Why is Control Center on Monterey listening to port 5000 and port 7000? I have used these ports for years for local development, but now find them in use by Control Center. Is this worth filling a Feedback about?
The good news is that this appears to fix issues with the HomePod Mini's connectivity and voice delay issues when using the speaker for Mac Mini.
Is it possible to configure the port that the AirPlay Receiver listens on?
The Remote Audio Output Protocol, AKA AirTunes, AKA AirPlay, has been using port 5000 since the year 2004. This is nothing new. All AirPlay receivers including AirPort Express and Apple TV use port 5000. If you've ever used Airfoil on your Mac (Airfoil Speakers was released in 2008), that also uses 5000 for the same reason. AirPlay receiving is new to macOS Monterey, but AirPlay itself is very old, predating Flask and these other web development environments. No, Apple is not trying to make web development difficult.
It seems that port number 5000 was never officially registered with IANA, and has many more conflicts. Can we kindly ask Apple to register their service ports and use IANA assigned ports in the future? https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Unfortunately port 7000 was used to hack my iMac Apple Silicon 2 days ago, to control over my app, updated Xcode from unknown source and also changed Viber messenger. The hack thing was almost invisible, performed via previously hacked wifi router. So I decided to restore my system. I performed power button holding to enter my system options. I erased whole ssd and tried to load fresh new system. Well it does not go well, as the update server was unreachable - strange seemed to me. Than I realized that hackers have done something to my system options to force me not to revive or restore whole MacOS. I had to perform terminal destroy disk keys operation, ( terminal> xartutil --erase-all ) than I have found my iMac like diskless/bricked. I used Apple Configurator 2 to get my system back online and here I'm restored and healthy. Port 7000 is definitively dangerous to listen on while bad guys nearby... I almost forgot - my MacOS firewall was set to "blocking all incoming connections". So it seems there is still a way how to enter my MacOS.
This answered two of my questions on port usage, A, but and B, why my Control Center had been receiving incoming connections. However, I like Digitec have tried resetting my mac due to a previously hacked router issue, and just end up setting up another OS in a different partition somehow, and I am not new to this by any means. Files I can't access and the directory is a mess. So, Digitec, what can I do to avoid bricking and having to use the Apple Configurator 2 to revive? Any options there to make this a little easier and less time-consuming?
Back to the Port Issue, I don't understand why this Airplay Feature would use an insecure port AND have control center access on as a privacy setting by default. I've never seen this in my Preferences pane, which made me think that hackers could also access my accessibility settings which have never been set up in this version of OS on my Macbook, but I see now that there are enough options pre-set for a hacker to control my computer right there from the control center, and it's allowing incoming connections by default. Is this a design flaw we think?
To see what is or is not listening on port 5000, use this command at a Terminal window near you.
lsof -Pn | grep LISTEN
On the right you'll see
TCP *:5000 (LISTEN) usually listed once for each IP version, and on the left is the name of the program that's sucking on the port, which is
ControlCe if its AirPlay. If nothing is using that port, then it won't be listed.
I've also captured traffic that is malformed coming into my brand new Mac Apple Silicon. Port 7000 was open and bound to ControlCenter. The traffic I've captured (PCAP) respembles the airplay protocol RTSP. using a blist00 tag followed by a payload.
Interestingly, the attack traffic (dport 7000) has TCP options set. They are 12 bytes. 0101 and then 10 more bytes for an array of two timestamps. I'm pretty sure this is part of the attack payload.