SecureMac, Inc.

Checklist 326: Schrödinger’s Vulnerability

May 5, 2023

AirTag used to fight car theft in New York, Apple and Google join forces on security standards for personal trackers, and another look at juice jacking.

Apple and Google propose standard for Bluetooth trackers

AirTags and other personal tracking devices have been the subject of great scrutiny over the past year. We’ve covered the topic extensively on the podcast.

The biggest security worry is that bad actors and/or stalkers will use devices like AirTag to track people. Now there appears to be some good news on that front: Apple and Google say they’re launching a new initiative to create technological standards that will help people receive alerts when they’re being tracked by AirTag, Tile, Pebblebee, Chipolo, or the like.

Ron Huang, Apple’s VP of Sensing and Connectivity, says:

This new industry specification builds upon the AirTag protections, and through collaboration with Google results in a critical step forward to help combat unwanted tracking across iOS and Android.

Erica Olsen, senior director of the Safety Net Project at the National Network to End Domestic Violence, voiced her approval of the proposed standards:

These new standards will minimize opportunities for abuse of this technology and decrease the burden on survivors in detecting unwanted trackers. We are grateful for these efforts and look forward to continuing to work together to address unwanted tracking and misuse.

The standards will be in the draft/review stage for the next few months, but the plan is to have working standards in place by the end of 2023. 

NYPD Bluetooth

The power of AirTag trackers has enabled criminals to abuse them—but they’re also helping law enforcement fight back against crime. 

CBS New York reports that the New York Police Department is giving away 500 of the Apple tracking devices to residents of the Bronx in an attempt to combat a wave of car thefts plaguing several neighborhoods in the borough.

In a tweet from his official account, NYPD Chief of Department Jeffrey Maddrey said:

The 21st century calls for 21st century policing. AirTags in your car will help us recover your vehicle if it’s stolen. We’ll use our drones, our StarChase technology & good old fashion police work to safely recover your stolen car. Help us help you, get an AirTag.

A nonprofit called the Association for a Better New York is funding the initiative. Car owners in the hardest hit Bronx neighborhoods of Castle Hill, Soundview, and Parkchester are advised to call their local police precinct if they want an AirTag. 

Is juice jacking just hype?

Ars Technica ran an article this week entitled “Those scary warnings of juice jacking in airports and hotels? They’re mostly nonsense.”

Despite the government’s recent warning about the risk of juice jacking—compromising a mobile device via a malicious USB charging station—Ars Technica says that juice jacking is not something the average person should be worried about. To quote them:

…the vast majority of cybersecurity experts do not warn that juice jacking is a threat unless you’re a target of nation-state hackers. There are no documented cases of juice jacking ever taking place in the wild. Left out of the advisories is that modern iPhones and Android devices require users to click through an explicit warning before they can exchange files with a device connected by standard cables.

Our take? It’s true that the popular press has overstated the likelihood of juice jacking—though it’s also hard to blame them, considering that the warnings are coming from federal agencies. 

On the other hand, it’s difficult to know for sure that something isn’t happening—and in general, cybersecurity is a matter of covering as many bases as possible, not just the biggest, most obvious threats.

For the more cautious among us, portable charging packs or standard wall outlets are likely the best options. Another cool alternative: data blockers, which act as a barrier between your device and the power source. Some models have transparent casings and no chips. Only the power pins are connected, not the data pins, and the transparent casing lets you see that there is no physical way for data to leave your device.
