SecureMac, Inc.

Checklist 150: Trust Issues

August 15, 2019

On this edition of The Checklist: The Siri Sessions, O.MG: A Cable Hack, and 15 Apps to Watch for on Kids’ Phones.

This week, we’ll look into whether or not Siri is listening when she shouldn’t be—and who she might be telling about it. We’ll introduce you to a counterfeit cable with a funny name and a not-so-funny functionality, and discuss what this means for you. And finally, we’ll return to the topic of app safety for kids, courtesy of our friends in the Pennsylvania police. This week’s list is all about trust:

  • The Siri Sessions
  • O.MG: A Cable Hack
  • 15 Apps to Watch for on Kids’ Phones

The Siri Sessions

Do you trust Apple?

Most listeners of this podcast—as well as its hosts—would probably say yes. Apple has marketed itself as the outlier tech company that actually respects its customers’ privacy, and it does, more often than not, live up to its promises.

But like any large corporation, Apple outsources a significant portion of its technical workload—and this can create privacy issues, as a recent Guardian piece revealed. 

It turns out that the third-party quality control group tasked with improving the accuracy of Apple’s Siri voice assistant had been given access to recordings of customers’ interactions with the software. And without meaning to, they’d been overhearing the most intimate details of Apple users’ lives—listening in on sensitive medical discussions, drug deals, and…er, some extremely personal NSFW moments, if you catch our drift.

Apple’s reason for listening to these recordings was fairly benign. The contractors were simply supposed to “grade” Siri’s performance in a bid to help the voice assistant and the Dictation tool perform better: to understand and interpret what users say with greater accuracy. Quality assurance teams were asked to listen to the recordings and gauge whether Siri was activated intentionally or accidentally, whether the query was something that Siri could actually handle, and whether Siri’s response was appropriate.

In fairness to Apple, we as consumers are driving this. We demand that our voice assistants work perfectly, every time. So it makes sense that a human being needs to check whether or not Siri is performing to expectations and report problems and failures. 

Yet at the same time, the idea of random tech specialists listening in on the most intimate moments of your life is, well, a bit creepy. Especially when you consider that the issue isn’t just about whether Apple should be privy to your interactions with Siri—but whether Siri should have been listening in the first place.

According to the whistleblower who came forward to the Guardian, there was a disturbingly high number of incidents in which the voice assistant was activated accidentally—and therefore picked up extremely personal information that no one should ever have overheard.

And while the tech giant encouraged their contractors only to make a report when there appeared to be a technical problem, without considering the nature of the content, the recordings they were listening to were accompanied by user location, contact details, and app data—obviously enough personally identifiable information to make anyone feel uncomfortable. 

Apple’s own response to the story—suspending the grading program globally and moving toward allowing customers to opt in to grading in the future—shows that they recognize how problematic the issue was from a privacy standpoint.

Deleting those recordings

If you’re uncomfortable with the thought that Apple (or its contractors) may still have access to some of your most personal conversations, there is a way to delete these recordings. 

Fair warning: It’s not the most straightforward of procedures, and it’s not something that can be done globally—you’ll need to take the time to go through this process on each of your devices.

For macOS

If you’re using a Mac, go to System Preferences > Siri. Once there, disable Enable Ask Siri.

You’ll then need to go into System Preferences > Dictation. Click to turn Dictation off.

For iOS

On an iOS device, go into Settings > Siri & Search. Then turn off both Listen for “Hey Siri” and Press Side Button for Siri.

Once you’ve done that, go to Settings > General > Keyboard, and then finally turn off Enable Dictation.

As this is a developing story, and especially since iOS 13 and macOS Catalina are slated for wide release this fall, we may see some important updates regarding how to opt in to or out of being an unpaid Siri developer. So stay tuned!

O.MG: A Cable Hack!

Switching gears a bit, let’s have a look at an interesting and somewhat disturbing presentation from this year’s DEF CON security conference. A security researcher who goes by the handle “MG” explained how he built (apparently in his kitchen) a USB cable that looks just like an Apple Lightning cable but contains extra components. These allow a hacker to connect remotely to a computer the cable has been plugged into, and then open a terminal on the target machine and execute code.

MG’s invention, which he somewhat hilariously called “O.MG cable”, was obviously for research and demonstration purposes only. So is it something to worry about? 

In theory, yes, but in practice, a one-of-a-kind, custom-engineered hacking cable would only be a threat to the very few people who would qualify as “high-value targets”. In other words, unless you work for the Department of Defense or are the CEO of a large company, you probably don’t have to worry about someone taking the time to build a single-use, fake USB cable to hack your Mac.

But even though the O.MG cable is more of a “proof of concept” device, it’s still worth considering what lessons it holds for everyday Mac users.

What the rest of us can take away from MG’s demo is that what you see isn’t always what you get when it comes to tech.

First, given the apparent ease with which a skilled hacker can compromise a USB device, it’s probably best to avoid those USB power jacks in high-traffic areas like airports. There’s just no way to know who installed them, or what their intentions were. Use a standard wall outlet instead.

Secondly, MG’s counterfeit cable should also give us pause when considering white-label peripherals and third-party repair services.

Again, it comes down to trust. Obviously, it’s possible to buy cheaper versions of the peripherals sold directly by Apple, but at least with Apple you know what you’re getting. Is it possible that an unscrupulous manufacturer or reseller could tamper with computer peripherals in a way that could compromise your security? In a word, yes, and the cost of saving a few dollars might not be worth the added risk.

But what about repair services? Apple takes heat for shutting out third-party repair shops, but there are legitimate security reasons to restrict who can and can’t get into their machines. After all, once you give up your computer to a repair service, you’ve pretty much put your privacy and security in someone else’s hands. So again: Who do you trust?

Having Apple repair your machine directly may be pricey, but it’s probably the safest bet. That said, there are also ways to balance cost concerns with safety: Apple Authorized Repair services are reputable, cost-effective, and routinely reviewed by Apple. 

In short, before plugging into a random USB jack, buying a dirt-cheap cable from Amazon, or taking your computer to be repaired at a shop you’re not too familiar with, ask yourself who you trust, and what balance of risk and cost you feel comfortable with.   

Apps to watch for on kids’ phones

Lastly, we’ll turn back to a topic we’ve touched on before: How to make sure your kids are safe on their mobile devices. 

A recent news story out of Pennsylvania reported that local police were warning parents about 15 apps that could pose dangers to their children’s safety.

These apps run the gamut from popular messengers (WhatsApp and Kik) to adult dating apps that really have no place on a tween’s phone (Grindr and Bumble). They also include apps like the now-banned Calculator%, which mimics a calculator app but is designed to hide photos and files on a phone…in other words, things that kids don’t want their parents to see.

As we’ve said before on this show, we’re not fans of snooping on or tracking one’s children—largely for reasons of cybersecurity. And although we wouldn’t want to tell anyone how to parent, most of us can agree that kids need some freedom to grow and to make their own decisions without mom or dad watching their every move.

But there are also very good reasons to be concerned about what children and teens are up to online, not least of all because there are some very real dangers out there—dangers which young people may not be equipped to handle.  

So what’s the answer?

We tend to turn back to a combination of parental controls and family sharing as a good way to strike a balance between giving your kids some autonomy when it comes to their digital lives and making sure they’re not doing anything unsafe. These tools allow you to see what app your child is trying to install, research it, and either approve it or have a talk with your child to ask them more about it.

In the end, keeping the lines of communication open and talking to your children about what’s going on in their lives (both online and IRL) is the best way to keep them safe.

And of course, the final piece of the puzzle is you: Making sure that you’re aware of what’s going on in the world of cybersecurity and staying up to speed on the latest trends and news.
