SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 146: Just Because You Can…

Posted on July 18, 2019

Should you always run the latest software, even if it means being a bit of a beta tester? Some concerns with early, pre-release versions of iOS have us asking that question. Later we’ll dive into the sometimes-absurd world of Internet of Things devices again to wonder what we really need to connect to the web. In the midst of it all, we’re jumping back to a story from last week to revisit the subject of silent updates. We’re wasting no time in diving into our stories for this week, with a list that includes:

  • Should YOU Be Running Beta Software?
  • Should ANYONE Block Apple’s Silent Updates?
  • Should There REALLY Be an App for Your Flatiron?

Here on The Checklist, we talk a lot about how important it is to run the latest versions of your software to stay safe from security threats. How new is too new, though? First up, let’s dive into a world of questions about betas.

Should YOU Be Running Beta Software?

While doing this show, we try to maintain an even-keeled point of view, providing our listeners with a balanced look at the facts surrounding security, and that usually means we try to avoid giving Apple too much of the benefit of the doubt. With that said, we’re all still Mac fans here, after all — so sometimes it’s good to take a step back and make sure we’ve got the right perspective. That’s the thought process we ran through this week while considering a story that popped up across several tech news websites regarding security concerns uncovered in the latest beta releases for iOS 13 and iPadOS.

If you’re like us, you might simply say, “Well, of course, there are problems — they’re betas,” and that might not necessarily be wrong. They are, after all, released to allow users to assist in hammering out the bugs and figuring out what works and what does not. However, more than just the developers run the betas; in fact, it turns out lots of people do, so these issues are worth mentioning. According to Apple Insider, a bug in this recent beta apparently allows an unauthenticated user to gain access to stored usernames and passwords on the device. They say it sounds worse than it actually is — so let’s break it down before we dive into a discussion about the implications.

The issue lies within the Settings app, according to the piece. After locating the “Website & App Passwords” option, a user could rapidly tap on the selection to trigger a bug that would allow the user to bypass any additional passcode, Touch ID, or Face ID authentication required by the device. Of course, the iPhone or iPad needs to be unlocked already for the user to even get to the Settings app — so there’s no “real world” threat to speak of here unless you’re one of the few people still avoiding the use of a lock on your phone. While it might sometimes feel inconvenient, it’s essential to ensure that no random person can pick up your phone and start accessing all your information — so keep it locked down if you aren’t.

Okay — so it’s not a serious bug, but is it a problem that it was in the beta at all? Betas are for bugs, after all. Apple releases the beta versions so developers can bring their own apps up to speed, so they are ready to go when the new iOS version launches. They also take in bug reports from those developers and users so they can identify and correct bugs that the internal teams haven’t yet found, creating a safer release for users.

So, does that mean you shouldn’t consider anything that happens in a beta to be a problem? Not necessarily — there are still issues that can be severe, especially if they make it into the version released to the public. We’ve seen problems as severe as beta updates bricking phones when installed, so one does need to be aware that using beta software comes with some risk.

The average, everyday user is likely never to encounter a beta release of iOS, but that may not be the case for savvier, more plugged-in users out there. Apple may have open beta programs from time to time, but one could also simply pay the $99 annual fee for an Apple Developer ID to receive access to the beta software — and there are certainly people who do that. With a lower barrier for entry, should we take beta bugs seriously as problems? In the sense that we shouldn’t simply ignore them, yes — but these are problems specifically for beta users, and not for everyone. With that in mind, their impact is always going to be limited, and beta bugs will always pose less of a threat to users — at least until and unless they end up in a production release. 

Given how low the barrier to entry can be with Apple’s public beta programs, who should run these versions? Developers, obviously, but what about you? If you’re an adventurous user and you’re willing to accept the risk that some things may not work correctly or the way you expect them to, you might be a candidate. The point of the program, after all, is to report bugs back to Apple. If you’re willing to do that, you might enjoy the experience. However, if you depend on your device for critical tasks every single day, you should probably stick to the stable releases.

Should ANYONE Block Apple’s Silent Updates?

Remember last week’s show when we were zooming around discussing the fact that the Zoom videoconferencing app had a flaw that could let someone remotely turn on your webcam without your consent? Just before we began to record last week, word came down that Apple had sent out a silent update to correct what many saw as an equally nefarious concern. That was the fact that Zoom left its own web server on Macs even after a user uninstalled the client. 

This week, it’s the story that keeps on giving, as The Verge reports that Apple has sent out another silent update in the wake of the Zoom controversy. This one apparently nixes other “insecure software” from companies that licensed technology from Zoom. That included other apps for video calling, including RingCentral and Zhumu. Users of those apps would’ve encountered the same insecurities as Zoom users. Just like Zoom, uninstallation still left behind webservers that could’ve been a route for an exploit, so Apple stepped in to remove them without the need for any action by users.

In last week’s show, we joked a bit about how similar these actions were. Zoom’s webserver could allow the app to redownload itself without your permission, while Apple was also messing with things in our systems behind the scenes — we condemned one and applauded the other. Though we know Apple’s intentions here are good, it does raise concerns for some people. That led to Cult of Mac running a report on how to turn off the ability for Apple to run these “silent updates” to your Mac. We’ll go over how you can do it, too — it’s surprisingly simple — and then we’ll take a quick look at whether you should actually do that.

If you want to keep the option open, though, here’s what you’d need to do:

In macOS Mojave, open your System Preferences, locate “Software Update” in the lower right-hand corner, and find the button that says “Advanced.” Click that button. This will open several checkboxes, one of which says, “Install system data files and security updates.” Uncheck that box, and you’ve successfully opted out of these “silent” automatic updates. 

So, should you do this?

No! In fact, we would never suggest turning off this feature for the average user; it’s simply an easy way for Apple to ensure that the highest priority fixes reach users without delay, and it means you never have to worry about taking care of the problem yourself. If you are concerned about allowing a company to have that level of access to your machine, though, turn it off — but keep in mind that users who do so must shoulder the responsibility of running the updates manually at least once per week. Imagine if you were a Zoom user without this feature turned on — you could’ve gone the whole week with websites accessing your webcam without your permission or knowledge. Keeping the auto-updates turned on is just a good way to stay safe. 

Bottom line: if you trust Apple to manage your photos, your music, and your passwords, you can probably trust them to manage critical security updates for your Mac automatically. 

Should There REALLY Be an App for Your Flatiron?

It’s back to the wild world of the Internet of Things once more here on The Checklist…

How many times has this happened to you: you’re standing in the bathroom, holding your flatiron and straightening your hair before an evening out, and you find yourself thinking, “Wow, I really wish I was using my phone to control this iron, it would be so much more convenient.”

Well, you’re in luck. Calling it a “thing that should never have been a thing,” TechCrunch says that hair straightening devices with Bluetooth capabilities are ready to hit the market. No, we can’t believe it, either. Coming to us courtesy of a UK-based firm called Glamoriser, the company says it has the “world’s first Bluetooth hair straighteners,” a claim that we don’t find hard to believe at all. What can you do with this fantastic functionality? Well, apparently you can set the straightener to settings for certain hairstyles, or you could control the heat level from the app as well. You can even use it to turn off any of the straighteners you have that are within Bluetooth range!

Now, if you’re a long-time listener of The Checklist, you know that we’re not just bringing this up as an example of how ridiculous the Internet of Things can be — although it is a good example. You might think that there’s some security flaw in the smartphone app for the straightener, or that the company is leaking user data somewhere — but it’s somehow worse than either of those things. According to TechCrunch, these hair straighteners are hackable.

Based on research done by the security team at Pen Test Partners, glaring vulnerabilities in the straighteners were exposed. It took them no time at all to figure out a way to send “malicious commands” over Bluetooth to take control of the straighteners. It turns out the irons don’t use any pairing protocol at all; instead, an iron happily accepts the first Bluetooth connection it receives. If the iron is not currently communicating with the user’s smart device, though, anyone else could use Bluetooth to connect to it themselves. Because the app allows for users to set both the time and temperature of the iron’s operation, one could conceivably set it to run at its maximum temperature — some 450 degrees Fahrenheit — for the longest time setting, about 20 minutes. Repeat that process, and you have a serious fire hazard on your hands.

That’s fun, right?

It’s been a few weeks since we’ve talked about IoT devices on The Checklist, but it never hurts to revisit the topic. We would consider this an IoT device, even though it doesn’t connect to the open Internet, simply because it does allow for outside connections. Sure, the scenario in which an attacker is trying to harm you by exploiting your hair straightener is a far-fetched one — but that doesn’t mean it isn’t symptomatic of a more widespread problem in the IoT industry.

What sort of things should you look for when you want to buy an IoT device? There’s a straightforward question we’d like you to ask: do you really need that as a connected device? In most cases, the answer is probably “no” — and you’ll often find that the connectivity adds more complexity than you really want to deal with for a simple object. In many cases, you may quickly wish you had the old version of the item back… the one that didn’t require you to whip out your phone every time you wanted to use it.

Let’s say you have purchased an IoT device, though. What should you do to make sure you can use it safely? Look for red flags during the setup process and think about who can access your device and how. The fact that the straightener had no pairing process, for example, should be a huge red flag. Yes, others are locked out while you’re using it — but you won’t always be in the middle of straightening your hair. You can also download software such as the IoT Inspector, a Princeton-backed development we talked about a few weeks ago, that allows you to monitor the Internet traffic generated by your device. 

We’ll leave you with this: just because there’s an app for that doesn’t mean there should be one. 
