Posted on November 1, 2018
A somewhat surprising slip-up on Apple's part, a useful security guide and an update on a persistent enemy – that's what we're diving into this week as we tour the headlines and pick out the security stories that seem ripest for an interesting discussion. On today's list, we check out the following stories:
This week, we start with a rather unique story. When Apple publishes a new update, it's usually smart to install it right away for the security improvements and fixes it brings. In the case of one of Apple's latest updates, it took only a few hours before someone found something broken in it.
A detour in Apple's latest update
So what happened?
Recently, Apple launched the first point update to its latest version of iOS, version 12.1, filled with bug fixes and a few new features that were not fully ready for showtime when iOS 12 was originally released. On the same day, a security researcher named Jose Rodriguez discovered an amazingly easy way to bypass a locked iPhone's passcode to get to the user's contact list and all the information it contains.
Rodriguez reached out to an online publication called Hacker News to share details and confirm that the bug actually worked on the latest version of iOS. In fact, one of the new features introduced in 12.1 is integral to performing the bypass.
Before we proceed, a point of order. Generally, these "passcode bypass" exploits are not very serious. Some appear throughout the life cycle of every version of iOS, most do not expose sensitive information, and they are usually impossible to exploit without direct physical access to the phone. Unless your roommate is a super spy, chances are nobody will ever be able to use one of these exploits against you. Moreover, the procedure used to trigger the exploit is often long and involved. That's part of what makes this bug interesting – triggering it is surprisingly simple.
How it works
The person who wants to look at your contacts must first call the phone using another iPhone (and it must be an iPhone). If they don't know the phone number, they can ask Siri to reveal it with the "Who am I?" command, or use Siri to call their phone from yours – thus revealing the number.
Once the call connects, they must immediately switch to a FaceTime call and then select "Add Person" – this is part of Apple's new and expanded Group FaceTime feature. Just by pressing the + icon afterwards, the person can display a complete list of contacts. A 3D Touch press will reveal more info on each contact's page. And that's it – the exploit works even if the phone is locked.
The surprising thing here is that Apple seems to have missed the security implications during the effort to provide a more convenient way for users to access a feature like Group FaceTime. That's not to say that Apple's rush to produce and market a product left a huge gap in system security – but it left a hole big enough to allow anyone with bad intentions and a little determination to squeeze through and see things they should not.
This battle between convenience and security has been ongoing at Apple, and it has been the source of more bugs and issues similar to this one. Now, we all know that Apple is not infallible, no matter how much they want us to think otherwise. So how do you get to the right balance between security and convenience? It's a tough line to walk. In this case, Apple seems to have come down on the side of convenience, since potentially exposing contact information in a limited scenario may have seemed an acceptable tradeoff for letting users add people to a call quickly. Of course, that may not be the case at all; it may simply be a single oversight whose consequences no one saw coming.
For now there is no official fix, since the exploit appeared as soon as the latest version was available for download. Will Apple fix it? It remains to be seen. There is currently no way to completely stop this on your own either, apart from the obvious: do not let your phone be with someone you do not trust. However, there is one step you can take. Since someone needs to know your phone number to pull this off, limiting who can learn it narrows the pool of people who could see your contacts to those who already know your number.
To prevent Siri from giving it up in case a stranger asks your device for it, you can navigate to your iPhone settings and look for "Siri & Search." Here you can toggle several options, such as listening for "Hey Siri" and allowing Siri to work when the device is locked. When these are turned off, you can rest assured that no one can ask your digital assistant for your phone number to get at some tidbits of your data.
Scammy Subscriptions and How To Stop Them
Our next story in this week's discussion can not strictly qualify as a "security story," since it has nothing to do with malware or unusual exploits or even a good old-fashioned data breach. Instead, it is something to be aware of to protect yourself and your wallet. Cult of Mac and TechCrunch both recently highlighted a problem they say is "plaguing" the App Store and causing all sorts of problems – so-called scam subscriptions.
The core of the issue is apps that allow users to try them out for free while slipping in a paid subscription after a very short window. Often, users do not realize that they have agreed to pay until after the app charges them when their "free trial" expires. These subscriptions often carry truly exorbitant prices that no one would normally pay voluntarily for an app. The investigative reporting that went into the stories identified several notable apps as the main offenders. Some of these included the following apps:
- The Scanner App: ostensibly meant to be used as a document scanning service, this app offered itself as a free download but locked into paid mode after only three days – and users needed a microscope for the fine print in the app's user agreement to find out about the automatic conversion.
- QR Code Reader: an app that does what it says, this one also suddenly turned from free to paid within just three days. Did we mention that a QR reader is already built into the iPhone camera? It is – but this app still convinced people that such basic functionality was worth paying for.
- Forecasts: an app that apparently alerts users to changes in the weather or incoming severe storms, it used a "hot interface" to trick users into forking over a $20 fee for the privilege of using the app. The app hides the button used to close the subscription page for several seconds, making it unclear what each option actually does. The result is often a subscription.
According to Cult of Mac, these three apps alone were raking in up to $14.3 million a year by bamboozling users into subscriptions they did not need. That's a nice chunk of change, even for the developer "only" making $1 million a year on their app. In the original TechCrunch article, a number of other apps were investigated on top of these three, showing that the problem is at least somewhat widespread on the App Store.
There is good news, though: while you should be vigilant about what you download, Apple seems to have taken notice after all the media attention. Unsurprisingly, they took quick action. A few days after the stories broke, apps like QR Code Reader and the weather alert app were pulled from the App Store. 11 other apps identified by the articles were also taken down or changed to make their subscription terms clear and up front.
What happens if you accidentally get sucked into one of these scummy, scammy subscriptions? The good news is that getting out of them should be as easy as getting in – if you know what you're doing. Here is the list of steps to follow to check on things:
- Visit the iTunes Store, either on your desktop computer or via your iOS device.
- If you are using the desktop computer, click the "Account" panel on the right side of the iTunes window. If you are using your iOS device, scroll down to the bottom of the App Store page and tap the Apple ID button. At this point you will be prompted to log in; enter your information and continue.
- Look for a button or menu entry called "Subscriptions" and select it.
- On the resulting screen, you can quickly see which subscriptions you have approved payments for; from there, simply disable any subscriptions you no longer wish to pay for.
There's an added bonus to knowing about and using this screen: it lets you test the waters without the risk of ending up paying for something you don't want. For example, maybe there's an app you want to try, but you know for sure you will not pay for a subscription once the trial ends. Once you've started the trial, follow the instructions above and cancel the subscription to the app. The store will notify you that even though you canceled your subscription, you can continue to use the app until the end of the free trial. How handy is that?
If you are worried that you might end up paying for something you do not want without noticing, you can also keep an eye on your inbox. Apple sends email to users when a subscription begins, telling you that you have started a free trial. This email should contain other relevant information, such as the length of the trial period and what you will pay when it ends. It also contains a useful link to view your subscriptions – so keep your eyes peeled and watch what you download from the App Store. Being vigilant, plus understanding how to manage your subscriptions, can help keep you safe and avoid falling for one of these predatory apps.
GrayKey gets stuck in the lock
For our last story today, it's time for another quick follow-up on a story we've covered over the past year! We're talking about GrayKey – the mysterious black box device marketed to law enforcement for breaking into a suspect's locked iPhone. Well, it seems that somewhere in Apple's recent wave of updates, something has accomplished what Apple has been chasing for months: ending GrayKey's ability to defeat iPhone encryption.
According to a report by Forbes, several law enforcement sources have anonymously reported that their devices can no longer break into iPhones running iOS 12 or higher. Instead of recovering the passcode itself, GrayKeys can now only get a vague sense of what's on the iPhone. This so-called "partial recovery" no longer allows the police to dump the entire contents of an iPhone; they can only see which files are not encrypted, along with some basic metadata such as file size.
Why does that matter? Well, it's easy enough to look at a safe and see how big it is and where it sits – but you have no way of knowing what's inside. This is similar. Sure, investigators can make some educated guesses based on the sizes of specific files (for example, large files are often video files), but there is no way to know the contents of those files. Even with the available metadata, these changes virtually eliminate GrayKey's ability to function as it did before.
We know that GrayKey used a kind of brute force method to guess passcodes and that it used an exploit to avoid the lockout that iOS normally imposes after so many failed attempts. So, what did Apple do to fix the problem? We do not know. In fact, no one outside Apple knows. Even some of the other leaders in iPhone encryption, such as the developers at Elcomsoft, had no answer when presented with the question. Ultimately, that's a good thing: you don't want to let your opponents know how you beat them at their own game. No matter what Apple did in iOS 12, what matters is that iPhone passcodes are once again incredibly secure in just about all cases – as long as they are strong, of course.
That does not mean it's time for complacency; while GrayKey may be out of commission, it does not necessarily mean it's the last we'll see of it, or of devices with similar capabilities. Eventually, someone might find another way to build a device that breaks into the iPhone; it may take weeks or months, but we can bet that someone out there is working to undermine device security. GrayShift, the company behind GrayKey, may even be hard at work trying to find a new way in itself. We'll have to wait and see, but for now we can celebrate the fact that, after stopgap solutions like USB Restricted Mode, Apple finally found a way to close the door.
No surprise here, but neither Apple nor GrayShift responded to Forbes's request for comment on its article. The battle between the tech titan and the security startup continues in the shadows, but at the moment it looks like it may actually be a clear victory – unless a story suddenly appears in six months about a new version that works again.
That wraps up this episode of The Checklist. If you would like to revisit a recent episode you may have missed, or want to brush up on your security knowledge so that you can impress your family during the upcoming holidays, don't forget that you can always dive into our archives here. There you'll find every episode we've ever recorded, complete with show notes, full audio, and all the links you need to go deep down the rabbit hole.