
Security Bits — 20 Feb 2022

Feedback & Followups

Deep Dive 1 — Apple AirTag Developments

Apple has released plans for improving their abuse protections on AirTags. There’s a mix of short-term and longer-term changes.

The simplest change will be a new privacy warning when setting up an AirTag. The warning tells users not to abuse the trackers, and that Apple know who each tracker belongs to, and will pass that information on to law enforcement when presented with an appropriate warrant. This isn’t a change in policy, Apple are simply highlighting their existing procedures.

As well as adding the warning Apple are also updating their documentation to give users more information.

At the moment the alerts you get on your phone when a FindMy device that’s not yours is moving with you don’t give any details of what the device is, and in some cases, this is causing confusion because modern AirPods are FindMy items too, as are some trackers made by other manufacturers. The warnings will be updated to be more specific.

In the longer term, Apple are going to enable precision finding for trackers that are following you, tweak the warning sound to make it easier to hear, and sync the sound with the phone alerts so they happen together. Finally, Apple are going to continue to improve the algorithm for detecting suspicious movement and alert users more quickly when possible.

Meanwhile, the New York Attorney General has released a very well-written warning about the dangers of AirTag abuse, as well as some good advice for how people can protect themselves.

A point I’ve been making all along is that AirTags did not cause tracker abuse: it was happening before AirTags, and it would continue even if AirTags were to vanish tomorrow. The reason we hear so much about AirTag tracking is that Apple added more and better protections than everyone else, and they work, so victims of AirTag abuse find out about it, while victims tracked with other devices don’t.

To underline this point, the New York Times did an excellent piece in which tech journalist Kashmir Hill used an AirTag, a Tile, and a GPS tracker to track her partner (with his permission), to test both their effectiveness and their protections. The bottom line is pretty clear: everyone else’s protections are ‘way worse’ than Apple’s.

Links

Deep Dive 2 — Google’s Android Privacy Sandbox (non)Announcement

Google released a statement describing some vague possible privacy improvements in the future, but giving no detail, and promising not to block anything advertisers can do today for at least the next 2 years. The spin Google are trying to put on this is that they are doing something as good as Apple’s App Tracking Transparency, but without hurting advertisers.

In terms of actual technology, they do mention their new Topics API, and a new similar FLEDGE API for tracking users across apps and then grouping them into custom audiences for advertisers.

The big thing they’re promising is an opt-in sandboxed API that ad networks could choose to use to limit what their ad code can do when embedded in apps.

Ron Amadeo’s excellent critique at Ars Technica really gets to the heart of this announcement in its conclusion:

Since Google is not making any privacy changes mandatory, it is basically asking advertising companies to voluntarily stop collecting data on users. If advertisers wanted to do that, they could make that change today.

Links

Deep Dive 3 — 🧯 That T2 Hack

Details are sparse, but a grey hat hacking company is now offering a solution for brute-force cracking full disk encryption on Macs with a T2 hardware security chip.

One of the T2’s most important functions is to protect the key used for full-disk encryption on Macs: hardware protections prevent the key from being extracted and limit the rate at which passwords can be guessed, making even a brute-force attack impossible.

We don’t know the details, but what Passware have found is a way to bypass the rate-limiting on guesses. Their password cracking solution can now make 15 guesses a second on Macs with a T2 chip.

This means a strong password will still take millennia to crack, but a commonly used and weak password can be guessed in less than a day.

Physical access is needed to perform these kinds of attacks, so this is not something most of us have to worry about, and, even with physical access, a strong password still provides excellent protection. So, no need to panic, just use a strong password for your Mac.
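To put the 15 guesses per second in perspective, here is an added example (my own illustration, not Passware’s code and not from the show notes) that estimates worst-case crack times at that rate; the guess rate is the one reported above, while the password-class sizes are assumptions.

```python
# Added illustration for the T2 story above; not Passware's code.
# The only figure taken from the show notes is the 15 guesses/second rate;
# the candidate-set sizes below are assumptions modelling "weak" and
# "strong" passwords.

T2_GUESS_RATE = 15.0            # guesses per second reported against T2 Macs
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over a charset."""
    return charset_size ** length


def seconds_to_exhaust(candidates: int, rate: float = T2_GUESS_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second.
    The expected time to hit the right one is about half of this."""
    return candidates / rate


def human_time(seconds: float) -> str:
    """Coarse, human-readable duration used for the summary table."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    if years < 1000:
        return f"{years:.0f} years"
    return f"{years / 1000:.3g} millennia"


def crack_time_table() -> dict:
    """Worst-case crack times at the T2 rate for a few assumed password classes."""
    scenarios = {
        # Assumption: a "commonly used" password is in a top-1M wordlist.
        "top 1M common passwords": 1_000_000,
        "8 lowercase letters": keyspace(26, 8),
        "10 mixed-case letters + digits": keyspace(62, 10),
        # Assumption: a 5-word passphrase from a 7776-word diceware list.
        "5 diceware words": keyspace(7776, 5),
    }
    return {name: human_time(seconds_to_exhaust(n)) for name, n in scenarios.items()}


if __name__ == "__main__":
    for name, t in crack_time_table().items():
        print(f"{name:32} {t}")
```

The table bears out the claim above: a wordlist password falls in under a day at 15 guesses per second, while a long random password or passphrase still takes millennia.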

Links

❗ Action Alerts

Worthy Warnings

Notable News

Excellent Explainers

Interesting Insights

Just Because it’s Cool 😎

  • 🇺🇸 CISA have published a big list of free cyber security tools & services: www.cisa.gov/…

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji: Meaning
🎧: A link to audio content, probably a podcast.
❗: A call to action.
(country flag): The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊: A link to graphical content, probably a chart, graph, or diagram.
🧯: A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵: A link to an article behind a paywall.
📌: A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩: A tip of the hat to thank a member of the community for bringing the story to our attention.
