SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 99: I Saw What You Did!

Posted on July 26, 2018

It’s time for another look into the world of security news, where we’ll talk about where Apple stores your sensitive data, the latest and strangest anti-spam efforts, and more. This week we’re narrowing our focus to look at how Apple is handling some of the latest speed bumps in its efforts to grow while also trying to maintain its public commitment to customer privacy and data security. We’ve also got the latest nefarious scheme the bad guys are using to try and extort people on the web these days — and though it’s all based on lies, this one has a shocking grain of truth at its core. We’ve got all that on today’s Checklist:

  • Apple’s complicated relationships with India and China
  • Putting the “Restricted” back in USB Restricted Mode
  • An old scam with a scary new twist

Let’s start by soaring overseas and taking a look at some of the complicated and curious interactions Apple has had recently in some international markets.

Apple’s complicated relationships with India and China

Giants in the world of technology have always faced some degree of problems when it comes to expanding their operations to China. The Chinese government exercises a wide degree of control over industry within the country and heavily prefers Chinese governance over foreign influence. For Western companies that are able to operate on the Chinese mainland, there are all kinds of rules and restrictions they must abide by, often including some form of censorship. We saw the consequence of one of these issues recently, when iOS devices set to the Chinese language would crash when attempting to display the emoji for the Taiwanese flag. Even giants like Google have grappled with whether to continue operating in the Chinese market space.

Now, Apple has given further concessions to the Chinese government too in a bid to continue supplying services to the many millions of iPhone owners in the East Asian country. If you’re a Chinese iPhone user who also relies on iCloud for storing backups of your data like messages and contacts, that information is no longer stored securely on overseas servers. Instead, Apple has handed over control of Chinese iCloud data to a state-owned mobile data company. That means a subsidiary of China Telecom will be able to exercise much more authority over the data.

Before this switch, the keys to unlocking the encryption on these iCloud accounts remained stored on servers physically located within the United States. Due to this, if the Chinese government wanted information on a user’s activities, they would be required to go through the US legal system to make such a request. Now with the move over to China-based servers, there are growing concerns that the government there could circumvent Apple and dig deep into user data at will — with little to no oversight at all, thanks to the towering Chinese bureaucracy.

Apple says that it lobbied hard against the move and fought efforts to force the transition, but legislation passed earlier this year in China made such local storage mandatory for many companies. In the end, Apple insists, it simply had no choice but to comply with the laws to continue serving the Chinese market.

For those who don’t live in China, there’s nothing to worry about; your data is still safely and securely stored elsewhere. For those who do, though, there is a glimmer of good news. Apple has had an option in iOS for some time now allowing users to “opt out” of storing their iCloud data locally in China. (This requires the account to have been created with its default country set to China originally.) However, since it’s not known what effect that opt-out would have on your data now, it’s probably safest to abandon your current iCloud account and create a new one that’s opted out from the start.

Should we have expected something different from Apple here? Is it reasonable to think they would have done anything else? When Google felt as though its values were being compromised and its users unfairly targeted more than a decade ago, they made a very public exit from the Chinese market rather than carry on with the government’s censorship. However, only a few years later, Google was bowing to pressure and re-entering the Chinese market with the censorship back in place. The company’s market share never recovered there, and it plays a consistent second fiddle to Baidu, China’s version of Google.

Given Apple’s considerable presence in China, including many manufacturing partners, it’s clear the company was put between a rock and a hard place here. Shifting control to a Chinese government-linked provider is certainly not a good thing, but it’s tough to see what other options were there. Withdrawing from the market and abandoning its entire userbase was simply not a viable option. Could they have disabled iCloud altogether? Maybe so, but it’s hard to see how that would be a better option for users. Will this be the start of a slippery slope for Apple’s operations in China? We hope not.

Speaking of disagreements between Apple and foreign governments over privacy, though, there’s another story in this vein that deserves our attention as well. For that one, we need to track southward: to India.

India’s government wants to fight spam. That’s a good thing, right? We all hate spam, and it seems like we’re always getting more and more of it every year. It’s become a fact of life for those who do business online. Well, Apple isn’t so keen on the way India’s government is trying to go about fighting the spam problem in the country, and it’s led to a serious disagreement between the company and the country.

The Telecom Regulatory Authority of India, also known as TRAI, has developed its own anti-spam app that’s meant to stop unwanted calls, texts, and other messages from bothering people on their smartphones. This is an app the government wants everyone to be able to access since that would naturally be the most advantageous way to fight back against the growing tide of spam. However, Apple has declined to grant the app, called Do Not Disturb, a place on the App Store. Why not?

The Cupertino giant says that it’s all about concerns over privacy for users. Do Not Disturb requires users to grant access to their call and message logs, or else it cannot phone home to TRAI and identify which messages are spam. Last year, Apple pledged to help TRAI develop a version of Do Not Disturb that would not pry so deeply into users’ private data, but whether that has panned out is uncertain. What is certain, though, is that India has put a strict time limit on compliance for Apple and other mobile companies — with a stiff penalty. If Do Not Disturb isn’t permitted to be installed on Indian iPhones within the next six months, not only will Apple lose the ability to sell its devices to Indian customers, but all existing devices will be blacklisted from the country’s cellular networks. In essence, it’s like holding Apple’s entire customer base on the subcontinent hostage!

Will Apple bend and allow this to go forward, or will they find a workaround? Losing access to the market and cutting off existing customers is clearly not an option. For now, we don’t know exactly what will happen. Since iOS 12 has some built-in anti-spam features, mostly revolving around the ability to report calls, texts, and even third-party app-related issues as spam, they may be able to leverage that fact in their favor. For now, it’s all a big question mark. We’ll have to hold out hope that they can figure things out in a way that works for the betterment of everyone.

Putting the “Restricted” back in USB Restricted Mode

Now, it’s time for yet another quick update on the game of cat and mouse going on between Apple and the developers of phone-breaking devices, such as GrayKey. For a quick refresher: these devices can allow law enforcement (or the bad guys) to bypass an iPhone’s encryption and ultimately determine what its unlock passcode is, allowing access to someone’s data.

To counteract this, Apple released an update to iOS that included something called USB Restricted Mode. This mode prohibits data connections between an iOS device and computers or other USB-linked devices if the iOS device hasn’t been manually unlocked within the last 60 minutes. In other words, if the police or someone else took your device, they would have a very short window in which to use the port on your phone to start trying to crack open the data inside.

That sounded great until Russian security firm Elcomsoft — another provider of phone-breaking and forensic software — found an embarrassingly simple exploit that could beat the clock. The person taking the phone would only have to plug in a trusted USB accessory immediately after taking the device, and USB Restricted Mode would never engage — since the phone would need to continue communicating with the attached accessory.

Apple is already poised to fight back. According to news from Apple Insider, the latest developer beta of iOS 12 now requires the phone to be unlocked manually before any USB accessories can successfully connect. While you’ll still be able to charge your phone, nothing else will work without an unlock. In other words, those wanting into your phone will need your passcode or a biometric authentication (such as TouchID or FaceID) to get inside now. This closes the loophole and strengthens the restriction to lock out prying eyes for good.
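To make the two behaviours concrete, here is a small policy model of USB Restricted Mode as the show notes describe it: the original rule, where an accessory already attached keeps the port open past the 60-minute timer, next to the beta rule, where nothing but charging works until the phone is unlocked. This is an added simulation, not Apple’s code; `PhoneState`, the policy functions and `seizure_scenario` are our own names.

```python
from dataclasses import dataclass

RESTRICTED_AFTER_MINUTES = 60  # the window the show notes quote


@dataclass
class PhoneState:
    minutes_since_unlock: int         # how long the phone has sat locked
    accessory_attached: bool = False  # a trusted accessory already on the port
    unlocked_now: bool = False        # owner has just entered passcode/biometrics


def charging_allowed(state: PhoneState) -> bool:
    """Power is never gated by Restricted Mode under either policy."""
    return True


def original_policy_allows_data(state: PhoneState) -> bool:
    """Restricted Mode as first shipped, per the notes: the port closes once the
    phone has been locked for over an hour, but an accessory that is already
    talking to the phone keeps that session alive, so the timer never bites.
    That second clause is the loophole Elcomsoft found."""
    if state.accessory_attached:
        return True
    return state.minutes_since_unlock < RESTRICTED_AFTER_MINUTES


def beta_policy_allows_data(state: PhoneState) -> bool:
    """Behaviour attributed to the iOS 12 developer beta: no accessory gets a
    data connection until the phone is unlocked, whatever the timer says and
    whatever was plugged in earlier."""
    return state.unlocked_now


def seizure_scenario(policy, accessory_plugged_at_minute: int,
                     examined_at_minute: int) -> bool:
    """Phone taken while locked; an accessory is attached at one minute mark
    (assumed earlier than the examination) and data access is attempted later.
    Under the original rule the accessory only latches on if it was plugged in
    before the hour elapsed; the owner never unlocks the phone."""
    latched = accessory_plugged_at_minute < RESTRICTED_AFTER_MINUTES
    state = PhoneState(minutes_since_unlock=examined_at_minute,
                       accessory_attached=latched)
    return policy(state)


if __name__ == "__main__":
    for name, policy in [("original", original_policy_allows_data),
                         ("beta", beta_policy_allows_data)]:
        print(name, "accessory at 5 min, examined at 3 h:",
              seizure_scenario(policy, 5, 180))
```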

Of course, you could be coerced into using biometric data to unlock your phone under duress. The police, in some cases, have been allowed to ask users to use their fingerprints to unlock phones. Courts have subsequently upheld the right of the cops to do this; so, does that mean that using these convenient features puts you at risk? In some cases, the answer is yes — but how often will you realistically run into a situation where someone is forcing you to unlock your phone this way? It’s not very likely, but the good thing to remember is that there are plenty of ways to disable these biometric locks before it becomes a problem.

There are several ways these features become disabled for security purposes. Here they are — keep them in mind.

TouchID and FaceID will not work, and you will be prompted for your PIN if:

  • You turn on or restart the phone
  • 48 hours have elapsed since the last authenticated unlocking
  • The passcode hasn’t been used in 6.5 days and FaceID hasn’t unlocked the phone in the last 4 hours
  • Five unsuccessful unlock attempts occur
  • Emergency SOS mode is activated (press power button five times rapidly)
  • Find My iPhone sends a remote locking command

If you find yourself concerned about letting people into your phone, you have options — including switching to PIN-only for maximum security. In a stressful situation, though, Emergency SOS mode is all you need. Even if you activate SOS and then do nothing with it, it will still automatically disable all biometric locks on your phone. For the privacy-minded, that’s something to keep in mind. As for Apple’s battle against GrayKey and others, will this signal the end of that particular fight? It’s doubtful — but what the next move is for unlocker companies remains to be seen.

An old scam with a scary new twist

Our final topic today concerns an email scam that’s begun making the rounds en masse, hitting thousands of inboxes and likely scaring huge numbers of people into thinking some mysterious hacker has compromised some of their darkest secrets. This scam has it all — it impresses upon users a sense of urgency, demanding they act right away, and it leverages a fear of embarrassment and social damage to extort money. More than that, though, this scam uses something that will make any user, no matter how savvy, sit up and pay attention: one of your passwords. What’s the story here?

According to Krebs on Security, it begins with an email from an unknown sender; hopefully, it just lands in your spam folder, but for others, it’s gotten through. In the email, the hacker claims to have placed malware on a website you visited, which they then used to record you through your webcam. The message claims they have video evidence of you watching pornographic material online — while at the same time claiming to have used a keylogger to gain access to your other accounts. The hacker claims to have in their possession both the compromising video and the contact details for all your friends and family. You’re then given 24 hours to cough up a payment north of $1,000 in Bitcoin, “or else.”

This type of scam message has been circulating for some time now, but it’s coming with an added hook: the messages now lead off with a message that essentially states, “I know your password is xyz.” Except instead of xyz, it’s actually a password that you’ve used! Naturally, the idea is to scare someone into believing the message is real and to begin figuring out how to render the payment immediately. According to many of those who’ve received these emails, though, the passwords mentioned in the email are extremely old — sometimes almost a decade old.

For the savvy user and for those who don’t re-use passwords everywhere, it’s easy to see through this threat. It’s even easier if you don’t even have a webcam in the first place. For the average person, though, this could act as a serious snare — so it’s important to be aware of it in case you happen to hear of a friend or family member concerned about their privacy due to a threat they received in their email.

The big question: where are the bad guys getting these passwords from? Given their age, it seems most likely that someone has acquired an old password breach database on the dark web or from some other location. Then they decided to comb the database for valid email addresses before sending threats with the cracked passwords available in their data. Overall, the thing to do with this scam is “don’t panic.” If you get an email like this — or any email demanding a ransom — your best bet is to ignore it altogether.
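The hallmarks described above (the “I know your password is …” opener, the webcam and keylogger claims, the Bitcoin demand and the short deadline) are enough to triage one of these messages automatically. The following is an added example, not code from the show or from Krebs on Security: a small heuristic scorer with two constructed sample messages, plus a check of whether the quoted password is one the recipient still uses (the `current_passwords` set stands in for a password-manager export).

```python
import re

# Signals taken from the scam as the show notes describe it.
SIGNALS = {
    "password_claim": re.compile(r"\byour password (?:is|was)\b", re.I),
    "webcam_threat": re.compile(r"\b(?:webcam|recorded you|video of you)\b", re.I),
    "keylogger": re.compile(r"\bkey ?logger\b", re.I),
    "crypto_demand": re.compile(r"\b(?:bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b\d{1,2}\s*hours?\b", re.I),
}


def message_signals(body: str) -> dict:
    """Return which of the scam's hallmarks appear in the message body."""
    return {name: bool(rx.search(body)) for name, rx in SIGNALS.items()}


def is_password_extortion(body: str, min_signals: int = 3) -> bool:
    """Flag a message only when the password hook is present together with at
    least two other hallmarks, so a routine 'your password is expiring' notice
    is not mistaken for the scam."""
    hits = message_signals(body)
    return hits["password_claim"] and sum(hits.values()) >= min_signals


def claimed_password(body: str):
    """Pull out the password the sender is bragging about, so the recipient can
    check whether it is an old, retired credential (as the reports suggest)."""
    m = re.search(r"your password (?:is|was)\s*[:\"']?\s*([^\s\"'.,]+)", body, re.I)
    return m.group(1) if m else None


def password_still_in_use(claimed: str, current_passwords) -> bool:
    """True if the quoted password is still in service anywhere, which is the one
    case where the message deserves action (rotate it) rather than the bin."""
    return claimed in set(current_passwords)


# Constructed samples, not real messages.
SCAM = ("I know your password is Summer2009! I put malware on a site you visited "
        "and recorded you through your webcam. My keylogger also gave me your "
        "contacts. You have 24 hours to send $1,200 in Bitcoin or else.")
BENIGN = "Reminder: your password is due to expire in 48 hours. Change it in Settings."

if __name__ == "__main__":
    print("scam:", is_password_extortion(SCAM), "benign:", is_password_extortion(BENIGN))
    pw = claimed_password(SCAM)
    print("claimed:", pw, "still in use:", password_still_in_use(pw, {"correct-horse"}))
```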

However, it’s worth taking the time to shore up the strength of your passwords either way. Use a password manager to create and store secure passcodes, so you’re always protected from prying eyes, and don’t forget to use good password habits in the first place. We know we might sound like a broken record at this point, but it would shock you how often people who should know better still don’t follow the best rules and procedures for creating safe passwords. If you need a quick refresher yourself, we have just the thing for you. Head back into our archives and check out Checklist Episode 8, Password Do’s and Don’ts, as well as Checklist Episode 27, Steps to Take When You Suspect a Malware Infection. Cover all your bases, and you can protect your data and stay safeguarded against the schemes of greedy online hackers.

With that, it’s time to wrap up today’s discussion. As always, we strongly advise you to keep password security in the front of your mind as you browse the web. Whether you’ve got a photographic memory or you use a password manager to keep yourself safe, be sure to do all you can to keep your web presence locked down. Meanwhile, we’ll continue to watch Apple’s ongoing battle against unlockers and other devices and bring you any big and important updates to the company’s overseas ventures as well. Be sure to check out the links below for more details on each of the stories we covered today.
