
Security Bits — 2024 May 26

Feedback & Followups

Deep Dive 1 — 🧯 Apple is Not Secretly Storing Deleted Photos in iCloud

TL;DR — Apple have confirmed that this was only a database corruption issue confined to the original user’s devices, but that it could be passed from an old device to a new device via an encrypted iCloud backup. Neither Apple nor anyone else ever saw the partially deleted photos.

Shortly after Apple released the iOS 17.5 update, social media and tech news sites exploded with reports of some users finding long-deleted photos reappearing, zombie-like, in their photo libraries.

The less reputable news sites added a frightening extra claim that this included photos re-appearing on devices that had been wiped and sold. They went on to speculate that this must mean Apple secretly stores deleted photos in iCloud. This was not true!

All this Sturm-und-Drang about wiped devices was based on one unverified claim by one user on Reddit that was deleted by the original poster. It smelled wrong to me from the start because when you understand how iOS device encryption works, you know that’s not possible.

What really happens is way more boring. Your iCloud Photo Library is both a folder of image files and a database with metadata about those image files. There is not a one-to-one mapping of image files to photos; there can be cached versions at different resolutions. When you delete a photo, its metadata is updated to mark it as deleted on a given date, and 30 days later it’s supposed to actually be deleted by removing the original file as well as any cached versions at different resolutions from the folder and removing the entry from the database. Due to a bug in earlier versions of iOS, this final deletion was only partially succeeding, leaving some bits of the photo’s data behind. It’s not clear to me exactly which bits, but based on descriptions I’ve read it seems to be cached alternative-resolution files in the folder.

When iOS 17.5 installs it re-scans the photo library, presumably because the structure needs to be upgraded in some way, and it finds the remnants of the incorrectly deleted image and restores it rather than fully deleting it.

In general, it makes sense to try to recover invalid data rather than ignore it, so I can see why devs would have coded it this way — just imagine the headlines if photos started disappearing! But, in this one case, ‘fail safe’ is actually not so safe! Those recovered snippets might have been deleted for a really good reason!

Apple have released iOS 17.5.1 to stop this happening; presumably any remnants from incomplete prior deletions will now be deleted instead of restored. But this fix only stops it from happening in future, it doesn’t un-resurrect any old photos already restored!

Apple have clarified that this was a very rare bug, but if you are worried something you really need to be gone is back, scroll back through your library in thumbnail view to give it a once-over.

Apple also clarified that these remnants were stored on device, not in the cloud, but that they would have been included in encrypted iCloud backups, so they could have followed you from one device to another if you upgraded via iCloud backup/restore.

The key point is that only devices using your AppleID could ever have had the remnants in unencrypted form.

This is more of an annoyance than a security catastrophe, and it definitely is not in any way shape or form evidence of Apple doing anything nefarious.

Links

Deep Dive 2 — Apple’s WiFi-Based Location System is not a Problem for Regular Peeps

There was also a lot of reporting on some excellent security research from the University of Maryland regarding organisation-level privacy/security risks from analysis of Apple’s WiFi-based location data API.

For context, since even before the very first iPhone was released there have been databases that map WiFi access point MAC addresses to GPS coordinates so devices with WiFi but not GPS can estimate their location by triangulating to a few base stations. When the iPhone launched Apple used a third-party service called Skyhook, but in the years since both Apple & Google have built up their own databases. Note that every WiFi packet must contain the MAC address of the access point it’s going to or coming from, and the MAC address must be outside the encrypted portion of the packet. These MAC addresses are broadcast in the open as a core part of the WiFi spec.

Apple and Google both provide an API for their devices to access their WiFi location service, but they work differently. Google’s API does the work in the cloud and returns the estimated location, meaning Google’s servers know where you are, and could be logging that. Apple’s API returns a list of nearby MAC to location mappings and lets the device do the math to estimate its position.

In terms of individual privacy, Apple’s API is better!

But, by returning what is in effect a sliver of the database to the clients, Apple slowly share their database, so it can be used for statistical analysis.

Note that there is no way to map a WiFi MAC address to a person, so it’s not that Apple is leaking personal data. The problem is that you can sometimes get unexpectedly valuable data by applying statistics to pools of anonymous data.

A key fact to understanding what can be done with statistics is to know that the first half of a MAC address is assigned to a specific vendor, or to a specific technology or specification. This is how network scanners can tell you that a specific device in your LAN is an HP printer or a Dell PC.

When you combine MAC data with other known facts you can start to infer things. Sometimes those things are just fun facts — like a bunch of travel routers that move from expensive New York neighbourhoods to the Hamptons on weekends. But, sometimes the inferences have bigger implications, like when you know the Ukrainian army use Starlink terminals with built-in WiFi access points. Now you can start to infer troop movements in a war!

There is very little risk to individuals here, but if you want to remove your router from Apple & Google’s DB, you can do so by appending _nomap to the end of your SSID (network name).

There is also a spec that allows mobile access points to use randomly chosen MAC addresses that they change periodically. There is a range of MAC addresses reserved for this, so well-designed mobile hotspots should use these MACs, but many don’t, hence the Hamptons insight. Until late 2023 Starlink terminals also didn’t use this spec, but now they do. Also, note that all modern smartphones use this spec.

Personally, I’m not losing any sleep over this one, but if you feel like it, and can handle the hassle of re-adding all your devices to WiFi, you could add _nomap to your SSID.
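To make the MAC address points above concrete, here is an added example (not from the show notes or from any vendor) that audits a list of your own access points: it checks for the _nomap suffix and reads the vendor prefix and the "locally administered" bit, which is how standard IEEE 802 addressing marks the reserved range that randomised MACs come from. The sample SSIDs and BSSIDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inventory (SSID, BSSID); these are not real devices.
SAMPLE_APS = [
    ("HomeNet", "00:11:22:33:44:55"),
    ("HomeNet_nomap", "00:11:22:33:44:56"),
    ("TravelRouter_nomap", "06:11:22:33:44:57"),
]

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(text):
    """Return the six raw bytes of a colon- or hyphen-separated MAC address."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def describe_mac(text):
    """Split a MAC into the properties that matter for tracking."""
    raw = parse_mac(text)
    # Bit 0x02 of the first octet: set means locally administered, i.e. not
    # drawn from a vendor's assigned block (the range used for random MACs).
    local = bool(raw[0] & 0x02)
    return {
        # The first three bytes name the vendor only for globally unique MACs.
        "oui": None if local else raw[:3].hex(":").upper(),
        "locally_administered": local,
        "multicast": bool(raw[0] & 0x01),
    }


def audit_access_point(ssid, bssid):
    """List the ways this access point can feed WiFi location databases."""
    info = describe_mac(bssid)
    findings = []
    if not ssid.endswith("_nomap"):
        findings.append("SSID lacks _nomap suffix, so it has not opted out")
    if not info["locally_administered"]:
        findings.append(f"BSSID has vendor prefix {info['oui']}: stable and vendor-identifying")
    return findings


if __name__ == "__main__":
    for ssid, bssid in SAMPLE_APS:
        print(ssid, bssid, audit_access_point(ssid, bssid) or "no findings")
```

A locally administered address only shows the MAC is not vendor-assigned; whether the device actually rotates it over time has to be checked by observing it.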

Links

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

  • 🇺🇸 🇬🇧 🇨🇦 🇯🇵 🇫🇮 🇪🇪 US CISA, in conjunction with international partners in the UK, Canada, Japan, Finland & Estonia, has issued advice to ‘civil society’ groups (i.e. charities, campaign groups etc.) that are engaged in the kind of controversial work that may bring them to the attention of governments on ‘Mitigating Cyber Threats with Limited Resources’ — it’s actually good advice for any security aware person, family, or small business: www.cisa.gov/… (direct PDF download)

Excellent Explainers

Interesting Insights

Just Because it’s Cool 😎

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
