A new thread, for the discussion of OpenCore Legacy Patcher’s security issues…
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Security for OCLP (OpenCore Legacy Patcher)
- Thread starter Sven G
- Start date
- Sort by reaction score
Thank you! Some OCLP feature requests that I'd like to see implemented:
For those who don't understand the purpose of the warnings, think of them this way:
Assume you're not really knowledgeable about automobiles. Your friend has just spent years of effort and much of her own funds to restore an automobile and she offers the automobile to you for free. The offer of the fully-restored, brandnew-looking used automobile gives you the choice between buying a new car or accepting your friend's free gift. Because of the date it was manufactured, the automobile does not have airbags and antilock brakes. It would be nice if your friend warned you about these missing safety features, so that you could make an informed decision between the used car and a new car. It would also be nice to have an occasional reminder about the brakes and air bags, so that you remember the reduced safety in critical situations.
And if you don't know the "friend" very well (and even if you do), it is perfectly acceptable to ask her why she is giving you a free car and if it is possible to add the airbags and anti-lock brakes.
- Data security warnings* presented by OCLP GUI during OCLP upgrade, Build and Install Open Core and post-install patching
- User-configurable (enable / disable) data security warnings* when a Mac boots OCLP-patched macOS
- Modification of OCLP GUI that permits selectively enabling / disabling Wi-Fi post-install patches
- When "Disable Reporting" is unchecked in the OCLP GUI, provide ability to view OCLP-generated analytics before they are submitted to OCLP Developers (similar to the way crash reports can be viewed before being submitted to Apple)
- Change wording in GitHub so that it doesn't imply that official OCLP releases are secure. As currently worded, the developer comments suggest that users should not use nightly builds because they are not safe. The unaware user may assume this to imply that the official OCLP releases are perfectly safe (from a data security / digital identity perspective)
- Enable RSRs (Apple's Rapid Security Responses) on older OCLP-Patched Macs that are currently unable to receive RSRs
For those who don't understand the purpose of the warnings, think of them this way:
Assume you're not really knowledgeable about automobiles. Your friend has just spent years of effort and much of her own funds to restore an automobile and she offers the automobile to you for free. The offer of the fully-restored, brandnew-looking used automobile gives you the choice between buying a new car or accepting your friend's free gift. Because of the date it was manufactured, the automobile does not have airbags and antilock brakes. It would be nice if your friend warned you about these missing safety features, so that you could make an informed decision between the used car and a new car. It would also be nice to have an occasional reminder about the brakes and air bags, so that you remember the reduced safety in critical situations.
And if you don't know the "friend" very well (and even if you do), it is perfectly acceptable to ask her why she is giving you a free car and if it is possible to add the airbags and anti-lock brakes.
Last edited:
My concerns with my OCLP-patched Mac started here , here, here and here after I started analyzing the nature of the root-patching to fix Broadcom Wi-Fi in Sonoma. Like most everyone else, prior to my Wi-Fi patching concerns, I was a huge OCLP/Dev cheerleader, advocate and supporter (including a donation). My concerns were not because I assumed that the Devs had malicious intent, but because software mistakes can be made and are likely. Without 3rd-party computer security verification and testing, there is no way to be assured of OCLP's (or any software's) data security. No way - I don't care what anyone says or how much you like the developer who created the solution for you.
Most of the biggest computer security exploits (ransomware, stolen identities, hacked e-mails...) are not because of intentional software hacks but because of software bugs that leave exploitable vulnerabilities. And if you watch the news, I don't have to tell you that there are plenty of malicious hackers who are eagerly looking to exploit those unintended vulnerabilities in your home PC or Mac. Even Apple has security-related bugs in their macOS releases, which is why they implemented RSRs (Rapid Security Responses) to provide quick security patches for macOS. If a company like Apple can make mistakes, then so can any software developer or development team. And depending on which Mac you own, if it's patched with OCLP, you can't receive Apple's RSRs - another security issue with OCLP.
At significant risk to relationships with Devs and MacRumors peers, I decided to voice my concerns. I appreciate the professional and courteous responses from Ball of Neon (an OCLP Dev) here , here , here , here , here and here.
Until the OCLP GUI supports selectively enabling/disabling Wi-Fi post install patches, I have posted one method that can be used to manually disable the Wi-Fi patches here. *
NOTE: If you decide to allow OCLP to inject Wi-Fi post install patches, understand that you are accepting the following risks:
Most of the biggest computer security exploits (ransomware, stolen identities, hacked e-mails...) are not because of intentional software hacks but because of software bugs that leave exploitable vulnerabilities. And if you watch the news, I don't have to tell you that there are plenty of malicious hackers who are eagerly looking to exploit those unintended vulnerabilities in your home PC or Mac. Even Apple has security-related bugs in their macOS releases, which is why they implemented RSRs (Rapid Security Responses) to provide quick security patches for macOS. If a company like Apple can make mistakes, then so can any software developer or development team. And depending on which Mac you own, if it's patched with OCLP, you can't receive Apple's RSRs - another security issue with OCLP.
At significant risk to relationships with Devs and MacRumors peers, I decided to voice my concerns. I appreciate the professional and courteous responses from Ball of Neon (an OCLP Dev) here , here , here , here , here and here.
Until the OCLP GUI supports selectively enabling/disabling Wi-Fi post install patches, I have posted one method that can be used to manually disable the Wi-Fi patches here. *
NOTE: If you decide to allow OCLP to inject Wi-Fi post install patches, understand that you are accepting the following risks:
- Your Mac is rooted and you are allowing uncertified 3rd-party software (OCLP's patches) to be installed at the most sensitive layers of your macOS. If there are any software bugs in the root-patch, these bugs could expose your data, your private credentials and your digital identity to hackers.
- The OCLP post-install patches for Wi-Fi are derived/extracted from an older version of macOS where Broadcom Wi-Fi framework was still supported by Apple. This means that the older Wi-Fi framework being used to patch your modern macOS is "frozen in time" and is not receiving any Apple updates. There will be no attempt by Apple to maintain the security of the Wi-Fi framework, because it is no longer supported by Apple. If hackers discover a security vulnerability in the Wi-Fi Framework, Apple will not be fixing it.
- If a vulnerability is discovered by OCLP Devs and they are able to patch it, it is unreasonable to expect the Devs to communicate the vulnerability and then to patch it in a timely manner (even though they are software gods). They are unpaid volunteers doing this on their own time and at their own expense (despite donations). During the response time (time for Devs to learn about the bug and then the time for it to be fixed and then the time for you to apply the OCLP update), your OCLP-patched Mac may be vulnerable to exploits, allowing a hacker enough time to learn about and exploit the vulnerability. And I want Devs to be able to take vacations as much as anyone (they deserve it!), but not when I'm waiting for a security patch to OCLP.
BTW: I get that one could argue that, since the Wi-Fi framework is extracted from Ventura, it is still getting updates from Apple. Ok - we still have to wait for OCLP Devs to extract the framework from Ventura and release an OCLP update with the new framework. And that only lasts as long as Apple is still supporting Ventura.
Last edited:
Some of you will get this...
I'd like to make a request of everyone who is monitoring this thread and also to all those who are not monitoring this thread (and please don't feel obligated if you don't want to do this). If your OCLP-patched Mac is hacked, please notify OCLP Devs and then post an alert in this OCLP Security thread, so that the rest of us can take corrective measures until an OCLP update is available. Thank you.
References
I'd like to make a request of everyone who is monitoring this thread and also to all those who are not monitoring this thread (and please don't feel obligated if you don't want to do this). If your OCLP-patched Mac is hacked, please notify OCLP Devs and then post an alert in this OCLP Security thread, so that the rest of us can take corrective measures until an OCLP update is available. Thank you.
References
- Movie: "Lucky Number Slevin" - If you want to know how criminals "play the long game," watch this movie. Criminals, including hackers, can begin to lay the groundwork for a crime well in advance of the actual crime.
- Movie: "A Few Good Men" - "You said he was in danger, I said, 'Grave danger?' You said, 'Is there any other kind?'"
- Sam Bankman-Fried (FTX) criminal trial. SBF started laying the groundwork for his crimes in 2019
- Search for "How Vulnerabilities Hide in Plain Sight" and consider that hackers "play the long game." A hacker can introduce seemingly innocuous code that looks harmless on the surface. This code can be a puzzle piece in a multi-step hack.
- Search for Stuxnet Virus
- Search for Trojan Horse
- Search for Bernie Madoff
- Search for dangers of using public Wi-Fi to find articles like this
- Song "Online" by Brad Paisley: "Hey, I'm so much cooler online" - Believe it or not, no one is fact-checking MacRumors user profiles
Last edited:
But if the patched Sonoma Broadcom Wi-Fi framework is taken from Monterey or Ventura, it should still receive updates and thus be good to go for one or two years respectively, if synced regularly in OCLP - right…? Or am I missing something obvious?
@Sven G
See this note in post
When you are running Sonoma, the only way to get the Wi-Fi framework updates is via OCLP (not via Apple). Also read this in my post...
EDIT: @Sven G If we really love and care about the Devs and we are hoping for their well-being and sanity, then it would be best for us to accept the security risks to our private data and digital identities while they enjoy some relaxation during their well-deserved vacations.
See this note in post
When you are running Sonoma, the only way to get the Wi-Fi framework updates is via OCLP (not via Apple). Also read this in my post...
EDIT: @Sven G If we really love and care about the Devs and we are hoping for their well-being and sanity, then it would be best for us to accept the security risks to our private data and digital identities while they enjoy some relaxation during their well-deserved vacations.
Last edited:
The Devs are great folks who have worked miracles to create OCLP. It is amazing - thank you Devs!!!
I know that OCLP is a small project and the Devs are doing this of their own free will, on their own time and at their own expense. God-forbid something were to happen to the Devs, who assumes support for OCLP and continues the security updates to OCLP?
And if the Devs are on vacation or, God-forbid, something happened to them, how do we know and can we be alerted in time to ensure that we can take protective measures while we're not receiving OCLP security updates?
I know that OCLP is a small project and the Devs are doing this of their own free will, on their own time and at their own expense. God-forbid something were to happen to the Devs, who assumes support for OCLP and continues the security updates to OCLP?
And if the Devs are on vacation or, God-forbid, something happened to them, how do we know and can we be alerted in time to ensure that we can take protective measures while we're not receiving OCLP security updates?
Last edited:
“OCLP Security” 🤣 What security? It’s insecure by default. You are trusting some unknown people over the Internet to make unnamed changes to your Mac, while lying about SIP. My impression was always that OC/OCLP developers are paid by Apple to make everything obscure and harder, starting with the idiotic way of defining kexts in the config file.
If you want to run macOS on unsupported hardware, stop using OCLP and document in separate threads for each unsupported Mac what changes are needed to make it work. This is the way.
If you want to run macOS on unsupported hardware, stop using OCLP and document in separate threads for each unsupported Mac what changes are needed to make it work. This is the way.
You're welcome to contribute:
github.com
Build software better, together
GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.
github.com
You're doing that via a regular Mac also, they're anonymously called Apple Inc., the difference is precisely trust. You trust them. OCLP's code can be reviewed, Apple's can't. You might think this is easy, but it isn't. It's just a question of trust who and what to rely on.
Interesting news:
github.com
Security - Enable vaulting by default by Jazzzny · Pull Request #1110 · dortania/OpenCore-Legacy-Patcher
This PR enables OpenCore's secure vaulting feature: This is done with a modified version of the CreateVault script package, with custom-built binaries for openssl, strings, and RsaTool. All bi...
github.com
It is a matter of trust. I can't argue with that. The Devs are nice people and have the best of intentions. According to their own admission, OCLP is a "small project" that grew beyond their expectations. It was never anticipated nor was it designed to accommodate the scope of all Intel Mac owners.
At least Apple has the resources to justify a bit more trust. See this.
EDIT: It is also important to remember that Apple submits macOS to 3rd party FIPS-certified labs that perform rigorous data security and penetration testing. The certificates accompany each SEALED release of macOS. When a macOS vulnerability is discovered, Apple has the option to release a RSR (Rapid Security Response). OCLP is never subjected to such 3rd party testing by certified labs and we shouldn't expect it to be. It is a "hobby" as some have labeled it (and a very good one). OCLP Devs are gods, but they don't have the resources to manage a RSR system for OCLP in a way that adequately protects the users of OCLP. And because of the limitations of some older Macs, those older Macs patched with OCLP can't even receive Apple RSRs.
Computer security is not about whether you like and trust the Devs. And we're not going to fix that by praising the Devs, protecting the Devs from criticism, donating to the OCLP project or erecting a statue in honor of the Devs.
Last edited:
When you know enough about computer security, the reality makes the conspiracy theories look like child's play.“OCLP Security” 🤣 What security? It’s insecure by default. You are trusting some unknown people over the Internet to make unnamed changes to your Mac, while lying about SIP. My impression was always that OC/OCLP developers are paid by Apple to make everything obscure and harder, starting with the idiotic way of defining kexts in the config file.
If you want to run macOS on unsupported hardware, stop using OCLP and document in separate threads for each unsupported Mac what changes are needed to make it work. This is the way.
Cherry picking an out-of-context phrase to make your point ignores the rest of the post and is misleading. Do better to preserve your credibility in this thread. This OCLP Security thread is not telling people to stop using OCLP. This thread is about making users aware of the security limitations of OCLP and about requesting changes that make the end user aware of the security limitations. And maybe even prompting changes that close some of the security holes.
Well, OCLP is Open Source. And as such, it's pretty easy to check the source code to figure out which info is transmitted. I am not a programmer but looking into the "analytics_handler.py" file might provide the answers:
github.com
OpenCore-Legacy-Patcher/resources/analytics_handler.py at main · dortania/OpenCore-Legacy-Patcher
Experience macOS just like before. Contribute to dortania/OpenCore-Legacy-Patcher development by creating an account on GitHub.
github.com
After you examine the source of each new release, just give us your confirmation that that rooted macOS with its injected, reviewed, third-party code isn't vulnerable to any exploits that we don't know about and we'll trust you. Thanks.Well, OCLP is Open Source. And as such, it's pretty easy to check the source code to figure out which info is transmitted. I am not a programmer but looking into the "analytics_handler.py" file might provide the answers:
OpenCore-Legacy-Patcher/resources/analytics_handler.py at main · dortania/OpenCore-Legacy-Patcher
Experience macOS just like before. Contribute to dortania/OpenCore-Legacy-Patcher development by creating an account on GitHub.
Please read the previous posts before jumping to the conclusion that the security vulnerabilities are limited to a review of the source code.
EDIT: Posting here is a clever way to promote your own github repo.
An observation that I think will help this thread... We don't know each other's credentials and we don't know who each of us is. For all we know, one of us is a Dev masquerading as an average OCLP user who has come here to defend the Devs and OCLP. Maybe even a Dev soliciting donations. Maybe one of us is even a hacker who wants to make sure that the vulnerabilities remain unaddressed and unknown. And maybe as a hacker, you have come here simply to clutter this thread with off-topic posts to obstruct attempts at generating awareness and identifying potential fixes.
While this is a free and open forum, contributions to this forum would be most constructive if they have a few facts and are not pure opinion pieces.
Also, none of us should assume that one's MacRumors "rating" makes us any more credible than another. As far as I know (correct me if I'm wrong), the only difference between a newbie and a "macrumors god" (or a "macrumors demi-god") is the number of posts.
Similarly, no one should assign more weight to a post with more likes than one with less or no likes. Users who have no computer security background can just as easily "like" a post as those who do. And users with a hidden agenda can attempt to manipulate public opinion with "likes" and "dislikes." This is not an opinion piece. The facts should speak for themselves.
As much as some would like to make this thread out to be an OCLP-attack-piece, it is not that at all. This is about making OCLP better and safer for all who will use it.
Please refrain from personal attacks. Let's stick to facts and constructive suggestions. Personal attacks say more about the attacker than the attacked and they only serve to damage the credibility of the attacker and of the attacker's post. Thank you.
If you can't help yourself and you must make personal attacks, please refrain from doing it publicly in this thread and use private messaging.
While this is a free and open forum, contributions to this forum would be most constructive if they have a few facts and are not pure opinion pieces.
Also, none of us should assume that one's MacRumors "rating" makes us any more credible than another. As far as I know (correct me if I'm wrong), the only difference between a newbie and a "macrumors god" (or a "macrumors demi-god") is the number of posts.
Similarly, no one should assign more weight to a post with more likes than one with less or no likes. Users who have no computer security background can just as easily "like" a post as those who do. And users with a hidden agenda can attempt to manipulate public opinion with "likes" and "dislikes." This is not an opinion piece. The facts should speak for themselves.
As much as some would like to make this thread out to be an OCLP-attack-piece, it is not that at all. This is about making OCLP better and safer for all who will use it.
Please refrain from personal attacks. Let's stick to facts and constructive suggestions. Personal attacks say more about the attacker than the attacked and they only serve to damage the credibility of the attacker and of the attacker's post. Thank you.
If you can't help yourself and you must make personal attacks, please refrain from doing it publicly in this thread and use private messaging.
Last edited:
So, you didn't mean what I quoted? Well, I thought as much, that's why I quoted it.
Well, you are the one raising security concerns, so you should at least review the source code of OCLP and every relevant kext involved instead of accusing the devs of sacrificing security for the sake of compatibility. Because If you trace back to the origin of OpenCore you know that Security has always had top priority during development.
So if you have Security concerns, just create an Issue Report for OpenCore on github and start a dialog with the actual devs instead of scattering bits and pieces of info all over the place. A little tip for that: you should bring some real proper evidence to the table in this case and skip your usual "I have wriiten something about it here, here, here and here, go read it" routine. Because it's disrespectful to the devs and a waste of their time!
PS: Unlike you, I don't promote anything here.
I am. I know how intelligent you are, so I'm surprised you didn't raise them first.
EDIT: Since this thread was started, my OCLP-Security requests to Devs are all summarized in a single post. Please feel free to ignore any background posts (intended to be reference material) where I may attempt to simplify the post with references to "here, here and here." Thank you.
EDIT2: It would be best not to make assumptions. You have no idea whether I've read the OCLP source code. Since I was one of the first to propose modifying OCLP source over at InsanelyMac, does it seem to you as though I'd be one not to review the source code? Someone else in this forum assumed that I'm not a Software Developer or a Unix Admin or a Math major (or a computer security expert). Those were also incorrect assumptions.
Please read this.
Last edited:
You are comparing a trillion-Dollar software and hardware company, that sells billions of devices, to a software project started and maintained by members of a Russian warez forum. Good luck convincing anyone of the equivalency in trust.
Apple Open Source https://opensource.apple.com/
https://opensource.apple.com/releases/
Anyway, I’m not on this forum to debate anyone or anything. I try to learn and help, if I can https://forums.macrumors.com/thread...river-for-amd-rx-580-card-how-to-fix.2399853/
I'd like to keep this fair and balanced and would hope that posts are self-evident or fact-checked. Do you have any evidence of the "Russian warez" claim? I'll delete this post if you can provide evidence of your claims in your post. Thank you.
EDIT: Without evidence, this sounds more like an angry, personal attack than a fact. Personal attacks won't further our cause here.
EDIT2: I am respectfully asking everyone else who visits here to refrain from commenting on the Russian warez claim. I don't believe it to be the case and would like to completely delete this from this thread if it is not true. Thank you. NO PERSONAL ATTACKS - PLEASE. Thank you. Unfortunately, personal attacks say more about the attacker than the attacked. ... as does "liking" personal attacks.
Last edited:
One of my asks of the Devs here is to add data-security warnings to OCLP. There has been confusion about why I would make this feature request. I thought of an analogy that might help to understand my request:
Assume you're not really knowledgeable about automobiles. Your friend has just spent years of effort and much of her own funds to restore an automobile and she offers the automobile to you for free. The offer of the fully-restored, brandnew-looking used automobile gives you the choice between buying a new car or accepting your friend's free gift. Because of the date it was manufactured, the automobile does not have airbags and antilock brakes. It would be nice if your friend warned you about these missing safety features, so that you could make an informed decision between the used car and a new car. It would also be nice to have an occasional reminder about the brakes and air bags, so that you remember the reduced safety in critical situations.
And if you don't know the "friend" very well (and even if you do), it is perfectly acceptable to ask her why she is giving you a free car and if it is possible to add the airbags and anti-lock brakes. It is also perfectly acceptable for you to expect a response from her.
Assume you're not really knowledgeable about automobiles. Your friend has just spent years of effort and much of her own funds to restore an automobile and she offers the automobile to you for free. The offer of the fully-restored, brandnew-looking used automobile gives you the choice between buying a new car or accepting your friend's free gift. Because of the date it was manufactured, the automobile does not have airbags and antilock brakes. It would be nice if your friend warned you about these missing safety features, so that you could make an informed decision between the used car and a new car. It would also be nice to have an occasional reminder about the brakes and air bags, so that you remember the reduced safety in critical situations.
And if you don't know the "friend" very well (and even if you do), it is perfectly acceptable to ask her why she is giving you a free car and if it is possible to add the airbags and anti-lock brakes. It is also perfectly acceptable for you to expect a response from her.
Last edited: