Privacy & Security  
March 2024 Edition

Editor's Note

Hi Insiders, Cullen here.

It's April 1st—April Fools' Day for many of us—the day you can't trust anything on the internet (even more than usual). But this is no trick! I hope you’ve had a chance to tune in this week to our updated live course: Privacy & Security for Apple Enthusiasts in 2024. We covered password management last week and will be covering scam defense and personal privacy protection this week, then how to protect your devices from malware in week three. I hope you can join us! What do you hope to learn in this year’s course? Just hit reply to this email and let me know.

As always, email us your security tips, stories, and responses at security@iphonelife.com

Cheers!

Cullen Thomas,
Senior Instructor at iPhone Life

In This Newsletter:

  • Top 3 Security Skills of the Month: Each month we'll share three things to practice, based on the stories below.
  • Security Updates from Apple: What we know about Apple's security patches and updates.
  • Common Hacks, Scams, & Trouble: A selection of illustrative threats from the last month.
  • Latest from Around the Web: General privacy & security news for Apple enthusiasts.
  • Security Tip of the Month: One thing you can do in three minutes or less to improve your security.
 
Top 3 Security Skills of the Month

We're highlighting these three skills because they're basic cyber self-defense for regular people, but they also would have prevented some of the stories you'll read about below.

  • Keep your devices up to date. March saw several updates from Apple that fixed important vulnerabilities in your devices.
  • Be wary of free Wi-Fi. Instead, use your iPhone’s hotspot.
  • Be wary of unsolicited communications, especially when they seem urgent. Hang up, and call them back at an officially listed number.

For a complete list of our top security recommendations, join our live course: Privacy & Security for Apple Enthusiasts in 2024 on insider.iphonelife.com, all included in your iPhone Life Insider subscription.

 
Security Updates From Apple

Two Serious Security Bugs Fixed in iOS 17.4.1 and macOS 14.4.1

Among the many bugs fixed with iOS 17.4 and 17.4.1 were two serious security flaws found by Nick Galloway at Google’s Project Zero threat research team. Both bugs are in the image processing engine and would allow an attacker to craft a malicious image and send it to an iPhone; when the iPhone processes that image, the attacker gains the ability to execute code on the device.

The Bottom Line: As always, it’s a good idea to update your devices to the latest operating system version.

 
Common Scams, Hacks & Trouble

Apple Processor Flaw Lets Hackers Steal Encryption Keys

Researchers have identified a new vulnerability in Apple’s M-series processors for Macs. The vulnerability, named GoFetch, allows an attacker with a malicious app installed on a Mac to eventually defeat portions of its encryption. The attacker can cycle through many possibilities of what the encryption key might be, and the vulnerability leaks a subtle indicator when an attempt is partially correct. This lets the attacker eventually learn the whole key. There is no evidence yet that this attack has been used, and Apple has been notified; however, the vulnerability is in the design of M-series hardware and cannot be patched with software. App developers can mitigate the vulnerability in their own apps by applying a fix that is known to slow their apps down.

The Bottom Line: This vulnerability cannot be patched on M1 or M2 devices, but M3 devices may see an update that slightly impacts performance in order to fix the vulnerability for those machines. Exploiting the vulnerability requires that the attacker already have code-execution ability on your machine, so safe everyday habits prevent it. Only install apps from reputable developers.

Change Healthcare Hit with Major Ransomware Attack

Change Healthcare is the largest payment clearing company for healthcare providers in the USA. In late February, many of its servers were taken offline in response to a ransomware incident by the criminal hacking gang known as BlackCat. James Rundle of the Wall Street Journal provides a good high-level overview. Disabling the servers at Change Healthcare made it impossible for many healthcare providers in the USA to receive payment for up to 98 percent of the services they render. Providers ranging from single-office family doctors to whole hospitals to care homes across the US have lost out on income ranging from a few thousand to millions of dollars every day. Many have survived through emergency assistance, others through loans; others have closed.

The BlackCat group responsible for the attack operates a ransomware-as-a-service model: it creates and maintains the software needed to encrypt a victim’s computers in exchange for a percentage of each ransom paid, but it relies on independent operators, known as affiliates, to break into victims and install the ransomware. The ransomware encrypts the victim’s drives, locks up the computers, and potentially steals data, holding everything hostage until the ransom is paid.

It appears that Change Healthcare paid the ransom to get its computers back online. However, due to some criminal backstabbing within BlackCat, the ransom money never made it to the affiliate who had control of the computers: BlackCat took it and ran.

As of March 28, Change Healthcare is still not fully recovered.

The Bottom Line: The final cost to the US healthcare system is not yet known, but the effects are far reaching. We don’t know what, if any, personal information was stolen from Change Healthcare and is now in the hands of BlackCat or their affiliates. There isn’t anything that we as individual consumers can do except push elected representatives for better oversight and diversification of the financial services industries. Be on the lookout for scams trying to capitalize on the confusion, such as unsolicited offers of alternate payment systems. Always be wary of unsolicited calls or texts, especially if they try to pressure you with urgency or threats. You can always hang up, then call them back at an officially listed number. Always monitor your bank and credit card statements as well as your credit score and consider freezing your credit.

How to Steal a Tesla with Your iPhone

We do a lot of how-to videos but here's one we didn't make. Security firm Mysk released an explainer video demonstrating how a loophole in Tesla’s security practice would let an attacker steal a Tesla. The attack works by setting up a free Wi-Fi network at a Tesla charging station, but branding it to look like the free Wi-Fi offered at Tesla dealerships. Then the scammer just waits for someone to connect. The malicious Wi-Fi will ask for the victim’s Tesla ID and password to log them in. Once armed with that credential, the scammer can log in to the victim’s Tesla account and add their own iPhone as a key to the car, then simply unlock the car and drive away. The victim never receives any notifications of a new login to their account, of a new key added to their car, or that the car has been unlocked or started.

The Bottom Line: Tesla doesn’t offer free Wi-Fi at their charging stations, only at their dealerships. If you see free Tesla branded Wi-Fi at a charging station, it’s probably a scam. It’s best to avoid free Wi-Fi in general, because this is just one kind of scam of dozens that can be facilitated through malicious use of free Wi-Fi networks. Using multi-factor authentication on your Tesla account could prevent this attack, especially with a hardware key.

Public Database Reveals 5 Million Text Messages a Day

An internet and cell phone service provider called XY International, which primarily serves Asia and claims to handle about 5 million text messages per day, accidentally left an internal database open to the internet without a password, reports Zack Whittaker at TechCrunch. The database contained the details of all text messages transiting its systems, including, for example, the sensitive password-recovery links sent to people creating a new password for a Google or Microsoft account, as well as the MFA codes used to secure accounts. It also held the private communications of millions of users, available to be read, copied, stored, and analyzed by anyone with the link.

The Bottom Line: Even if you are not a customer of XY International, this supplies evidence of the problems inherent in using text messages as an identity verification tool. When setting up multi-factor authentication (MFA) for your important accounts, bear in mind that a text message isn’t as secure as other forms of MFA. This also demonstrates the risks of using any unencrypted messaging system, and it's why we recommend using encrypted messengers like iMessage or the secure app Signal.

X Update Leaks Your Location

The social networking platform X (formerly Twitter) activated an audio or video calling feature for all users of its apps as of the 4th of March. A call on X permits both participants to see each other’s real IP address, which can be linked with their physical location. By default, the X app allows calls to you from anyone you follow, though you can limit that or expand it in the app’s settings. Despite its many security and privacy failings, X continues to be used by activists and journalists around the world whose safety is contingent on their locations remaining private.

The Bottom Line: If you’re still using the X app, consider disabling the video calling feature in the settings area. Tap your profile picture > Settings and Support > Settings and privacy > Privacy and safety > Direct messages, then toggle off Enable audio and video calling. In that same menu there is a feature called Enhanced call privacy that routes the audio and video through X’s infrastructure to avoid giving away your IP address, but I would recommend using a more secure app for your calls.

Interactions with ChatGPT Are Not Private

Researchers have developed a simple method for a passive observer of network traffic to identify the content of ChatGPT interactions with high accuracy, even when they’re encrypted. The same approach works on every large language model search engine except Google Bard. Read more at Ars Technica.

The Bottom Line: While this is a novel tactic, it is one of many similar methods. For the moment it is probably best to consider any questions that you ask of large language models to not be private, and to assume the entire interaction can be inferred, recovered, or intercepted by third parties and the model operators. Do not use large language model generative AI to answer questions on sensitive topics or to evaluate your secret information.

 
Latest from Around the Web

US Justice Department Hits Apple with Massive Antitrust Lawsuit

An antitrust complaint filed by the DOJ alleges that Apple has knowingly inhibited the user experience on iPhones in order to make it more difficult for users to transition from iPhone to Android or another smartphone system, thus stifling flexibility and innovation in the smartphone industry and dozens of related markets. The lawsuit makes five specific complaints regarding super apps, cloud streaming, messaging apps, smart watches, and digital wallets. It suggests that in each of these cases Apple has made its own product worse so that it could force users to use the Apple App Store, where it reaps extraordinary profits. Usually, privacy & security is the excuse offered by Apple in these cases.

For example, the DOJ alleges that Apple has purposefully made messaging with non-Apple devices harder and less effective—the much maligned green bubbles, where any message sent to a non-Apple phone is given a green bubble and delivered with reduced functionality and lower quality. Apple claims it’s for security reasons: so you can distinguish between an encrypted iMessage and an unencrypted SMS message, but Apple could have put carrier-based SMS messages in a separate app from their iMessages (perhaps their FaceTime app?), or implemented one of the encryption protocols used by Android phones. In my opinion, their choices to not do those things do indeed leave iPhone users less secure, since it is impossible to know whether any given message will be sent as an encrypted iMessage or, due to factors outside of the user’s control, roll back to using unencrypted SMS.

The DOJ complaint is remarkably readable for a legal document, and the rest of their arguments are interesting.

The Bottom Line: This is just the beginning of the lawsuit, which is likely to drag on for years. My optimism would like to think that the case has merits, and that it will likely result in a superior product for Apple users. However, my reason suspects there may be more important monopolies for the DOJ to worry about.

Journal App Privacy

A viral TikTok video exaggerated claims that Apple’s Journal app is a privacy risk. In particular, the video warned about a feature that suggests journal topics to write about and is able to track who you spend time with in order to suggest that you journal about them. This works by using Bluetooth to detect when you are near other iPhone users who are in your contacts. Your iPhone already does this for the Find My functionality that can find a lost iPhone.

The Bottom Line: The privacy and security concerns are minimal due to how the feature works. The location and proximity tracking function does not keep records of any identifying information about the other Bluetooth devices nearby, and it only suggests your contacts as journaling topics if you were near them for a long time. If you use the Journal app, this isn’t anything to worry about. Nevertheless, if you wish to disable this feature of the Journal app, you can go to Settings > Privacy & Security > Journaling Suggestions and disable Discoverable by Others. But it might be more effective, and more relevant to your privacy, to spend a few minutes in the Settings > Privacy & Security > Location Services menu checking which apps have access to your location and limiting access for those which don’t need it.

Automakers Sharing Driver Data with Insurance Companies

Your car could be tattling on you to your insurance company, as 65-year-old Kenn Dahl recently found out, reports Kashmir Hill at the New York Times. Mr. Dahl drives a Chevrolet Bolt and found his insurance rates going up no matter where he shopped. Through the data broker LexisNexis Risk Solutions, he discovered that unbeknownst to him, General Motors had been sharing data about his behavior behind the wheel with car insurance companies, resulting in higher-than-normal rates. Drivers of other makes, such as Ford and Honda, have found that their driving behavior had been sold to LexisNexis as well. It turns out that most modern vehicles come with an app or service that can track the way you drive, which, according to the manufacturers, is to help customers develop safe driving habits by making them aware of their unsafe ones, such as hard braking or fast acceleration. That sounds like a useful idea in theory and most drivers would probably opt into a service like that. But most people are probably not on board with sharing that data with third parties, like car insurance companies.

The Bottom Line: So what can you do about it? The good news is that General Motors has since announced that it will no longer share driving data with data brokers. However, if you’re concerned about your car sharing data about how you drive, the best thing you can do is uninstall any companion apps you might have, such as Honda’s Driver Feedback, Kia’s Driving Score, Chevy’s MyChevrolet, etc. If you don’t use your car manufacturer’s apps, then you should have nothing to worry about.

Data Brokers, Who Are They?

Data broker companies gather profiles on vast numbers of private individuals by scraping public records and aggregating advertising-related details. They compile reports on individuals and offer these profiles for sale. Some examples include Radaris and Nuwber, as investigated by Brian Krebs of KrebsOnSecurity, whose series of exposés on the shady practices of the data broker industry is well worth a read.

If you’ve ever been doxxed (had your contact info or address maliciously published), if you are the victim of stalking online or off, if you are a reporter, or a person of interest to the media, or an activist, or just a regular person with privacy concerns, then you have plenty of reason to want your personal details to be hard to find. These data brokers are also useful to hackers and scammers who use them to glean details about you so they can customize their scams.

The Bottom Line: It’s a challenging affair to remove your details from these databases simply because there are so many, but since they operate as businesses, they are legally required to allow you to opt out. Investigative tech reporter Yael Grauer compiled a helpful instruction set, the data broker opt-out list, that tells how to opt out of each data broker in the list, while security researcher Alice Watson offers advice on data pollution: the practice of making the databases wrong about you. This clever approach could help you identify a scammer, since they'll be wrong in the same ways as the databases, but it's neither easy nor quick. If you'd prefer a less hands-on approach, the Mozilla Foundation runs a paid service, Mozilla Monitor, that will try to get your information taken down from as many sites as possible, but we haven't tested it ourselves.

 
Security Tip of the Month

How to Turn on Rapid Security Response

A Rapid Security Response is an iOS security update designed to patch a detected vulnerability automatically instead of waiting for you to install the update yourself. This addresses security risks in a timely fashion, minimizing the window of exposure for users. Because a Rapid Security Response is applied automatically to your iPhone, you don't have to be on the lookout for it or remember to install it yourself.

In your Settings app, navigate to General > Software Update > Automatic Updates. There, make sure Security Responses & System Files is toggled on.

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter is written by me, Cullen Thomas, with contributions from Rhett Intriago, edited by Donna Schill.

 
Copyright © 2025 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.
Mango Life Media LLC | 402 North B Street | Fairfield, IA 52556