Feedback & Followups
- Push Notification Law Enforcement Requests: shortly after we recorded the previous instalment Apple updated their process for law enforcement to request push notification metadata from Apple, now lining their process up with Google’s to also require a search warrant, and hence, approval by a judge — daringfireball.net/…
- Related Suggested Reading: Apple’s full process for US Law Enforcement listing all the different types of data that can be requested — www.apple.com/… (PDF)
- Beeper Mini: The Beeper Mini saga seems to have run its course, with the cat-and-mouse game appearing to have ended with Beeper throwing in the proverbial towel:
- Observation from Bart: We now understand that the key to all this has been device IDs — the iMessage API requires a valid device ID at registration, and periodically after that to retain the link. Beeper had initially been using just a small handful of old IDs, which is how Apple could easily block them; then they switched to a bigger set of re-used IDs that they used in batches of 20 signups; next they used the device IDs of actual Macs, requiring users to have a Mac running an agent; and finally, the only way to keep the show on the road is for users of Beeper Mini to also have a jailbroken iPhone whose device ID they can use for their connection to iMessage. Given what we know now it seems Beeper were very naive to believe Apple could not lock them out. It’s also reassuring for iOS users that Apple’s security is not as weak as the Beeper Mini hack (it was unauthorised access to a computer system) seemed to imply.
- Beeper Mini is down for 5% of users, but there’s a fix — appleinsider.com/…
- Not dead yet: Beeper Mini’s new fix requires Mac access — appleinsider.com/…
- Beeper has more ridiculous work-arounds for its iMessage bridge hack — forums.appleinsider.com/…
Deep Dive — ‘Active Listening’ Ads?
News broke this week that Cox Media Group was selling an ad product they claimed was based on Active Listening, where customers could buy ads based on random conversations overheard by smart devices in people’s homes. The ad copy was truly terrifying, giving examples of the kind of conversation that would feed this service:
“The car lease ends in a month—we need a plan.”
“A mini van would be perfect for us.”
“Do I see mold on the ceiling?”
“We need to get serious about planning for retirement.”
“This AC is on it’s [sic] last leg!”
“We need a better mortgage rate.”
Once 404 Media broke the story the page vanished from Cox Media Group’s site, and it now seems unclear how real this product was. It may have been a lot more aspirational than real. The claim that smart TVs were listening in on conversations is plausible, but given how modern smartphones show indicators when the mic is active (for precisely this kind of thing!), it seems unlikely they were really recording people that way.
I (Bart) think the most concrete take-away from this story is probably that it’s best to avoid smart TVs and to use a trustworthy box like an Apple TV or an Amazon Fire stick to add smarts to your TV, and never to let your TV anywhere near an internet connection!
Links
- The original report: Marketing Company Claims That It Actually Is Listening to Your Phone and Smart Speakers to Target Ads — www.404media.co/…
- Ad Company Claims ‘It’s True. Your Devices Are Listening to You’ — gizmodo.com/…
- Marketing company claims it can eavesdrop on your conversations thru your devices — 9to5mac.com/…
❗ Action Alerts
- Apple emergency updates fix recent zero-days on older iPhones — www.bleepingcomputer.com/… (iOS 16.7.3, iPadOS 16.7.3, tvOS 17.2 & watchOS 10.2)
- Google fixes 8th Chrome zero-day exploited in attacks this year — www.bleepingcomputer.com/…
- New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now — thehackernews.com/…
Worthy Warnings
- A phishing campaign that’s currently targeting Instagram highlights a new approach to bypassing 2FA/MFA: tricking humans into handing over their recovery codes — www.bleepingcomputer.com/…
- There is a silly bug in Twitter/X that allows URLs linking directly to posts on the social media site to be deceptive – links consist of a username followed by a post ID, but the username is never checked, and when replaced with another username, the link continues to work — www.bleepingcomputer.com/…
- Ubiquiti users report having access to others’ UniFi routers, cameras — www.bleepingcomputer.com/… (it was a brief DB corruption, but important for users to know that it’s possible their camera feeds were seen by others)
- Xfinity discloses data breach affecting over 35 million people — www.bleepingcomputer.com/… (includes hashed passwords, so if you re-used, change everywhere)
- Mortgage giant Mr. Cooper data breach affects 14.7 million people — www.bleepingcomputer.com/… (includes SSNs & bank account numbers, so high risk of targeted very credible phishing attacks)
Notable News
- Terrapin attacks can downgrade security of OpenSSH connections — www.bleepingcomputer.com/…
- Advice from Bart: until this gets fixed, be aware that an Adversary in the Middle (AiTM) can break into your SSH connections. Best to avoid using SSH from untrusted networks without additional protection from a VPN.
- Google is changing how it handles location data so it can no longer be compelled to comply with constitutionally very questionable geofence warrants (where all Android users who happened to be near a crime become suspects) — daringfireball.net/…
- Following on from a string of printer-related zero-day bugs in recent years: Microsoft unveils new, more secure Windows Protected Print Mode — www.bleepingcomputer.com/…
- iOS 17.3 (now in Beta) will add a new opt-in feature to protect against the damage thieves who know your iPhone passcode can currently do (as highlighted by Joanna Stern & Co. at the WSJ in recent months). Named Stolen Device Protection, the feature will require biometrics before and after a 1 hour delay when changing Apple ID passwords or FaceID faces while not at an explicitly trusted location — daringfireball.net/…
- Related: How To Enable Stolen Device Protection on iPhone — www.macobserver.com/…
- Related: Joanna Stern Interviews iPhone Passcode Thief in Prison — tidbits.com/… (Bart’s key take-away: it was the squishy organic bit that was targeted to get the passcode, not complicated things like secret videos)
- Google have released details of their moves to incorporate compiler-level protections into security critical parts of Android, starting with the drivers for the cellular radios — thehackernews.com/…
- Discord adds Security Key support for all users to enhance security — www.bleepingcomputer.com/… (WebAuthn support, so Passkeys & hardware dongles)
- Some positive developments for Threads:
- Threads is coming to Europe, with what Meta believe is sufficient privacy protections to comply with EU law — www.theverge.com/…
- Threads Has Begun Federating Via ActivityPub — daringfireball.net/…
Palate Cleansers
- 99% Invisible Ep. 563: Empire of the Sum — overcast.fm/… (a fascinating history of counting machines)
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| | A link to graphical content, probably a chart, graph, or diagram. |
| | A story that has been over-hyped in the media, or, “no need to light your hair on fire”. |
| | A link to an article behind a paywall. |
| | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| | A tip of the hat to thank a member of the community for bringing the story to our attention. |