SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 134: Many Things, Revisited!

Posted on April 19, 2019

Ever wonder what your Internet of Things things are saying about you behind your back? Think that you need to be extra vigilant about your security when you’re traveling? Maybe you’re worried about overpaying for an app on the App Store thanks to a scammy subscription — these are all reasonable concerns to have, especially if you’ve been a longtime listener of The Checklist. This week, we’re revisiting a range of subjects with fresh updates, new perspectives, and some helpful tips on how to keep yourself secure in our chaotic and complicated digital world. On this week’s list, we’re ticking through the following items:

  • Worried About Your IoT Things? Princeton Has a Tool for That
  • Worried About Hotels & Data Security? You Should Be!
  • Apple’s Big Step Against Scammy Subscriptions

Oh, and of course—Facebook, right? Just have to throw that in there — after all, we could easily do a show a week just about the bad news that comes out about the world’s biggest social network. For now, though, let’s dive into what some in the Ivy League have created to help all of us be a little more aware about our IoT devices.

Worried About Your IoT Things? Princeton Has a Tool for That

How would you — yes, you! — like to play a part in helping to secure the Internet of Things? What about finding out about whether your connected devices are sending off data about you without your knowledge? We’ll get to those answers in a moment, but before we proceed, let’s quickly recap what we mean when we talk about the Internet of Things, because its definition can sometimes prove hard to pin down. 

It’s more than just a “network” of “things” — the IoT can include tons of devices we might not typically think to include. Most obvious are Wi-Fi-enabled lightbulbs, door locks, refrigerators, and other appliances that interact with smartphone apps, or those you can control over the Internet. There’s more than that, however; sensors can be a part of the Internet of Things, too, and all these devices can communicate with one another (or you) over the web. In other words, the IoT includes not only the hardware itself but the data the network produces as well. 

Not all that data stays within your home network, either; many IoT devices transmit data back to third parties. In many cases, this is harmless data. Consider an Internet-connected thermometer, for example. It might report the outdoor temperature to you while also sending data back to the manufacturer who may use aggregated weather information to make predictions about what the temperature will be later. 

Some of that data isn’t harmless, though, and it might be info you don’t want to be shared — such as your current location. As a result, when you think of the Internet of Things, you need to remember it is all these things bundled up into one package. That’s the gist of it, anyway — for a deeper dive on these subjects, we suggest heading into the archives to revisit Checklist 42 — The Internet of Things and Checklist 53 — How Many Lightbulbs Does It Take to Change the Internet?

Now, what are we talking about today? TechCrunch brings us a story about a group of computer scientists at Princeton who have developed a tool that gives consumers some deep insight into what data their IoT devices send back to base. There is one catch, though: the tool lets the researchers see the same information, too. Dubbed “IoT Inspector,” the app can be downloaded from Princeton’s website, though for right now it is only available for the Mac.

In their blog post, the Princeton team said their goal was to make it easier for end users to inspect how their devices communicated with third parties over the Internet. So, does it work? Their results seem to indicate it does, with the researchers noting they found that a Wi-Fi-connected Chromecast device continually stayed in touch with remote Google servers — even when no one was using the device. They also discovered a Geeni-brand lightbulb that engaged in constant communications with a company based in China.

There are a couple of drawbacks to the tool, though. TechCrunch notes that Safari users are out of luck, as IoT Inspector only works in Chrome and Firefox. The other concern is the one we just mentioned: users of IoT Inspector must allow the Princeton team to examine the data the app collects, too. The goal is to understand better how these devices share data, what trends may exist, and so on; Princeton says all collected data will be anonymized, and that their system never collects information on network traffic from non-IoT devices. The researchers will also share their data with others in the hopes of reaching deeper conclusions.

Users who install the software get more than a list of remote hosts: the tool also tries to tell you whether a device has been hijacked into a distributed denial of service (DDoS) attack, which on the wire looks like a device suddenly pushing large volumes of traffic at a target it has no business contacting. Overall, this is an interesting tool, and with a clear and up-front privacy policy, something our listeners may want to consider investigating for themselves. The Princeton team has also produced a video showing how to install the app on your Mac.
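The two findings above, a Chromecast that keeps talking to Google while idle and a bulb that never stops reporting to its vendor, are the kind of pattern you can spot yourself from nothing more than a per-device list of outbound flows. The following is an added example, not IoT Inspector’s own code: it takes flow records of the sort a router’s flow export or a packet capture would give you, groups them by device and destination, and flags devices that send traffic during an assumed “household asleep” window. The records, the device labels, the .example host names and the idle window are all constructed for illustration.

```python
"""Summarize which remote hosts each IoT device talks to, and whether it keeps
talking while nobody is home.  Added example, not IoT Inspector's code.  The
flow records and host names below are constructed (.example domains)."""
from collections import defaultdict
from datetime import datetime, time

# Assumed "household asleep" window: any traffic here is the device's own idea.
IDLE_START, IDLE_END = time(1, 0), time(6, 0)

# Constructed flow records: (ISO timestamp, device label, destination host, bytes out).
# On a real network these would come from a router flow export or a packet capture.
FLOWS = [
    ("2019-04-15T20:05:00", "chromecast",  "cast.google.example", 812),
    ("2019-04-15T20:05:30", "chromecast",  "cast.google.example", 640),
    ("2019-04-16T03:10:00", "chromecast",  "cast.google.example", 590),  # everyone asleep
    ("2019-04-16T03:40:00", "chromecast",  "cast.google.example", 612),
    ("2019-04-16T03:12:00", "geeni-bulb",  "cloud.geeni.example", 240),
    ("2019-04-16T03:42:00", "geeni-bulb",  "cloud.geeni.example", 238),
    ("2019-04-15T19:00:00", "thermometer", "api.weather.example", 128),
]


def in_idle_window(timestamp: str) -> bool:
    """True if the flow started inside the assumed idle window."""
    t = datetime.fromisoformat(timestamp).time()
    return IDLE_START <= t < IDLE_END


def summarize(flows):
    """Per device and destination: number of flows, total bytes, and bytes sent
    while idle.  A large idle share means the device talks on its own schedule."""
    summary = defaultdict(
        lambda: defaultdict(lambda: {"flows": 0, "bytes": 0, "idle_bytes": 0}))
    for timestamp, device, dst, nbytes in flows:
        entry = summary[device][dst]
        entry["flows"] += 1
        entry["bytes"] += nbytes
        if in_idle_window(timestamp):
            entry["idle_bytes"] += nbytes
    return {device: dict(dests) for device, dests in summary.items()}


def phones_home_while_idle(flows):
    """Devices that sent anything during the idle window: the 'stays in touch
    even when no one is using it' behaviour the Princeton team saw."""
    return sorted({device for timestamp, device, _, _ in flows
                   if in_idle_window(timestamp)})


def destinations(flows, device):
    """Every remote host a given device has contacted."""
    return sorted({dst for _, dev, dst, _ in flows if dev == device})


if __name__ == "__main__":
    for device, dests in summarize(FLOWS).items():
        for dst, stats in dests.items():
            print(f"{device:12} -> {dst:22} flows={stats['flows']} "
                  f"bytes={stats['bytes']} idle_bytes={stats['idle_bytes']}")
    print("talk while idle:", phones_home_while_idle(FLOWS))
```

Run against your own flow records, the interesting output is not the byte counts but the destination list per device and the idle share: a thermometer that only talks when you open its app is behaving; a bulb whose idle bytes match its daytime bytes is reporting on a schedule you never asked for.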

Worried About Hotels & Data Security? You Should Be!

Next up we have another follow-up for you, not to any particular story, but to a series of stories we’ve done in the past. If you’ve listened to the show recently, you’ll likely remember the major Marriott data leak, in which several hotel chains under the Marriott umbrella were found to have exposed the personal information of hundreds of millions of guests. We wondered at the time that story broke how widespread such a problem might be, and well, now we know. It turns out that if you book a hotel, the odds are roughly two in three (67%) that the hotel’s booking system leaks guest data.

According to Engadget, which drew upon a review of 1500 hotels conducted by security firm Symantec, 67% of surveyed properties leaked personal guest data in one way or another. It wasn’t just limited to one place on the map, either — Symantec surveyed hotels in 54 countries at all levels of quality. Some of the hotels spewing user data into the ether were in the E.U., where strict GDPR regulations are meant to prevent and penalize such situations. If you don’t remember exactly what GDPR is, don’t worry — there’s a Checklist for that. Visit Checklist 90 — WHOIS GDPR?

What’s the biggest source of this leaking information? Confirmation emails. When a hotel emails you to confirm a reservation, the link that lets you view the booking often carries your email address and a booking reference right in the URL. That reference is what lets you skip the login step and jump straight to the details of your stay, which also means it works as a password for anyone who holds the link. Symantec further found that many hotel booking pages pull in content from third parties (advertisers, analytics, and partner services), and those third parties receive the same two identifiers along with the page request.

It doesn’t take a big leap of logic to see that an attacker who breaks into one of those third parties, or simply reads its logs, could collect those codes and reconstruct the reservation URLs. Some hotels sent these links over plain HTTP rather than HTTPS, so the URL and its codes also cross the network in the clear, readable by anyone on the same Wi-Fi or along the path. With a working link, an attacker could view things such as your:

  • Name
  • Address
  • Phone number
  • Passport number
  • And more

At first glance, this might simply seem like one of those “everything is terrible” stories: what can you reasonably do to protect yourself from hotels that just aren’t using good security procedures? The good news is that there are some things you can do, and it all ultimately boils down to following best practices. Using strong, unique passwords and two-factor authentication on your travel and booking sites is essential for safeguarding your account; keep in mind that they protect the account itself rather than a link that was designed to bypass the login, so the link still deserves care of its own.

Symantec further suggests using a VPN when working on hotel reservations over public Wi-Fi, although generally, you should always consider using a VPN. It’s a safer way to browse on a network you don’t control, because it hides the URL and its codes from anyone sharing that Wi-Fi; it does nothing, however, about a link the hotel itself hands to third parties. Ensure that you’re choosing a VPN provider that is trustworthy and does not share any data of their own. If you aren’t paying for access, it’s probably not as safe as it could or should be.

Of course, you can also look at the URL in the hotel’s email before you click it. If you see your email address or a booking code sitting in the link, you can take the proactive step of alerting the chain to the problem, and treat the email itself as sensitive: forwarding it hands the link, and the reservation, to whoever receives it. Otherwise, simply choose a different hospitality provider in the future.
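Since the advice above comes down to “look at the link before you click it,” here is that check written down, as an added example that is not Symantec’s tooling or anything from the hotels involved. It pulls apart a reservation URL and reports the three weaknesses described earlier: no TLS, an email address in the query string, and a booking reference that acts as a login substitute. The sample links and the list of parameter names that typically carry a booking reference are assumptions made for the example.

```python
"""Inspect a hotel reservation link for the leaks Symantec described: no TLS,
the guest's e-mail address in the query string, and a booking reference that
stands in for a login.  Added example; the URLs below are constructed."""
import re
from typing import List
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)
# Parameter names that typically carry a booking reference (assumed list; extend
# it with whatever the chain you are looking at actually uses).
REFERENCE_KEYS = {"ref", "reference", "booking", "bookingref", "confirmation",
                  "confirmationnumber", "code", "pnr", "resid"}


def inspect_reservation_url(url: str) -> List[str]:
    """Return one finding per weakness spotted in the link; empty means clean."""
    findings = []
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        findings.append("no TLS: the link and any codes in it cross the network in the clear")
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if EMAIL_RE.match(value):
                findings.append(f"e-mail address exposed in query parameter '{key}'")
            elif key.lower() in REFERENCE_KEYS:
                findings.append(
                    f"booking reference in parameter '{key}' works as a bearer token: "
                    "anyone who obtains the link skips the login")
    return findings


def worst_offenders(urls):
    """Sort links by number of findings, worst first, for triage across several e-mails."""
    return sorted(urls, key=lambda u: len(inspect_reservation_url(u)), reverse=True)


# Constructed sample links, modelled on the patterns Symantec described.
SAMPLE_URLS = [
    "http://booking.hotel.example/view?email=guest%40mail.example&ref=AB12CD",
    "https://booking.hotel.example/view?ref=AB12CD",
    "https://booking.hotel.example/login",
]

if __name__ == "__main__":
    for url in worst_offenders(SAMPLE_URLS):
        print(url)
        for finding in inspect_reservation_url(url) or ["no obvious leak"]:
            print("  -", finding)
```

The check only sees what is in the link. The third-party sharing described above happens on the hotel’s booking page, after you click, and is invisible from the email; only the hotel can fix that, which is why reporting it is the useful move.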

Apple’s Big Step Against Scammy Subscriptions

Moving on to our final story for today, we’re doing another quick follow-up on the scammy subscriptions story we brought to you a few months ago. If you don’t remember this story from November, we talked about apps that offered users a free trial, but then rapidly moved them over to expensive paid subscriptions after an unfairly short period. These schemes began to infest the App Store, and users have grown sick of them — and so, too, has Apple, which has taken fresh steps to cut down on this abuse of the subscription feature.

How? They’ve added a new step to the subscription sign up process, and they’re trying hard to make sure users know that they are actually signing up for a subscription when they click OK. MacRumors brings us this story, which notes that Apple’s adding a second step requiring user confirmation when choosing a subscription-based app. After authenticating and initially OKing the purchase, iOS will now ask you again if you are really sure you want to sign up for a subscription.

The hope here is that a clear alert coming from Apple may stop app developers who’ve been using these scammy subscription tricks, or at least discourage more developers from trying them. However, there’s still something users need to do to make this work: users must actually read the pop-ups. Don’t trust software to do everything for you; if you install something and a pop-up appears, read it and make sure you know what you’re saying “OK” to before proceeding. 

Do you know whether you’re paying for any app subscriptions right now? Don’t worry; it’s easy to find out right now whether you are. Here’s what you need to do:

  • Visit the iTunes Store on your Mac or your iOS device.
  • On iOS devices in particular, scroll to the bottom of the page and tap on “Apple ID.”
  • For Mac users, click “Account” on the right side of iTunes.
  • Look for “Subscriptions” on the next page.
  • Tap or click “Subscriptions” to see every subscription currently active on your account. Canceling one from this page takes only a few more taps or clicks.

With your subscriptions squared away, all that’s left is to break the habit of reflexively clicking “OK” whenever a dialog box pops up; those dialogs often carry important information, and reading them is your chance to avoid a costly mistake. On that note, we’ll draw this week’s discussion to an end.
