Why is Control Center on Monterey listening to port 5000 and port 7000? I have used these ports for years for local development, but now find them in use by Control Center. Is this worth filling a Feedback about?
Why is Control Center on Monterey listening on ports?
This is apparently due to the new AirPlay functionality. Control Center stops listening to those ports when I turn off “AirPlay Receiver” in the “Sharing” System Preference:
The good news is that this appears to fix issues with the HomePod Mini's connectivity and voice delay issues when using the speaker for Mac Mini.
Is it possible to configure the port that the AirPlay Receiver listens on?
Definitely worth filling feedback about.. this is going to break a lot of Flask apps that listen on 5000 by default. Not sure why apple chose such a popular port.
Why port 5000? This is a very common web development port. Just another layer on top of the things that apple does to make web development as difficult as possible.
Agreed... It has broken a lot of my development configurations as well.
The Remote Audio Output Protocol, AKA AirTunes, AKA AirPlay, has been using port 5000 since the year 2004. This is nothing new. All AirPlay receivers including AirPort Express and Apple TV use port 5000. If you've ever used Airfoil on your Mac (Airfoil Speakers was released in 2008), that also uses 5000 for the same reason. AirPlay receiving is new to macOS Monterey, but AirPlay itself is very old, predating Flask and these other web development environments. No, Apple is not trying to make web development difficult.
It seems that port number 5000 was never officially registered with IANA, and has many more conflicts. Can we kindly ask Apple to register their service ports and use IANA assigned ports in the future? https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Just found out about this, while running the docker example-voting-app and failing because port 5000 is used, so I run: lsof -nP +c 15 | grep LISTEN
and there it was ControlCenter with ports 5000 and 7000 being used.
Who thought this would be a good idea? Now I have to chose between using Airplay or being able to work 🤦
so glad I found this, thanks
Unfortunately port 7000 was used to hack my iMac Apple Silicon 2 days ago, to control over my app, updated Xcode from unknown source and also changed Viber messenger. The hack thing was almost invisible, performed via previously hacked wifi router. So I decided to restore my system. I performed power button holding to enter my system options. I erased whole ssd and tried to load fresh new system. Well it does not go well, as the update server was unreachable - strange seemed to me. Than I realized that hackers have done something to my system options to force me not to revive or restore whole MacOS. I had to perform terminal destroy disk keys operation, ( terminal> xartutil --erase-all ) than I have found my iMac like diskless/bricked. I used Apple Configurator 2 to get my system back online and here I'm restored and healthy. Port 7000 is definitively dangerous to listen on while bad guys nearby... I almost forgot - my MacOS firewall was set to "blocking all incoming connections". So it seems there is still a way how to enter my MacOS.
This answered two of my questions on port usage, A, but and B, why my Control Center had been receiving incoming connections. However, I like Digitec have tried resetting my mac due to a previously hacked router issue, and just end up setting up another OS in a different partition somehow, and I am not new to this by any means. Files I can't access and the directory is a mess. So, Digitec, what can I do to avoid bricking and having to use the Apple Configurator 2 to revive? Any options there to make this a little easier and less time-consuming?
Back to the Port Issue, I don't understand why this Airplay Feature would use an insecure port AND have control center access on as a privacy setting by default. I've never seen this in my Preferences pane, which made me think that hackers could also access my accessibility settings which have never been set up in this version of OS on my Macbook, but I see now that there are enough options pre-set for a hacker to control my computer right there from the control center, and it's allowing incoming connections by default. Is this a design flaw we think?
To see what is or is not listening on port 5000, use this command at a Terminal window near you.
lsof -Pn | grep LISTEN
On the right you'll see TCP *:5000 (LISTEN) usually listed once for each IP version, and on the left is the name of the program that's sucking on the port, which is ControlCe if its AirPlay. If nothing is using that port, then it won't be listed.
Funny thing just happened: I turned off AirPlay Receiver, started my service on port 5000, turned AirPlay Receiver back on, it is now happily listening on port 54842 in addition to port 7000 on which it was also listening before.
This worked for me for docker registry 2.7 couldnt start as was its default port 5000. def control panel listening due to air play check mark
future reference "sudo lsof -i :5000" will give you port listening on 5000
Thanks for sharing the comprehensive info. Instead of making any change I guess I just avoid using PORT range(5000,7000) for dev and debug.
I've also captured traffic that is malformed coming into my brand new Mac Apple Silicon. Port 7000 was open and bound to ControlCenter. The traffic I've captured (PCAP) respembles the airplay protocol RTSP. using a blist00 tag followed by a payload.
Interestingly, the attack traffic (dport 7000) has TCP options set. They are 12 bytes. 0101 and then 10 more bytes for an array of two timestamps. I'm pretty sure this is part of the attack payload.
Thank you.
Can we democratically vote to have whoever made the decision to occupy port 5000 fired? Or at least punched in the gut.
NB In Ventura they have moved the setting to "General | Airdrop and handoff". Because of course that is the first place I think of when looking for "Airplay receiver"...
Plus one above. This is seriously stupid Apple on so many levels - firstly using a known developer port is dumber than a rock. Secondly constantly changing the setting locations under cryptic naming conventions is idiotic as well. Do your Product managers really have such a skewed sense of intuitive organizational structure? Here is an idea -> try alpha sorting by service and functional category (General has no meaning at all lose it). See: https://en.wikipedia.org/wiki/Categorization Here is an example
Communication
Internet Accounts
Messages
Phone
etc.
Hardware
Displays
Energy Saver
Storage
Media Airplay Audio Players Video etc.
Network Bluetooth Firewall Thunderbolt USB VPN Wifi etc.
Operating System About Date & Time Desktop & Dock Screen Saver Wallpaper etc. Language & Region Login Items Sharing Sofware Update Start Up disk Time Machine
User Preferences Accessibility Appearance Control Center (have the ability to alpha sort anything and everything and frankly create and or rename categories) Focus Login Password Privacy and Security Screentime Siri & Spotlight etc.
I think you get the idea. This would be a meta organizational standard with a location design pattern, not some random organization stragegy that "seems" to make sense when in reality it does not, and also does not scale at all. the layout changes from OS iteration to OS iteration and makes solution finding nearly impossible as many search results are returned, one for each new change, that do not apply (as happened here). The fact that this is not more obvious a problem is unbelieveable and the same patteren repeats over and over with the Apple development model. C'mon folks do more research on optimal organizational construct logic, patterning, searchability, optimization, and scaling over time. And don't use known development ports for propietary service your users may or may not chose to use.