SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 121: On Checklist, TV Watches You!

Posted on January 18, 2019

With January slipping by quickly, are you back in the groove of all your usual life responsibilities? Are you perhaps enjoying your free time by taking advantage of all those new gadgets you got over Christmas, such as a brand-new TV? It may have some unsavory features you don’t know about lurking in the menus and settings — and speaking of settings, what better time of the year to review some of your mobile security settings? That, plus a look at some helpful resolutions you can make now that you’ll have a better chance of sticking with than your gym plan, and you’ve got the recipe for this week’s Checklist.

On today’s list, we’re ticking off those boxes with a week chock-full of helpful security how-tos:

  • TVs That Are Too Smart for Your Own Good
  • Putting a Lock on Individual iOS Apps
  • Security Resolutions for the Relatively New Year

We’ll start off this week’s discussion by looking at smart TVs — and the pitfalls they might have in store for us.

TVs That Are Too Smart for Your Own Good

If you unwrapped a new TV on Christmas morning, it was surely an exciting experience, and we’re sure you could tell us all about it — its features, its resolution, how good the picture looks, and on the list goes. Here’s the bad news, though: your TV could probably tell us all about you just the same. That’s because practically every set sold today is a “smart TV.” Wi-Fi-enabled, Internet-connected, and chock full of apps, there are a lot of reasons to love smart TVs, such as the built-in ability to connect to your preferred streaming service. The great prices you can find on them around the holiday are pretty nice, too. That cheaper price tag comes with a caveat, though.

According to Business Insider, some of those cheap TVs are vacuuming up user data about usage and viewing habits and selling that information on to third parties. These third parties are typically advertisers or marketing firms looking to learn about how better to sell you even more stuff. TV manufacturers receive substantial payments from these third parties for the ability to access data streams from end users, which in turn creates a lower sticker price in stores.

So, what does your TV collect about you to send? Typically, it includes the types of shows you view, which ads are displayed and viewed on-screen, and the rough geographic location of your TV. At first, you might think that this doesn’t sound all that different from regular cable TV; most of us have made peace with the fact that using anything other than an antenna to do your viewing means someone can probably measure what you’ve watched. However, new technology takes that one step further.

It’s called ACR, or automatic content recognition. ACR is software running on some smart TVs purpose-built for identifying what you have on screen. With ACR, the TV understands more than just what you watch on cable — it’s anything displayed on the screen, from those over-the-air broadcasts to what you watch from your own personal DVD/Blu-Ray collection. Once identified, the software sends on the viewing statistics to the manufacturer or a paying third party. 

There aren’t a lot of upsides to this aside from the lower TV prices. Consider what it would be like if one of these advertisers could pair up your TV viewing history and habits with web browsing data from tracking cookies — suddenly you could start seeing ads linked between the two all the time. Hackers getting their hands on usage data might look for homes where the TV hasn’t been turned on in days or weeks to look for robbery targets. Let’s be clear: these are some extreme hypotheticals. Nonetheless, it’s important to keep what can happen in mind.

More importantly: smart TV manufacturers aren’t making it easy for users to understand what they’re signing up for just by powering on their new device. Let’s be real: your eyes glazed over as soon as you saw the terms of service pop up on screen, right? Even if you did try to read through it, you wouldn’t have an easy time. Back in 2015, Consumer Reports wrote about the issue, noting that the privacy policies displayed on TVs are incredibly long, difficult to read, and can easily be skipped all at once. One TV featured policies in excess of 6,000 words long — who could ever glean the truth of what the TV does when trying to read that while sitting on their couch?

So, can you do anything about this? There is good news: you can turn off many of these features, or at least limit their functionality. The bad news: if you’ve already agreed to the Terms of Service during setup, all that information your TV already sent is out there for good. You can shut off the tap, though — even if it does involve digging deep into your TV’s settings.

There is, unfortunately, no “one size fits all” solution to this issue, as every TV manufacturer uses their own wording and menus. As you look through your TV’s settings — and take care to explore every menu and sub-menu — watch out for terms such as “Marketing” or “Advertising,” or features labeled “interactivity.” Then look for questions that ask you about turning off those features or opting out from the program. Those are a good sign that you’ve found the right settings. 

However, not every manufacturer even provides this option; some TVs have the data collection features baked in with no way to turn them off. Make sure you do your homework before you buy a smart TV, and if you already have one, spend some time doing a deep dive into the settings. What if you use a separate set-top box for your streaming, such as a Roku, Apple TV, Amazon Fire, or other hardware? Check your devices for similar settings and make sure these devices aren’t dripping your data out as well.

Putting a Lock on Individual iOS Apps

Let’s talk about passwords on your phone.

Let’s say you’ve already got a nice, secure passcode on your iPhone, but you’re still concerned about unauthorized access. Maybe you have a fidgety kid, and a quick hand-off of your phone is good for a few minutes of distraction. Perhaps you’re very security minded — or maybe “paranoid” would be the better word. Whatever the case may be, you want more layers of security. Some secure apps, like those for banking and even sometimes personal journaling, already come with their own built-in need to authenticate. Others don’t. Over at Cult of Mac, though, writer Charlie Sorrel has found a clever way to add this security in yourself — should you so desire.

It all has to do with the recently introduced Screen Time feature. Screen Time, a new default app on the iPhone, is Apple’s way of letting you track how much time you spend on your device and what you do with that time. One option is to set an “App Level password,” which forces you to consider whether you want to keep wasting time on Facebook or whichever game is currently the most popular. However, this option can also be put to a use it wasn’t intended for.

You can use that same password to lock down your most sensitive apps, keeping curious kids or snooping strangers from getting past a second layer of security. Want to try it out for yourself? Here’s how to do it:

  1. Make sure you have Screen Time enabled. To do that, tap on your Settings app, then find Screen Time. Tap to enter the settings.
  2. If not enabled, tap Turn on Screen Time. Now choose whether you’re setting up the feature for a child’s device or your own.
  3. Now tap Use Screen Time Passcode. We’re going to choose which specific apps we’d like to limit now.
  4. Locate the bar graph that displays your recent app usage statistics. Tap on this graph to view recent apps. 
  5. Tap on the app you want to set a passcode for.
  6. Tap Add Limit, and enter the passcode you just set up a moment ago.
  7. Using the on-screen dials, set a one-minute limit. Select Block at End of Limit.
  8. Tap Add, located at the top of the device screen. 

Now open your app and wait for a minute to allow the timer to expire. Its app icon will gray out, and you will see the option to enter the passcode to “ask for more time.” You’ve now effectively locked down that specific app. Just don’t forget your Screen Time password — and don’t set it to be the same as your lock screen code!

Keep in mind you will now need to enter the passcode to use that app for the rest of the day, and you can’t speed past it by using Touch ID. So, it’s a bit of an inconvenience, though that’s also part of the point. If you’re really security minded, you can even lock down every app with the passcode — though that might be a bit of overkill.

Security Resolutions for the Relatively New Year

Let’s round out this week by talking about resolutions — and no, we don’t mean the fact that the gym staff haven’t seen you around since the first of the year. How about some security resolutions instead? A piece in The Next Web this week caught our eye. It’s all about starting the new year off right by making sure that you’re still following all the best practices for personal security so you can enjoy a year without so many stresses about insecurity (digitally speaking, of course). Some of these we’ve discussed on The Checklist before, and some we haven’t. What should you resolve to do right this year? 

The big one, right at the top of the list, is one that should be familiar to longtime Checklist listeners — manage your passwords. We talk a lot about this subject, but we also talk a lot about huge organizations losing your passwords to hackers. So, what’s the point of trying? It’s simple: the more passwords you have that are unique from one another, the less a single data breach matters. Who cares if a hacker steals a password that’s a random string of gibberish if you can change it quickly, and if it won’t let them into any other account? There are still plenty of good reasons to stay focused on good password management. 

Use a password manager. They not only reduce your need to remember passwords but also make it easier to keep track of all your logins, and also make it simple to generate very secure passwords instantly. Even if you don’t want to use a manager, you have options — just write them down on paper and keep them secured in a very safe place (like a safe). Even though it’s not a typical security strategy, it’s still safer than reusing passwords repeatedly. Password Do’s and Don’ts was one of the earliest episodes of The Checklist we did. That’s Episode 8 if you want to check it out.

Next up, turn on multi-factor authentication. Turn it on everywhere you can — you’ll be so thankful you did when you run into the first instance of realizing someone has tried to break into your account but failed. Text messages are the most common tool used to transmit one-time codes, though in some rare instances, bad guys could try to intercept those. Other options, such as code generating apps, offer alternatives for many services. Physical authentication keys are also an option for those who change devices frequently or who require a higher level of security. You can find out more from our archives, this time in Episode 41, Authentication and Authorization.

The Next Web’s final two tips: delete the apps you aren’t using and make sure you keep the apps you do use up to date. It’s an interesting one most people might not consider. Why should you get rid of the apps you aren’t using?

Privacy is the big reason. Consider ridesharing apps, for example, which require you to grant permission to access your location data. In the past, some of these apps have been caught tracking users even when the app is completely closed. There is potential for other apps to do this as well, ultimately selling your location info on to advertising firms. Just carrying your phone can allow these trackers the opportunity to piece together clues about where you go and how long you stay.

So: if you don’t use an app anymore, get rid of it and download it again when you need it in the future. In the meantime, though, at least it won’t be tracking you around town, or anything else you may not know it’s doing. Meanwhile, set up automatic updates on your phone to allow the App Store to download the latest updates from app developers automatically. 

With these helpful how-tos and resolutions in mind, you can be confident that you’ll start off 2019 safer and more secure than you ended 2018. Now, what about all those other episodes of The Checklist we mentioned? You can dive into all of them and more, plus their complete show notes and tons of helpful links, right here in The Checklist Archives. With everything you could want for improving your understanding of security and the latest threats out there, it’s the easiest way to catch up on what you’ve missed. Of course, you can also easily find every episode on all your favorite streaming services. Catch up from episode 1, or stick with us as we slowly build towards episode 200!
