Feedback & Followups
- Attackers are continuing to compromise Google ads, and they’re now targeting apps in the news as well as developer & sysadmin tools:
- Apple & Google now Both Warn of Abuse with each Other’s Tags: iOS 17.5 Adds Cross-Platform Location Tracking Alerts — tidbits.com/…
- Previously announced, now in effect: 🇺🇸 SEC: Financial orgs have 30 days to send data breach notifications — www.bleepingcomputer.com/…
Deep Dive 1 — 🧯 Apple is Not Secretly Storing Deleted Photos in iCloud
TL;DR — Apple have confirmed that this was only a database corruption issue confined to the original user’s devices, but that it could be passed from an old device to a new device via an encrypted iCloud backup. Neither Apple nor anyone else ever saw the partially deleted photos.
Shortly after Apple released the iOS 17.5 update social media and tech news sites exploded with reports of some users finding long deleted photos reappearing, zombie-like in their photos library.
The less reputable news sites added a frightening extra claim that this included photos re-appearing on devices that had been wiped and sold. They went on to speculate that this must mean Apple secretly stores deleted photos in iCloud. This was not true!
All this Sturm-und-Drang (definition) about wiped devices was based on one unverified claim by one user on Reddit that was deleted by the original poster. It smelled wrong to me from the start because when you understand how iOS device encryption works, you know that’s not possible.
What really happens is way more boring. Your iCloud Photo Library is both a folder of image files and a database with metadata about those image files. There is not a one-to-one mapping of image files to photos; there can be cached versions at different resolutions. When you delete a photo its metadata is updated to mark it as deleted on a given date, and 30 days later it’s supposed to actually be deleted by removing the original file, as well as any cached versions at different resolutions, from the folder and removing the entry from the database. Due to a bug in earlier versions of iOS, this final deletion was only partially succeeding, leaving some bits of the photo’s data behind. It’s not clear to me exactly which bits, but based on descriptions I’ve read it seems to be the cached alternative-resolution files in the folder.
When iOS 17.5 installs it re-scans the photo library, presumably because the structure needs to be upgraded in some way, and it finds the remnants of the incorrectly deleted image and restores it rather than fully deleting it.
In general, it makes sense to try to recover invalid data rather than ignore it, so I can see why devs would have coded it this way — just imagine the headlines if photos started disappearing! But, in this one case, ‘fail safe’ is actually not so safe! Those recovered snippets might have been deleted for a really good reason!
Apple have released iOS 17.5.1 to stop this happening; presumably any remnants from incomplete prior deletions will now be deleted instead of restored. But this fix only stops it from happening in future, it doesn’t un-resurrect any old photos already restored!
Apple have clarified that this was a very rare bug, but if you are worried something you really need to be gone is back, scroll back through your library in thumbnail view to give it a once-over.
Apple also clarified that these remnants were stored on device, not in the cloud, but added that they would have been included in encrypted iCloud backups, so they could have followed you from one device to another if you upgraded via iCloud backup/restore.
The key point is that only devices using your AppleID could ever have had the remnants in unencrypted form.
This is more of an annoyance than a security catastrophe, and it definitely is not in any way shape or form evidence of Apple doing anything nefarious.
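To make the mechanism concrete, here is a toy model (an added example, not Apple’s code) of a library that is a folder of files plus a metadata database: a soft delete marks the entry, a purge 30 days later is supposed to remove everything, the defective purge leaves the cached resolutions behind, and the upgrade-time rescan either fail-safe restores the orphaned remnant or, in the assumed 17.5.1 behaviour, finishes deleting it. The class, file naming and the “no original means remnant” rule are invented for illustration.

```python
from datetime import date, timedelta

RETENTION_DAYS = 30
SIZES = ("original", "thumb", "medium")  # one original plus cached resolutions

class PhotoLibrary:  # folder of image files (self.files) plus a metadata DB
    def __init__(self):
        self.files = {}  # filename -> image bytes
        self.db = {}     # photo id -> {"deleted_on": date or None}
    def add(self, pid, data=b"jpeg-bytes"):
        for size in SIZES:
            self.files[f"{pid}.{size}"] = data
        self.db[pid] = {"deleted_on": None}
    def delete(self, pid, today):
        self.db[pid]["deleted_on"] = today  # soft delete: metadata only
    def purge(self, today, buggy=False):
        """Hard-delete photos past retention. The buggy variant models the
        defect described: DB entry and original go, cached sizes stay."""
        due = [p for p, m in self.db.items() if m["deleted_on"] is not None
               and today - m["deleted_on"] >= timedelta(days=RETENTION_DAYS)]
        for pid in due:
            for size in (SIZES[:1] if buggy else SIZES):
                self.files.pop(f"{pid}.{size}", None)
            del self.db[pid]
    def rescan(self, fixed=False):
        """Rescan for orphaned files (no DB entry). Fail-safe: re-import them.
        Fixed (assumed model of 17.5.1): no original means purge remnant."""
        orphans = {}
        for name in list(self.files):
            pid, size = name.rsplit(".", 1)
            if pid not in self.db:
                orphans.setdefault(pid, set()).add(size)
        restored, discarded = [], []
        for pid, sizes in orphans.items():
            if fixed and "original" not in sizes:
                for size in sizes:
                    del self.files[f"{pid}.{size}"]
                discarded.append(pid)
            else:
                self.db[pid] = {"deleted_on": None}
                restored.append(pid)
        return sorted(restored), sorted(discarded)

def simulate(fixed):
    # delete one photo, run the defective purge 45 days later, then rescan
    lib = PhotoLibrary()
    lib.add("IMG_0001")
    lib.delete("IMG_0001", date(2024, 1, 1))
    lib.purge(date(2024, 2, 15), buggy=True)
    return lib.rescan(fixed=fixed)
```

`simulate(False)` resurrects the photo from its cached remnants; `simulate(True)` discards them instead.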
Links
- iOS and iPadOS 17.5.1 fix a nasty bug that resurfaced old photos — arstechnica.com
- Apple wasn’t storing deleted iOS photos in iCloud after all — www.bleepingcomputer.com/…
- Apple elaborates on rare iOS 17.5 bug that resurfaced deleted photos — 9to5mac.com/…
Deep Dive 2 — Apple’s WiFi-Based Location System is not a Problem for Regular Peeps
There was also a lot of reporting on some excellent security research from the University of Maryland regarding organisation-level privacy/security risks from analysis of Apple’s WiFi-based location data API.
For context, since even before the very first iPhone was released there have been databases that map WiFi access point MAC addresses to GPS coordinates so devices with WiFi but not GPS can estimate their location by triangulating to a few base stations. When the iPhone launched Apple used a third-party service called Skyhook, but in the years since both Apple & Google have built up their own databases. Note that every WiFi packet must contain the MAC address of the access point it’s to or from, and that MAC address must be outside the encrypted portion of the packet. These MAC addresses are broadcast in the open as a core part of the WiFi spec.
Apple and Google both provide an API for their devices to access their WiFi location service, but they work differently. Google’s API does the work in the cloud and returns the estimated location, meaning Google’s servers know where you are, and could be logging that. Apple’s API returns a list of nearby MAC to location mappings and lets the device do the math to estimate its position.
In terms of individual privacy, Apple’s API is better!
But, by returning what is in effect a sliver of the database to the clients Apple slowly share their database, so it can be used for statistical analysis.
Note that there is no way to map a WiFi MAC address to a person, so it’s not that Apple is leaking personal data. The problem is that you can sometimes get unexpectedly valuable data by applying statistics to pools of anonymous data.
A key fact for understanding what can be done with statistics is that the first half of a MAC address is assigned to a specific vendor, or to a specific technology or specification. This is how network scanners can tell you that a specific device in your LAN is an HP printer or a Dell PC.
When you combine MAC data with other known facts you can start to infer things. Sometimes those things are just fun facts — like a bunch of travel routers that move from expensive New York neighbourhoods to the Hamptons on weekends. But, sometimes the inferences have bigger implications, like when you know the Ukrainian army use Starlink terminals with built-in WiFi access points. Now you can start to infer troop movements in a war!
- There is very little risk to single people here, but if you want to remove your router from Apple & Google’s DB, you can do so by appending _nomap to the end of your SSID (network name).
There is also a spec that allows mobile access points to use randomly chosen MAC addresses that they change periodically. There is a range of MAC addresses reserved for this, so well-designed mobile hotspots should use these MACs, but many don’t, hence the Hamptons insight. Until late 2023 Starlink terminals also didn’t use this spec, but now they do. Also, note that all modern smartphones use this spec.
- Personally, I’m not losing any sleep over this one, but if you feel like it, and can handle the hassle of re-adding all your devices to WiFi, you could add _nomap to your SSID.
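As an added example (not from the linked research), a small audit of constructed scan results shows the three facts the text relies on: the first three octets of a MAC are the vendor prefix, a randomised MAC is flagged by the locally-administered bit in its first octet (the reserved range mentioned above), and an SSID ending in _nomap opts out of the location databases. The OUI table and scan results are constructed placeholders, not real vendor assignments.

```python
OUI_SAMPLE = {  # constructed vendor prefixes; real lookups use the IEEE registry
    "A8:BB:CC": "ExampleRouter Co.",
    "DC:EE:FF": "ExampleHotspot Ltd.",
}

SCAN = [  # constructed scan results: (SSID, BSSID of the access point)
    ("HomeNet", "A8:BB:CC:12:34:56"),
    ("HomeNet_nomap", "A8:BB:CC:65:43:21"),
    ("Travel-Hotspot", "D2:11:22:33:44:55"),  # 0xD2 has the local bit set
    ("Hotspot-NoRandom", "DC:EE:FF:00:11:22"),
]

def normalise(mac):
    return mac.strip().upper().replace("-", ":")

def is_randomised(mac):
    """A set locally-administered bit (0x02 in the first octet) marks the
    address as locally assigned, which is how randomised MACs are flagged."""
    return bool(int(normalise(mac).split(":")[0], 16) & 0x02)

def vendor(mac):
    """The first three octets are the OUI, assigned to a vendor or a spec."""
    return OUI_SAMPLE.get(normalise(mac)[:8])

def classify(ssid, bssid):
    randomised = is_randomised(bssid)
    opted_out = ssid.endswith("_nomap")
    return {
        "ssid": ssid,
        "vendor": None if randomised else vendor(bssid),
        "randomised": randomised,
        "opted_out": opted_out,
        # stable, vendor-attributable and not opted out: the kind of record
        # the statistical analysis described in the text can work with
        "stable_and_mapped": not randomised and not opted_out,
    }

def audit(scan=SCAN):
    return {ssid: classify(ssid, bssid) for ssid, bssid in scan}

if __name__ == "__main__":
    for ssid, info in audit().items():
        print(f"{ssid:18} vendor={str(info['vendor']):20} "
              f"randomised={info['randomised']} opted_out={info['opted_out']} "
              f"mapped={info['stable_and_mapped']}")
```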
Links
- The original reporting from Brian Krebs: Why Your Wi-Fi Router Doubles as an Apple AirTag — krebsonsecurity.com/…
- Summary and commentary from Adam Engst — tidbits.com/…
❗ Action Alerts
- More Google Chrome emergency zero-day patches than you can keep up with: Google fixes third actively exploited Chrome zero-day in a week — www.bleepingcomputer.com/… (Advice from Bart: since Chrome only updates itself on restart, it’s vital to turn Chrome off and on regularly; maybe set a reminder to fire first thing in the morning or last thing in the evening)
- Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated. — isc.sans.edu/…
- May Patch Tuesday has been and gone, patch all your Microsoft & Adobe stuff — krebsonsecurity.com/… (Includes patches for 2 actively exploited Windows Zero-days)
- PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers — www.bleepingcomputer.com/…
- A Proof of Concept exploit has now been released
- Despite repeated attempts to alert D-Link the company has still not patched the flaw
- Owners need to apply a workaround until D-Link release a patch
- 🇨🇦 Apparently these routers are very popular in Canada
- Editorial by Bart: it’s because of this kind of attitude that I never buy from D-Link
- QNAP NAS owners beware — an audit has found 15 security vulnerabilities, and only the worst of them have been patched, update as much as you can, and consider taking your QNAP off the internet (maybe use TailScale for safer remote access) — QNAP QTS zero-day in Share feature gets public RCE exploit — www.bleepingcomputer.com/…
- Make sure your Firefox is patched: Researchers Uncover Flaws in Python Package for AI Models and PDF.js Used by Firefox — thehackernews.com/…
Worthy Warnings
Notable News
- Following on from Google last time, Apple have shared their most recent numbers on their App Store security protections: App Store stopped over $7 billion in potentially fraudulent transactions in four years — www.apple.com/…
- Apple’s full App Store Transparency Report — www.apple.com/… (PDF)
- Analysis: Apple’s 2023 App Store Transparency Report — daringfireball.net/…
- Google announced upcoming Android 15 security features at their Code conference:
- Android 15, Google Play Protect get new anti-malware and anti-fraud features — www.bleepingcomputer.com/… (automatic hiding of sensitive data in notifications when screen sharing, hiding of OTPs in notifications, more anti-malware features in the Play Store, and notifications when the cellular connection is unencrypted)
- Android to add new anti-theft and data protection features — www.bleepingcomputer.com/… (Similar to Apple’s lock features but with the added potential coolness of AI-based motion detection automatically sensing a snatch-and-grab theft)
- At their Build conference Microsoft announced some important up-coming security changes:
- Windows 11 to Deprecate NTLM, Add AI-Powered App Controls and Security Defenses — thehackernews.com/… (NTLM hashes are easy to crack, making it too easy for malware to expand around a network from a small initial breach)
- Microsoft to start killing off VBScript in second half of 2024 — www.bleepingcomputer.com/… (rarely used by people, massively abused by malware)
- LastPass is now encrypting URLs in password vaults for better security — www.bleepingcomputer.com/… (Editorial by Bart: about time!)
- Zoom adds post-quantum end-to-end encryption to video meetings — www.bleepingcomputer.com/…
- 🧯Looks like the new TOS are poorly worded, but fine: Slack AI Privacy Principles Generate Confusion and Consternation — tidbits.com/…
Top Tips
- 🇺🇸 🇬🇧 🇨🇦 🇯🇵 🇫🇮 🇪🇪 US CISA, in conjunction with international partners in the UK, Canada, Japan, Finland & Estonia, has issued advice to ‘civil society’ groups (i.e. charities, campaign groups etc.) that are engaged in the kind of controversial work that may bring them to the attention of governments on ‘Mitigating Cyber Threats with Limited Resources’ — it’s actually good advice for any security aware person, family, or small business: www.cisa.gov/… (direct PDF download)
Excellent Explainers
- More detail than you probably want on how Apple ensures your data gets deleted when you use the feature to wipe it before passing it on: How secure is Secure Erase (EACAS) — eclecticlight.co/…
Interesting Insights
Just Because it’s Cool 😎
- Nosillacastaway @[email protected] shared this fantastic feature from ING bank in the Netherlands that will hopefully be very widely copied: Expose scammers with Check the Call — www.ing.nl/…
Palate Cleansers
- From Bart:
- An excellent opportunity for home users to use enterprise-level products for their features, or, to get valuable experience: VMware makes Workstation Pro and Fusion Pro free for personal use — www.bleepingcomputer.com/… & How to get VMWare Fusion Pro 13 for free — appleinsider.com/…
- 🎧 An excellent telling of the story of the recent SSH back-door that was stopped just in time: Planet Money: The hack that almost broke the internet — overcast.fm/…
- 🎧 A fascinating true story: Decoder with Nilay Patel: How the FBI built its own smartphone company to hack the criminal underworld — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
🎧 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
📊 | A link to graphical content, probably a chart, graph, or diagram. |
🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
💵 | A link to an article behind a paywall. |
📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |