
How to turn off location tracking on iOS and iPadOS

29 May 2024 at 12:04

On iOS and iPadOS, location services are typically turned on when you first set up your device. However, there may be reasons why you don’t want your device to be located, perhaps because you don’t want to be found but need to keep the device with you.

There are a few options to hide your location from prying eyes.

Please note: I will only mention iOS from here on, but the instructions are almost the same for iPadOS.

Turn off location services by app

Some apps will not work properly without location services, but it’s certainly worth checking which ones are actually using them.

  • Go to Settings > Privacy & Security > Location Services.
  • If Location Services is on, you will see a list of apps with permissions.
  • Scroll down to select an app.
  • Now you can tap the app and select an option of Never, Ask Next Time Or When I Share, While Using the App, or Always.
  • From here, apps should provide an explanation of how they will use your location information. Some apps might offer only two options.

Turn location services off entirely

You can turn Location Services on or off at Settings > Privacy & Security > Location Services. Move the slider control to the left to turn Location Services off.

Note that turning Location Services off will also disable the Find My feature for the device.

Turn off Find My iPhone

Find My iPhone allows a user to track their devices. It allows you to locate the device from another device, make it play a sound if you are close, and even remotely erase your device if you suspect it has fallen in the wrong hands.

To disable Find My iPhone:

  • Go to Settings
  • Select your account name.
  • Choose Find My
  • Turn the feature off. You will need to enter your iCloud password.

An iPhone can still be tracked in some cases, even if it is in Airplane Mode. The only way tracking is not possible is to turn the iPhone off completely.  And even then, since iOS 15, iPhone models 11 and up will transmit their location even when powered off if the Find My Network is enabled in your settings.

To turn off Find My network:

  • Go to Settings
  • Select your account name.
  • Choose Find My
  • Turn Find My network off.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

How to remove a user from a shared Mac

21 May 2024 at 16:08

There will be times when you need to remove a user from a device. In this article we’ll show you how to remove a user from a Mac.

To start, it helps to understand the difference between an actual user of the device and a “sharing only user.” On a Mac, you can use Sharing Only User settings to create a user that has access to your files and folders over the network. You can also use these settings to limit their access to your shared information and system.

Both have very similar ways of removal:

  • Apple menu > System Settings
  • Click Users & Groups in the sidebar. (You may need to scroll down.)
  • Click the Info button next to the user or group you want to delete, then click Delete User or Delete Group. Note: If a user is logged in to this Mac now, you can’t select them.

This will delete sharing users immediately. For other users you’ll have to decide what you want to do with their Home folder first. You can delete it, keep it, or save it in a disk image.

  • To save it in a disk image, select Save the home folder in a disk image, then click Delete User. This archives all the user’s documents and information so the user can be restored later if needed. The disk image is saved in /Users/Deleted Users/.
  • To leave the user’s home folder as is, select Don’t change the home folder, then click Delete User. The user’s documents and information are saved and the user can be restored later if needed. The Home folder remains in /Users/.
  • To remove the user’s home folder from the computer: Select Delete the home folder, then click Delete User. The user’s folder will be deleted.

If you don’t delete a user’s home folder, you can restore the user and the contents of the home folder. (A sharing-only user doesn’t have a home folder.)



Why Your Wi-Fi Router Doubles as an Apple AirTag

21 May 2024 at 12:21

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API will return the geolocations of up to 400 more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.

UMD Associate Professor David Levin and Ph.D student Erik Rye found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the Institute of Electrical and Electronics Engineers (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

A heatmap of Starlink routers in Ukraine. Image: UMD.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.

“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.

Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.

UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:

“In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.

Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending “_nomap” to the network’s name.

Asked about the changes, Apple said they have respected the “_nomap” flag on SSIDs for some time, but that this was only called out in a support article earlier this year.

Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”

A copy of the UMD research is available here (PDF).

Update, May 22, 4:54 p.m. ET: Added response from Apple.
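The two mitigations the article describes, the “_nomap” SSID suffix and BSSIDs that are not fixed manufacturer-assigned addresses, can be checked across an inventory of your own access points. The following is an added example, not code from the article or the UMD paper; the inventory entries, function names and verdict strings are constructed for illustration, and it assumes the opt-out suffix is matched exactly and that randomized BSSIDs set the locally administered bit.

```python
"""Audit a Wi-Fi inventory for exposure to Wi-Fi positioning databases.

Added example: the inventory below is constructed sample data.
"""
import re

NOMAP_SUFFIX = "_nomap"   # opt-out suffix described in the article
MAX_SSID_BYTES = 32       # SSID length limit in IEEE 802.11

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def parse_bssid(text):
    """Return the six raw bytes of a colon- or hyphen-separated BSSID."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    raw = bytes.fromhex(re.sub(r"[:-]", "", text))
    if raw[0] & 0x01:
        # The group bit marks multicast addresses, which are never BSSIDs.
        raise ValueError(f"multicast address cannot be a BSSID: {text!r}")
    return raw


def is_locally_administered(raw):
    """True when the U/L bit (0x02 of the first octet) is set.

    Assumption: randomized BSSIDs are drawn from the locally administered
    space. The bit alone does not prove the address rotates; a static
    locally administered BSSID is still trackable, so compare snapshots.
    """
    return bool(raw[0] & 0x02)


def suggest_opt_out_ssid(ssid):
    """Return the SSID with the opt-out suffix, or None if it will not fit."""
    if ssid.endswith(NOMAP_SUFFIX):
        return ssid
    candidate = ssid + NOMAP_SUFFIX
    if len(candidate.encode("utf-8")) > MAX_SSID_BYTES:
        return None  # the name must be shortened before the suffix fits
    return candidate


def audit_access_point(ssid, bssid_text):
    """Classify one access point by opt-out status and BSSID type."""
    raw = parse_bssid(bssid_text)
    opted_out = ssid.endswith(NOMAP_SUFFIX)
    vendor_assigned = not is_locally_administered(raw)
    if opted_out:
        verdict = "opted out"
    elif vendor_assigned:
        verdict = "indexable, vendor-assigned BSSID"
    else:
        verdict = "indexable, locally administered BSSID"
    return {
        "ssid": ssid,
        "bssid": bssid_text,
        "opted_out": opted_out,
        "vendor_assigned_bssid": vendor_assigned,
        "suggested_ssid": suggest_opt_out_ssid(ssid),
        "verdict": verdict,
    }


# Constructed inventory: (SSID, BSSID) pairs, not real networks.
SAMPLE_INVENTORY = [
    ("HomeNet", "00:00:5E:00:53:10"),
    ("CamperVan_nomap", "00-00-5e-00-53-11"),
    ("Phone hotspot", "DA:A1:19:00:53:01"),
    ("Marina-Guest-WiFi-Dock-North-5G", "00:00:5E:00:53:12"),
]


def audit_inventory(inventory):
    """Audit every (ssid, bssid) pair in the inventory."""
    return [audit_access_point(ssid, bssid) for ssid, bssid in inventory]


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        rename = finding["suggested_ssid"] or "shorten the name first"
        print(f'{finding["ssid"]:34} {finding["verdict"]:40} -> {rename}')
```
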

Detecting Malicious Trackers

21 May 2024 at 07:09

From Slashdot:

Apple and Google have launched a new industry standard called “Detecting Unwanted Location Trackers” to combat the misuse of Bluetooth trackers for stalking. Starting Monday, iPhone and Android users will receive alerts when an unknown Bluetooth device is detected moving with them. The move comes after numerous cases of trackers like Apple’s AirTags being used for malicious purposes.

Several Bluetooth tag companies have committed to making their future products compatible with the new standard. Apple and Google said they will continue collaborating with the Internet Engineering Task Force to further develop this technology and address the issue of unwanted tracking.

This seems like a good idea, but I worry about false alarms. If I am walking with a friend, will it alert if they have a Bluetooth tracking device in their pocket?

[updated] Deleted iPhone photos show up again after iOS update

16 May 2024 at 09:06

iPhone owners are reporting that photos they’d deleted are now back on their phones, after updating to iOS 17.5.

With so many users reporting similar oddities, it would seem something went wrong, or at least differently than expected. Here are some examples from Reddit:

“When in conversation with my partner, I went to send a picture and saw that the latest pictures were nsfw material we’d made years ago”

“I have four pics from 2010 that keep reappearing as the latest pics uploaded to iCloud. I have deleted them repeatedly.”

“Same thing happened to me. Six photos from different times, all I have deleted. Some I had deleted in 2023.”

When you delete a photo from an iPhone or iPad, it goes into a “Recently deleted” album for up to 30 days to make it easy to recover if the photo is accidentally deleted. However, the above examples vastly exceed this timeframe, and it’s unclear exactly what’s happened here.

When you delete a file, actually all that happens is you remove the pointer that tells you where exactly the file is located. This makes it hard to find, but not impossible. Until the system uses the location of the deleted file and replaces it with other data, the file can be retrieved.

Apple’s last update for iOS 17.5 and iPadOS 17.5 came out on Monday with a warning to update your iPhone as soon as possible. That’s because iOS 17.5 fixes 15 security vulnerabilities, some of which are serious. Please don’t let this article stop you from installing the update, but it’s good to be prepared for some unexpected behavior.

At the time of writing, Apple hasn’t commented on the issue.

Update May 21

Apple issued a fix in iOS and iPadOS 17.5.1. This update “addresses a rare issue where photos that experienced database corruption could reappear in the Photos library even if they were deleted.” It must be a first time that a “database corruption” leads to the return of deleted data. All I’ve ever known them to do was misplace data that was still needed.

We’ll keep you posted if we find out more.



Apple and Google join forces to stop unwanted tracking

15 May 2024 at 07:58

Apple and Google have announced an industry specification for Bluetooth tracking devices which help alert users to unwanted tracking.

The specification, called Detecting Unwanted Location Trackers, will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them.

The alert would be pushed to the user’s device and would say “[Item] Found Moving With You.”

In many cases “[Item]” might well actually be an AirTag.

AirTags’ intended use is to let you easily track things like your keys, wallet, purse, backpack, luggage, and more. You can simply set it up with your iPhone, iPad, or iPod touch, attach it somewhere, and the AirTag will show up in your Find My app. However, AirTags have long been associated with this unwanted tracking, which is something Apple apparently did not foresee and has been working to make harder.

Apple’s first step to discourage unwanted tracking was the “Tracking Notifications” option in the Find My app. This feature is available on iOS or iPadOS 14.5 or later.

Android introduced a similar “unknown tracker alert” to find trackers placed near you or in your belongings without your knowledge or consent.

With the new capability that both tech giants have pushed, users will now get the alert, regardless of the platform the device is paired with. If a user gets such an alert on their device, it means that someone else’s Bluetooth tracker is moving with them.

Android and iPhone users can view the tracker’s identifier, have the tracker play a sound to help locate it, and access instructions to disable it. Bluetooth tag manufacturers including Chipolo, eufy, Jio, Motorola, and Pebblebee have all said that future tags will be compatible.

Apple and Google will continue to work with the Internet Engineering Task Force via the Detecting Unwanted Location Trackers working group to develop the official standard for this technology.



Apple warns people of mercenary attacks via threat notification system

11 April 2024 at 15:51

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against state-sponsored attacks” to “About Apple threat notifications and protecting against mercenary spyware.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

  • Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
  • Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

How to stay safe

Apple advises iPhone users to:

We’d like to add:

  • Use an anti-malware solution on your device.
  • If you’re not sure about something that’s been sent to you, verify it with the person or company via another communication channel.
  • Use a password manager.


MFA bombing taken to the next level

29 March 2024 at 12:45

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Brian Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim received a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.
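For teams that run their own push-based MFA, the pattern described above (a flood of rejected or ignored prompts, sometimes ending in an approval) can be detected from authentication logs. The following is an added example, not code from the article or from Apple; the log format, field names, window and threshold are assumptions, and the log lines are constructed.

```python
"""Flag MFA push-bombing patterns in an authentication log.

Added example: the log format and all entries are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed rejected prompts that count as a burst

# Hypothetical line format: "<ISO timestamp> user=<name> action=<result>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(deny|timeout|approve)$")

SAMPLE_LOG = """\
2024-03-29T09:00:00 user=bob action=deny
2024-03-29T09:00:40 user=bob action=approve
2024-03-29T10:00:00 user=carol action=deny
2024-03-29T10:40:00 user=carol action=deny
2024-03-29T11:00:00 user=alice action=deny
2024-03-29T11:00:20 user=alice action=deny
2024-03-29T11:00:45 user=alice action=timeout
2024-03-29T11:01:10 user=alice action=deny
2024-03-29T11:01:30 user=alice action=deny
2024-03-29T11:02:00 user=alice action=deny
2024-03-29T11:02:30 user=alice action=approve
2024-03-29T11:20:00 user=carol action=deny
2024-03-29T12:00:00 user=carol action=deny
2024-03-29T12:40:00 user=carol action=deny
"""


def detect_push_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert, prompt_count, timestamp) tuples.

    "push-burst" fires once when a user's rejected or ignored prompts
    within the window reach the threshold. "approved-after-burst" fires
    when an approval arrives while such a burst is still in the window,
    which is the outcome the attacker is waiting for.
    Lines are assumed to be in chronological order per user.
    """
    recent = defaultdict(deque)    # user -> times of rejected prompts
    in_burst = defaultdict(bool)   # user -> burst already reported
    alerts = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that are not MFA prompt results
        ts = datetime.fromisoformat(match.group(1))
        user, action = match.group(2), match.group(3)
        queue = recent[user]
        # Drop prompts that have aged out of the look-back window.
        while queue and ts - queue[0] > window:
            queue.popleft()
        if len(queue) < threshold:
            in_burst[user] = False
        if action == "approve":
            if len(queue) >= threshold:
                alerts.append((user, "approved-after-burst", len(queue), ts))
            queue.clear()
            in_burst[user] = False
        else:
            queue.append(ts)
            if len(queue) >= threshold and not in_burst[user]:
                in_burst[user] = True
                alerts.append((user, "push-burst", len(queue), ts))
    return alerts


if __name__ == "__main__":
    for user, alert, count, ts in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {user}: {alert} ({count} prompts in window)")
```

An “approved-after-burst” alert is the one to act on first: the session or password reset it authorized should be treated as suspect until the user confirms it.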



How to back up your Mac

29 March 2024 at 09:41

Backing up your Mac computer doesn’t need to be intimidating.

By taking advantage of a user-friendly feature released by Apple several years ago, the entire backup process can be handled almost automatically, preserving your most important files, photos, applications, and emails from cyberthreats and mishaps.

Before starting the backup process, you will need an external storage device that can connect to your Mac with a USB or Thunderbolt cable. External storage devices, which are sometimes called external hard drives, are developed and sold by many different companies, including Lacie, SanDisk, and Western Digital.

If you do not have an external storage device, you must first get one. You should also follow Apple’s recommendation that your external storage device be twice as large as the hard drive of your Mac computer.

To find the hard drive size of your current Mac, open the System Settings app on your computer. On the left-hand rail, click General and then, in the window open to the right, click Storage.

Several statistics and options will be shown.

At the top of the Storage section, the hard drive space is shown. Here, it is 494.38 GB, or 500 GB roughly.

The Mac shown here has 500 GB of internal storage. If we were to back this Mac up, we would need to use an external storage device of 1 TB (terabyte).

Once you have your external storage device, you can begin the actual backup process.

The simplest way to back up your Mac is with the built-in feature “Time Machine.”

First, connect your external storage device to your Mac.

Then, you need to set up that storage device as your “backup disk.” This means that, from this point forward, your external storage device will have one primary use, and that is as a backup device that syncs with Time Machine. Apple recommends that you do not use your external storage device that you are using with Time Machine for anything other than Time Machine backups.

To set up your storage device as your backup disk, follow these instructions:

Go to System Settings.  

Click on General in the left sidebar.

From here, click on Time Machine in the main window displayed to the right.

From the Time Machine menu, click Add Backup Disk or click the “Add” button (+).

From here, select your external storage device and then click Set Up Disk.

At this point in the process, you may receive two options from Time Machine:

  1. If your device has other files on it, you will be asked if you want to erase the device so that it can be used solely as a backup with Time Machine. You can erase the files immediately and then continue the backup process through Time Machine. If you do not want to erase the files, you need to get a separate external storage device that will be used exclusively as a backup with Time Machine.
  2. If your external storage device already has backups from a prior computer, you will be asked whether you want to keep those backups and roll them into new backups made with Time Machine. This is up to you.

From here, the backup process is nearly done.

To make a backup, simply click on Back Up Now from the Time Machine menu.

Your first backup could take a long time to complete, but know that you can continue using your computer like normal while the process happens in the background.

From here on, whenever you attach your external storage device to your Mac, Time Machine will automatically ask to make a backup of the changes to your Mac. You can also change the frequency of your backups in your Time Machine Settings.

How to back up your iPhone to a Windows computer

29 March 2024 at 09:38

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

We’ve published posts on how to back up your iPhone to iCloud, and how to back up an iPhone to a Mac. Another method is to back up using the iTunes app on a Windows system.

Choose whichever backup method works best for you, and will continue to work.

First, connect your iPhone to the Windows system with a cable.

You are likely to see a prompt on your iPhone asking whether it can trust this computer.

prompt on iPad asking to Trust the connected computer

To proceed, tap Trust and enter your passcode.

Enter your passcode to confirm Trust

Then open the iTunes app on your Windows device.

iTunes icon on the PC

In iTunes click the Device symbol in the upper left corner (next to the Music drop down box).

Device symbol in iTunes menu

Note: It may take a while before the device icon appears.

In the Settings of the iTunes app select Summary.

Summary menu item in iTunes settings

You’ll see some device data about your iPhone, and below that a Backups menu.

Here you can select either iCloud or This Computer.

Backup options in the iTunes app with This Computer selected

To create a local backup, select This Computer and click Back Up Now to create a new backup of your iPhone on your Windows system.

To encrypt your backups, select Encrypt local backup, type a password, then click Set Password.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

How to back up your iPhone to a Mac

29 March 2024 at 09:37

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

One of the most cost-effective ways to back up your iPhone is to save backups to your Mac. Backups are made automatically whenever you connect your iPhone to your Mac with a lead. Be aware though that backups can take up a lot of space on your Mac, and that if your Mac is lost, stolen, or inoperable, then you won’t be able to access your iPhone backups. If you need daily backups or backups that can always be accessed from anywhere, you may prefer to back up your iPhone to iCloud.

This guide tells you how to enable backups to your Mac, and how to check that everything is working as you expect.

First, connect your iPhone or iPad to a Mac using a cable.

Open the Finder app and select your iPhone from the list of Locations.

Finder with connected iPhone selected

Click General.

Finder with connected iPhone selected, General tab selected

Under Backups, choose Back up all of the data on your iPhone to this Mac.

Finder with connected iPhone selected, 'Back up all the data on your iPhone to this Mac' selected.

To encrypt your backup data and protect it with a password, select Encrypt local backup. You will be prompted for a password.

Finder with connected iPhone selected, 'Encrypt local backup' highlighted

Click Back Up Now.

Finder with connected iPhone selected, 'Back Up Now' highlighted
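To check that the Encrypt local backup setting described in the Windows and Mac guides actually took effect, here is an added example (not from the original articles or from Apple) that reads the metadata of each local backup. The folder locations and the plist keys `IsEncrypted`, `Device Name` and `Last Backup Date` are assumptions about the usual backup layout, and the sample folders are constructed test data.

```python
import plistlib
import tempfile
from datetime import datetime
from pathlib import Path
from xml.parsers.expat import ExpatError

# Usual backup folders (assumed defaults; adjust if you relocated them).
DEFAULT_ROOTS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",     # Finder on macOS
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",  # iTunes installer on Windows
    Path.home() / "Apple/MobileSync/Backup",                           # iTunes from the Microsoft Store
]


def load_plist(path):
    """Parse an XML or binary plist; return None if it is missing or damaged."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ExpatError, ValueError, plistlib.InvalidFileException):
        return None
    return data if isinstance(data, dict) else None


def audit_backups(root):
    """Return one record per backup folder under root, sorted by folder name."""
    try:
        folders = sorted(p for p in Path(root).iterdir() if p.is_dir())
    except OSError:                    # folder absent or not readable
        return []
    records = []
    for folder in folders:
        manifest = load_plist(folder / "Manifest.plist")
        info = load_plist(folder / "Info.plist") or {}
        if manifest is None:
            status = "unreadable"      # interrupted or damaged backup
        elif manifest.get("IsEncrypted") is True:
            status = "encrypted"
        else:
            status = "UNENCRYPTED"     # flag missing or false
        records.append({
            "folder": folder.name,
            "device": info.get("Device Name", "unknown"),
            "last_backup": info.get("Last Backup Date"),
            "status": status,
        })
    return records


def build_sample(root):
    """Write three constructed backup folders (not real device data)."""
    when = datetime(2024, 3, 29, 9, 37)
    samples = {
        "sample-encrypted": ({"IsEncrypted": True}, plistlib.FMT_BINARY),
        "sample-plain": ({"IsEncrypted": False}, plistlib.FMT_XML),
        "sample-interrupted": (None, None),   # no Manifest.plist at all
    }
    for name, (manifest, fmt) in samples.items():
        folder = Path(root) / name
        folder.mkdir(parents=True)
        with open(folder / "Info.plist", "wb") as fh:
            plistlib.dump({"Device Name": name, "Last Backup Date": when}, fh)
        if manifest is not None:
            with open(folder / "Manifest.plist", "wb") as fh:
                plistlib.dump(manifest, fh, fmt=fmt)


def demo():
    """Audit the constructed sample and return {folder: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {r["folder"]: r["status"] for r in audit_backups(tmp)}


if __name__ == "__main__":
    print("constructed sample:", demo())
    for root in DEFAULT_ROOTS:
        for rec in audit_backups(root):
            print(f'{rec["status"]:<11} {rec["device"]}  {rec["last_backup"]}  {root / rec["folder"]}')
```

On macOS the terminal may need Full Disk Access before it can read the backup folder; without it the script reports nothing for that location.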

How to back up your iPhone to iCloud

29 March 2024 at 09:35

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

The most convenient way to back up your iPhone is to have it back up to iCloud. Backups are made every day, automatically, provided your phone is connected to power and locked. Be aware though that backups can take up a lot of your iCloud storage, and your phone’s data plan if you choose to back up when you aren’t connected to Wi-Fi. If those are likely to be problems for you, you might prefer to back up your iPhone to your Mac.

This guide tells you how to enable backups to iCloud, and how to check that everything is working as you expect.

Open the Settings app.

iPhone home screen

Then tap where you see your name and Apple ID, iCloud+, Media & Purchases.

iPhone settings

Next, tap iCloud.

Apple ID screen

Scroll down and tap iCloud Backup.

iCloud screen

Toggle Back Up This iPhone to on.

iCloud Backup screen with backup option turned off.

This may reveal a Back Up Over Cellular Data or Back Up Over Mobile Data toggle. This creates backups when you aren’t connected to Wi-Fi. Because backups can use a lot of data, toggling this on may cause you to exceed your data plan.

iCloud Backup screen with backup option turned on.

Once you have made a backup, you can access it from this screen under ALL DEVICE BACKUPS.

iCloud Backup screen showing device backups.

You can return to the previous screen by tapping the < iCloud link at the top. This screen shows you how much storage space your backups are using. To see a little more detail, tap Manage Account Storage.

iCloud screen showing account storage

Scroll down the list of apps until you see Backups to see how much storage your backups are using.

Manage account storage screen

Hardware Vulnerability in Apple’s M-Series Chips

28 March 2024 at 07:05

It’s yet another hardware side-channel attack:

The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel’s 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.

[…]

The breakthrough of the new research is that it exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes they confuse memory content, such as key material, with the pointer value that is used to load other data. As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This “dereferencing” of “pointers”—meaning the reading of data and leaking it through a side channel—is a flagrant violation of the constant-time paradigm.

[…]

The attack, which the researchers have named GoFetch, uses an application that doesn’t require root access, only the same user privileges needed by most third-party applications installed on a macOS system. M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster—even when on separate cores within that cluster—GoFetch can mine enough secrets to leak a secret key.

The attack works against both classical encryption algorithms and a newer generation of encryption that has been hardened to withstand anticipated attacks from quantum computers. The GoFetch app requires less than an hour to extract a 2048-bit RSA key and a little over two hours to extract a 2048-bit Diffie-Hellman key. The attack takes 54 minutes to extract the material required to assemble a Kyber-512 key and about 10 hours for a Dilithium-2 key, not counting offline time needed to process the raw data.

The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts. As it’s doing this, it extracts the app secret key that it uses to perform these cryptographic operations. This mechanism means the targeted app need not perform any cryptographic operations on its own during the collection period.

Note that exploiting the vulnerability requires running a malicious app on the target computer. So it could be worse. On the other hand, like many of these hardware side-channel attacks, it’s not possible to patch.

Slashdot thread.

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

26 March 2024 at 11:37

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Some of the many notifications Patel says he received from Apple all at once.

Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.

But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).

“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called PeopleDataLabs.

Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.

“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”

Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the user’s device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the user’s Apple devices.

THE PHONE NUMBER IS KEY

Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.

“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris said. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”

Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.

“I said I would call them back and hung up,” Chris said, demonstrating the proper response to such unbidden solicitations. “When I called back to the real Apple, they couldn’t say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted.”

Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.

Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account — all the while still sitting at the local Apple Genius Bar.

Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the target’s Apple account. After all, that was the only aspect of Chris’s new iPhone and iCloud account that hadn’t changed.

WATCH OUT!

“Ken” is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.

“This recently happened to me in the middle of the night at 12:30 a.m.,” Ken said. “And even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts. Thank god I didn’t press ‘Allow,’ which was the first option shown on my watch. I had to scroll the watch wheel to see and press the ‘Don’t Allow’ button.”

Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the “Don’t Allow” button.

Ken didn’t know it when all this was happening (and it’s not at all obvious from the Apple prompts), but clicking “Allow” would not have allowed the attackers to change Ken’s password. Rather, clicking “Allow” displays a six digit PIN that must be entered on Ken’s device — allowing Ken to change his password. It appears that these rapid password reset prompts are being used to make a subsequent inbound phone call spoofing Apple more believable.

Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.

A recovery key is an optional security feature that Apple says “helps improve the security of your Apple ID account.” It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Apple’s standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.

Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.

KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Apple’s “forgot password” page — https://iforgot.apple.com — asks for an email address and for the visitor to solve a CAPTCHA.

After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.

The password reset page at iforgot.apple.com.

RATE LIMITS

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Apple has not yet responded to requests for comment.

Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at Cisco, Microsoft and Uber. In response, Microsoft began enforcing “MFA number matching,” a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account owner’s Microsoft authenticator app on their mobile device to verify they are logging into the account.

Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he’s convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed “AirDoS” because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop — a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple’s fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple’s rate limit on how many of these password reset requests can be sent in a given timeframe.

“I think this could be a legit Apple rate limit bug that should be reported,” Bagaria said.
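The behaviour the RATE LIMITS section expects from a sanely designed system, shown as an added example rather than Apple’s or Microsoft’s code: at most one unanswered prompt per account, a doubling wait after each refusal or ignored prompt, and number matching so a blind tap on “Allow” approves nothing. The class name, timings and two-digit code are hypothetical choices for illustration.

```python
import hmac
import secrets


class ResetPromptGate:
    """Hypothetical server-side policy for push-based password-reset prompts."""

    def __init__(self, prompt_ttl=120, base_cooldown=60, max_cooldown=86400):
        self.prompt_ttl = prompt_ttl        # seconds a prompt stays answerable
        self.base_cooldown = base_cooldown  # wait after the first refusal
        self.max_cooldown = max_cooldown    # ceiling for the doubling wait
        self._pending = {}                  # account -> (expires_at, code)
        self._refusals = {}                 # account -> consecutive refusals
        self._blocked_until = {}            # account -> earliest next prompt

    def _refused(self, account, when):
        """Record a refusal and double the wait before the next prompt."""
        n = self._refusals.get(account, 0) + 1
        self._refusals[account] = n
        wait = min(self.base_cooldown * 2 ** (n - 1), self.max_cooldown)
        self._blocked_until[account] = when + wait

    def request_prompt(self, account, now):
        """Called when the reset form is submitted. Returns (outcome, detail)."""
        pending = self._pending.get(account)
        if pending:
            if pending[0] > now:
                return ("suppressed", "a prompt is already waiting for an answer")
            # An ignored prompt that timed out counts as a refusal.
            del self._pending[account]
            self._refused(account, pending[0])
        if now < self._blocked_until.get(account, 0):
            return ("suppressed", "cooling down after a refusal")
        code = f"{secrets.randbelow(100):02d}"  # shown only on the requesting screen
        self._pending[account] = (now + self.prompt_ttl, code)
        return ("sent", code)

    def respond(self, account, now, approve, typed_code=None):
        """Called when the account owner's device answers the prompt."""
        pending = self._pending.pop(account, None)
        if pending is None:
            return "no-pending-prompt"
        expires_at, code = pending
        if expires_at <= now:
            self._refused(account, expires_at)
            return "expired"
        # Number matching: approval needs the code from the requesting screen.
        if approve and typed_code is not None and hmac.compare_digest(
                typed_code.encode(), code.encode()):
            self._refusals.pop(account, None)
            self._blocked_until.pop(account, None)
            return "approved"
        self._refused(account, now)
        return "denied"


def simulate_flood(n_requests, spacing):
    """Constructed scenario: one reset request every `spacing` seconds, and the
    owner refuses each prompt that arrives. Returns how many prompts arrived."""
    gate = ResetPromptGate()
    delivered = 0
    for i in range(n_requests):
        now = i * spacing
        outcome, _ = gate.request_prompt("owner@example.com", now)
        if outcome == "sent":
            delivered += 1
            gate.respond("owner@example.com", now + 0.1, approve=False)
    return delivered


if __name__ == "__main__":
    print("100 requests in 50 s  ->", simulate_flood(100, 0.5), "prompt(s) shown")
    print("600 requests in 10 min ->", simulate_flood(600, 1.0), "prompt(s) shown")
```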

WHAT CAN YOU DO?

Apple seems to require a phone number to be on file for your account, but after you’ve set up the account it doesn’t have to be a mobile phone number. KrebsOnSecurity’s testing shows Apple will accept a VOIP number (like Google Voice). So, changing your account phone number to a VOIP number that isn’t widely known would be one mitigation here.

One caveat with the VOIP number idea: Unless you include a real mobile number, Apple’s iMessage and FaceTime applications will be disabled for that device. This might be a bonus for those concerned about reducing the overall attack surface of their Apple devices, since zero-click zero-days in these applications have repeatedly been used by spyware purveyors.

Also, it appears Apple’s password reset system will accept and respect email aliases. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account.

For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder. In this case, however, perhaps a less obvious alias than “+apple” would be advisable.

Update, March 27, 5:06 p.m. ET: Added perspective on Ken’s experience. Also included a What Can You Do? section.

Update your iPhones and iPads now: Apple patches security vulnerabilities in iOS and iPadOS

6 March 2024 at 07:45

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited. Zero-day vulnerabilities are discovered by attackers before the software company itself – meaning the vendor has ‘zero days’ to fix them.

Both vulnerabilities allow an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.

A patch for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation, running iOS 16.7.6 or iPadOS 16.7.6 is available for one of the vulnerabilities.

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 17.4 or iPadOS 17.4, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

iPad showing that an update is available and offering choices when to update

Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

CVE-2024-23225: a memory corruption issue was addressed with improved validation. A patch is available for this issue in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple says it’s aware of a report that this issue may have seen active exploitation.

CVE-2024-23296: a memory corruption issue in RTKit was addressed with improved validation. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple says it’s aware of a report that this issue may have seen active exploitation.

RTKit is Apple’s real-time operating system, running on multiple chips in iPhone, Watch, MacBook, and peripherals like the iPod. A real-time operating system is software that manages tasks on a single core, which is crucial for real-time applications that require precise timing.

Apple included several other vulnerabilities in the update, some of which it listed but it also mentions “Additional CVE entries coming soon.” For protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.


No “Apple magic” as 11% of macOS detections last year came from malware

5 March 2024 at 06:21

We’re going to let you in on a little cybersecurity secret… There’s malware on Mac computers. There pretty much always has been.

As revealed in our 2024 ThreatDown State of Malware report, a full 11% of all detections recorded by Malwarebytes on Mac computers in 2023 were for different variants of malware—the catch-all term that cybersecurity researchers use to refer to ransomware, trojans, info stealers, worms, viruses, and more.

That 11% figure may not sound imposing but remember that many people today still believe that Apple devices, including Mac computers, are invulnerable to cyberinfections because of some sort of vague “Apple magic.”

In reality, “Apple magic” is more a byproduct of old advertising (this 2006 commercial from the “I’m a Mac, and I’m a PC” series did irreparable harm) and faulty conclusions concerning cybersecurity’s biggest breaches and attacks: People mistakenly believe that because most attacks target Windows computers and servers, no attacks target Macs.

The truth is far more nuanced, as the visible, overwhelming focus of cyberattacks on Windows machines is a consequence of Microsoft’s long-standing success in business computing.

For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. This mass adoption was good for Microsoft and its revenue, but it also drew and maintained the interests of cybercriminals, who would develop malware that could impact the highest number of victims. This is why the biggest attacks, even today, predominantly involve Windows-based malware and the sometimes-unpatched vulnerabilities found in Windows software and applications.

Essentially, because Windows is the biggest target, cybercriminals focus their efforts accordingly.

But new information last year revealed that could all be changing.

Mac malware tactics shifted in 2023

Apple’s desktop and laptop operating system, macOS, represents a 31% share of US desktop operating systems, and roughly 25% of all businesses reportedly utilize Mac devices somewhere in their networks.

Already, the cybercriminals have taken note.

In April 2023, the most successful and dangerous ransomware in the world—LockBit—was found to have a variant developed for Mac. Used in at least 1,018 known attacks last year, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice, brought in more than $120 million before being disrupted by a coordinated law enforcement effort in February of this year.

While the LockBit variant for Mac was not operational upon discovery, the LockBit ransomware gang said at the time that it was “actively being developed.” Fortunately, LockBit suffered enormous blows this year, and the ransomware gang is probably less concerned with Mac malware development and more concerned with “avoiding prison.”

Separately, in September 2023, Malwarebytes discovered a cybercriminal campaign that tricked Mac users into accidentally installing a type of malware that can steal passwords, browser data, cookies, files, and cryptocurrency. The malware, called Atomic Stealer (or AMOS for short) was delivered through “malvertising,” a malware delivery tactic that abuses Google ads to send everyday users to malicious websites that—though they may appear legitimate—fool people into downloading malware.

In this campaign, when users searched on Google for the financial marketing trading app “TradingView,” they were sometimes shown a malicious search result that appeared entirely authentic: a website with TradingView branding was visible, and download buttons for Windows, Mac, and Linux were clearly listed.

But users who clicked the Mac download button instead received AMOS.

This malvertising site mimics TradingView to fool users into downloading malware for different operating systems.

Just months later, AMOS again wriggled its way onto Mac computers, this time through a new delivery chain that has more typically targeted Windows users.

In November, Malwarebytes found AMOS being distributed through a malware delivery chain known as “ClearFake.” The ClearFake campaign tricks users into believing they’re downloading an approved web browser update. That has frequently meant a lot of malicious prompts mimicking Google Chrome’s branding and update language, but the more recent campaign imitated the default browser on Mac devices—Safari.

A template is used that mimics the official Apple websites and webpages to convince users into downloading a Safari “update” that instead contains malware.

As Malwarebytes Labs wrote at the time:

“This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.”

Replace “magic” with Malwarebytes

Cyberthreats on Mac aren’t non-existent, they’re just different. But different threats still need effective protection, which is where Malwarebytes Premium can help.

Malwarebytes Premium detects and blocks the most common infostealers that target Macs—including AMOS—along with annoying browser hijackers and adware threats such as Genieo, Vsearch, Crossrider, and more. Stay protected, proactively, with Malwarebytes Premium for Mac.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Apple Announces Post-Quantum Encryption Algorithms for iMessage

26 February 2024 at 07:04

Apple announced PQ3, its post-quantum encryption standard based on the Kyber secure key-encapsulation protocol, one of the post-quantum algorithms selected by NIST in 2022.

There’s a lot of detail in the Apple blog post, and more in Douglas Stebila’s security analysis.

I am of two minds about this. On the one hand, it’s probably premature to switch to any particular post-quantum algorithms. The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them—and learn a lot in the process—over the coming few years. But if you’re going to make the switch, this is an excellent choice. And Apple’s ability to do this so efficiently speaks well about its algorithmic agility, which is probably more important than its particular cryptographic design. And it is probably about the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers.
