
aircat

macrumors newbie
Original poster
Aug 10, 2022
8
4
Over the last few days, Little Snitch has shown identityservicesd trying to make outgoing connections to server(s) in China. Is this a mistake on Little Snitch's part (I've contacted them), or is this connection attempt location real? Once I saw the location, I blocked these requests.

Hostname is init.ess.apple.com, with several IP addresses listed.

I'm in the US and there's no reason on my part for any connection to Chinese servers.

Sonoma 14.1, btw.

Any ideas? Many thanks.
 

aircat

macrumors newbie
Original poster
Aug 10, 2022
8
4
Thanks so much, poorcody.

If I'm doing this correctly, some of the IP addresses may be to China Telecom or China Unicom. The addresses, according to Little Snitch:

112.240.57.248
113.5.170.192
124.239.244.193
218.60.20.177
61.161.1.46
 

TinyMito

macrumors 6502a
Nov 1, 2021
862
1,224
According to my DNS log:

1698689650702.png


1698690127192.png
 

bogdanw

macrumors 603
Mar 10, 2009
6,117
3,028
If you are not using FaceTime and iMessage, identityservicesd can be disabled.

Code:
launchctl bootout gui/501/com.apple.identityservicesd

launchctl disable gui/501/com.apple.identityservicesd



About identityservicesd
HackerNoon - What if anyone can be you? by Khaos Tian
https://hackernoon.com/what-if-anyone-can-be-you-973a2267cdda

Black Hat 2019 Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime

https://i.blackhat.com/USA-19/Thurs...ecution-Vulnerabilities-In-Apple-FaceTime.pdf
 

aircat

macrumors newbie
Original poster
Aug 10, 2022
8
4
Thanks, TinyMito and bogdanw. I rely on Messages, and don't block at this level on iOS device(*). At least two of these servers are indeed located in China (yay Little Snitch for catching this!).

* I know, I know--iOS devices are sieves.
 

daitarn

macrumors newbie
Apr 15, 2015
5
0
bogdanw said:
> If you are not using FaceTime and iMessage, identityservicesd can be disabled.
>
> Code:
> launchctl bootout gui/501/com.apple.identityservicesd
> launchctl disable gui/501/com.apple.identityservicesd

Now I have sharingd, launchd and some other processes that are running at 150% CPU each.

I tried with launchctl enable gui/501/com.apple.identityservicesd but it didn't help, how can I revert this thingy?

Thanks in advance!
 

bogdanw

macrumors 603
Mar 10, 2009
6,117
3,028
daitarn said:
> I tried with launchctl enable gui/501/com.apple.identityservicesd but it didn't help, how can I revert this thingy?

If you already ran the enable command, just reboot and identityservicesd should start again.

If it still doesn’t, delete /private/var/db/com.apple.xpc.launchd/disabled.501.plist and reboot. That is the file storing the modifications made with launchctl disable.
 

daitarn

macrumors newbie
Apr 15, 2015
5
0
bogdanw said:
> If you already ran the enable command, just reboot and identityservicesd should start again.
>
> If it still doesn’t, delete /private/var/db/com.apple.xpc.launchd/disabled.501.plist and reboot. That is the file storing the modifications made with launchctl disable.

I did a restart, forgot to say that, but everything settled by itself after some 15-20 minutes. I guess the System was shocked by the audacity of disabling one of its components, it will get used to it after some time. It must learn who's the boss first.

Thank you for your fast reply!
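
Added example, not part of any post in this thread: a read-only shell check of whether launchd holds a disable override for identityservicesd, using the current user's UID rather than the hard-coded 501. The `service_target` and `override_state` helpers, the sample output and the `com.example.agent` label are constructed for illustration, and the two value spellings handled are an assumption about what `launchctl print-disabled` prints on different macOS releases.

```shell
#!/bin/sh
# Added example: inspect launchd's per-user disable overrides without changing them.
LABEL="com.apple.identityservicesd"

# service_target LABEL [UID] -> gui/<uid>/<label>; UID defaults to the current
# user instead of the hard-coded 501 used in the thread.
service_target() {
    printf 'gui/%s/%s\n' "${2:-$(id -u)}" "$1"
}

# override_state LABEL: reads `launchctl print-disabled gui/<uid>` output on
# stdin and prints disabled, enabled or no-override for LABEL.
# Assumption: entries look like  "label" => true|false  or
# "label" => disabled|enabled, depending on the macOS release.
override_state() {
    awk -v want="\"$1\"" '
        $1 == want && $2 == "=>" {
            state = ($3 == "true" || $3 == "disabled") ? "disabled" : "enabled"
        }
        END { print (state == "" ? "no-override" : state) }
    '
}

# Constructed sample output, used when launchctl is not available.
sample_output() {
    cat <<'EOF'
disabled services = {
    "com.apple.identityservicesd" => disabled
    "com.example.agent" => enabled
}
EOF
}

# On a Mac, query launchd; both launchctl subcommands below only read state.
if command -v launchctl >/dev/null 2>&1; then
    uid=$(id -u)
    echo "target:   $(service_target "$LABEL")"
    echo "override: $(launchctl print-disabled "gui/$uid" | override_state "$LABEL")"
    if launchctl print "$(service_target "$LABEL")" >/dev/null 2>&1; then
        echo "loaded:   yes"
    else
        echo "loaded:   no"
    fi
else
    echo "sample:   $(sample_output | override_state "$LABEL")"
fi
```

Running it before and after the enable command and reboot shows whether the override was actually cleared, which is worth knowing before deleting disabled.501.plist, since that file holds every override made with launchctl disable for the user.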
 