
Apple security and privacy


Ric Ford

MacInTouch
Here's a description of some issues involved with Apple's T2 security/storage processor:
CrystalIDEA said:
Fan control on Apple computers equipped with T2 chip on Windows (via Boot Camp)

... The introduction of the new T2 security chip makes it currently impossible for [our] app to work under Windows (iMac Pro and MacBook Pro 2018). ... It seems that the T2 chip blocks access to SMC under Windows, while SMC is essential to get sensors values and fans info.

We confirmed the problem ourselves on both iMac Pro and MacBook Pro 2018. Unfortunately, we believe it won’t be solved in the future, though there’s a GitHub issue.

PS. There’s another restriction of the T2 chip not related to the app: it’s currently not possible to install any 3rd-party operating system except Windows 10 on Apple computers equipped with the T2 chip (earlier some enthusiasts installed Linux). The T2 chip makes it impossible to see the internal drive; Apple generously made an exception only for Windows 10 (but only if you install it via Boot Camp).
 


Ric Ford

MacInTouch
Apple has an unpatched security hole in today's iOS 13.1 release, but the company promises to provide a fix at some unspecified point in the future.
Apple Support said:
https://support.apple.com/en-us/HT210613
An upcoming software update will fix an issue that impacts third-party keyboard apps. ... Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven't approved this access.
 


Ric Ford

MacInTouch
Just a heads-up: While setting up an iPad with iPadOS, I got tricked by Apple into enabling 2FA for an Apple ID I had not wanted to convert to 2FA — part of a long, repetitive, convoluted, laborious, confusing process involving multiple Apple devices I happen to own and all kinds of authentication hoops and ladders....

It does appear that an Apple email following the conversion offers some means of reverting within a limited amount of time.

P.S. It's actually even worse. It appears that some devices are set up with 2FA while others are not, despite sharing a single Apple ID. I thought 2FA was a property of an Apple ID, not a device. Is it a property of combinations of the two? Talk about confusing...
 


Ric Ford

MacInTouch
Here are some more things iPadOS installation did without notification or permission:
  • turned on Bluetooth (previously off)
  • turned on Siri Suggestions for Safari (previously off)
  • turned on iCloud sync for Shortcuts (not previously installed)
  • turned on "Show Apple Music"
  • forced two-factor authentication
  • enabled "Significant Locations" tracking
  • tried to force updates to other devices — "your devices need upgrading"...
  • uses AI to analyze personal photos (and other personal information)
#privacy #security
 



Here are some more things iPadOS installation did without notification or permission:
  • turned on Bluetooth (previously off)
  • turned on Siri Suggestions for Safari (previously off)
  • turned on iCloud sync for Shortcuts (not previously installed)
  • turned on "Show Apple Music"
  • forced two-factor authentication
  • enabled "Significant Locations" tracking
  • tried to force updates to other devices — "your devices need upgrading"...
  • uses AI to analyze personal photos (and other personal information)
#privacy #security
I don't know what I find most disconcerting; did they do this on purpose or by accident? The fact that they flipped all those bits on your device, but not on mine, or that previous installs have flipped many bits on my devices but not on others. WTF?
 


I thought 2FA was a property of an Apple ID, not a device.
2FA protects your Apple ID and once you use it to allow use of your Apple ID on that device, it becomes "trusted" and can then be used by subsequent requests to authenticate any future 2FA needs.
 


Here are some more things iPadOS installation did without notification or permission:
  • turned on Bluetooth (previously off)
  • turned on Siri Suggestions for Safari (previously off)
  • turned on iCloud sync for Shortcuts (not previously installed)
  • turned on "Show Apple Music"
  • forced two-factor authentication
  • enabled "Significant Locations" tracking
  • tried to force updates to other devices — "your devices need upgrading"...
  • uses AI to analyze personal photos (and other personal information)
#privacy #security
For what it's worth, 13.1 did not turn on Bluetooth on my 11-inch iPad Pro, nor did it force TFA on a secondary Apple ID (my primary already has it).

I didn't receive any messaging that my iPhone also needed updating, but maybe that's because it was already at 13.0.

But as Will Blume points out, who knows what criteria determine which way the bits flip? Does Apple document such things, even internally?
 


I don't know what I find most disconcerting; did they do this on purpose or by accident? The fact that they flipped all those bits on your device, but not on mine, or that previous installs have flipped many bits on my devices but not on others. WTF?
I suspect (based on no facts, but an idea of how software is often developed) that there's some kind of audit of configuration files and any files determined to be corrupt were replaced with factory-default config files.

Of course, this then begs the question about what could have corrupted them or what the nature of the corruption actually is. I can think of lots of possibilities, including:
  1. File not readable
  2. File is syntactically invalid
  3. Parameter set to illegal value (was a feature removed?)
  4. Parameter set to unsupported value (enabled an undocumented feature?)
  5. Illegal parameter found (deleted feature?)
  6. Unsupported parameter found (undocumented feature?)
If I was writing the updater, I'd replace the file (after generating a warning and making a backup copy of the original) for cases 1 and 2. I'd probably revert the specific parameter to a default (and generate a warning and backup) for cases 3 and 5. I'd probably do nothing (but maybe issue a warning) for cases 4 and 6.

FWIW, when Linux packages get updated and a configuration file is different from the default, one of the following is usually done:
  • Put the default file, with a new name (e.g. foo_config.rpmnew) in the directory with the existing file
  • Rename the original file (e.g. foo_config.rpmsave), replacing it with the new default
  • Ask the user what to do - keep the original, keep the new one, or provide a means to manually edit it so the changes can be incorporated.
Of course, none of this should ever actually be an issue on a system like iOS where there is no way to manually edit the configuration files....
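As an added illustration of the audit policy sketched in this post (this is example code, not anything from the post's author, from Apple, or from any package manager): a small Python audit that classifies a JSON settings file into the six cases listed above and applies the replace / revert / warn-only policy, writing a backup copy of the original before changing anything, in the spirit of the .rpmsave convention. The schema, defaults, lists of undocumented parameters and values, file names and sample configs are all constructed for the example; a parameter that is simply missing from the file is deliberately left alone, since the post lists no such case.

```python
"""Config-file audit following the six-case policy: replace the file for
cases 1-2, revert the parameter for cases 3 and 5, warn only for 4 and 6."""
import json
import shutil
import tempfile
from pathlib import Path

# Hypothetical schema, constructed for this example: documented parameters,
# the values they accept, and the factory defaults written on replace.
SCHEMA = {
    "bluetooth": {"on", "off"},
    "siri_suggestions": {"on", "off"},
    "two_factor": {"on", "off"},
}
DEFAULTS = {"bluetooth": "off", "siri_suggestions": "off", "two_factor": "off"}
# Known-but-undocumented parameters and values: tolerated with a warning (cases 4 and 6).
UNDOCUMENTED_PARAMS = {"debug_telemetry"}
UNDOCUMENTED_VALUES = {"bluetooth": {"le_only"}}


def _backup(path: Path) -> Path:
    """Copy the original aside before touching it (the .rpmsave idea)."""
    backup = path.with_name(path.name + ".orig")
    shutil.copy2(path, backup)
    return backup


def audit_config(path: Path) -> tuple[dict, list[str]]:
    """Audit one config file; return the resulting config and the warnings issued."""
    notes: list[str] = []
    try:
        raw = path.read_text()  # case 1: file missing or unreadable
    except OSError as exc:
        notes.append(f"case 1: {path.name} not readable ({type(exc).__name__}); replaced with defaults")
        path.write_text(json.dumps(DEFAULTS))
        return dict(DEFAULTS), notes
    try:
        config = json.loads(raw)  # case 2: syntactically invalid
        if not isinstance(config, dict):
            raise ValueError("top level is not an object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        _backup(path)
        notes.append(f"case 2: {path.name} invalid ({exc}); backed up and replaced with defaults")
        path.write_text(json.dumps(DEFAULTS))
        return dict(DEFAULTS), notes

    changed = False
    for param, value in list(config.items()):
        if param in SCHEMA:
            if isinstance(value, str) and value in SCHEMA[param]:
                continue
            if isinstance(value, str) and value in UNDOCUMENTED_VALUES.get(param, set()):
                notes.append(f"case 4: {param}={value!r} is unsupported; left as is")
            else:
                notes.append(f"case 3: {param}={value!r} is illegal; reverted to {DEFAULTS[param]!r}")
                config[param] = DEFAULTS[param]
                changed = True
        elif param in UNDOCUMENTED_PARAMS:
            notes.append(f"case 6: parameter {param!r} is unsupported; left as is")
        else:
            notes.append(f"case 5: parameter {param!r} is illegal; removed")
            del config[param]
            changed = True
    if changed:
        _backup(path)  # keep the user's original before rewriting the file
        path.write_text(json.dumps(config))
    return config, notes


def demo() -> dict[str, tuple[dict, list[str]]]:
    """Run the audit over constructed sample files that cover all six cases."""
    samples = {
        "valid.json": json.dumps(DEFAULTS),
        "invalid.json": '{"bluetooth": "off",',  # case 2: truncated JSON
        "mixed.json": json.dumps({
            "bluetooth": "le_only",       # case 4: undocumented value
            "siri_suggestions": "maybe",  # case 3: illegal value
            "two_factor": "off",
            "debug_telemetry": 1,         # case 6: undocumented parameter
            "legacy_flag": True,          # case 5: illegal parameter
        }),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in samples.items():
            (root / name).write_text(body)
        for name in list(samples) + ["missing.json"]:  # missing.json is case 1
            results[name] = audit_config(root / name)
    return results


if __name__ == "__main__":
    for name, (config, notes) in demo().items():
        print(name, config, *notes, sep="\n  ")
```

The policy choice that matters for the thread's complaint is the split between "revert" and "warn only": a value the validator merely does not recognise (case 4) is left alone, so a user's deliberate setting survives the update, while only values the schema actively forbids get reset, and even then a backup is written first.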
 


Ric Ford

MacInTouch
Same here, Ric. I had it turned off and, after updating to iOS 13.1, it was turned back on.
Not here - this time... Apple updates have been flipping Preferences back to their preferences for so long, I have a habit of just running through them all after updates just in case.
Me, too. Apple Cash, Game Center and a new thing called "Allow Payments on Mac." Turned them all off.
Here are some more things iPadOS installation did without notification or permission...
I suspect (based on no facts, but an idea of how software is often developed) that there's some kind of audit of configuration files and any files determined to be corrupt were replaced with factory-default config files. Of course, this then begs the question about what could have corrupted them or what the nature of the corruption actually is.
I should have been more clear. I started by clean-installing iOS 12 on an iPad 6 (General > Reset > Erase all content and settings), then went through all settings and configured them as much as possible for privacy and security, then installed iOS 13.1 and rechecked preferences (after jumping through a great many hoops, e.g. for 2FA). I may have missed some detail somewhere but it seems pretty clear that Apple’s changing some (but not all) settings behind our backs.
 


Ric Ford

MacInTouch
Glenn Fleishman tries to explain confusing Apple security behavior:
TidBITS said:
Why Apple Asks for Your Passcode or Password with a New Login (and Why It’s Safe)
If you’ve set up or restored an Apple device recently and have two-factor authentication enabled on your Apple ID, you may have seen a message during configuration that defies your understanding of how Apple maintains device privacy and account security.

The message reads something like, “Enter Mac Password. Enter the password you use to unlock the Mac ‘name here’. This password protects your Apple ID, saved passwords, and other data stored in iCloud. Your password is encrypted and cannot be read by Apple.” The prompt might instead ask for your iPhone or iPad passcode.

Doesn’t this seem contradictory, confusing, and just plain wrong? Why would Apple ask for the password or passcode for one of your other devices? Could it be some sort of scam? What exactly is going on here?
 


Ric Ford

MacInTouch
Here's important information from Apple about iCloud and encryption, noting that 2FA is a prerequisite for end-to-end-encryption:
Apple Support said:
iCloud security overview
... For certain sensitive information, Apple uses end-to-end encryption. This means that only you can access your information, and only on devices where you’re signed into iCloud. No one else, not even Apple, can access end-to-end encrypted information.

In some cases, your iCloud data may be stored using third-party partners’ servers—such as Amazon Web Services or Google Cloud Platform—but these partners don’t have the keys to decrypt your data stored on their servers.

End-to-end encryption requires that you have two-factor authentication turned on for your Apple ID. Keeping your software up-to-date and using two-factor authentication are the most important things that you can do to maintain the security of your devices and data.
 


I should have been more clear. I started by clean-installing iOS 12 on an iPad 6 (General > Reset > Erase all content and settings), ... then installed iOS 13.1...
I may be mistaken, I thought once a new major version was released, that that was the only version available for an iOS device, provided the newest version supported said device. I'd be happy to be mistaken as I missed the 12.4.1 update on a couple iOS 12 devices.
 


Ric Ford

MacInTouch
I may be mistaken, I thought once a new major version was released, that that was the only version available for an iOS device, provided the newest version supported said device. I'd be happy to be mistaken as I missed the 12.4.1 update on a couple iOS 12 devices.
When a new iOS release enters Apple distribution, the previous version remains valid for a short period of time until Apple suddenly stops "signing" it.

Another question is: how does Apple's reset procedure determine which iOS release you get when more than one is currently being signed? (Another question is how this works for devices that are incompatible with the latest iOS/iPadOS.)

In addition to all that, there are some extra features/options that may be available via something like iMazing.

 


Ric Ford

MacInTouch
Apple issued another big batch of critical security updates today, as well as some descriptions of its previous patches.

I don't see a security update for Apple Watch users who want to stay with watchOS 5 in order to avoid watchOS 6's requirement of updating the linked iPhone to iOS 13.

Name and information link | Available for | Release date
macOS Mojave 10.14.6 Supplemental Update 2, Security Update 2019-005 High Sierra, Security Update 2019-005 Sierra | macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.6 | 26 Sep 2019
watchOS 5.3.2 | Apple Watch Series 1 and Apple Watch Series 2 | 26 Sep 2019
iOS 12.4.2 | iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation | 26 Sep 2019
iOS 13.1 and iPadOS 13.1 | iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation | 24 Sep 2019
Safari 13.0.1 | macOS Mojave 10.14.6 and macOS High Sierra 10.13.6 | 24 Sep 2019
Apple TV Software 7.4 (this update has no published CVE entries) | Apple TV (3rd generation) | 24 Sep 2019
tvOS 13 | Apple TV 4K and Apple TV HD | 24 Sep 2019
Xcode 11.0 | macOS Mojave 10.14.4 and later | 20 Sep 2019
watchOS 6 | Apple Watch Series 3 and later (Apple Watch Series 1 and 2 will support watchOS 6 later this year) | 19 Sep 2019
 


And Apple Cash was turned on.
I didn't see any more problems this morning on MacInTouch so I did the iOS 12 to iOS 13.1 update. I went through most of the Settings, and it turned on a long list of things I didn't want on.

I don't use Siri or iCloud at all, and I would love to know how to make iOS stop asking me to sign in, which it has been doing for months.

Here is a partial list, mostly trying to push/draw me further into Apple's maze or quagmire or whatever it is. Gotta give Apple credit for being inconsistent. I think they put in different changes for different devices just to keep people guessing.

iPhone 7
  • Turned on Bluetooth
  • Turned on iCloud Drive for Shortcuts, Numbers, Pages
  • Turned on Apple Cash, and worse, turned on "Allow Access When Locked"
  • Turned on Auto-Play Message Effects and Video Previews in Accessibility
  • Turned on Siri Suggestions for Messages, Find My, Mail, Phone, Safari, Shortcuts
  • Safari turned on "Ask" for camera and microphone and location when I had set them to Deny.
  • Switched from Document Storage to iCloud for Numbers and Pages and Shortcuts
iPad Air 2 from iOS 12 to 13.1 turned on:
  • AirDrop
  • Bluetooth
  • Notifications for iTunes Store
  • Turned on Apple Cash
  • in Accessibility, turned on Auto-Play Message Effects and Video Previews
  • in Siri and Search
    • Find My and Shortcuts turned on Learn from this App, Show in Search, Suggest Shortcuts
    • turned on Show Siri Suggestions in Find My, Mail, Messages, Reminders, Safari, Tips
  • Reminders turned on Today Notification
  • Maps turned on Weather Conditions
  • Safari turned on "Ask" for Camera, Microphone, Location
  • Shortcuts turned on iCloud Sync and Sync Shortcut Order
I did the iOS 12.4.2 update for iPhone 6 Plus, and the only thing it turned on was iCloud for Numbers. I still had to wade through all the Settings.
 


Ric Ford

MacInTouch
When a new iOS release enters Apple distribution, the previous version remains valid for a short period of time until Apple suddenly stops "signing" it.
But, now we're in a nasty situation with Apple security updates:

If you have an iPhone running iOS 12.4.1, you need a security update today to patch a serious vulnerability, and that patch is included in iOS 12.4.2, but Apple won't let you choose that update. Instead, to get this critical security patch, you have to update to iOS 13.1. iOS 12.4.2 is only available for older Apple devices that can't run iOS 13.

Jumping iOS 12 to iOS 13 is a major change that, obviously, not everyone wants to do immediately, but they can't get the security fix unless they do.

And it looks like the Apple Watch security update also forces an update to watchOS 6 and thus iOS 13 (for newer devices).
 


But, now we're in a nasty situation with Apple security updates:
If you have an iPhone running iOS 12.4.1, you need a security update to patch a serious vulnerability, and that patch is included in iOS 12.4.2, but Apple won't let you choose that update! Instead, to get this critical security patch, you have to update to iOS 13.1.
So I can update my iPhone 5s to 12.4.2 (and I will) but have to update my iPhone SE to 13.1 (which I won't... yet).
 


Ric Ford

MacInTouch
2015 MacBook Pro 15", running macOS Sierra, after the second Security Update 2019-004 Sierra (SecUpd2019-004Sierra.dmg, created Jul 29, 2019, 9:00 PM):
Model Identifier: MacBookPro11,4
Boot ROM Version: 194.0.0.0.0
SMC Version (system): 2.29f24
System Version: macOS 10.12.6 (16G2128)
Kernel Version: Darwin 16.7.0
2015 MacBook Pro 15" after Security Update 2019-005 Sierra:
Model Identifier: MacBookPro11,4
Boot ROM Version: 194.0.0.0.0
SMC Version (system): 2.29f24
System Version: macOS 10.12.6 (16G2136)
Kernel Version: Darwin 16.7.0
 


Running macOS 10.14.6 with "automatic updates" and "automatic downloads" turned off:

Due to yesterday’s security update release, I just got a notification in the top right today saying something along the lines of "A new update is available. Click Restart to install" with two options "Restart" and "Later". (So ‘Restart’ isn't actually restart, it's download + restart, right?)

Clicking "Later" offered various options, so I chose "Remind me tomorrow." Immediately, a new notification appears stating "Automatic updates have been turned ON" with two options "OK" and "Turn Off".

So ‘Remind me tomorrow’ is not actually remind me, but switch something on I never asked for and install an update automatically at some point in the future which, I guess, might not be tomorrow, but, maybe, an hour later while I'm in the middle of working?

[expletives deleted]
 


Running macOS 10.14.6 with "automatic updates" and "automatic downloads" turned off:

Due to yesterday’s security update release, I just got a notification in the top right today saying something along the lines of "A new update is available. Click Restart to install" with two options "Restart" and "Later". (So ‘Restart’ isn't actually restart, it's download + restart, right?)

Clicking "Later" offered various options, so I chose "Remind me tomorrow." Immediately, a new notification appears stating "Automatic updates have been turned ON" with two options "OK" and "Turn Off".

So ‘Remind me tomorrow’ is not actually remind me, but switch something on I never asked for and install an update automatically at some point in the future which, I guess, might not be tomorrow, but, maybe, an hour later while I'm in the middle of working?

[expletives deleted]
Could the Mac somehow have misread what you clicked on? I've seen that seem to happen a few times lately, and thought I might have misread or clicked on the wrong spot, but I have also seen similar things happen if the Mac is busy doing something in the background and hasn't caught up with what else you're doing.

Definitely very aggravating in any case.
 


Could the Mac somehow have misread what you clicked on? I've seen that seem to happen a few times lately, and thought I might have misread or clicked on the wrong spot, but I have also seen similar things happen if the Mac is busy doing something in the background and hasn't caught up with what else you're doing.
Definitely very aggravating in any case.
I am ultra-careful about what I click on, especially with these sorts of notifications, as Apple has played all sorts of tricks before. This one is new to me, though. I don't ever remember a software update notification offering me the immediate option of "Restart" (I do not have automatically download updates turned on).

And whatever I've done before (which is, either clicking on the text of the notification – which simply takes you to App Store > Updates / System Preferences > Software Update – or choosing Later > Remind me tomorrow) has never, ever immediately turned on "automatic updates"!
 


Ric Ford

MacInTouch
Here's a look at Apple's new alternative to Facebook/Google sign-ins:
Juli Clover said:
Sign in with Apple: What It Is and How It Works
Apple in iOS 13 introduced a new Sign in with Apple feature, which is designed to let you create accounts for apps and websites using your Apple ID, so you don't have to give away your personal information. Sign in with Apple is an alternative to the existing sign in with Google and Facebook options that apps and websites often offer.
 


So ‘Restart’ isn't actually restart, it's download + restart, right?
No, it means that it has already been downloaded to /Library/Updates and agreeing to it will cause a restart after the displayed amount of seconds.

There has been one occasion back in 2014 with a network time protocol vulnerability where Apple forced a security update download, so they do have that capability, but I haven't heard any other reports about this one.
 


Ric Ford

MacInTouch
Here's some critical information about Apple's latest security patches:
Sophos said:
Apple users, patch now! The ‘bug that got away’ has been fixed
... we urged you, back in August 2019, to double-check that you were patched up to iOS 12.4 – it’s risky to be unpatched at any time, let alone after exploit code is available to anyone who cares to download it.

Interestingly, Google deliberately kept quiet about CVE-2019-8641 at the time, noting that Apple’s fix “did not fully remediate the issue”. It looks as though the Project Zero researchers were right, because Apple’s latest slew of updates include a fix...

... Given that the headline bug in this round of patches could be abused to inject malicious code from a distance – what’s known as RCE, or Remote Code Execution – without waiting for you to click or approve anything, we recommend doing an update check right now.
 


No, it means that it has already been downloaded to /Library/Updates and agreeing to it will cause a restart after the displayed amount of seconds.
There has been one occasion back in 2014 with a network time protocol vulnerability where Apple forced a security update download, so they do have that capability, but I haven't heard any other reports about this one.
I'm sorry but that's just plain wrong on Apple's side (and clearly we've been here before). It does not matter how important the update is, I specifically don't have "automatically download updates" on, and force-downloading content to my computer is totally wrong! Free U2 music [see here] I can just about live with, but force-downloading software after explicitly denying it is #BadApple. Very bad. :-(
 


Ric Ford

MacInTouch
I feel like there's been a little too much Apple security "fun" lately....
ZDNet said:
New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips
A security researcher has released today a new jailbreak that impacts all iOS devices running on A5 to A11 chipsets -- chips included in all Apple products released between 2011 and 2017. This includes iPhone models from 4S to 8 and X.

The jailbreak uses a new exploit named Checkm8 that exploits vulnerabilities in Apple's Bootrom (secure boot ROM) to grant phone owners full control over their device.

... Bootrom jailbreaks are very rare. They are the most highly sought after jailbreaks because they are permanent and can't be patched. Fixing any Bootrom vulnerability requires a silicon revision, meaning physical modifications to device chipsets, something that no company can fix without callbacks or mass replacements. In effect, this is a permanent jailbreak that will work in perpetuity.
 


Ric Ford

MacInTouch
Apple has an unpatched security hole in today's iOS 13.1 release, but the company promises to provide a fix at some unspecified point in the future.
Apple Support said:
https://support.apple.com/en-us/HT210613
An upcoming software update will fix an issue that impacts third-party keyboard apps. ... Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven't approved this access.
And the fix is now in:
Apple said:
About the security content of iOS 13.1.1 and iPadOS 13.1.1
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation
 

