Category Archives: iOS

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot When they have their lights flashing. Those high intensity lights have occasionally blinded me at night so it doesn’t seem like much of a stretch that it could also bother Tesla’s cameras also. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

How Many Images Are Required to Unlock Your iPhone?

Many people have moved to facial recognition to unlock their iPhone, mostly because it is easy.

Researchers wanted to know how secure that is.

For those people who use their face to authorize payments, the problem is, maybe, a bit more serious.

Researchers at Tel Aviv University harnessed deep fakes and that magic word, AI, to figure out what three of the leading facial recognition software packages are looking for.

Then they created a deep fake to look like that.

They created less than a dozen of these deep fake images – nine to be exact.

Then they tested these nine fake images against a publicly available database of faces called Labeled Faces in the Wild.

Those nine computer generated faces were considered a match for 40 to 60% of the faces in that database, depending on which software package was being tested.

NINE matched over 13,000.

While this was a research project and some of the systems could be programmed to reject the flat images, all that means is that the researchers would need to create 3D versions of those nine. Not a high bar to meet.

Researchers say that with more test data they could do even better.

Does this mean that facial device verification is useless?

No, it doesn’t. What it means is that it is a relatively low security authentication mechanism.

Each person needs to decide what an appropriate level of risk/security is for them.

Likely, for most consumers, facial recognition is probably sufficient.

Remember that facial recognition is different than iris or retina scans. They use completely different technologies, are much more expensive and complex and are highly secure.

We have seen similar problems with consumer-grade fingerprint scans.

All of these vendors have to deal with how long a consumer is willing to wait for his or her device to unlock and how many false “failures” that consumer is willing to tolerate.

Credit: Cybernews

Apple’s New iPhone SW Brings Big Changes

If you were using your phone and visited a web site when a message popped up that said something like “we want to sell your data to anyone we want and you get nothing for that – do we have your permission to do that?” – what would your answer be?

Well, if you are an iPhone user, that day is possibly today or at least as soon as your phone upgrades to iOS 14.5 .

Since Apple does not make most of their money from selling your data and Google, one of their biggest competitors makes 80% of their money by selling your data, this change is a double win. Apple can tell their customers how wonderful they are while, at the same time, they get to poke a sharp stick in the eye of one of their biggest competitors, Google.

Developers are now required to ask users via a pop-up if they can “track your activity across other companies’ apps and websites”. If you opt out, you will not see any fewer ads but the ads will be less targeted to you since they can’t share your data to figure out what items you were looking at on Amazon or what stories you were reading on Twitter.

The phone remembers your choices, but you can change your mind at any time.

While some data is useful to the average consumer, it is likely that data is data that the site collects itself. If you are using, for example, a fitness tracker, the app needs to know where you have been and when, but it does not need to sell that data to Amazon so that they can hawk running shoes to you. In general, that does not improve your experience of the fitness tracker’s web site, regardless of what they say.

Facebook, for one, rolled out prototype screens basically begging users to let them sell their data. We don’t know what the final screens will look like yet.

I suspect that many users initial reaction is going to be “HELL NO!!”. This is really a radical change in the United States and on a huge scale given the tens of millions of users who will get to have a small voice, finally.

Until today, in the U.S. users never had the ability to OPT-IN to data sharing – only a hard to use, hard to find, opaque and in some cases, fake, OPT-OUT capability. What a difference a day makes. While I have never been an Apple fan-boy, in this case, GO APPLE!!

It is fair that some businesses, likely mostly large ones, will have some negative impact. The small ones likely either don’t do targeted advertising or don’t make a lot of their sales as a result of that targeting. I don’t know about you, but I visit hundreds of web pages a day and if I were to click on one ad a week it would likely be by mistake.

Facebook says that by saying yes they won’t collect any more data than we already do now, it will just mean that we can show you different ads to ignore.

Companies will adapt. This is not the end of advertising. But it is the beginning of some well needed transparency.

Credit: CNN

Apple MAY Join Many Others in Separating Security Patches from System Upgrades

Since the beginning of Apple-time (or is it i-time?), Apple has always bundled security fixes into iOS upgrades. This means that a user could not install a security update without also upgrading the OS. In general, Apple has always forced users to upgrade their iPhones and other mobile devices. This tends to make Apple products more secure because a higher percentage of the users are on the current version of the OS.

This is different than, say, Microsoft, who will push out monthly security patches even though they might only add new features once or twice a year.

According to 9to5Mac, Apple may be planning to separate security fixes from feature upgrades in the next version of iOS.

Of course, sometimes, Apple may release a new version of their OS just to patch a bug, but users never know what else might be bundled inside that upgrade.

But there is a new setting in the software update menu called “Install Security Updates”.

It could be that this is only a feature to install emergency fixes, something that has become more common at Apple as their software becomes more complex.

It also appears that if a user installs a security update they may have to uninstall it prior to installing a version upgrade. If this turns out to be true, this would be very unlike Apple and this makes it harder for users to stay current.

iOS 14.5 is going to be a big deal. One feature in it is that checks for fraudulent web sites will be run through Apple’s servers to protect user privacy and that could, possibly, break things or slow things down. This new update also requires users to opt-in to data sharing.

iOS 14.5 is expected to be released officially in a couple of months. Credit: The Hacker News

Google Reveal Data It Captures

Since Apple doesn’t make a lot of money by selling your data to others (or selling targeted ads to others based on data that it captures), it loves poking Google in the eye about its data collection practices.

Apple required “privacy nutrition labels” by vendors, including themselves, for all new releases of software distributed in the app store as of December 8th of last year.

Google’s response was to stop updating its software. Some people said that was because Google didn’t want to tell people what they were collecting. I suspect that it is more likely that Google was trying to figure out exactly what data they were collecting.

Here is an example of some of the data that Google collects:

This is an effort on Apple’s part to give people more information and help them understand whether they want use an app or not. But this is not where they are ending and the next step will hurt Google (and others) even more.

The graphic below compares the data the the search engine Duck-Duck-Go collects compared to the data collected by Google Chrome and the Google App. Click on the graphic below to expand it. Even before that you can see just by the number of bullets the difference between Duck-Duck-Go and Google.

Starting with iOS 14, all apps will not only have to tell users what data they are collecting but also get their permission to do it – what is known as “OPT-IN”. Opt-in is the advertiser’s nightmare. Basically, it requires the advertiser to say to the user “we want to collect, store forever and sell all this data we collect about you and your browsing or other habits, use it however we want without telling you how, not give you any control over that and in exchange – in exchange we are going to give you this app or maybe shove a bunch of ads in your face that you don’t want to see”.

In fairness, if you say no you will still see ads – they just won’t be targeted to you.

This means that the companies won’t be able to get as much money for those ads since the advertisers won’t know who those people are that are seeing those ads. WHAT IS UNKNOWN IS HOW MANY PEOPLE WILL ACTUALLY OPT IN.

Add to that, consumers have to trust app makes to tell the truth. After all, what is the downside if you lie? If Apple finds out, they could ban you from the App Store.

In iOS 14.5, Apple will require apps to get your permission to track you across other apps and websites. Apple has something called an ID for advertising or IDFA. Using IDFA, if Facebook showed you an ad for say a phone and you did not click on it, but you went to Google and searched for that phone.

Then you bought the phone. That vendor has your IDFA, can share it with Facebook and then Facebook gets credit an ad that was converted to a sale.

All this goes away, in stages, with iOS version 14 and 14.5 if the user does not opt in.

The reason this is a problem for Google and other advertisers is that users usually choose the default. The default is that if I don’t do anything, I effectively opt out and Google and the advertisers can’t target me.

That alone might be a reason to buy an iPhone.

Don’t expect Google to do that on Android any time soon. Or ever.

Credit: The Hacker News

Security News for the Week Ending March 5, 2021

Google Gives Up On Address Space Layout Randomization (ASLR)

ASLR is a security technique that has been used for years to make it harder for hackers to FIND code in memory to compromise it. There is a problem in the rendering engine in the Chromium project that breaks ASLR and Google says that they won’t fix it. Google says they are resigned to the fact that ASLR cannot be saved. They do have a plan, they say, for something better. Stay tuned. Credit: The Register

TALON: The Nationwide Network of Surveillance Cameras

A company called Flock has built a nationwide network of surveillance cameras using automated license plate readers. They sell to (anyone who’s check clears) police departments, homeowners associations and businesses. The system can record all license plates and detect “non-resident” vehicles or vehicles on a hotlist. The program, called TALON, allows customers to track vehicles and, by extension, people, anywhere in the country. They scan 500 million license plates a month and sell their data to, among others, 500 police departments. Customers of Flock can make the data available to anyone they choose to. Credit: Vice

New ‘unc0ver’ Tool Can Jailbreak All iPhones Running iOS 11-14.3

Like all good software, unc0ver is updated and now, newly released version 6 can jailbreak idevices running iOS 11.0 to 14.3. Apple has patched the bug in iOS 14.4, but they admitted that it may have been used by bad actors. This is a cat and mouse game, so expect version 7 of unc0ver. Credit: The Hacker News

Microsoft Tries to Catch up to Zoom with End to End Encryption in Teams

Months after Zoom was roundly criticized for not having adequate encryption and then implementing it, Microsoft says that they will implemented end to end encryption, but only on one-to-one calls. Note that it will not be on by default. They will also, separately, add customer key support to allow customers to encrypt chat, meeting recordings and other information that is not now currently encrypted. All of this will require customers to take actions to make it happen. Credit: Bleeping Computer