Tech Friday


  • Apple now tracks your emails and phone calls to "prevent fraud":
    • Apple recently added a new provision to their iTunes Store & Privacy policy which says that devices will receive a score based on the number of phone calls made and emails sent
    • The new system was quietly added as part of the new iOS 12 update
    • It reads: "To help identify and prevent fraud, information about how you use your device, including the approximate number of phone calls or emails you send and receive, will be used to compute a device trust score when you attempt a purchase. The submissions are designed so Apple cannot learn the real values on your device. The scores are stored for a fixed time on our servers."
    • According to Apple, the data used to compute the score, including the number of phone calls you've made, is only stored on the phone
    • The data that gets sent to Apple is only the numeric score, and it's encrypted in transit
    • Apple said they use "the company’s standard privacy abstracting techniques and retained only for a limited period, without any way to work backward from the score to user behavior. No calls, emails, or other abstractions of that data are shared with Apple."
    • Apple claims that it's impossible to reverse engineer the score to understand user behavior and that the score isn't used for targeted advertising; it's simply a fraud-prevention measure
    • As of this writing, it's not possible to view your trust score on your phone, but Apple says users can request any of their data at any time here: https://privacy.apple.com/
    • Facebook recently announced a similar rating system
    • VentureBeat has recently noted that this new privacy policy applies to Apple TV too
  • A smartphone microphone and speakers can be used to eavesdrop:
    • Researchers at Cornell have reported a new way to capture data such as passwords using the microphone and speakers in a smartphone
    • They call it an "active acoustic side-channel attack"
    • In this attack, speakers are used to emit inaudible acoustic signals below the human hearing range while the echo is recorded via the microphones
    • This effectively creates a sonar system that can be used to capture user interaction with the device
    • This allows a victim's finger movements to be tracked
    • The Cornell study found that the number of unlock patterns that an attacker must try on a Samsung S4 phone can be reduced by up to 70% 
    • They also reported that their approach can be applied to other applications and device types
    • Cornell indicated that this is a new type of security vulnerability
    • You can read the paper here: https://arxiv.org/abs/1808.10250
  • Malware on IoT devices has skyrocketed 273% since 2017:
    • IoT devices are often an attractive and easy target for hackers. They’re always on, connected to the internet and often inherently insecure
    • Kaspersky Lab reported that IoT malware infections have exceeded 120,000
    • They have found 121,588 modifications of malware targeted at "smart" devices in the first half of 2018, a 273% increase!
    • Brute-forcing of passwords is used in 93% of attacks; the remainder rely on well-known exploits to access the devices
    • 60% of the hacked devices were routers, and the rest are a laundry list of devices
    • The FBI recently warned home users of the dangers of unsecured devices
    • David Emm, principal security researcher at Kaspersky, said, "For those people who think that IoT devices don’t seem powerful enough to attract the attention of cyber-criminals, and that won’t become targets for malicious activities, this research should serve as a wake-up call. Some smart gadget manufacturers are still not paying enough attention to the security of their products, and it’s vital that this changes — and that security is implemented at the design stage, rather than considered as an afterthought"
    • You should think long and hard about bringing IoT devices that are not absolutely necessary into your home
    • If you do use IoT devices, you must change the default password and install any firmware updates!