Here, find your monthly briefing on the latest hacks, scams, news, Apple security patches—and what you can do about it.
In this roundup:
- Location Data: How Much Privacy Can One App Give Away? A Lot
- Warning: Update Now! iOS 18.1 Brings Apple AI & Adds One Powerful New Feature
- Vote in the US Election? This Website Likely Shares Your Personal Information
- This Should Be On Your Radar: News Roundup
- Security Fail of the Month: Another Huge Unsecured Database
- Security Updates from Apple
Hacks, Scams, Trouble + What to Do
Location Data: How Much Privacy Can One App Give Away? A Lot
Did you know that when you enable location tracking for a third-party app, it may collect and sell your data about all your physical movements, and that the resulting databases are publicly available for almost anyone to buy and search?
All a bad actor needs to do is simply buy access to a location-based advertising database, such as the one used by the Locate X app. The location tracking data gathered by mobile apps and sold into publicly available databases can be so detailed that the Locate X app, or others like it, can use these publicly available databases to effectively stalk almost any individual’s movements, including patterns, habits, social networks, and any telltale trips to important sites. Four media outlets; 404 Media, Notus, Haaretz, and Krebs on Security were invited to witness a demo of Locate X, and saw it used to effortlessly track the movements of everyone who had visited a particular public park, for example.
Researchers say these datasets can be used to identify the members of grand juries, figure out which companies SEC officers are investigating, and identify which individuals have visited an abortion clinic. The Locate X app is currently in use by the Secret Service, who, based on internal communications obtained by 404 Media, think warrants are not required if users agreed to location tracking.
While Locate X is intended for use by law enforcement, a private investigator was able to get access simply by indicating that he was planning to work with police at some point in the future. Criminals also make use of hacked law enforcement email systems to issue fake subpoenas to gain access to this kind of information. More importantly, Locate X is just an interface to query databases of mobile app geolocation data, available for anyone with a little budget to buy. If Locate X were shut down tomorrow, another just like it would emerge unless infobrokers are dissuaded from trading in this kind of information or apps are prevented from gathering it to begin with.
The Bottom Line
The good news is you can turn location tracking off, and the even better news is that Apple has made location tracking an opt-in feature, where it’s off by default. But this is a great reminder to go to Settings > Privacy & Security > Location Services, and check the list of apps to see which ones are allowed to track your location.
Warning: Update Now! iOS 18.1 Brings Apple AI & Adds One Powerful New Feature
Apple’s latest iOS updates, iOS 18.1 (and iOS 18.1.1, which came out Nov 19) patch a large number of security bugs, brings Apple Intelligence to users for the first time, and adds one powerful privacy feature nobody expected, which keeps your device safe even when it’s lost or stolen.
Major updates usually patch a flight of security bugs, so that iOS 18.1 did so too doesn’t come as a huge surprise, but some of these are striking. For example: one bug might have allowed a maliciously crafted app to run shortcuts (from the Shortcuts app, which is a way for users to program the phone to perform arbitrary tasks) without user consent, another might allow an attacker to access private information from the Lock Screen, and one that would allow web page code to operate outside the web content sandbox (that’s bad).
Beyond patching bugs, iOS 18.1 also brought those of you with an iPhone 15 Pro or later their first slice of the Apple Intelligence AI features, which we discuss at length in our iOS 18 + Apple Intelligence Live Course.
But one thing nobody expected was also added with iOS 18.1. Apple silently rolled out a new feature called inactivity reboot. With inactivity reboot, iPhones that are left alone for a set period of time will reboot all on their own. When an iPhone is fresh from its latest reboot and has not yet been unlocked, it is much harder to hack. Even the kinds of hardware that law enforcement uses to break open seized devices can struggle when the device has been rebooted and not yet unlocked. This is because when you unlock it the first time, the device stores the keys in temporary memory, but when it’s rebooted that memory is wiped. If it’s been unlocked even once since the last reboot, then hacking it gets easier.
Reporters at 404 Media got a hold of warnings circulated among digital forensics labs warning that many iPhones which had been kept in the less secure state had rebooted themselves into the more secure one, even when those iPhones were kept in faraday cages. This inactivity reboot feature makes it much harder for law enforcement to investigate devices seized during arrests, but it also makes it much harder for thieves to break into stolen devices, or to wipe and resell them.
The Bottom Line
If your device is stolen or seized, it will reboot to protect itself. But If you are concerned that your iPhone may be seized or stolen in the near future, you don’t have to wait for an inactivity reboot: You could turn it off right away. This will put it into the most secure possible state (short of erasing all data and settings). For now, Apple seems committed to rolling out security updates focused on protecting their users.
Vote in the US Election? This Website Likely Shares Your Personal Information
Have you ever voted in a US election? Then, right-wing website VoteRef may be handing out your personal information to whoever asks for it. While voting rolls are considered public record, sites like VoteRef are making it a little too easy for ordinary citizens to access others’ private details.
At a time when political division is at its highest, it is extremely concerning that a site like VoteRef can exist. 404 Media reports that it’s as simple as typing a first and last name into the search bar, and you’ll instantly have access to the address and party affiliation of nearly anyone. It works the other way, too; the site allows you to look up an address and find out who lives there and what party they are associated with.
A vast majority of states are participating, with some exceptions, such as Arizona, California, Virginia, Pennsylvania, and Minnesota, as well as others. However, VoteRef itself states that “Eventually, all 50 states will be searchable.” Whether it will be able to get around state laws that prohibit the publication of voter data remains to be seen.
According to a ProPublica article published in 2022, the site is run by the Voter Reference Foundation, an organization headed by a former Trump campaign official. Supposedly, the site is “dedicated to ensuring transparent, accurate, and fair elections,” and its stated goal is to “[encourage] greater voter participation in all fifty states.” It does not, however, state how exposing the voting records of millions of Americans will help achieve that goal.
The Bottom Line
As said above, your voter registration is a public record, and, unfortunately, privacy laws don’t apply to public records. That means sites like VoteRef have no legal obligation to remove your data, so tools like Mozilla Monitor or Incogni are powerless. Your best bet is to contact your local representative and express your concerns over VoteRef and hope for better data privacy laws in the future.
This Should Be On Your Radar
Mapquest Is Back, Promising Privacy
The old print-ready navigation tool, MapQuest, has released a new privacy focused app for Android. While Apple Maps still does a good job protecting your privacy, we hope MapQuest rolls out an iOS version soon.
Chatbots Aren’t Your Friends
A lawsuit against Character.AI alleges their chatbot insisted it was a series of real people in chats with a teenager, presenting itself as a therapist, his adult lover, and others, before talking him into suicide.
A Quick And Easy Guide to Help Map Your Personal Risks Online
Protecting yourself in the age of digital surveillance should start with a look at what threats are relevant to you, what you have to protect, and what trade-offs you’re willing to make. The Electronic Frontiers Foundation just published a new handy intro guide to threat modeling.
Wired Guide: Learn to Protect Your Privacy from Digital Snooping
Wired has published an excellent article exploring many ways to help protect your privacy from digital snooping.
Do You Need Antivirus on Your Mac?
We used to say maybe not, but the answer is back to a yes. While this malware writeup on a set of malicious scripts and an infostealer package targeting MacOS from Intego doesn’t provide much detail about initial access, it’s just one example of how hackers are apportioning more and more attention to Mac computers.
New Infostealer Malware Targets Old iOS 13 and Previous
Hacking an up-to-date iPhone is pretty hard, but older models remain easy pickings, as demonstrated by a brand new infostealer malware which can infect any iPhone running iOS 13 that merely visits a maliciously crafted website.
Hacker Behind National Public Data Breach Arrested
A hacker who goes by the handle USDoD has been arrested in Brazil. They are responsible for the breach of the sketchy data broker National Public Data.
Novel Ransomware Can Infect Your Mac
Researchers at Trend Micro found an example of a new kind of ransomware that seems to be capable of targeting Mac computers, though it appears to be still in development.
Security Fail of the Month
Recruiter Leaves PII Unsecured for 200,000 Job Seekers
Cybersecurity researcher Jeremiah Fowler discovered an unprotected database containing the PII of some 200,000 job seekers, available to all on the internet. The database seems to belong to a company called Alltech Consulting Services.
The Bottom Line
Someone somewhere leaving a whole database of customer information open to the internet seems to happen with surprising regularity, but it’s still a big deal. These kinds of leaks are how scammers start their hunt for a mark. A data takedown service like Incogni or Mozilla Monitor can help here, since it will reduce the number of databases containing your information.
Security Updates from Apple
Everything you need to know about Apple’s latest software updates.
Introducing Apple Intelligence, Security Fixes, and Lots of Bug Stomping
- The most recent iOS and iPadOS is 18.1.1
- The most recent macOS is 15.1.1
- The most recent tvOS is 18.1
- The most recent watchOS is 11.1
- The most recent visionOS is 2.1.1
iOS 18.1 and its associated updates across the Apple ecosystem rolled out Apple Intelligence, its competitor to Chat GPT and its ilk. The features include Writing Tools, which will rewrite your content in different tones of voice as well as proofread for mistakes. Other tools include AI-generated summaries of notifications, emails, and web pages; a magic eraser tool in the Photos app for removing photobombers; and lots more. Apple Intelligence requires an iPhone 15 Pro or Pro Max, or an iPhone 16, but works on any iPad or Mac with an M series processor.
Beyond the AI features, 18.1 also fixed a bunch of important security bugs and flaws.
