SecureMac, Inc.

Checklist 167: Apple updates all of it

December 12, 2019


This edition of the Checklist covers the many updates released by Apple last week. Cupertino rolled out new features and bug fixes for all of its operating systems, so we’re going to take a look at last week’s security news broken down by OS.

On this edition of the Checklist:

  • What’s new in iOS and iPadOS
  • Notes for Mac users
  • Watches, TVs, and HomePods

iOS 13.3 and iPadOS 13.3

Though technically distinct, iPadOS and iOS are similar enough that we’re going to group them together here. So without further ado:

FIDO2 security keys in Safari

The first major change to report is support for FIDO2-compliant physical security keys for Safari.

FIDO stands for Fast IDentity Online. FIDO2 is the proposed authentication standard developed jointly by the FIDO Alliance, an industry group dedicated to improving online authentication, and the World Wide Web Consortium (W3C), the international organization that governs all kinds of design and development standards for the web.

The idea behind FIDO2 is to move people away from password-based authentication, which is rife with security issues, and towards a system which relies on a physical authentication device controlled by the user instead. These hardware devices would be used to authenticate a user to a website in the same way that passwords do now, and could potentially incorporate biometric identification tools such as fingerprint scanners in order to provide truly next-level security.

The latest iOS and iPadOS update provides support for these devices in Safari. Not every website is set up for FIDO2 authentication, of course, but those that are can now be visited in Safari on an iPhone or iPad. The update supports several types of physical device, including Lightning, USB-C, and NFC security keys.

Communication Limits for Screen Time

Your Screen Time feature can now be fine-tuned to limit who can contact you (and when). You’ll have the option to only allow those on your Contacts list to call you during certain times, for example.

But even more importantly, Communication Limits can also be used with Parental Controls to set similar limits on who can contact children. The feature has a safety protocol built in: Children can always dial emergency numbers, and once they do, all communication restrictions will be disabled for 24 hours so that in the event of something truly serious happening, they’ll be able to contact anyone they might need to contact.

All in all, good news for moms and dads — and anyone who doesn’t want work messages after 5 PM!

An end to AirDoS

AirDoS stands for Air Denial of Service, which, while not necessarily a vulnerability per se, has the potential to be intrusive and annoying.

First, a word about terminology. In cybersecurity, a DoS attack, or denial-of-service attack, refers to an attack on a network or system which is meant to knock the target offline indefinitely, making it unavailable to the people who need it. This often works by overwhelming the target with a large number of bogus messages or requests.

To use the example we did on the podcast this week, imagine if a thousand people showed up at your local Starbucks trying to order pizza. The baristas would be so busy trying to deal with these nonsense requests that the people who’d actually come for coffee would leave empty-handed.

AirDoS was discovered by a security researcher named Kishan Bagaria, and is essentially a version of a DoS attack, but for AirDrop. Bagaria’s proof-of-concept showed how an attacker could send an unlimited number of files to nearby devices which were set up to receive files from any sender. Each incoming AirDrop file arrives as a request to either accept or reject the file, and each request causes a pop-up to appear which temporarily blocks the screen until the user says yes or no to the incoming file. But because Bagaria found that Apple wasn’t rate limiting these requests, he was able to create an automated program which sent request after request to the same device, in an endless loop, essentially making it unusable for the owner.

Apple did respond by adding a rate limiting feature, but this is a good example of why it’s sometimes wiser to use features like AirDrop a bit more cautiously. It might be best, for example, only to accept AirDrop requests from people on your Contacts list, rather than anyone who happens to be in the vicinity. It’s also probably a good idea to only ever accept incoming files from known and trusted sources. Remember, AirDrop can be used to send almost any type of file, including photos, videos, and links. A bad actor could very easily use it to send, for example, a fake coupon containing a link to a malicious website. More worryingly, someone could conceivably use AirDrop to send you compromising or illegal material — things that you definitely wouldn’t want to have to explain to your employers…or the authorities.
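To make the rate limiting fix concrete, here is an added example (not from the original post, and not Apple’s implementation) of a receiver-side limiter that caps how many modal prompts incoming share requests can raise. The class name, sender IDs, thresholds and traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class PromptLimiter:
    """Sliding-window cap on incoming requests that would raise a blocking prompt."""

    def __init__(self, per_sender=3, global_max=5, window=60.0):
        self.per_sender = per_sender  # prompts allowed per sender per window (assumed value)
        self.global_max = global_max  # prompts allowed from all senders per window (assumed value)
        self.window = window          # window length in seconds (assumed value)
        self.by_sender = {}           # sender_id -> timestamps of prompts shown
        self.all_prompts = deque()    # timestamps of every prompt shown

    def _expire(self, q, now):
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, sender_id, now):
        """True: show the prompt. False: drop the request without interrupting the user."""
        q = self.by_sender.pop(sender_id, deque())
        self._expire(q, now)
        self._expire(self.all_prompts, now)
        ok = len(q) < self.per_sender and len(self.all_prompts) < self.global_max
        if ok:
            q.append(now)
            self.all_prompts.append(now)
        if q:
            # State is stored only for senders that were actually shown a prompt,
            # so dropped requests cannot grow the table.
            self.by_sender[sender_id] = q
        return ok


def simulate(requests, limiter):
    """requests: iterable of (timestamp, sender_id). Returns prompts shown per sender."""
    shown = defaultdict(int)
    for ts, sender in requests:
        if limiter.allow(sender, ts):
            shown[sender] += 1
    return dict(shown)


# Constructed traffic: one device repeating a request every 0.5 s for 30 s,
# plus a single ordinary request from a second device at t = 10 s.
FLOOD = [(i * 0.5, "device-A") for i in range(60)]
MIXED = sorted(FLOOD + [(10.0, "device-B")])
RESULT = simulate(MIXED, PromptLimiter())
```

With these settings the repeating sender raises three prompts instead of sixty, and the second device’s single request still gets through.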

A kernel fix

Lastly, of the many security updates mentioned by Apple in the release notes, one stands out as particularly important: better memory handling in the OS kernel. The kernel of an operating system refers to its core files and functionality. So any time you hear about security updates to the kernel, you know it’s serious — because vulnerabilities in the kernel can allow malicious actors to execute code on a target device, which can enable them to steal data or install malware. In this case, Apple says they fixed the issues with better memory handling, meaning that as long as you’ve updated your device to iOS 13.3 or iPadOS 13.3, you’re protected.

Older devices

Of course, not everyone is using a newer iPhone or iPad which can support iOS 13, but Apple still has those folks covered.

Anyone with an iPhone 6s and later, an iPad Air 2 and later, an iPad mini 4 and later, or iPod touch 7th generation is encouraged to upgrade to iOS 12.4.4. The update addresses a security issue in FaceTime.

Notes for Mac users

While macOS 10.15.2 (Catalina) doesn’t have all that much to talk about in the way of features, there was an interesting security note. The latest update apparently fixed an issue with FaceTime, though the Apple release note simply said: “Processing malicious video via FaceTime may lead to arbitrary code execution” and described the change as “An out-of-bounds read was addressed with improved input validation”. There still aren’t too many details available — even at the CVE page for the vulnerability — but given the growing popularity of FaceTime, bugs like this are sure to attract Apple’s attention and get patched fairly quickly. If you’re using Catalina, it’s time to update — and even if you’re still on Mojave or High Sierra, it would be good to update now too, since similar issues are addressed in those OSes as well.

Watches, TVs, and HomePods

The last section of this week’s Checklist deals with the remaining Apple updates, which affect watchOS, tvOS, and lastly, Apple HomePod.

watchOS 6.1.1

This update for the Apple Watch operating system contains a number of fixes, but one stood out: a patch for a WebKit bug which could allow arbitrary code execution. Since a lot of web links are sent via text message, this one seems particularly significant for Apple Watch users, since it would be very easy to click on one of those links and potentially open yourself up to malicious activity. According to Apple, the issue was addressed by better memory handling, and should now be a non-issue … provided, of course, that you update your watchOS to the latest version.

tvOS 13.3

There are several security enhancements in this latest version of tvOS, but since some of them are quite similar to what we’ve already discussed, we’ll focus on the IOUSBDeviceFamily vulnerability. This is another bug which could allow a bad actor to execute arbitrary code, and this one was also solved by improved memory handling. Perhaps it’s time for Apple to review OS memory handling issues generally! If you have an Apple TV, you should update your operating system now.

HomePod 13.3

No news is good news, as the saying goes, and there’s not much to report about the latest version of the HomePod software, at least from a security standpoint. Apple’s release notes did mention that there were some user experience enhancements, probably our favorite of which was an improved ability to identify the voice profile of individual family members. HomePod is automatically updated, so there’s really not much to do here, either, other than go on enjoying your HomePod!
