SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 172: A Ring of Trouble

Posted on January 30, 2020

On this week’s Checklist, we’ll revisit the issues with Amazon’s Ring, take another look at iCloud backups, and hit the highlights from Apple’s latest round of OS updates.


More issues with Ring

The security and privacy issues around Amazon’s Ring doorbell camera system are making news yet again, due to one Amazon engineer’s strikingly blunt public criticism of Ring. According to the Amazon employee:

“The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back.”

That’s a pretty uncompromising stance, but one which we’re broadly sympathetic to. The very existence of a network of surveillance cameras whose video feeds can be accessed remotely is a privacy threat — even if we trust the intentions of the people running the system — because that data is potentially accessible by other parties whose motivations may be less benevolent.   

This fundamental problem with Ring and data security was also underscored by a recent report from the Electronic Frontier Foundation (EFF) which detailed a number of consumer privacy issues with the Ring Android app. The app, it seems, was collecting all sorts of personal information about users: their names, IP addresses, mobile carriers, doorbell settings, and more. The information was then sent on to third-party analytics companies and even Facebook, presumably with the goal of selling the detailed user profiles created from the data to advertisers and vendors. According to the EFF report, users were unaware of this data collection, and there was no way to opt out. The issue with the Ring mobile app selling user data to third parties is likely to be less of a problem for iOS users, since Apple has taken steps to curb this kind of behavior on its platforms. 

The overall picture of Ring that’s emerging is genuinely troubling — and apparently not only to watchdog groups but also to people within the company itself — and that’s why we’d recommend that anyone thinking about getting Ring seriously consider the privacy implications of doing so.


How to get rid of iCloud (and why you may not want to)

On last week’s podcast, we talked about some of the potential privacy issues with iCloud backups. Following up on that, we’d like to take a closer look at how to turn iCloud backups off — as well as some reasons why this might not be a good idea.

First, let’s take a look at the benefits of using iCloud to back up an iPhone. To begin with, if you need to restore your device, iCloud backups mean that you don’t have to do it manually. If you, for example, damage an iPhone and need to get it replaced at the Apple Store, having an iCloud backup means that you can restore all of your apps and settings pretty much instantly from the cloud. Restoring a device from a local backup would be more time-consuming. Secondly, iCloud.com is undeniably convenient. It’s a one-stop shop for you to manage all of your Apple devices and access important apps like Calendar and Find My. For people who want to use their iPhone to work on documents created on their Mac, it’s invaluable.

But despite the many advantages of iCloud, there will still be some people who feel that the privacy trade-off — having their backups potentially accessible to someone at Apple — is just not worth it. So for those folks, here’s how to turn off iCloud backups:

Go to Settings > [your name] > iCloud > iCloud Backup, and tap iCloud Backup in order to see the toggle switch to turn iCloud backups off.

Remember that any iCloud backups made previously are still on Apple’s servers and will have to be deleted manually. Before you do that, back up your device locally. To delete your old cloud backups, go to Settings > [your name] > iCloud > Manage Storage > Backups, where you should see all of your old backups. Tap on a backup to see the option to delete it.


Apple updates everything

Apple released quite a few updates to its OSes this week. In what follows, we’ll take a look at some of the more interesting ones.

iOS 13.3.1 fixed something that wasn’t a security vulnerability per se, but nonetheless had to do with a potential security issue. Apple says that they addressed a bug in the Communication Limits feature which was allowing users to add new contacts without first entering the Screen Time passcode. Since Communication Limits used with Screen Time is a parental monitoring tool, this means that children had been able to add new contacts without a parent’s permission, which could have been a potential safety issue.

Another iOS bug Apple fixed was a problem in Mail in which remote images loaded even when “Load Remote Images” was disabled. This has security implications, because spammers and hackers use remotely loaded images to determine whether or not an email address is valid. They include images served from unique, per-recipient URLs in their initial emails. If they see that one of these unique URLs was requested, they know that the address they sent it to is live — and they follow up with even more spam or, worst-case, phishing emails.

Turning off remote loading of images is a good way to become invisible to the bad guys, denying them the confirmation that they’re looking for so that they’ll assume that your email address is non-responsive and move on to another target. That’s why it’s a good security practice to disable remote image loading and to only load images manually when you see that the message is from a sender you trust. And that’s also why it’s good news that Apple has addressed this issue.
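To make the tracking technique described above concrete from the defender's side, here is an added example (not code from the show or from Apple) that does for a single message what the Mail setting protects you from: it lists every image in an HTML email body that would trigger a network request and flags the ones that look like read-receipt beacons, either because they are 1x1 or hidden, or because their URL carries a long per-recipient token. The sample email, its hostnames and the token are constructed for the example.

```python
"""Spot remote-image tracking beacons in an HTML email body.

Added example, not from the SecureMac show notes. The sample message,
the example-mailer hostnames and the hex token are all constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one ordinary logo, one 1x1 beacon carrying a
# per-recipient token, and one inline data: image that costs no request.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60">
<p>Your order has shipped.</p>
<img src="https://track.example-mailer.test/o/4f3c9a1e7b2d4c6e8a0f1b3d5e7f9a2c?u=9981" width="1" height="1" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="spacer">
</body></html>
"""

# A long hex or base64url-looking run is the usual shape of a per-recipient token.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{24,}|[A-Za-z0-9_-]{32,}")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # Attributes without a value arrive as None; normalise to "".
            self.images.append({k: (v or "") for k, v in attrs})


def is_remote(src):
    """True if loading this src would contact a server (http/https)."""
    return urlparse(src).scheme.lower() in ("http", "https")


def beacon_reasons(img):
    """Return the heuristics that make this image look like a tracking beacon."""
    reasons = []
    width, height = img.get("width", "").strip(), img.get("height", "").strip()
    if width in ("0", "1") and height in ("0", "1"):
        reasons.append("1x1 dimensions")
    style = img.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    url = urlparse(img.get("src", ""))
    query_values = [v for vs in parse_qs(url.query).values() for v in vs]
    if TOKEN_RE.search(url.path) or any(TOKEN_RE.search(v) for v in query_values):
        reasons.append("unique token in URL")
    return reasons


def scan_email(html):
    """List every remote image with the host it would contact and its beacon heuristics."""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        if not is_remote(src):
            continue  # data: and cid: images load without a network request
        findings.append({
            "src": src,
            "host": urlparse(src).hostname,
            "beacon_reasons": beacon_reasons(img),
        })
    return findings


def likely_beacons(html):
    """Only the remote images that trip at least one beacon heuristic."""
    return [f for f in scan_email(html) if f["beacon_reasons"]]


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        verdict = ", ".join(finding["beacon_reasons"]) or "no beacon indicators"
        print(f"{finding['host']}: {verdict}")
```

Every entry returned by `scan_email` is a server that learns your IP address and the time you opened the message as soon as the image loads; the entries in `likely_beacons` are the ones that additionally tell the sender which recipient did so. Disabling remote images blocks both, which is exactly what the bug above undermined.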

On the Mac side of things, Apple released the third version of Catalina: macOS 10.15.3. One update worth mentioning is a fix to a bug which had allowed apps to read files outside of Gatekeeper. Gatekeeper is a macOS security feature which, among other things, is supposed to keep apps “in their own lane” and prevent them from accessing files and locations that they shouldn’t have access to. If apps can bypass Gatekeeper and read files that they shouldn’t be reading, potentially sending that information somewhere else, it’s a clear security risk, which is what makes this a significant update. There are fixes for safer web browsing as well: Safari 13.0.5 eliminates some vulnerabilities that could have allowed malicious code to be executed on a user’s system or permitted address bar spoofing attacks.

Lastly, the tvOS update addressed a vulnerability which could have allowed maliciously crafted XML — or “Extensible Markup Language” — to result in arbitrary code execution on a user’s system. XML is one of the ways that machines communicate with one another, and this bug could have allowed someone to send a message containing malicious code to a target system, and get the target system to execute that code.

As we always say whenever there are updates, please take a moment to update all your OSes if you haven’t done so already — and consider setting yourself up for automatic updates in the future.

That takes us to the end of this week’s Checklist, but if you have a security question or would like to suggest a topic for a future show, drop us a line at Checklist@SecureMac.com.
