Category Archives: iOS

Apple iOS in the Doghouse Again

iOS devices running 14.7 through 15.2 – basically all devices – are subject to a denial of service attack that forces the user to do a factory reset, wiping all of the user’s data.

If the user logs in to iCloud to restore the data, the denial of service attack will replay once the data is restored, resulting in a “rinse and repeat” cycle.

Apple was told about the bug last August but has not mitigated it. As a result, the researcher who discovered it has publicly disclosed it and created a proof of concept app to demonstrate it.

Apple has repeatedly said that they would fix it, but have not.

The bug is related to the Homekit software, which does home automation and, apparently, it does not matter whether you are doing any home automation or not. If the hacker manages to create a device name of more than 500,000 characters, which can be done in a number of ways, the iDevice goes into cardiac arrest.

For more technical details on how the attack works, read the article at the link.

Since all good attacks need a catchy name, this one is called DoorLock.

Apple did quietly create a partial mitigation in 15.1, if you know about it and use it. The attack creates a device name of more than 500,000 characters, causing the iDevice to go belly-up. There is a way to limit the device name length, but it is not set by default (why?). My guess is that maybe a half dozen Apple employees have set this to protect themselves.

One bright spot is that the hacker would either need to have access to your “home” or get you to manually accept an invitation to one. The second seems easier than the first, using a pretty vanilla social engineering scam.

If you don’t have your data backed up, you are, as they say, in a world of trouble.

There is a way, if you know what is going on, to mitigate the “rinse and repeat” loop to restore your data from iCloud, so all is not lost, but it could be very stressful.

You are now warned Credit: Bleeping Computer

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot When they have their lights flashing. Those high intensity lights have occasionally blinded me at night so it doesn’t seem like much of a stretch that it could also bother Tesla’s cameras also. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

How Many Images Are Required to Unlock Your iPhone?

Many people have moved to facial recognition to unlock their iPhone, mostly because it is easy.

Researchers wanted to know how secure that is.

For those people who use their face to authorize payments, the problem is, maybe, a bit more serious.

Researchers at Tel Aviv University harnessed deep fakes and that magic word, AI, to figure out what three of the leading facial recognition software packages are looking for.

Then they created a deep fake to look like that.

They created less than a dozen of these deep fake images – nine to be exact.

Then they tested these nine fake images against a publicly available database of faces called Labeled Faces in the Wild.

Those nine computer generated faces were considered a match for 40 to 60% of the faces in that database, depending on which software package was being tested.

NINE matched over 13,000.

While this was a research project and some of the systems could be programmed to reject the flat images, all that means is that the researchers would need to create 3D versions of those nine. Not a high bar to meet.

Researchers say that with more test data they could do even better.

Does this mean that facial device verification is useless?

No, it doesn’t. What it means is that it is a relatively low security authentication mechanism.

Each person needs to decide what an appropriate level of risk/security is for them.

Likely, for most consumers, facial recognition is probably sufficient.

Remember that facial recognition is different than iris or retina scans. They use completely different technologies, are much more expensive and complex and are highly secure.

We have seen similar problems with consumer-grade fingerprint scans.

All of these vendors have to deal with how long a consumer is willing to wait for his or her device to unlock and how many false “failures” that consumer is willing to tolerate.

Credit: Cybernews

Apple’s New iPhone SW Brings Big Changes

If you were using your phone and visited a web site when a message popped up that said something like “we want to sell your data to anyone we want and you get nothing for that – do we have your permission to do that?” – what would your answer be?

Well, if you are an iPhone user, that day is possibly today or at least as soon as your phone upgrades to iOS 14.5 .

Since Apple does not make most of their money from selling your data and Google, one of their biggest competitors makes 80% of their money by selling your data, this change is a double win. Apple can tell their customers how wonderful they are while, at the same time, they get to poke a sharp stick in the eye of one of their biggest competitors, Google.

Developers are now required to ask users via a pop-up if they can “track your activity across other companies’ apps and websites”. If you opt out, you will not see any fewer ads but the ads will be less targeted to you since they can’t share your data to figure out what items you were looking at on Amazon or what stories you were reading on Twitter.

The phone remembers your choices, but you can change your mind at any time.

While some data is useful to the average consumer, it is likely that data is data that the site collects itself. If you are using, for example, a fitness tracker, the app needs to know where you have been and when, but it does not need to sell that data to Amazon so that they can hawk running shoes to you. In general, that does not improve your experience of the fitness tracker’s web site, regardless of what they say.

Facebook, for one, rolled out prototype screens basically begging users to let them sell their data. We don’t know what the final screens will look like yet.

I suspect that many users initial reaction is going to be “HELL NO!!”. This is really a radical change in the United States and on a huge scale given the tens of millions of users who will get to have a small voice, finally.

Until today, in the U.S. users never had the ability to OPT-IN to data sharing – only a hard to use, hard to find, opaque and in some cases, fake, OPT-OUT capability. What a difference a day makes. While I have never been an Apple fan-boy, in this case, GO APPLE!!

It is fair that some businesses, likely mostly large ones, will have some negative impact. The small ones likely either don’t do targeted advertising or don’t make a lot of their sales as a result of that targeting. I don’t know about you, but I visit hundreds of web pages a day and if I were to click on one ad a week it would likely be by mistake.

Facebook says that by saying yes they won’t collect any more data than we already do now, it will just mean that we can show you different ads to ignore.

Companies will adapt. This is not the end of advertising. But it is the beginning of some well needed transparency.

Credit: CNN

Apple MAY Join Many Others in Separating Security Patches from System Upgrades

Since the beginning of Apple-time (or is it i-time?), Apple has always bundled security fixes into iOS upgrades. This means that a user could not install a security update without also upgrading the OS. In general, Apple has always forced users to upgrade their iPhones and other mobile devices. This tends to make Apple products more secure because a higher percentage of the users are on the current version of the OS.

This is different than, say, Microsoft, who will push out monthly security patches even though they might only add new features once or twice a year.

According to 9to5Mac, Apple may be planning to separate security fixes from feature upgrades in the next version of iOS.

Of course, sometimes, Apple may release a new version of their OS just to patch a bug, but users never know what else might be bundled inside that upgrade.

But there is a new setting in the software update menu called “Install Security Updates”.

It could be that this is only a feature to install emergency fixes, something that has become more common at Apple as their software becomes more complex.

It also appears that if a user installs a security update they may have to uninstall it prior to installing a version upgrade. If this turns out to be true, this would be very unlike Apple and this makes it harder for users to stay current.

iOS 14.5 is going to be a big deal. One feature in it is that checks for fraudulent web sites will be run through Apple’s servers to protect user privacy and that could, possibly, break things or slow things down. This new update also requires users to opt-in to data sharing.

iOS 14.5 is expected to be released officially in a couple of months. Credit: The Hacker News

Google Reveal Data It Captures

Since Apple doesn’t make a lot of money by selling your data to others (or selling targeted ads to others based on data that it captures), it loves poking Google in the eye about its data collection practices.

Apple required “privacy nutrition labels” by vendors, including themselves, for all new releases of software distributed in the app store as of December 8th of last year.

Google’s response was to stop updating its software. Some people said that was because Google didn’t want to tell people what they were collecting. I suspect that it is more likely that Google was trying to figure out exactly what data they were collecting.

Here is an example of some of the data that Google collects:

This is an effort on Apple’s part to give people more information and help them understand whether they want use an app or not. But this is not where they are ending and the next step will hurt Google (and others) even more.

The graphic below compares the data the the search engine Duck-Duck-Go collects compared to the data collected by Google Chrome and the Google App. Click on the graphic below to expand it. Even before that you can see just by the number of bullets the difference between Duck-Duck-Go and Google.

Starting with iOS 14, all apps will not only have to tell users what data they are collecting but also get their permission to do it – what is known as “OPT-IN”. Opt-in is the advertiser’s nightmare. Basically, it requires the advertiser to say to the user “we want to collect, store forever and sell all this data we collect about you and your browsing or other habits, use it however we want without telling you how, not give you any control over that and in exchange – in exchange we are going to give you this app or maybe shove a bunch of ads in your face that you don’t want to see”.

In fairness, if you say no you will still see ads – they just won’t be targeted to you.

This means that the companies won’t be able to get as much money for those ads since the advertisers won’t know who those people are that are seeing those ads. WHAT IS UNKNOWN IS HOW MANY PEOPLE WILL ACTUALLY OPT IN.

Add to that, consumers have to trust app makes to tell the truth. After all, what is the downside if you lie? If Apple finds out, they could ban you from the App Store.

In iOS 14.5, Apple will require apps to get your permission to track you across other apps and websites. Apple has something called an ID for advertising or IDFA. Using IDFA, if Facebook showed you an ad for say a phone and you did not click on it, but you went to Google and searched for that phone.

Then you bought the phone. That vendor has your IDFA, can share it with Facebook and then Facebook gets credit an ad that was converted to a sale.

All this goes away, in stages, with iOS version 14 and 14.5 if the user does not opt in.

The reason this is a problem for Google and other advertisers is that users usually choose the default. The default is that if I don’t do anything, I effectively opt out and Google and the advertisers can’t target me.

That alone might be a reason to buy an iPhone.

Don’t expect Google to do that on Android any time soon. Or ever.

Credit: The Hacker News