).

Read this. If I knew that there was such a thing as a macrumors "demi-god" I would have used that as my example instead of "macrumors god." No offense, but if you think that Wi-Fi works in Sonoma because the Devs replaced kexts, you need to do some homework (or read this thread).

EDIT: If tldr, read this.

EDIT2: Your post prompted me to add this. Please read this.

 

[TehFalcon]

I was going to take the time to respond, but then I realized there is no way you read this thread before making that statement. Either that, or you came to this thread with a prepared statement (more likely).

Read this. If I knew that there was such a thing as a macrumors "demi-god" I would have used that as my example instead of "macrumors god." No offense, but if you think that Wi-Fi works in Sonoma because the Devs replaced kexts, you need to do some homework (or read this thread).

EDIT: If tldr, read this.

EDIT2: Your post prompted me to add this. Please read this.

I did read the thread and it's a weird post because these security concerns really are unfounded.

Security by obscurity is the average persons #1 defense. All your attack methods are assuming the attacker is going to specific attack you and KNOW that you are using an outdated mac with OCLP in very specific scenarios (like a coffee shop as you say even though these attacks really just don't happen in the real world).

My comment about wifi kexts was a broad response to your assumption that Apple would actually update them and their frameworks, this very rarely is the case.

Are you being specifically targeted? Where are the reports of OCLP patched macs being specifically targeted? All these security concerns really would comprise of a very targeted attack, that even if the mac was left on its original outdated OS would be vulnerable to (assuming it's a pretty old mac that requires a lot of the root patches).

In the end, anyone using OCLP probably doesn't care about the security, they just want to keep their mac alive for a bit longer which is totally fine. Anyone who is security conscience isn't going to be doing this.

 

[deeveedee]

In the end, anyone using OCLP probably doesn't care about the security,... Anyone who is security conscience isn't going to be doing this.

Great. Then you and all the others who don't care about computer security should ignore this thread.

I'll state again that you can't have read this thread (I'm giving you the benefit of the doubt). You're asking questions that have already been answered here.

EDIT: I admit that I was joking when I referred to a "macrumors god" in this post. It never occurred to me that such a rating actually existed. To ensure accuracy, I have modified this post to include "macrumors demi-god." I'm going to voluntarily flag this post - that was a snarky comment.

EDIT2: In the interest of total transparency, I do not know TehFalcon and I do not believe they know me. This is the first we're "meeting" and "talking" as far as I know. I did not pay TehFalcon to ask questions or make statements that further substantiate and reinforce the claims and statements being made and discussed in this thread.

EDIT3: I have already stated that you should not believe me and you should not trust me (and if I ask you to believe me and trust me, that's when you should NOT believe me and trust me). Do your own homework to substantiate (or disprove) claims made in this thread. Search for and read articles like this. If you find information that contradicts any claims or statements in this thread, please post this information so that we can keep this thread factual and accurate and so that we can make corrections if necessary. As long as we keep this thread fact-based and not opinion-based, it will remain helpful to all who are concerned about computer security when using OCLP. Thank you.

 

[plunger]

I think you’re 100% on the money deeveedee. I’ve stopped using OpenCore about 12 months ago because of security concerns.

 

[deeveedee]

I think you’re 100% on the money deeveedee. I’ve stopped using OpenCore about 12 months ago because of security concerns.

The main point of this thread (so far) is that the OCLP app needs warnings (as discussed here) that are not buried in documentation.

The use of Open Core Legacy Patcher (OCLP) (which uses Open Core, but is not the same as Open Core) is definitely a personal preference. I have no problems or concerns with Acidanthera's Open Core (when used properly) and I use Open Core with confidence. My only concern about Dortania's OCLP within the context of this thread, is that the OCLP "Sales Pitch" and documentation convey and imply security (that could easily be assumed to be data security) when that is absolutely NOT the case.

The unsuspecting user who reads OCLP documentation and sees statements like "Built with Security in Mind" and "Experience macOS just like before" could easily assume that their data, digital identity and private credentials are just as safe on an unsupported, OCLP-patched Mac as on a Mac that is fully supported by Apple. As discussed and shown in this thread, that assumption would be incorrect and could place an unsuspecting user at risk depending on their use cases for their unsupported, OCLP-patched Mac.

As dhinakg (one of the main OCLP developers) notes in the last sentence here, "the likelihood that we can bring things up to the level of security that unpatched Macs have is slim, as there are too many things out of our control."

I estimate that OCLP could easily enjoy a life of 4 more years during which time many Intel-Mac owners would learn about and start using OCLP. As OCLP gains popularity and is adopted by Intel-Mac users who do not frequent MacRumors, those users are likely to use OCLP without taking necessary precautions to limit their potential exposure to data security vulnerabilities.

The OCLP app needs warnings (as discussed here) that are not buried in documentation.

EDIT: I think it's worth noting some of the issues (like Photos app crashes) that users are experiencing after upgrading OCLP from 1.0.1 to 1.1.0. The most noteworthy issue for me is that developers are human, humans make mistakes, software has bugs. It's not unreasonable to expect that there will be mistakes made and bugs introduced in the Wi-Fi post-install patches (and other post-install patches). It's also not unreasonable to expect that some bugs could expose and/or create exploitable security vulnerabilities (not all bugs result in easily-noticed app crashes). Given the small size of the OCLP developer team (two main developers at the time of this post), bugs could go unnoticed for long periods and when finally discovered, fixes to these bugs could take time (weeks or months) to fix, test and deploy. It's the nature of software and the difference between using an app developed and supported by a small (albeit capable) group and an unpatched macOS on a Mac that is fully supported by Apple and rigorously tested/certified by third-party labs.

EDIT2: The Photos app crash with OCLP 1.1.0 was resolved with a fix to OCLP post-install patches.

 

[deeveedee]

By now, I was hoping to see some signs that OCLP messaging and documentation would do more to transparently communicate and disclose OCLP security issues to the unsuspecting user. Instead, the OCLP messaging seems to be going the other way with the elimination of the "hobby project" description on the OCLP donate page.

Currently, a new OCLP user still sees messaging that claims "Built with security in mind" and "Experience macOS just like before" and now traces of the "hobby project" description are being erased. OCLP Devs are doing an amazing job of making OCLP easier to install with more "automatic" installation and update capabilities, which will most certainly lead to expanded OCLP adoption.

As OCLP adoption expands to Intel-Mac owners who do not review this thread, there is currently nothing that clearly and transparently warns them that their unsupported Macs running new versions of macOS are less secure than a Mac that is fully supported by Apple.

 

[Dilli]

Maybe they have changed their strategy.

 

[JustAnExpat]

I read this entire post/thread.

DISCLAIMER: I have never used OCLP before. I understand the principles and ideas behind it, and I support the project.

1. All information security needs to meet the balance of confidentiality, optimized integrity (where information is not changed while in transit), while still being available.

2. Every single computer system has flaws where the information can be revealed or modified. Violating information system controls - which is what OCLP does - increases the amount of flaws where information can be revealed to attackers.

3. The days of "I'm able to hack into your system with three clicks of the mouse" is long gone. A successful attack requires a user to perform some action to allow an attacker to acquire information on the machine.

4. Developers should be aggressively transparent on what their software can, and can not, do for security.

THEREFORE....

1. OCLP's developers should make it clear that OCLP should not be used in production environments, where external compliance (i.e. SOX 404) must be maintained, or where security must be maintained. This alert should exist in two places:
a. At downloading the patcher. It should be the top line in the GitHub.
b. A secondary warning during the start of the install.

2. Users should implement best practices (use a strong passphrase, use private browsing, use a VM with a patched version of Linux/ Windows 10) whenever accessing information they want to keep private (like bank account information, etc).

3. Users must use best practices to keep information secure. This includes not to open suspicious attachments, not to use their root password if a document asks for it, for a user to establish two accounts on the computer, etc.

I suggest implementing a warning that OCLP is not secure and not to use in a production environment, and maybe provide a link to NIST SP 800-12 for users to read - or another appropriate document. NIST SP 800-12 can be found at https://csrc.nist.gov/pubs/sp/800/12/r1/final

 

[JustAnExpat]

Currently, a new OCLP user still sees messaging that claims "Built with security in mind" and "Experience macOS just like before" and now traces of the "hobby project" description are being erased. OCLP Devs are doing an amazing job of making OCLP easier to install with more "automatic" installation and update capabilities, which will most certainly lead to expanded OCLP adoption.

I think you're being disingenuous with your claim. On the linked website, it states:

"For many machines, you're just as secure as a supported Mac.". Unless there is something specific they aren't mentioning, I believe it's true. On https://dortania.github.io/OpenCore-Legacy-Patcher/SONOMA-DROP.html#issues

it states that T1 security chip is not supported. Logically, that reduces security.

Is there anything specific that's flawed with OCLP?

 

[deeveedee]

@JustAnExpat Thank you for joining the conversation. As you recognized in your first post, this thread is requesting messaging transparency and clarity from OCLP Devs - specifically that messaging and warnings clearly state that an OCLP-patched Mac is not as secure as a Mac that is still fully supported by Apple (and thus does not need OCLP patching).

I won't rehash the security concerns common to all OCLP-patched Macs (partially disabled SIP, broken APFS Seal, root-patches that are not 3rd-party certified ...) since you have thoroughly read this thread. Nor will I rehash the security concerns for older OCLP-patched Macs that include the inability to apply Apple's Rapid Security Responses. Read this thread again for details on these OCLP security issues and read this post again for the messaging requests being made of the developers.

We have one of the primary developers admitting in this thread that "the likelihood that we can bring things up to the level of security that unpatched Macs have is slim" and yet you offer a quote where Devs are claiming "For many machines, you're just as secure as a supported Mac." At the very least, these two statements are in conflict. I would challenge anyone to provide the "many machines that are just as secure as a supported Mac" and would submit to you that the statement "you're just as secure as a supported Mac" is misleading and just plain false.

Again, all OCLP-patched Macs require SIP to be partially disabled, the APFS seal to be broken and uncertified root-patches to be applied to macOS. For all but the most limited of use cases, despite your quote that "many machines are just as secure as a supported Mac" there are no OCLP-patched Macs that are just as secure as a supported Mac.

I have worked hard to make sure that my posts are not opinions and are backed by facts. You have provided the quote "For many machines, you're just as secure as a supported Mac." It is only logical to ask that you (or someone) provide this list of OCLP-patched Mac models that are just as secure as supported Macs.