Apple security


'Apple security' How Tos

How to Use Automatic Strong Passwords and Password Auditing in iOS 12

In iOS 12, Apple has introduced new password-related features that are designed to make it easier for iPhone and iPad users to create strong, secure, and unique passwords for app and website logins. In this guide, we'll show you how to use two of those features: automatic strong passwords and password auditing.

Automatic strong passwords ensures that if you're prompted by a website or app to make up a password on the spot, Apple will automatically offer to generate a secure one for you. Password auditing meanwhile flags weak passwords and tells you if a password has been reused for different account login credentials. Here's how to use the two features.

How to Use Automatic Strong Passwords in iOS 12

1. Launch Safari and navigate to the site asking you to create new login credentials, or launch a third-party app asking you to sign up for a new account.
2. Enter a username or email address in the first field.
3. Tap on the Password field – iOS will generate a strong password.
4. Tap Use Strong Password to accept the password suggestion and save it to your iCloud Keychain.

Pro tip: Next time you need one of your passwords, you can ask Siri. For example, you could say: "Siri, show me my BBC password." Siri will then open up your iCloud Keychain with the relevant entry, but only after you authenticate your identity with a fingerprint, a Face ID scan, or a passcode.

How to Identify Reused Passwords in iOS 12

1. Launch the Settings app on your iPhone or iPad.
2. Tap Passwords & Accounts.
3. Authenticate via Touch ID, Face ID, or your passcode.
4. Scroll down the list of

'Apple security' Articles

Apple Says No Personal Data Was Compromised in Australian Teenager Hacking Incident

In a statement, Apple has confirmed that no personal data was compromised by a 16-year-old student from Melbourne, Australia who admitted to hacking into Apple's internal servers on multiple occasions over one year. The Guardian:

"At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats. In this case, our teams discovered the unauthorized access, contained it, and reported the incident to law enforcement. We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised."

Australian publication The Age reported that the teen downloaded some 90GB of confidential files, and accessed customer accounts, storing information in a folder on his computer named "hacky hack hack." It's unclear exactly what he downloaded during the series of network intrusions.

The student, who cannot be publicly named due to his age and notoriety in the hacking community, reportedly pleaded guilty to his actions in an Australian Children's Court this week, with sentencing deferred until next month. His lawyer later told police that the teen "dreamed of" working for Apple. The teen reportedly had a method of accessing Apple's servers that "worked flawlessly" on multiple occasions—until he was caught.

The international investigation began when Apple detected the unauthorized access, contained it, and alerted the FBI. The allegations were passed on to the Australian Federal

Security Researchers Find Way to Prevent USB Restricted Mode From Activating on iOS Devices

Security researchers claim to have discovered a loophole that prevents an iPhone or iPad from activating USB Restricted Mode, Apple's latest anti-hacking feature in iOS 12 beta and iOS 11.4.1, which was released on Monday.

USB Restricted Mode is designed to make iPhones and iPads immune to certain hacking techniques that use a USB connection to download data through the Lightning connector to crack the passcode. iOS 11.4.1 and iOS 12 prevent this by default by disabling data access to the Lightning port if it's been more than an hour since the iOS device was last unlocked. Users can also quickly disable the USB connection manually by engaging Emergency SOS mode.

However, researchers at cybersecurity firm ElcomSoft claim to have discovered a loophole that resets the one-hour counter. The bypass technique involves connecting a USB accessory into the Lightning port of the iOS device, which prevents USB Restricted Mode from locking after one hour. ElcomSoft's Oleg Afonin explained the technique in a blog post:

"What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode."

According to

FBI Unable to Retrieve Encrypted Data From 6,900 Devices Over the Last 11 Months

The United States Federal Bureau of Investigation was unable to retrieve data from 6,900 mobile devices that it attempted to access over the course of the last 11 months, reports the Associated Press. FBI Director Christopher Wray shared the number at an annual conference for the International Association of Chiefs of Police on Sunday.

During the first 11 months of the current fiscal year, Wray says the 6,900 devices that were inaccessible accounted for half of the total devices the FBI attempted to retrieve data from. Wray called the FBI's inability to get into the devices a "huge, huge problem."

"To put it mildly, this is a huge, huge problem," Wray said. "It impacts investigations across the board -- narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation."

Wray did not specify how many of the 6,900 devices the FBI could not access were iPhones or iPads running a version of Apple's iOS operating system, but encryption has been an issue between Apple and the FBI since last year when the two clashed over the unlocking of an iPhone 5c owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

The FBI took Apple to court in an attempt to force Apple to create a version of iOS that would disable passcode security features and allow passcodes to be entered electronically, providing the FBI with the tools to hack into the device. Apple refused and fought the court order, claiming the FBI's request could set a "dangerous precedent" with serious implications for the future of

Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning. The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

[Image: A KRACK attack proof-of-concept from security researcher Mathy Vanhoef]

Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads. Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.

Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection. Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability

Study Finds Significant Number of Macs Running Out-of-Date Firmware Susceptible to Critical Exploits

A new research paper from Duo Security, shared by Ars Technica, reveals that a significant number of Macs are running out-of-date EFI versions, leaving them susceptible to critical pre-boot firmware exploits.

The security firm analyzed 73,324 Macs used in production environments and found that, on average, 4.2 percent of the systems were running the incorrect EFI version relative to the model and version of macOS or OS X installed. The percentage of incorrect EFI versions varies greatly depending on the model. The late 2015 21.5" iMac had the highest occurrence of incorrect EFI firmware, with 43 percent of systems running incorrect versions.

EFI, which stands for Extensible Firmware Interface, bridges a Mac's hardware, firmware, and operating system together to enable it to go from power-on to booting macOS. EFI operates at a lower level than both the operating system and hypervisors, providing attackers with a greater level of control.

"Successful attack of a system's UEFI implementation provides an attacker with powerful capabilities in terms of stealth, persistence, and direct access to hardware, all in an OS and VMM independent manner."

Duo Security found that 47 models capable of running OS X Yosemite, OS X El Capitan, or macOS Sierra, for example, did not have an EFI security patch for the Thunderstrike exploit publicly disclosed nearly three years ago. The research paper noted that there seems to be something interfering with the way bundled EFI updates are installed alongside macOS, while some Macs never received EFI updates whatsoever, but it doesn't

Apple's Latest Transparency Report Shows Jump in National Security Requests

Apple this week released its latest transparency report [PDF] outlining government data requests received from January 1, 2017 to June 30, 2017. In the United States, Apple received 4,479 requests for 8,958 devices and provided data 80 percent of the time (in 3,565 cases). Worldwide, Apple received 30,814 requests for data from 233,052 devices and provided data 80 percent of the time (in 23,856 cases).

Overall demands for data were slightly down compared to requests during the same time period last year, but Apple disclosed a much higher number of national security requests that include orders received under FISA and National Security Letters. According to Apple, to date, it has not received any orders for bulk data.

Apple says it received 13,250 - 13,499 National Security Orders affecting 9,000 to 9,249 accounts. That's up from 2,750 - 2,999 orders affecting 2,000 to 2,249 accounts received during the first half of 2016. Though Apple attempts to be as transparent as possible in its reports, the government does not allow the company to release specific details when it comes to the number of National Security requests received, instead requiring a number range to be provided to customers. Apple uses the narrowest range permissible by law.

Apple lately has been making more of an effort to be clearer about the type of information governments around the world have asked for, and its last two reports, this one included, have been highly detailed. Along with the total number of device requests and National Security Orders, Apple also provides data on a

Hacker Releases Firmware Decryption Key for Apple's Secure Enclave

A hacker released what he claimed to be a firmware decryption key for Apple's Secure Enclave on Thursday, initially sparking fears that iOS security had been compromised.

Apple's Secure Enclave Processor (SEP) handles all cryptographic operations for the Apple Watch Series 2, the A7 processor that powers the iPhone 5s, the iPad Air, the iPad mini 2 and 3, and subsequent A-series chips. The encrypted SEP is completely isolated from the rest of the system and handles Touch ID transactions, password verifications, and other security processes on a separate OS to maintain data protection integrity even if the kernel has been compromised.

One of the ways the SEP does this is by generating a Unique ID (UID) for each device for authentication purposes. The UID automatically changes every time a device is rebooted and remains unknown to other parts of the system, further enhancing its security. Beyond that, little is known about how the SEP actually works outside of Apple, but that's by design – the enclave's isolation serves to obfuscate it from the rest of the system, preventing hackers from rifling through its code to make it as secure as possible.

Tweet from ~ (@xerub), August 16, 2017: "key is fully grown https://t.co/MwN4kb9SQI use https://t.co/I9fLo5Iglh to decrypt and https://t.co/og6tiJHbCu to process"

The decryption key posted on GitHub yesterday would not enable hackers to access data stored inside the Secure Enclave, but it could allow hackers and security researchers to decrypt the firmware that controls it and potentially spot weaknesses in the code. Speaking to T

Security Researchers Don't Think Apple Pays Enough for Bug Bounties

Apple's bug bounty program has been available to select security researchers for almost a year now, but according to a new report from Motherboard, most researchers prefer not to share bugs with Apple due to low payouts. More money can be obtained from third-party sources for bugs in Apple software.

"People can get more cash if they sell their bugs to others," said Nikias Bassen, a security researcher for the company Zimperium, and who joined Apple's program last year. "If you're just doing it for the money, you're not going to give [bugs] to Apple directly."

Motherboard spoke to several members of Apple's bug bounty program with the condition of anonymity. Every single one said they had yet to report a bug to Apple and did not know anyone who had. iOS bugs are "too valuable to report to Apple," according to Patrick Wardle, a Synack researcher and former NSA hacker who was invited to the bug bounty program last year.

Apple first introduced its bug bounty program in August of 2016 at the Black Hat Conference, an annual global InfoSec event. Apple offers bounties of up to $200,000 depending on the vulnerability. Secure boot firmware components earn $200,000 at the high end, while smaller vulnerabilities, like access from a sandboxed process to user data outside of the sandbox, will earn

Apple Devices Escape Mention in WikiLeaks' Latest 'Vault 7' CIA Hacking Documents

Wikileaks yesterday published its latest round of allegedly leaked CIA documents, detailing aspects of the U.S. agency's "Cherry Blossom" firmware modification program, which uses modified versions of router firmware to turn networking devices into surveillance tools.

The document is the latest in WikiLeaks' "Vault 7" series of publications on CIA hacking methods. Previous leaks have detailed the agency's targeting of iOS devices and Macs, while this manual relates specifically to network routers: Once installed, the Cherry Blossom program can be used to monitor internet traffic, crawl for passwords, and redirect the target user to a particular website.

The manual also describes how CIA agents might install the modified firmware. "In typical operation, a wireless device of interest is implanted with Cherry Blossom firmware, either using the Claymore tool or via a supply chain operation." While documents have not been made public that detail the "Claymore" tool, the latter tactic refers to the practice of intercepting the target device somewhere between the factory and the end user.

The document lists several network products as susceptible to its hacking protocol, including devices from Asus, Belkin, Buffalo, Dell, DLink, Linksys, Motorola, Netgear, Senao, and US Robotics. Apple's AirPort networking equipment does not appear on the list, however. The CIA has struggled to penetrate Apple's network router hardware in the past due to a combination of the company's robust encryption and its use of proprietary hardware. Previous Harpy Eagle documents published by

Apple Helped U.K. Investigate Terrorist Attacks, Says CEO Tim Cook

Apple CEO Tim Cook revealed on Monday that the company has been helping the U.K. government investigate terror attacks in the country, despite being criticized by officials for its steadfast support of digital services that use end-to-end encryption.

"We have been cooperating with the U.K. government not only in law enforcement kind of matters but on some of the attacks," Cook said during a Bloomberg Television interview on Monday. "I cannot speak on detail on that. But in cases when we have information and they have gone through the lawful process we don't just give it but we do it very promptly."

Cook went on to suggest that rather than breaking encryption and risking the security of millions of users' private data, technology companies could provide police with metadata – revealing when, where, and who sent and received messages, but not their content – which could be extremely helpful in criminal investigations. "Metadata, if you're putting together a profile, is very important," said Cook.

The comments follow a third attack in as many months in the U.K., which has reignited the debate surrounding online surveillance in the country. The current Conservative government is demanding new powers that would force technology companies to compromise encryption protocols. In the wake of Saturday's terrorist attack at London Bridge, Prime Minister Theresa May again called for new laws to regulate the internet, demanding that internet companies do more to remove places online where terrorists can communicate. "We cannot allow this ideology the safe space it

Apple's Latest Transparency Report Shows Spike in U.S. Government Data Requests

Apple last night released its latest transparency report [PDF] outlining government data requests from July 1 to December 31, 2016. According to the data, which features several new request categories, Apple is making an effort to be as clear as possible about the types of information governments around the world have asked for. Apple's report is the most detailed report the company has produced yet.

Worldwide, Apple received 30,184 device requests, covering 151,105 devices. Apple provided data for 21,737 device requests, which equates to a 72 percent response rate. In the U.S. specifically, Apple responded to 3,335 requests out of 4,268 (78 percent). According to Apple, device-based requests cover fraud investigations as well as customers who have asked law enforcement to help locate lost or stolen devices.

Apple received 2,392 financial identifier requests worldwide, covering 21,249 devices. Apple provided information for 1,821 of the requests, which are related to cases where law enforcement officials are working on behalf of customers who have asked for help with fraudulent credit card activity.

When it comes to worldwide government account requests, Apple received 2,231, rejecting 175 of those, and providing no data for 471. Non-content data was provided for 1,350 requests, and content was offered up in 410 cases. A total of 8,880 accounts were affected.

In the United States, Apple says it received between 5,750 and 5,999 National Security Requests under FISA and National Security Letters, which affected 4,750 to 4,999 accounts. Apple is not allowed to

Third-Party Apps Will Need App-Specific Passwords for iCloud Access From June 15

App-specific passwords are set to become a mandatory requirement for third-party apps that access iCloud user data, according to an Apple Support email sent out today.

Currently, app-specific passwords are used to allow non-native apps like email clients to sign in to iCloud accounts that are protected by two-factor authentication. The security measure ensures that users can still link up their iCloud account to apps and services not provided by Apple, while also avoiding the need to disclose their Apple ID password to third parties.

However, app-specific passwords will become a basic requirement from June 15, according to Apple. The policy change basically means that users who want to continue using third-party apps with their iCloud account will have to enable two-factor authentication and generate individual passwords for each app.

"Beginning on 15 June, app-specific passwords will be required to access your iCloud data using third-party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar services not provided by Apple. If you are already signed in to a third-party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again."

Two-factor authentication ensures that you're the only person who can access your Apple account, even if someone knows your password. To turn it on from any iOS device running iOS 10.3 or later, open the Settings app, tap your name at the top, and then tap Password & Security. If

Researchers Uncover macOS and Safari Exploits at Pwn2Own 2017

The seventeenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, where researchers are competing in the 10th anniversary Pwn2Own computer hacking contest for over $1 million in prizes. Day one results have already been published over at the Zero Day Initiative website, with a couple of successful Mac-related exploits already appearing in the list of achievements.

Independent hackers Samuel Groß and Niklas Baumstark landed a partial success and earned $28,000 after targeting Safari with an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar.

"In a partial win, Samuel Groß (@5aelo) and Niklas Baumstark (@_niklasb) earn some style points by leaving a special message on the touch bar of the Mac. They used a use-after-free (UAF) in Safari combined with three logic bugs and a null pointer dereference to exploit Safari and elevate to root in macOS. They still managed to earn $28,000 USD and 9 Master of Pwn points."

Later in the day, Chaitin Security Research Lab also targeted Safari with an escalation to root on macOS, finding success using a total of six bugs in their exploit chain, including "an info disclosure in Safari, four type confusion bugs in the browser, and a UAF in WindowServer". The combined efforts earned the team $35,000.

The participating teams earned a total of $233,000 in prizes on day one, including a leading $105,000 earned by Tencent Security, according to published details. Other software successfully targeted by contestants include Adobe Reader, Ubuntu Desktop,

Researchers Uncover Multiple OS X and Safari Exploits at Pwn2Own 2016

The sixteenth annual CanSecWest security conference is underway in downtown Vancouver, British Columbia, and researchers participating in the Pwn2Own computer hacking contest have already discovered multiple vulnerabilities in OS X and the Safari web browser on the desktop.

On day one of the event, independent security researcher JungHoon Lee earned $60,000 after exploiting both OS X and Safari. Lee uncovered four vulnerabilities in total, including one exploit in Safari and three other vulnerabilities within the OS X operating system, according to security firm Trend Micro.

"JungHoon Lee (lokihardt): Demonstrated a successful code execution attack against Apple Safari to gain root privileges. The attack consisted of four new vulnerabilities: a use-after-free vulnerability in Safari and three additional vulnerabilities, including a heap overflow to escalate to root. This demonstration earned 10 Master of Pwn points and US$60,000."

Meanwhile, the report claims that the Tencent Security Team Shield group successfully executed code that enabled them to gain root privileges to Safari using "two use-after-free vulnerabilities," including one in Safari and the other in a "privileged process." The researchers were awarded $40,000 in prize money.

The five participating teams earned a total of $282,500 in prizes on day one, including a leading $132,500 earned by the 360Vulcan Team, according to the report. Other web browsers and plugins that were successfully targeted include Adobe Flash, Google Chrome, and Microsoft Edge on Windows. Apple representatives have attended

Apple Shifting Security Team From Contractors to Full-Time Employees

Apple has decided to hire the majority of its day-to-day security staff in Silicon Valley as full-time employees, a company spokeswoman confirmed to the San Jose Mercury News. Many of the security guards that Apple has hired in the past as contractors will become part of the company's expanded in-house security team and receive the same benefits as other employees, including full health insurance, retirement contributions and a leave of absence for new parents.

[Image: Apple security guard in dispute with photographer at iPad event (via The Australian)]

Apple will continue using contractors as security guards for special events, such as the upcoming "Spring Forward" media event at the Yerba Buena Center for the Arts on March 9th. Apple is believed to have begun constructing an extension on the Yerba Buena Center over the weekend, possibly as an Apple Watch demo area, and security guards wearing "Apple Security" shirts were spotted monitoring the premises.

"We will be hiring a large number of full-time people to handle our day-to-day security needs," the spokeswoman told the San Jose Mercury News. "We hope that virtually all of these positions will be filled by employees from our current security vendor and we're working closely with them on this process."

Apple has faced increasing pressure to provide individuals who cook, clean and monitor security for the company with the same benefits as other employees. Local union United Service Workers West staged a protest on Apple's headquarters in Cupertino, California in December over complaints that its security contractor