Recent Apple Security Patches Were Related to Espionage Against Russia

In July, you might have noticed a pop-up on your iPhone asking you to install a security update. This was a small thing, and no inconvenience to most of us. Most of the time these updates aren’t all that interesting, but in this case there’s a whole story: the updates had to do with Russia’s war of aggression in Ukraine.

In March, the Kremlin warned a group of officials involved in Russia’s presidential election to stop using iPhones. They suspected that those devices had been hacked by foreign powers, especially the United States, who could then pass on the activities of their users to Ukrainian decision-makers. In June, the FSB, Russia’s internal security agency, accused Apple of collaborating with United States spy agencies to produce weaknesses in the iOS operating system that would allow for spying on iPhones. Apple denied the claims, and the FSB has offered no evidence at all.

At the same time, the Russia-based security firm Kaspersky announced that they had independently identified a hacking campaign to gain remote access to the iPhones of Kaspersky staff. This is likely the same campaign that had the FSB worried. Kaspersky wrote up the hack under the name Operation Triangulation. Then, on July 10th and 12, Apple issued two rapid security updates both reportedly related to fixing the vulnerabilities found by Kaspersky’s researchers. Nevertheless, in July, Russia began moving to ban iPhone use by all Russian government officials, suggesting that they do not believe these patches were sufficient to end the vulnerability.

The Bottom Line: Is Apple helping the NSA spy on Russia to help out Ukraine? Probably not. Any bug that Apple might introduce to help out a spy agency could also be used by other people, such as criminals or scammers, and Apple has been absolute about saying no to such requests in the past, but that won’t stop them getting dragged into international affairs, and they are required to comply with US law.

There isn’t anything you need to do. Simply install the updates to help protect your iPhone against the vulnerabilities that were exploited to spy on Russian decision makers. In theory if those vulnerabilities could be used to target them, then they could be used to target anybody with an iPhone, but in practice we have no evidence that they ever have been. Still, it’s worth installing the update.

Malicious Pop-ups Are Still a Scourge

The greatest digital threat to most of us remains the risk of clicking on ads and links that we shouldn’t. Whether it’s ads offering too-good-to-be-true deals or emails warning that your YouTube/Facebook/X account has been disabled, there is always some new clever technique to convince us to click a malicious link. One of the old standbys in the scammer toolkit is the fake iPhone virus warning, so we’ve recently updated our article about what to do if you see a virus warning on your iPhone.

The Bottom Line: These alerts are fake. iPhones can’t be scanned for viruses, so any pop-up warning that a virus has been detected by a scan is lying. For more, see iPhone Virus Warning: How to Get Rid of Fake Apple Security Alerts (2023)

FBI Warning About NFT Scams

Crime in the NFT marketplace remains extremely common. One example of an NFT-related scam that’s been making the rounds lately has been called out in an FBI Warning. Criminals create social media accounts that appear identical to known NFT creators, then use those accounts to announce a surprise deal, “mint” of new NFTs, or a sale—all places where they use the sense of urgency to trick people into acting quickly. When victims connect to purchase, their accounts are instead drained.

The Bottom Line: NFTs are digital artworks, so if you are interested in trading them, be aware of the artist you are purchasing from, follow them directly and not any look-alike accounts, and always double-check who you are interacting with before making a purchase, especially if the purchase is made to feel urgent.

MacOS App NightOwl Is One for the Trash

NightOwl is an older app, and there’s a good chance you aren’t using it. But this case is still interesting to help understand how potentially unwanted behavior can sneak onto your machine. NightOwl is a little third-party Mac app that swaps your color scheme from light mode to dark mode at sunset. You don’t need any such app anymore because the same functionality is built into your Mac’s operating system. However, people don’t always remove old software they’re not using, and that creates an opportunity for malfeasance.

According to a report by Arol Wright at How-To Geek, the developers of NightOwl sold it to a company called TPE.FYI LLC, who then updated the code of NightOwl to do some uncool things. NightOwl now modifies the computer’s network settings to permit the Mac to serve as a gateway for internet traffic from the company’s affiliates. This means that NightOwl will use the computer’s internet bandwidth and processing resources to do tasks for unknown third parties. Uncool, NightOwl. Uncool.

The Bottom Line: If you happen to be running this app, you should remove it completely. More generally, this demonstrates a common method for sneaking malware onto computers: when an app or extension has grown long in the tooth, the developers may abandon that app or sell it to a third party interested in exploiting the computers where it is installed. It’s a good idea to remove old apps and extensions that you’re not using anymore, and for any non-Apple application you run, consider checking in every few years to make sure it’s still actively supported by a trustworthy team.

Researchers Identify Keystrokes on a MacBook from Audio in a Zoom Call with 93% Accuracy

Researchers at several UK universities have collaborated to produce an AI tool that can listen to the sounds of someone typing on a keyboard in order to identify what they are typing with a high degree of accuracy. Tools similar to this have been around since at least the early 2000s, but this research demonstrates how deep learning AI tools can make them much more accurate and effective. Using such a tool, an attacker could analyze the audio of a Zoom call and recreate any passwords entered by the presenter during the call.

The Bottom Line: In general, avoid typing passwords during any Zoom call or other screen sharing or screen recording event. If you need to type, consider muting your microphone while you do so.

Bug in the Screen-Time App Allows Kids to Bypass Controls

The feature called Downtime, which may be found in the Settings app > Screen Time > Downtime, allows parents and guardians to specify hours of the day when a ward’s iPhone is locked and inaccessible. According to a report from the Wall Street Journal, a bug has been causing the schedules set by some users to revert to previous or default settings.

The Bottom Line: If you use Downtime, consider double checking to make sure it’s still set up how you want it.

Apple Cracks the Whip Over Device Fingerprinting

Apple has updated their developer program guidelines to crack down on device fingerprinting, which is the practice of correlating technical details and usage patterns to identify a particular iPhone or Mac user regardless of that user’s privacy settings. Starting with iOS 17 and MacOS Sonoma, app developers will have to explain to Apple why their app needs a particular class of details about the device or its user. If they can’t give a good answer, they will not be able to upload their app to the App Stores. This adds a hurdle for app developers who wish to track the activity of individuals online and across apps and devices, and it’s consistent with Apple’s general policy of trying to make life as difficult as possible for anyone who wants to pry into the details of Apple’s users. The new rules will improve user privacy even if the user has granted the app permission to track them.

The Bottom Line: You don’t need to take any special action to take advantage of this feature. It’s just better for everyone (except some advertisers).

Android Phones Can Now Detect AirTags

Ever since Apple rolled out their AirTag tracker devices, it’s been possible for a stalker to discreetly plant one on a victim and then learn that person’s location, habits, friends, and much more by following the movement of the hidden AirTag. This was addressed right away for iPhone users–iPhones can detect nearby AirTags, even ones they don’t recognize, and will alert the user if an unknown AirTag is detected traveling with them. However, Android users were still vulnerable to being tracked with an AirTag. To fix this, Apple and Google have teamed up to develop a system to allow Android phones the same protection iPhones have enjoyed in this case: they will pop-up a notification if they notice an AirTag nearby and traveling with them. A very welcome team-up!

The Bottom Line: If you use an AirTag on your keys, then the next time you get in the car with an Android user they may get an alert about your AirTag.

Criminals Have Their Own ChatGPT

For years, we have guarded our inboxes against scam emails and phishing attempts by carefully reading the wording of any suspect email, on the lookout for spelling and grammar errors. These kinds of errors were a common sign of deception because online scammers are often from a different country than their victims, and primarily use a different language. Enter ChatGPT, Google Bard, and the rest of the generative AI systems. These systems can compose grammatically correct prose given only a simple prompt. The creators of these systems have gone to some lengths to work in safeguards so that the systems will refuse to generate scams, phishing emails, or other documents that would be helpful to criminals, but now Wired reports that a version of ChatGPT has been created by criminals, called WormGPT, which strips out those protections, and allows scammers to generate scam emails, and much more.

The Bottom Line: Over the next few years, we should expect the quality of language in scam emails to improve, as well as the tools and techniques that scammers use to try to trick us. Always check the sender’s email address to make sure that it’s from the correct domain, and where possible check links in emails to make sure they point to the correct domains.

Apple Decries Proposed Changes to UK Surveillance Laws

Lawmakers in the UK are working on updating regulations to make it easier for the UK government to monitor encrypted communications traffic, including between iPhone users. In response Apple has threatened to withdraw services, rather than comply.

The Bottom Line: No action is necessary from you. Apple’s commitment to user privacy is on show here, as they push back on any effort to make surveillance of iPhone users easier.

Share Passwords from Your iPhone Using AirDrop

There’s an easy way to securely send a password to someone nearby. This method uses AirDrop to send a copy of your credential, which the other person can save in their iPhone. AirDrop is encrypted and short range, so it doesn’t pass over the internet. Long, complex passwords make your accounts safe, but they can be annoying to read out to someone even if you want to share it. Password sharing with AirDrop solves this problem. You don’t have to read it out, you can just send it straight to their device. This makes it easy to set up your accounts and your Wi-Fi with passwords that would be difficult to repeat out loud, but would also be strong and secure and difficult to guess.

To share passwords with AirDrop, open Settings > Passwords, then authenticate your identity by with Face ID, Touch ID, or by entering your passcode. From there, select a password from your vault and tap it. Select AirDrop. If you don't see the AirDrop option, tap the Share icon at the top of the screen instead. Tap the contact or device you want to share your password with.

Next month, I'll be back to show you how to share passwords using iCloud so that the password stays up to date for both parties, a feature that should be released with iOS 17 in September.