Checklist 355: 23andMe and 7 Million Others

Exploit Tricking iPhone Users on Lockdown Mode Raises Security Concerns

In a recent podcast discussion, likened to a horror scenario, the focus was on an alarming exploit related to Lockdown Mode on iPhones. The eerie comparison drew attention to a potential vulnerability where the very act of securing the device could inadvertently allow malicious entities inside, much like barricading oneself with an escaped inmate.

The discussion centered on a revelation by device management firm Jamf, as reported by AppleInsider. According to the report, an attacker could deceive an iPhone user into believing that Lockdown Mode, designed to fortify security against hacking attempts and malware, is active on their device when it’s actually not.

Lockdown Mode serves as a shield for specific targets like activists, journalists, government officials, and dissenters by blocking various potential attack vectors, such as file sharing, unauthorized connections, and geolocation data exposure. However, the exploit demonstrated by Jamf raises concerns about the false sense of security it could instill in users.

The exploit, characterized as a proof-of-concept, tricks users into believing that their device is in Lockdown Mode when malware might already be present. It manipulates visual cues, including simulated restarts and warnings in Safari, creating a misleading perception of safety for the user.

The podcast emphasizes that Lockdown Mode is most effective when activated before an attack, essentially barricading the door before the intrusion occurs. The exploit, though a proof-of-concept and not an imminent threat for the average user, sheds light on the limitations of Lockdown Mode, highlighting that it’s not an anti-malware solution but a preventative measure against attacks.

The exploit’s demonstration by Jamf was achieved through manipulating user interfaces and taking advantage of user unfamiliarity with Lockdown Mode’s intricacies. However, it’s crucial to note that Lockdown Mode itself functions as intended – to secure the device from potential threats before infiltration.

The discussion’s core message is directed at individuals relying on Lockdown Mode’s protection, urging awareness about its limitations and emphasizing the need for proactive security measures, especially for those particularly vulnerable to targeted attacks.

23andMe Data Breach Exposes Millions of Users to Extensive Privacy Risks

A recent podcast delved into the alarming 23andMe data breach, unraveling the staggering scope of the compromised information and the company’s questionable handling of the situation.

The 23andMe company, renowned for its direct-to-consumer genetic testing services, faced a major security breach. Miscreants began selling user data on the dark web, hinting at millions affected, yet a recent filing with the Securities and Exchange Commission (SEC) stated that only 14,000 accounts, about 0.1% of users, were accessed.

This stark disparity between reported numbers and the scale of data trading raised eyebrows. Wired speculated that while 14,000 accounts were hacked, millions of others might have had their information “scraped.”

The breach was attributed to “credential stuffing,” a method using leaked usernames and passwords from previous breaches. However, it’s acknowledged that a more extensive number of users had their information accessed. The compromised data included personal details shared through the DNA Relatives feature, affecting approximately 5.5 million users, with sensitive information like birth years, profile pictures, family names, and even links to self-created family trees being exposed.

Furthermore, an additional 1.4 million DNA Relatives users had their display names, relationship labels, birth years, and self-reported location data stolen. This breach raises grave concerns about privacy invasion and potential misuse of personal genetic and familial information.

The situation intensifies considering 23andMe’s offerings of genetic health risk tests and involvement in clinical research programs, prompting questions about data privacy safeguards. Security experts, including US National Security Agency cybersecurity director Rob Joyce, criticized the breach, emphasizing the lack of transparency regarding how accounts were targeted for stuffing.

In an attempt to address the fallout, 23andMe is altering its terms of service, emphasizing dispute resolutions and arbitration. Users are allowed to opt out of these changes within a specific timeframe.

The breach not only raises serious concerns about user privacy but also casts doubts on 23andMe’s ability to safeguard sensitive genetic and personal data. It’s evident that this breach might have far-reaching consequences and may continue to be a topic of concern in the future.