Feedback & Followups
- 🇺🇸 Pennsylvania has announced plans to release an Apple/Google-based COVID app in September — www.imore.com/…
- Which U.S. states are using Apple’s Exposure Notification API for COVID-19 contact tracing? 9to5mac.com/…
- 🇦🇺 Australia’s non-Google/Apple COVID app continues to struggle, with success rates of between 27% & 40% while phones are locked (Editorial by Bart: this is of course completely expected, and, what surprises me is that it sometimes nearly manages to work half the time) — www.imore.com/…
- 🇬🇧 English & Welsh victims of the massive 2014-2018 data breach at Marriott hotels are suing the company. According to the UK Information Commissioner 7M UK residents were caught up in the breach — www.macobserver.com/…
Deep Dive — Is a 6-Digit PIN Safe on your iOS Device?
Thanks to COVID (and the masks that defeat Face ID), a lot of people who relied on Face ID to make the inconvenience of an alphanumeric passcode on their iOS devices an acceptable experience are now being tempted to revert to a 6-digit PIN.
An anecdote has emerged that suggests that perhaps there are now enough GrayKey-like machines out there that they have made their way into the hands of regular criminals, and that they are being used to crack iOS PINs on stolen devices.
A user who recently had an iPhone with a 6-digit passcode stolen found that the thieves had somehow cracked the PIN, used it to access his Keychain, and then used his saved passwords to steal $30K via unauthorised wire transfers, spend $2.5K in the App Store, and break into many of his online accounts.
The assumption is that the criminals who stole the phone used a second-hand iPhone cracking device like the GrayKey to crack the PIN. We know these devices exist, but in theory, they are only available to law enforcement. Mind you, at least one example has been reported of one of these devices for sale on eBay, so it’s not unreasonable to assume they are leaking out beyond the law enforcement community. Of course, good old fashioned corruption is another possibility — a bad cop making a few bucks on the side cracking iPhones for their mob buddies doesn’t seem too outlandish to me.
It’s important to remember that this is a single anecdote, and, we are assuming the PIN was cracked, and guessing that was done with a GreyKey-like device. Be careful not to read too much into this one very wobbly datapoint!
Having said that, my advice remains as it always was: use a real password on your iOS device. If you set your phone to erase after 10 failed attempts, then a 6-character password seems adequate to me — even a terrible password like M0nkey comes from a keyspace tens of thousands of times larger than that of any six-digit PIN! (A dictionary-and-rules attack would still find M0nkey quickly, so do pick something less guessable than that.)
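The comparison above can be made concrete. The following Python is an added example written for these notes, not code from the article or from Apple; the wordlist, the substitution rules and the guess rate are constructed assumptions. The rate of 12.5 guesses per second is derived from Apple’s published figure of roughly 80 ms per passcode attempt on the Secure Enclave, and the brute-force times assume the attacker has bypassed the 10-attempt wipe, as the cracking device in the deep dive is presumed to do. The second half shows the caveat: a mangled dictionary word like M0nkey sits in a huge keyspace but falls in a few dozen guesses to a rules-based attack.

```python
import math
from itertools import product

# Assumed per-guess cost (not measured here). Apple documents roughly 80 ms per
# passcode attempt on the Secure Enclave, so ~12.5 guesses/second is the
# hardware-limited rate an attacker faces once the attempt counter is bypassed.
GUESSES_PER_SECOND = 12.5

# Passcode policies as (alphabet size, length). Constructed for illustration.
POLICIES = {
    "6-digit PIN": (10, 6),
    "6-char letters+digits": (62, 6),
    "6-char letters+digits+symbols": (95, 6),
    "10-char letters+digits": (62, 10),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes an exhaustive attacker must cover."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passcode under this policy."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / rate


def brute_force_table(rate: float = GUESSES_PER_SECOND) -> dict:
    """Keyspace, entropy and worst-case exhaust time (in days) per policy."""
    return {
        name: {
            "keyspace": keyspace(a, n),
            "bits": round(entropy_bits(a, n), 1),
            "days": worst_case_seconds(a, n, rate) / 86400,
        }
        for name, (a, n) in POLICIES.items()
    }


# Dictionary-plus-rules attack. Wordlist and leet rules are constructed; real
# crackers ship far larger lists and rule sets.
WORDLIST = ["password", "monkey", "dragon", "qwerty", "letmein", "football"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def mangle(word: str):
    """Yield every combination of leet substitutions for the word, each both
    as-is and with a capitalised first letter, as a rules-based cracker does."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in product((False, True), repeat=len(positions)):
        chars = list(word)
        for flag, i in zip(mask, positions):
            if flag:
                chars[i] = LEET[chars[i]]
        candidate = "".join(chars)
        yield candidate
        yield candidate[0].upper() + candidate[1:]


def guesses_until(target: str, wordlist=WORDLIST):
    """1-based guess number at which the rules attack hits target, or None
    if the target is outside the candidate set."""
    n = 0
    for word in wordlist:
        for candidate in mangle(word):
            n += 1
            if candidate == target:
                return n
    return None


if __name__ == "__main__":
    for name, row in brute_force_table().items():
        print(f"{name:32} {row['keyspace']:>22,d}  {row['bits']:5.1f} bits  "
              f"{row['days']:>14,.2f} days")
    print("M0nkey found by rules attack at guess", guesses_until("M0nkey"))
    print("xK9#pQ found by rules attack at guess", guesses_until("xK9#pQ"))
```

At 12.5 guesses per second the six-digit PIN is exhausted in under a day, while six mixed-case alphanumeric characters take well over a century; that is the gap the advice above relies on. The same script shows why the choice of those six characters still matters: M0nkey is the 38th candidate the toy rules attack tries.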
Links
- Can Thieves Crack 6-Digit iPhone Passcodes? — daringfireball.net/…
- If Hackers Crack a Six-Digit iPhone Passcode, They Can Get All Your Passwords — www.intego.com/…
Worthy Warnings
- Don’t believe every Android notification you get, even if it’s from a reputable app — security researchers have found flaws in how even major companies secure their notification services, and attackers are actively exploiting notifications from high-profile apps including Google Hangouts & Microsoft Teams — nakedsecurity.sophos.com/…
- Voice Phishers Targeting Corporate VPNs — krebsonsecurity.com/…
- Security researchers have published details of an as-yet-unpatched bug in Safari that allows it to leak some local files, including your browsing history — www.macobserver.com/…
- 235M TikTok, Instagram, and YouTube profiles caught up in data breach — www.imore.com/…
- 🇺🇸 Medical Data of Auto Accident Victims Exposed Online — securethoughts.com/…
Notable News
- A report from the Institute for Strategic Dialogue, a UK counter-extremist organisation, has found that Facebook’s algorithm ‘actively promotes’ Holocaust denial — www.theguardian.com/…
- Related: the Auschwitz Museum Twitter account, which shows the face of one person per day who was murdered there and tells a little about them — twitter.com/…
- Facebook is proactively warning their customers (advertisers) that Apple’s iOS 14 privacy features will cut their revenue by an estimated 50%, and that their entire Audience Network tool might become unviable on iOS — arstechnica.com/…
- Bonus: Best headline I’ve seen on this story: Facebook apologizes to users, businesses for Apple’s monstrous efforts to protect its customers’ privacy — www.theregister.com/…
- Related: News Publishers Join Facebook in Worry Over iOS 14 Anti-Tracking Feature — www.macobserver.com/…
Top Tips
Palate Cleansers
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
On episode 799, Bart said he does not watch YouTube videos because turning off Autoplay does not stick from session to session. I turned YouTube Autoplay off on my Mac, iPad and iPhone and the setting has stayed off for 3-4 days, even after reboots and resets. I am running the latest software on all my devices. What he previously experienced seems to have been fixed, at least it has for me. Maybe he should try again to see if that is true for him.
James — do you log in to YouTube? I don’t because I don’t want to make it even easier for them to spy on me than it already is 🙂
Yes, I do log in to YouTube.