Why is Control Center on Monterey listening on ports?

Why is Control Center on Monterey listening to port 5000 and port 7000? I have used these ports for years for local development, but now find them in use by Control Center. Is this worth filling a Feedback about?

  • Definitely worth filling feedback about.. this is going to break a lot of Flask apps that listen on 5000 by default. Not sure why apple chose such a popular port.

  • Agreed... It has broken a lot of my development configurations as well.

  • Just found out about this, while running the docker example-voting-app and failing because port 5000 is used, so I run: lsof -nP +c 15 | grep LISTEN

    and there it was ControlCenter with ports 5000 and 7000 being used.

Accepted Reply

This is apparently due to the new AirPlay functionality. Control Center stops listening to those ports when I turn off “AirPlay Receiver” in the “Sharing” System Preference:

  • Thank goodness this seems to fix the issues I was having.

  • This realy helped me, I was trying to kill the process running on port 5000 but it was keeping restarting it self. But after unchecking the AirPlay Reciever checkbox now it is working as expected.

  • So glad I came here -- thought I was going crazy, nothing was working!

Replies

This is apparently due to the new AirPlay functionality. Control Center stops listening to those ports when I turn off “AirPlay Receiver” in the “Sharing” System Preference:

  • Thank goodness this seems to fix the issues I was having.

  • This realy helped me, I was trying to kill the process running on port 5000 but it was keeping restarting it self. But after unchecking the AirPlay Reciever checkbox now it is working as expected.

  • So glad I came here -- thought I was going crazy, nothing was working!

The good news is that this appears to fix issues with the HomePod Mini's connectivity and voice delay issues when using the speaker for Mac Mini.

Is it possible to configure the port that the AirPlay Receiver listens on?

  • While you're running your application on 5000, you can go back in System Preferences and turn AirPlay Receiver back on. For me it changed it from 5000 to 49936. Now you should be able to just keep it on.

  • You got it right bro. thank you.

Add a Comment

Why port 5000? This is a very common web development port. Just another layer on top of the things that apple does to make web development as difficult as possible.

  • This is ridiculous. And i doubt us users can change the ports since it's shipped with Monterey. Might downgrade unless there's a fix for this

  • For sure it sucks, but it's not something worth downgrading for. Just turn off AirPlay receiver in system preferences -> sharing, or change the port you use for your development server. It shouldn't be difficult.

  • this can easily be fixed with: export FLASK_RUN_PORT=xxxx or flask run --port=xxxx or what ever your app server uses to change the default.. I choose 8000 since that is also what Django uses as a default and I am probably not going to run both at the same time for development.

Add a Comment

The Remote Audio Output Protocol, AKA AirTunes, AKA AirPlay, has been using port 5000 since the year 2004. This is nothing new. All AirPlay receivers including AirPort Express and Apple TV use port 5000. If you've ever used Airfoil on your Mac (Airfoil Speakers was released in 2008), that also uses 5000 for the same reason. AirPlay receiving is new to macOS Monterey, but AirPlay itself is very old, predating Flask and these other web development environments. No, Apple is not trying to make web development difficult.

It seems that port number 5000 was never officially registered with IANA, and has many more conflicts. Can we kindly ask Apple to register their service ports and use IANA assigned ports in the future? https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Post not yet marked as solved Up vote reply of Miga Down vote reply of Miga

Who thought this would be a good idea? Now I have to chose between using Airplay or being able to work 🤦

so glad I found this, thanks

  • Yes. This issue was making me go crazy for a long time now ! So glad to have found this post here. Issue has been resolved by unchecking as said above.

Add a Comment

Unfortunately port 7000 was used to hack my iMac Apple Silicon 2 days ago, to control over my app, updated Xcode from unknown source and also changed Viber messenger. The hack thing was almost invisible, performed via previously hacked wifi router. So I decided to restore my system. I performed power button holding to enter my system options. I erased whole ssd and tried to load fresh new system. Well it does not go well, as the update server was unreachable - strange seemed to me. Than I realized that hackers have done something to my system options to force me not to revive or restore whole MacOS. I had to perform terminal destroy disk keys operation, ( terminal> xartutil --erase-all ) than I have found my iMac like diskless/bricked. I used Apple Configurator 2 to get my system back online and here I'm restored and healthy. Port 7000 is definitively dangerous to listen on while bad guys nearby... I almost forgot - my MacOS firewall was set to "blocking all incoming connections". So it seems there is still a way how to enter my MacOS.

This answered two of my questions on port usage, A, but and B, why my Control Center had been receiving incoming connections. However, I like Digitec have tried resetting my mac due to a previously hacked router issue, and just end up setting up another OS in a different partition somehow, and I am not new to this by any means. Files I can't access and the directory is a mess. So, Digitec, what can I do to avoid bricking and having to use the Apple Configurator 2 to revive? Any options there to make this a little easier and less time-consuming?

Back to the Port Issue, I don't understand why this Airplay Feature would use an insecure port AND have control center access on as a privacy setting by default. I've never seen this in my Preferences pane, which made me think that hackers could also access my accessibility settings which have never been set up in this version of OS on my Macbook, but I see now that there are enough options pre-set for a hacker to control my computer right there from the control center, and it's allowing incoming connections by default. Is this a design flaw we think?

To see what is or is not listening on port 5000, use this command at a Terminal window near you.

lsof -Pn | grep LISTEN

On the right you'll see TCP *:5000 (LISTEN) usually listed once for each IP version, and on the left is the name of the program that's sucking on the port, which is ControlCe if its AirPlay. If nothing is using that port, then it won't be listed.

Funny thing just happened: I turned off AirPlay Receiver, started my service on port 5000, turned AirPlay Receiver back on, it is now happily listening on port 54842 in addition to port 7000 on which it was also listening before.

  • did it stay that way across restarts... or only if you already had something running on 5000?

    also, I found that it would let me start flask run the first time (default port 5000) after a restart... but once I had quit flask, AirPlay Receiver seemed to react to that and would acquire the port. which was kinda annoying since it made me think I had backgrounded flask by accident. anyway, I resolved this with setting export FLASK_RUN_PORT=8000 for my environment to change the default for flask... doubting apple will change what its using.

Add a Comment

Thanks for sharing the comprehensive info. Instead of making any change I guess I just avoid using PORT range(5000,7000) for dev and debug.

I've also captured traffic that is malformed coming into my brand new Mac Apple Silicon. Port 7000 was open and bound to ControlCenter. The traffic I've captured (PCAP) respembles the airplay protocol RTSP. using a blist00 tag followed by a payload.
Interestingly, the attack traffic (dport 7000) has TCP options set. They are 12 bytes. 0101 and then 10 more bytes for an array of two timestamps. I'm pretty sure this is part of the attack payload.

Can we democratically vote to have whoever made the decision to occupy port 5000 fired? Or at least punched in the gut.