A developer named Felix Krause has surfaced an issue that’s been present in Apple’s iOS for a long time and which I’ve often wondered about myself, which is that the operating system periodically pops up what appear to the user to be random dialog boxes asking users to supply their Apple ID passwords. Because of the seemingly random times and places these dialogs show up, they train users to enter their passwords when using apps, which means that apps could at least theoretically recreate these dialogs with their own and thereby phish users’ Apple ID details, creating a security vulnerability. The post Krause wrote about this suggests several fixes, the most obvious of which is that these dialogs should direct users to the Settings app rather than prompting for a password directly. In my opinion, it would also be nice if the dialogs explained why the user suddenly had to re-enter their password – the lack of explanation is another long-standing niggle I have with these dialogs. But this feels like a rare goof by Apple, which is normally so strong on privacy and security but has here created a situation which could easily be exploited by malicious parties. It’s easily fixed, though, and hopefully Apple will do so soon.
via Felix Krause
This issue has been covered in various places over the past couple of weeks, but this is the first bit of real criticism I’ve seen of Apple’s approach here, and I thought it was worth diving into briefly. In iOS 11, the Control Center users reach by sliding up from the bottom of the screen on most iPhones has what appear to be on/off toggles for Bluetooth and WiFi, but in reality these toggles don’t actually turn those radios all the way off. Rather, they leave both radios in a more limited mode in which they still operate in certain ways and in fact will reactivate each morning at 5am. This is a change Apple hasn’t communicated proactively to users in any way, and represents a fairly big shift from how things have worked in the past.
The EFF piece linked below suggests this presents security risks given past Bluetooth vulnerabilities, though it doesn’t actually suggest any specific vulnerabilities Apple might be exposing users to in iOS, which like most mobile operating systems handles Bluetooth pairing requests pretty carefully. Apple’s reasoning for the change is sound – leaving these radios in this in-between state enables key Apple functions like Handoff of activity between devices, the Instant Hotspot feature, and others – but the implementation of the change feels un-Apple-like, in that it’s unintuitive and overrides user preferences in a couple of different ways. Apple could have made similar changes in a more transparent and user-friendly way, and avoided some of the criticism it’s now getting.
The Yahoo breach reported before its acquisition by Verizon closed, and which had been said to affect 1 billion accounts, is now reported to have affected all 3 billion accounts Yahoo had. That could be a bit of a misleading number, given that there’s no way Yahoo had 3 billion separate customers – many of these accounts were likely dormant and duplicates of other accounts, so the actual number of people affected is likely far smaller, and the number who will have had sensitive information shared even smaller. But it’s still a staggering number. However, I’d bet that with the ongoing chatter about the Equifax hack (including the former CEO’s testimony in Congress this week), as well as the broad political story around tech companies and Russian election meddling, this will blow over really quickly and the additional fallout for Verizon and/or the Yahoo brand will be minimal. That may be sad, but no less true for that.
Samsung and ADT have announced a partnership which will combine Samsung’s SmartThings home automation gear with the alarm company’s security system and optional monitoring service. Consumers will buy at retail and install the system themselves, while professional monitoring by ADT will be an optional extra. This is something of a theme in recent weeks, with Nest’s recent launch of a self-install security system (also with a partnership with an existing company for monitoring) and a separate announcement by smaller smart home company Ring. I continue to be skeptical about the broad appeal of self-installed smart home systems, but there clearly is a segment of the population that’s willing to self install and manage, and expanding into security makes sense for them. At the same time, most buyers are likely to continue to go with service-based approaches to both security systems and broader smart home gear.
Bloomberg’s Apple and Google reporters have teamed up for a story about Google building new tools to help secure the accounts of high profile users or others with higher exposure to attempted hacking. This is apparently a response to some previously reported hacks of prominent users’ Gmail accounts and will combine new ways to secure logins with restrictions on third party app integrations and other features designed to close potential entries for hackers. The feature has a name – Advanced Protection Program – and will be marketed to executives and politicians among others, suggesting that it will be a fee-based service, likely an add-on to corporate deployments of Google’s G Suite. All of this feels very topical in the midst of all the reporting about Russian meddling in last year’s US elections, and although that’s mostly currently focused on ad buying and influence through social networks rather than hacking, it’s all obviously connected, with widespread allegations that the Russians were feeding documents from various hacks to Wikileaks, for example.
As new versions of Apple’s operating systems and new iPhone hardware roll out, Apple has updated its website’s privacy section to reflect some of the recent changes and especially to deal with questions users may have about the Face ID feature on the upcoming iPhone X. The site starts with big picture statements about Apple’s commitment to privacy, starting with the assertion that “At Apple, we believe privacy is a fundamental human right” and moves on to more detailed descriptions of Apple’s approach to privacy. In a nutshell, the policy described there is that Apple isn’t interested in your personal data, enables you to determine with whom to share it, and also provides tools for you to protect your information and devices. Apple also addresses its use of differential privacy, which has been in the news lately for a couple of different reasons, including a recent study which asserted that it’s weaker as a privacy protection than Apple says, but also because of changes to Safari data gathering in macOS High Sierra.
For Apple, the key is that it has no reason to infringe on its users’ privacy, because its business model is best served by protecting that privacy rather than gathering data on its users. That’s a meaningful differentiator for at least some Apple customers, and reinforcing these values will be important to them, but for many other customers Apple, Google, Microsoft, and other companies’ privacy policies are not a matter of significant moment. That could of course change in time as these companies have potential access to more and more personal data including health data, but for now the surveys I’ve seen suggest that trust levels are broadly similar between big companies and most people don’t avoid companies like Google because of their business models and approach to data gathering.
BlackBerry and Delphi today announced a partnership which will see the latter use the former’s QNX operating system as a secure foundation for its autonomous driving system. What’s not clear from either the press release the companies issued or the CNBC report linked below is what operating system Delphi’s platform has been built on until this point, because it’s not brand new and the company has been talking about releasing it to car manufacturers in 2019. At any rate, as far as I can tell QNX will join Intel and its Mobileye subsidiary as partners around the system, which focuses mostly on pulling in sensor data and making sense of it, rather than complete control of the car. QNX is already a widely used operating system within the car industry and BlackBerry has spent a lot of time hardening it and demonstrating its ultra-secure credentials since its acquisition several years ago, something that’s likely to become increasingly important as cars become more and more like connected computers. Investors clearly see the partnership as a boon for BlackBerry, whose shares rose quite a bit after hours today, but Delphi is only one of a number of manufacturers building similar systems for smaller car manufacturers, while larger automakers will likely mostly build their own. Further competition in this space will come from companies like Waymo, who will develop their own sensor and sensor fusion technology to go with their autonomous driving software and therefore offer something more like a complete package in time.
Though the headline on the Recode piece linked below says Apple is facing questions from the US Senate on its new Face ID feature, the reality is that the questions are coming from one Senator: former comedian Al Franken, who’s always taken an interest in tech issues and tends to use them to raise his public profile. A number of the questions he’s posing have already been addressed by Apple (including in its public announcement of the feature) while others suggest Franken thinks Apple is Google or some other company which regularly uses data on its customers to target advertising. All of which suggests he either hasn’t taken time to understand the feature properly, or is simply grandstanding, which frankly feels more likely. Apple’s stance on privacy and security is abundantly clear at this point, as demonstrated by its approach to the Touch ID feature (which Franken previously investigated in a similar way). None of that will stop people freaking out about the feature, and coincidentally or not the Economist magazine’s cover story this week is about the dangers of companies collecting facial data. But Apple is storing this data on the device in ways inaccessible to anyone but the user or for purposes other than those intended by Apple and approved by the user.
Instagram Says Error Allowed Hackers to Obtain Celebrity Email Addresses, Phone Numbers (Aug 30, 2017)
The UK National Health Service and many other corporate and government systems around the world are being attacked by ransomware which is enabled by NSA hacking tools for targeting Windows leaked earlier this year. Though Microsoft issued a patch for the affected vulnerability in March, many organizations haven’t applied those patches, which is not uncommon especially in large distributed organizations with many computers not “owned” by a particular end user or subject to any blanket policy on such updates. Though the motive appears to be financial – the hackers are demanding bitcoin in return for unlocking the affected machines – its immediate impact has been disruption, as operations have been canceled and medical centers closed, among other things. It’s a salutary lesson on the importance for both individuals and businesses of applying OS upgrades and patches in a timely fashion, but also of the vast reliance on aging machines and software across the corporate world. It’s also the kind of thing that’s dramatically less likely to affect web-based or more locked down systems like ChromeOS, Apple’s iOS or macOS, or even Microsoft’s new Windows 10 S. But given the prevalence of older versions of Windows in enterprises and government departments, that’s not going to help much anytime soon.
HP Laptops with Conexant Secretly Maintain Log of Keystrokes (May 12, 2017)
Microsoft Hires Head of Privacy and Data Security from FTC (Apr 28, 2017)
This is a great move from Microsoft, which has been at the forefront of recent legal cases over data privacy and security, as it reinforces its commitment to these issues at a time when threats to both security and privacy are increasing. Putting a high profile individual explicitly in charge of this area is a great symbolic move, but if done right should also ensure that these issues are examined in every aspect of Microsoft’s business. So far, Apple has been arguably the strongest champion for privacy as a guiding force among the major tech companies, but this move could see Microsoft become a more prominent advocate too. Worth noting: Brill won’t start at Microsoft until the summer.