
basslik

macrumors 6502
Feb 22, 2008
414
74
I feel pretty good. I only use OCLP for running Pro Tools and nothing else.

I still have to do updates on software and plugins, but none have any financial info.
 

Subarctic5216

macrumors newbie
Mar 27, 2024
3
1
Excellent read this thread. Bottom line, if you value security and privacy you should be buying new hardware that is still in software support with Apple.

Once Apple stops supporting Intel in the next year or two, this project will have nowhere else to go.

Great point. Excellent thread! Security is important, a never-ending battle.
My 2 OCLP Macs are desktops. A Mac mini 2014 7,1 and iMac 27" Late 2015 17,1. Sonoma 14.4.1/OCLP 1.4.2.
They are always at home with my LAN and Wi-Fi behind a firewall (Firewalla Gold+) and blocked from ingress WAN.
This being said, what, if any, is my threat exposure with OCLP on a home network?
A big thanks to the OCLP Developers for keeping my trusty old Macs out of the landfill. And thanks to all the knowledgeable people here on MR!
 
  • Like
Reactions: Wheel_D

deeveedee

macrumors 65816
May 2, 2019
1,257
1,723
Peoria, IL United States
@Subarctic5216 I'm not trying to be alarmist, but I want you to understand the worst-case scenario, so that you can act according to your own risk tolerance and security posture...

Apple has wisely implemented multiple layers of security in macOS. These layers include SIP, a sealed APFS Volume and SecureBoot. Even Apple knows that it is foolish to rely on a single security measure, because software and hardware inevitably have flaws that can be exploited.

In order for OCLP to work its magic, it must defeat/disable these security measures to permit unauthorized frameworks and kernel extensions to be injected into macOS (e.g., graphics extensions and Wi-Fi frameworks). With this compromised security, your Mac may be more vulnerable to exploits introduced by websites that you visit, software that you download and USB thumb drives that you insert - even if you are on your home network.

Only you know how careful you are to avoid these potential exploits and only you know what additional measures you take to ensure the security of your Mac. But no matter how careful you are to recognize the phishing e-mail that you receive, if you fall into a trap only once with inadequate security protections, you could inadvertently allow a hacker to exploit a security vulnerability. Use your judgment to determine how much personal / private information you store on an OCLP-patched Mac, what websites you visit with an OCLP-patched Mac and what secure / private credentials you employ on an OCLP-patched Mac -- regardless of whether the OCLP-patched Mac is on your home network or a public Wi-Fi hotspot.

You should also be aware that, depending on the nature of the exploit, a PC or Mac on a private network can be used as a gateway for hackers to other PCs or Macs on that private network. Again, not to be alarmist, but to make sure you understand the worst-case scenario.

Since OCLP-patched Macs are not subject to any third-party security certifications (which are resource intensive and expensive), there is no way to know the extent to which an OCLP-patched Mac is vulnerable to hacker exploits. "It works, therefore it must be ok" is not a wise security assessment.
 
  • Like
Reactions: Wheel_D

Subarctic5216

macrumors newbie
Mar 27, 2024
3
1
@Subarctic5216 I'm not trying to be alarmist, but I want you to understand the worst-case scenario, so that you can act according to your own risk tolerance and security posture...

Apple has wisely implemented multiple layers of security in macOS. These layers include SIP, a sealed APFS Volume and SecureBoot. Even Apple knows that it is foolish to rely on a single security measure, because software and hardware inevitably have flaws that can be exploited.

In order for OCLP to work its magic, it must defeat/disable these security measures to permit unauthorized frameworks and kernel extensions to be injected into macOS (e.g., graphics extensions and Wi-Fi frameworks). With this compromised security, your Mac may be more vulnerable to exploits introduced by websites that you visit, software that you download and USB thumb drives that you insert - even if you are on your home network.

Only you know how careful you are to avoid these potential exploits and only you know what additional measures you take to ensure the security of your Mac. But no matter how careful you are to recognize the phishing e-mail that you receive, if you fall into a trap only once with inadequate security protections, you could inadvertently allow a hacker to exploit a security vulnerability. Use your judgment to determine how much personal / private information you store on an OCLP-patched Mac, what websites you visit with an OCLP-patched Mac and what secure / private credentials you employ on an OCLP-patched Mac -- regardless of whether the OCLP-patched Mac is on your home network or a public Wi-Fi hotspot.

You should also be aware that, depending on the nature of the exploit, a PC or Mac on a private network can be used as a gateway for hackers to other PCs or Macs on that private network. Again, not to be alarmist, but to make sure you understand the worst-case scenario.

Since OCLP-patched Macs are not subject to any third-party security certifications (which are resource intensive and expensive), there is no way to know the extent to which an OCLP-patched Mac is vulnerable to hacker exploits. "It works, therefore it must be ok" is not a wise security assessment.
Very insightful info.
These security issues you mentioned are another reason to be proactive and cautious everywhere all the time. I am.
Thanks for the clarifications about my particular configuration and not just WiFi.
Hopefully I can move up to Apple Silicon some day. The end of Intel support is not far off.
~Cheers
 

dumastudetto

macrumors 603
Aug 28, 2013
5,067
7,258
Los Angeles, USA
@Subarctic5216 I'm not trying to be alarmist, but I want you to understand the worst-case scenario, so that you can act according to your own risk tolerance and security posture...

You should also be aware that, depending on the nature of the exploit, a PC or Mac on a private network can be used as a gateway for hackers to other PCs or Macs on that private network. Again, not to be alarmist, but to make sure you understand the worst-case scenario.

Since OCLP-patched Macs are not subject to any third-party security certifications (which are resource intensive and expensive), there is no way to know the extent to which an OCLP-patched Mac is vulnerable to hacker exploits. "It works, therefore it must be ok" is not a wise security assessment.

It’s not alarmist at all. Many of the worst hacks ever start from the exploitation of a single weakness from one client or server. That gets them onto your network to start exploiting other vulnerabilities across all other devices connected to your network.

The information you are putting up here is critically important
 

shafez

macrumors 6502
Jul 3, 2011
274
157
United States
I have been reading through this thread and other threads over the internet and all I can find is warnings. The attacker could and could and could, and no evidence that an attack has happened due to disabling SIP. I may be wrong, but it seems that disabling SIP is not a big deal and not as dangerous as we are made to think.
 
  • Like
Reactions: turbineseaplane

Wheel_D

macrumors regular
Jan 13, 2016
132
33
One could keep one's door unlocked, too. Is it a safe practice simply because the person never reported a home invasion?
 
  • Like
Reactions: shafez

deeveedee

macrumors 65816
May 2, 2019
1,257
1,723
Peoria, IL United States
I have been reading through this thread and other threads over the internet and all I can find is warnings. The attacker could and could and could, and no evidence that an attack has happened due to disabling SIP. I may be wrong, but it seems that disabling SIP is not a big deal and not as dangerous as we are made to think.
If you don't care, then this thread isn't for you. The point of this thread is that OCLP documentation and in-app messaging do not even have any warnings. Prior to this thread, the documentation said "you're just as safe as with a fully-supported Mac." The documentation was revised as a result of a request in this thread. This thread isn't telling anyone not to use OCLP - it's just making sure that users understand what macOS security features are disabled/defeated by OCLP in order to enable unsupported versions of macOS.

Following your logic, there is no reason that Apple implemented SIP, sealed APFS volumes and Secure Boot. Also, to cherry-pick SIP and ignore the other disabled/defeated Apple security measures is a bit naive.

Read this.
 

JonaM

macrumors regular
Sep 26, 2017
171
174
I have been reading through this thread and other threads over the internet and all I can find is warnings. The attacker could and could and could, and no evidence that an attack has happened due to disabling SIP. I may be wrong, but it seems that disabling SIP is not a big deal and not as dangerous as we are made to think.
As with all subjects it's all about your risk and your subjective evaluation of risk, which makes it very challenging to decide as people generally like a nice and clear 'yes or no' answer.

It's unlikely that using OCLP and the disabling of the additional security measures to allow that will on its own lead to the compromise of your Mac. Given the niche usage of OCLP it's also unlikely that someone would go to the effort of building an exploit that assumes it's present*
Would I use OCLP to extend the lifespan of a Mac that is no longer receiving Apple security updates to allow it to get patches via installing a supported OS? Yes - I would evaluate that having the applications patched is less risk than having SIP disabled.
Would I do it if I was in a job that someone might be targeting me for? No - I would want a full secure stack (and cost of hardware replacement to achieve that).

*This may well change if AI-driven tools that allow the building of easy exploit chains become viable and used - security through obscurity was always unwise, but it may well become untenable if exploits become more automated and personalised [/opinion piece]
 

shafez

macrumors 6502
Jul 3, 2011
274
157
United States
If you don't care, then this thread isn't for you. The point of this thread is that OCLP documentation and in-app messaging do not even have any warnings. Prior to this thread, the documentation said "you're just as safe as with a fully-supported Mac." The documentation was revised as a result of a request in this thread. This thread isn't telling anyone not to use OCLP - it's just making sure that users understand what macOS security features are disabled/defeated by OCLP in order to enable unsupported versions of macOS.

Following your logic, there is no reason that Apple implemented SIP, sealed APFS volumes and Secure Boot. Also, to cherry-pick SIP and ignore the other disabled/defeated Apple security measures is a bit naive.

Read this.
I think you need to cool the pace and be less aggressive defending your thoughts, also try to refer to other resources than your posts to make them trustworthy.
No offense, best regards.

One could keep one's door unlocked, too. Is it a safe practice simply because the person never reported a home invasion?
Good point and well noted, thank you.
 
  • Like
Reactions: JonaM

deeveedee

macrumors 65816
May 2, 2019
1,257
1,723
Peoria, IL United States
...try to refer to other resources than your posts to make them trustworthy.
No offense, best regards.
No offense taken. If I were stating opinions, then I would need other sources. Let me know which of the facts that I've stated are incorrect.

I think you need to cool the pace and be less aggressive defending your thoughts
This thread is 5 months old. The points stated in the thread haven't changed. Please forgive me for the aggressive pace. I tend to get frustrated when users who haven't read the entire thread state their unfounded, unsubstantiated opinions to offer rebuttal to the facts stated here.
 

deeveedee

macrumors 65816
May 2, 2019
1,257
1,723
Peoria, IL United States
It's unlikely that using OCLP and the disabling of the additional security measures to allow that will on its own lead to the compromise of your Mac.
Based on what? While you "qualify" this statement later in your post with "Would I do it if I was in a job that someone might be targeting me for? No," it is not possible to make a blanket statement about the likelihood of a compromise without knowing the use case. ... and even then, it is not possible without extensive penetration/vulnerability testing.

Would I do it if I was in a job that someone might be targeting me for? No - I would want a full secure stack (and cost of hardware replacement to achieve that).
Exactly. The information presented here is only to inform and allow OCLP users to make informed decisions based on their risk tolerance and use cases.

I am an OCLP donator and user. I think what the OCLP devs have achieved is incredible. I remain disappointed that OCLP documentation neglects to disclose the Apple security measures that are disabled/defeated by OCLP. This thread is one of the only sources that discloses OCLP security issues for the interested user.
 

deeveedee

macrumors 65816
May 2, 2019
1,257
1,723
Peoria, IL United States
Disabling SIP is not dangerous.
Using OCLP is dangerous.
While tempting to make black and white statements about security, making blanket statements like this does not help and is probably what agitates the OCLP fans who feel compelled to defend OCLP and the Devs. In matters of security (especially where there are not tests/certifications by accredited entities), it is best to state the potential vulnerability and then for users to make informed decisions based on their risk tolerance and their use cases. OCLP has its place and can extend the useful life of Macs for many users whose use cases are not compromised by a combination of all or some of disabled SIP, disabled Secure Boot, broken APFS seal and injection of a modified Wi-Fi framework that is no longer updated by Apple.
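
For readers who want to see which of the protections named in this thread are off on a given Mac, the following is an added example (not written by any poster or by the OCLP project) that classifies the output of `csrutil status`, `csrutil authenticated-root status` and `diskutil apfs list`. The function names are hypothetical, and the matched wording (`status: enabled`, `Custom Configuration`, `Sealed: Broken`) is an assumption about those tools' output that may differ between macOS versions; Secure Boot state is not covered.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report SIP, authenticated-root and
# system-volume seal state. Parsers read command output on stdin, so saved
# output from another machine can be checked too.

# `csrutil status` / `csrutil authenticated-root status`
# prints: enabled | disabled | custom | unknown
csr_state() {
  local out; out=$(cat)
  case "$out" in
    *"Custom Configuration"*) echo custom ;;   # tested first: a partial config
    *"status: enabled"*)      echo enabled ;;  # must not be read as enabled
    *"status: disabled"*)     echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# For a custom SIP configuration, list the individual protections that are off.
# "Apple Internal" is skipped: disabled is its normal value on retail machines.
sip_disabled_parts() {
  sed -n 's/^[[:space:]]*\(.*\): disabled$/\1/p' | grep -v '^Apple Internal$' || true
}

# `diskutil apfs list`: broken if any volume reports a broken seal, sealed if a
# sealed volume or snapshot is listed, otherwise unsealed (assumed line format).
seal_state() {
  local out; out=$(cat)
  if   printf '%s\n' "$out" | grep -Eq 'Sealed:[[:space:]]+Broken'; then echo broken
  elif printf '%s\n' "$out" | grep -Eq 'Sealed:[[:space:]]+Yes';    then echo sealed
  else echo unsealed
  fi
}

audit_this_mac() {
  local sip; sip=$(csrutil status)
  echo "SIP:                $(printf '%s\n' "$sip" | csr_state)"
  printf '%s\n' "$sip" | sip_disabled_parts | sed 's/^/  off: /'
  echo "Authenticated root: $(csrutil authenticated-root status | csr_state)"
  echo "System volume seal: $(diskutil apfs list | seal_state)"
}

# Run the live audit only where the macOS tools exist.
if command -v csrutil >/dev/null 2>&1; then
  audit_this_mac
else
  # Constructed sample of `csrutil status` output, for offline use.
  printf 'System Integrity Protection status: disabled.\n' | csr_state
fi
```

The result describes configuration state only; it says nothing about whether the machine has been compromised.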
 