SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 113: Security Breaks and Fixes in iOS

Posted on November 1, 2018

A slightly surprising slip-up on Apple’s part, a helpful security how-to, and an update on a persistent foe — that’s what we’re diving into this week as we tour the headlines and pluck out the security stories that seem most ripe for an interesting discussion. On today’s list, we’re checking off the following stories:

  • A bypass in Apple’s hours-old update
  • Scammy subscriptions, and how to stop them
  • And GrayKey is getting stuck in the lock

This week, we’re starting off with a pretty unique story. When Apple releases a new update, the smart thing to do (usually) is to apply it right away for the benefits of the security improvements and patches they bring. In the case of one of Apple’s most recent updates, though, it took only a few hours before something fixed turned into something broken.

A Bypass in Apple’s Hours-Old Update

So, what happened?

Very recently, Apple released the first incremental update to their latest version of iOS, version 12.1, filled with bug fixes and a few new features that weren’t quite ready for showtime when iOS 12 initially launched. On the very same day, a security researcher named Jose Rodriguez discovered an astonishingly simple way to bypass a locked iPhone’s passcode to get at the user’s contact list and all the information contained inside.

Rodriguez reached out to an online publication called Hacker News to share details and confirm that the bug did indeed work on the latest version of iOS — in fact, one of the new features introduced in 12.1 is integral to executing the bug.

Before we continue, a point of order. Typically, these “passcode bypass” exploits aren’t especially serious. A few appear throughout the life cycle of each version of iOS, and most do not expose particularly sensitive information, and they’re often impossible to exploit without direct physical access to your phone. Unless your roommate is a super spy, chances are no one will ever be able to use one of these exploits against you. On top of that, the procedure used to trigger the exploit is often long and involved. That is part of what makes this bug interesting — triggering it is surprisingly simple.

Here’s how it would work.

The person who wants to look at your contacts would first need to call your phone using any other iPhone (and it must be an iPhone). If they didn’t have the phone number, they could ask Siri to reveal it with the “Who am I?” command, or otherwise use Siri on your phone to expose the number.

Upon connecting, they must immediately select a FaceTime call, then select “Add Person” — this is a part of Apple’s new and expanded group FaceTime efforts. Merely tapping the + icon afterward allows the individual to view a complete list of contacts. A 3D Touch gesture will reveal more info on each contact’s page. And that’s it — the exploit works even if the phone is locked.

The surprising thing here is that Apple seems to have missed the security implication during the effort to offer a more convenient way for users to access a feature such as Group FaceTime. That’s not to say that Apple’s rush to produce and promote a product left a massive, gaping hole in the system’s security — but it did leave a hole large enough to allow someone with bad intentions and a little bit of determination to squeeze through and see things they shouldn’t.

This battle between convenience and security has been an ongoing one within Apple, and it’s been the genesis of several bugs and issues similar to this one. By now, we should all know that Apple isn’t infallible, no matter how much they’d like us to think otherwise. So how do you come down on the right side of balancing security and convenience? It’s a tough line to walk. In this case, it looks like Apple came down on the side of convenience, since potentially exposing contact info in a limited scenario may seem an acceptable trade-off when compared to allowing users to add people to a call quickly. Of course, that might not be the case; it could just be a simple oversight where no one saw the consequences coming.

For now, there is no official patch, since the exploit appeared so soon after the latest version became available for download. Will Apple fix it? That remains to be seen. There is currently no way to completely stop this from happening on your own, either, aside from the obvious: don’t leave your phone with someone you don’t trust. However, there is one step you can take. Since someone must know your phone number to pull this off, that limits the pool of people who could see your contacts to people who already know your number.

To prevent Siri from giving it up in case a stranger asks your device for it, simply navigate to your iPhone’s settings and look for “Siri & Search.” Here you can toggle off several options, such as listening for “Hey Siri” and allowing Siri to work when the device is locked. With these turned off, you can rest assured that no one can ask your digital assistant for your phone number in service of ferreting out some tidbits of your data.

Scammy Subscriptions, and How to Stop Them

Our next story in this week’s discussion might not strictly qualify as a “security story” since it doesn’t have anything to do with malware or unusual exploits or even a good old-fashioned data breach. Instead, it’s something to be aware of to protect yourself and your wallet. Cult of Mac and TechCrunch both recently highlighted a problem that they say is “plaguing” the App Store and causing all kinds of problems – so-called scam subscriptions.

At the heart of the issue are apps that offer users the opportunity to try them out for free, while kicking in a paid subscription option within a very short window. Often, users don’t know that they’ve agreed to make a payment until after the app charges them once their “free trial period” expires. These subscriptions are often accompanied by truly exorbitant rates that no one would typically want to pay voluntarily for an app. The investigative reporting that went into the reports identified a few key apps that were prime offenders. Some of these included the following apps:

  • The Scanner App: supposedly intended for use as part of a document scanning service, this app offered itself up as a free download but locked itself down into a paid-only mode within just three days — and users would have to take a microscope to the fine print in the app’s user agreement to find out anything about the automatic conversion.
  • QR Code Reader: an app that does what it says, this one also flipped suddenly from free to paid within just three days. Did we mention that there’s a QR reader already built into the iPhone’s camera? There is — but this app somehow still convinced people it was worth paying for such basic functionality.
  • Weather Alarms: an app ostensibly for alerting users to changes in the weather or incoming severe storms, it used a “sneaky interface” to fool users into forking over a monthly fee of $20 for the privilege of using the app. The app hides the button used to close the page that offers a subscription for several seconds and makes it unclear what each option actually does. The result is often a subscription.

According to Cult of Mac, just these three apps alone were raking in up to $14.3 million every year by bamboozling users into subscriptions they didn’t need. That’s a nice chunk of change, even for the developers “only” making $1 million a year on their app. In the original TechCrunch article, a number of other apps were examined on top of these three, showcasing a problem that is at least somewhat widespread on the App Store.

There is good news, though — while you should be vigilant about what you download, Apple seems to have taken notice after all the media attention. Unsurprisingly, they took swift action. A few days after the stories broke, apps such as the QR Code Reader and Weather Alarms had been stricken from the App Store. Eleven other apps identified by the articles were also taken down or modified to make their subscriptions clear and up front.

What happens if you accidentally get sucked into one of these scummy, scammy subscriptions? The good news is that getting out of them should be as easy as getting in — if you know what you’re doing. Here’s the list of steps you’ll need to follow to check up on things:

  • Visit the iTunes Store, either on your desktop computer or via your iOS device.
  • If using your desktop computer, click on the “Account” panel on the right-hand side of the iTunes window. If using your iOS device, scroll all the way to the bottom of the App Store page and tap on the Apple ID button. At this point, you will be prompted to log in; enter your information and proceed.
  • Now look for a button or pane called “Subscriptions” and select it.
  • On the resulting screen you can quickly see what subscriptions you’ve authorized payments to; simply take advantage of the option to disable the subscriptions you no longer want to pay for, should you so desire.

There’s an added bonus to knowing about and using this screen: it can help you test the waters to make sure you aren’t getting into something you don’t want. For example, maybe there’s an app that you want to try, but you know for certain you don’t want to pay for a subscription to it after the free trial ends. After starting your trial, immediately follow the instructions above to go and cancel your subscription to the app. The store will alert you that although you’ve canceled the subscription, you can continue to use the application until the end of your free trial. How convenient is that?

If you’re concerned about accidentally paying for something you don’t want without noticing, keep an eye on your inbox too. Apple sends emails to users whenever a subscription begins to let you know that you’ve embarked on a free trial. This email should include other relevant information, such as the length of the trial and what you’ll have to pay when it ends. It also contains a helpful link to review your subscriptions — so keep your eyes peeled and look carefully at what you download on the App Store. Being vigilant, plus an understanding of how to manage your subscriptions, can help you to stay safe and avoid falling for one of these predatory schemes.

GrayKey Gets Stuck in the Lock

For our final story today, it’s time for another quick follow-up on a story we’ve covered extensively over the past year! We’re talking, of course, about GrayKey — the mysterious black box device marketed to law enforcement to break into a subject’s locked iPhone. Well, it appears that in Apple’s recent waves of updates, something in there finally did what Apple’s been chasing for months — shutting down GrayKey’s ability to defeat iPhone encryption.

According to a report published by Forbes, several law enforcement sources anonymously reported that their devices can no longer break their way into devices running iOS 12 or higher. Instead of finding the key itself, GrayKeys can now only get a vague sense of what’s on the iPhone. In what is called a “partial extraction,” police can no longer dump the entire contents of an iPhone; instead they can only view files that are not otherwise encrypted, along with some basic metadata, such as file sizes.

Why is that important? Well, it’s easy enough to look at a safe and to see how big it is and where it is — but you have no way of knowing what exactly is inside of it. This is similar. Sure, investigators might be able to make some educated guesses based on the size of certain files (e.g., large file sizes are often video files) but there is no way to know the content of those files. Even with the metadata available, these changes practically end GrayKey’s ability to function as it did before.

We know that GrayKey used some type of brute force method to guess passcodes, and that it used an exploit to avoid the typical lockout that iOS would institute after so many failed attempts. So, what did Apple do to finally fix the problem? We don’t know. In fact, no one knows except Apple. Even some of the other leaders in the space of iPhone encryption breaking, such as developers with Elcomsoft, did not have answers when presented with the question. Ultimately, this is a good thing: you don’t want to let your adversaries know how you figured out how to beat them at their own game. Whatever Apple did in iOS 12, though, the important thing is that iPhone passcodes are once again incredibly secure in just about every application — so long as they’re strong, of course.

That doesn’t mean it’s time for complacency, though; while GrayKey may be out of commission, that doesn’t necessarily mean it’s the last we’ll see of it, or of devices similar in function. Ultimately, someone may very well find another way to build a device that breaks into iPhones; it might take weeks or months, but we can bet someone is out there working on how to beat device security. Grayshift, the company behind GrayKey, could even be hard at work trying to find a new way in of their own. We’ll have to wait and see, though for now, we can celebrate the fact that after ad hoc solutions like USB Restricted Mode, Apple finally found a way to shut the door.

No surprise here, but neither Apple nor Grayshift responded to Forbes’ request for a comment on their article. The battle between the tech titan and the security startup continues in the shadows, but for now, it looks like there might actually be a clear victor — unless a story suddenly emerges in six months about a new version that works again.

With that, though, we’ll bring this episode of The Checklist to an end. If you’d like to revisit a recent episode you might have missed or want to bone up on your security knowledge so you can impress your family during the upcoming holidays, don’t forget that you can always dive into our archives right here. In there is every episode we’ve ever recorded, complete with show notes, full audio, and all the links you’ll need to go deep down the rabbit hole.