Security News: Passwords App Comes to iPhone, Home Routers Under Attack, More

By Cullen Thomas Fri, 09/27/2024

Here, find your monthly briefing on the latest hacks, scams, news, Apple security patches—and what you can do about it.

In this roundup:

Hacks, Scams, Trouble + What to Do

Lock Down Your iPhone with iOS 18 (& Protect against One Flaw)

The September 16th release of iOS 18 brings new security-relevant features to the iPhone, including a new Passwords app for managing your logins and credentials, the ability to lock and hide apps, a new secure payment tool called Tap to Pay, all great! But it also comes with a way to take control of another person’s iPhone during a FaceTime call, a dangerous tool in the hands of scammers. Here’s how to take advantage of the new security features and protect against the new vulnerability.

iPhone Life
Discover your iPhone's hidden features
Get a daily tip (with screenshots and clear instructions) so you can master your iPhone in just one minute a day.

How to Secure Your Passwords with the New Passwords App

If you’re fully invested in the Apple ecosystem you probably already use Safari to generate and save strong passwords to protect your accounts. With iOS 18, this functionality is bundled into a sleek new app called Passwords, where you can find everything you need to store your credentials and secure your online life. Here’s our article on how to use it.

How to Lock & Hide Apps in iOS 18

Sometimes you need to hand your iPhone to someone else, and when you do you’d like the peace of mind that comes with knowing they can’t access your private apps and data. iOS 18 has introduced a way to hide apps on your iPhone in a special hidden folder in the app library, as well as a way to lock apps so that they require an extra authentication check (usually Face ID or Touch ID) before they open. Here’s Apple’s article on how to hide and lock apps on your iPhone.

How to Send Money with Tap to Pay

There’s a new and private way to digitally send money to a nearby iPhone without needing to trade email addresses. To send money, open the Wallet app and tap on Apple Cash. Then tap Send or Request. From there, select Tap to Cash. Then choose how much money to send and tap Next. It will ask you to authenticate (the same way you do when using Apple Pay in a store), then your phone will enter a pairing state where you can tap it against another iPhone (that must be running iOS 18) and the money will transfer to that phone.

How to Stop Scammers from Taking Control of Your iPhone with Screen Share

Since iOS 17, it’s been possible to share your iPhone’s screen during a FaceTime call. iOS 18 goes a big step further and allows participants in a FaceTime call to request control over the other person’s iPhone. This shows a view of that device’s screen, and the remote participant can move apps around, open apps, and help diagnose or fix problems. Some functions are locked during remote access, so your Apple ID should normally be safe. However, care must be taken to only share control of your iPhone with real tech support helpers that you trust! Tech support scams are still very common, and the top search result when you google “help with my iPhone” is still very likely to be a scam.

If you’d like to try the remote control feature with a trusted contact, here’s how: initiate a FaceTime call to another iPhone. Then open the video screen, and at the top tap Share. You can choose to either share your screen, or ask the other participant to share theirs. Choose Ask to Share. They will get a prompt requesting sharing permission. Once the share starts, tap on the window showing the shared screen so it goes full screen. To initiate remote control, look at the bottom right and tap the hand icon. The sharee can end the remote session at any time by tapping the Screenshare icon in FaceTime or ending the call. If you have shared your screen with someone who is doing something you don’t like, simply end the FaceTime call, or tap the Share icon at the top of the screen. While remote controlled, your iPhone will not show your passcode screen or allow the remote participant to enter passcodes or biometrics.

Harmless Social Media or Foreign Election Interference? How to Tell

With the US Elections around the corner, Russia and China lead the pack of nations trying to use social media propaganda to sow confusion and sway the outcome. These efforts are widespread, but many examples like the ones I've included below have been unmasked, and those examples can help us recognize the signs.

Spamouflage

Social media analysis company Graphika identified 15 fake accounts on Twitter and one on TikTok, all attributed to China, and all created to sow dissent and discord around the U.S. Elections. The strategy has been to create fake personas pretending to be disaffected American voters, who post divisive narratives about hot-button topics on social media. They appear to be mostly focused on creating discord and distrust, rather than elevating specific political parties. These accounts can be recognized by their overly simple posting history, discrepancies in their social media profile, and liberal usage of stock photos for both their profile picture and posts. They tend to post cynical takes that are one-notedly patriotic. For more detail, see Graphika’s report.

Unwitting Influencers

US Law Enforcement, together with their counterparts in Canada and the UK, accuse Russian news agency RT (formerly known as Russia Today) of colluding with Russian intelligence services to perform covert influence operations around the world. The head of RT has proudly admitted this is true, publicly stating: “...what do you think — that I get orders from the CIA? Where else would I get my orders from if I head a Russian state media outlet funded by the state?”

The uncovering of RTs operations are detailed in numerous reports, and include efforts to influence the US election. Publishing slanted news or even disinformation intended to influence an election would not be illegal if it were done openly, but failing to disclose association with foreign espionage agents is a crime. An example of such an operation is the effort by reporters from Russia Today, Kostiantyn Kalashnikov and Elena Afanasyeva, who allegedly paid a Tennessee media outlet, which CNN has identified as Tenet Media, to hire YouTube influencers to make videos expressing views cynical of US election processes. Tenet media did not disclose to the influencers or to the public that the videos were funded by foreign agents.

A Little History

The strategy of hiring YouTube influencers may be novel, but the idea of using propaganda to weaken an adversary state is as old as states themselves. Politico wrote an excellent article detailing some of Russia’s historical efforts over the years to influence US elections and it’s worth a review. From this history, we note that foreign powers may express a preference for one US political party over another for lots of reasons, none of which should be taken to necessarily reflect on the candidates of that party or the party itself.

Their Goals & What to Look Out for

Needing to identify foreign influence operations in our day-to-day lives is an unfortunate side effect of living in a communication-rich world. It’s hopeful to note that the network uncovered by Graphika on Twitter was not very effective: most users have become used to large numbers of shallow accounts, and developed a healthy skepticism. It’s still worth remembering that accounts that aggressively sow discontent and cynicism may not be genuine, that reports of election interference are likely fabricated, and rage-bait on social media may be more insidious than just an effort to garner clicks. Whichever political party you support, you want to make sure that what you’re reading or watching about the election is true so you can make your choices free from foreign influences.

Are Hardware Keys Still Your Strongest Digital Defense?

YubiKeys are small USB devices that work as a physical key for your online accounts and have long been held as the gold standard digital security. In September, security researchers discovered a way to use specialized hardware to make copies of any Yubikey whose firmware version is older than 5.7, which could potentially allow an attacker to access accounts.

The bad news is that someone with temporary access to your hardware security key may be able to make a copy of it. The good news is the method for doing so requires over $10,000 worth of specialized hardware. But the bad news again is there’s no reason for them to go through the expense of copying your key when they could merely steal it (or replace it with a look-alike that doesn’t work so they have enough time to use it before you notice).

The good news again, is that’s just how keys work. It’s been possible to copy your front door key at the hardware store for decades, and we still use them. There’s really nothing to worry about here: keep a hold of your keys and keep your backup keys somewhere safe. If one stops working, remove it from your accounts right away. YubiKeys are still the gold standard for protecting your online accounts.

If you want to check which firmware your YubiKey runs, you can download the Yubico authenticator app to check your key. The firmware number will appear in the key’s title description as F/W: then the version number.

Criminals & Governments Can Hack Your Router: How to Evict Them

Russian hacking group Pawn Storm was able to access wireless home routers in the US up until January 26, 2024, reports Trend Micro. They did this by exploiting a vulnerability in the Moobot malware used by criminal hackers, which was already installed on a large network of home routers. To put that another way, Russian spies simply piggybacked on a criminal hacker group that had already penetrated a bunch of people’s home routers. In January, the FBI and its international partners brought down the botnet operated by Pawn Storm, which is likely associated with APT 28 and the Russian General Intelligence Directorate (GRU).

Pawn Storm used the routers for brute forcing, phishing, cryptocurrency mining, and more—the same things that the original criminal hackers had been already doing. This specific Moobot malware seems to have only affected Ubiquiti EdgeRouter devices, however, other similar malwares can affect other routers. For example, another group managed to infect routers from DLink, Netgear, and other manufacturers with malware called Ngioweb. In both these cases, the routers were using the default admin username and password.

What to Do: Protect Your Router from Malware

This incident highlights the importance of changing your router’s admin username and password. If your wireless router uses a default admin password, it will eventually get compromised. As always, be sure to use a strong, randomly generated password to keep your device secure. You’ll also want to make sure your router has the latest firmware installed. The methods for changing the admin password and updating the firmware on your Wi-Fi router depend on which device you have, so check your device’s manual.

Additionally, it’s worthwhile to occasionally just turn your Wi-Fi router off and then on again. Fortunately, most router malware cannot persist through a reboot, so once it’s been switched off and back on again, you’ll be perfectly safe from any malware like Moobot for a while.

This Should Be On Your Radar

Apple Drops Suit Against NSO Group

Apple believes that its lawsuit against the mercenary hacking company infamous for breaching iPhones is pointless, after the Israeli government intervened in a similar suit and other reasons. More coverage in The Record.

Ford Wants to Eavesdrop on Your Conversations

Ford has applied for a patent for a technology that would eavesdrop on drivers to personalize ads. More coverage in The Record.

Brazil Bans X (Formerly Twitter)

The social media platform formerly known as Twitter has been banned in the country of Brazil, after a fight between Elon Musk and the Brazilian supreme court. Read more at the BBC.

Don’t Download this “OCC” App Popup

Users of iOS 18 report a mysterious popup appearing on various news websites asking “Do you want to download “occ”?” If you see this, hit the x to close it. Do not download apps from popups on websites. Read more at the Dayton Beach News Journal

Hackers Found a Way Past Airport Security

Security researchers found a vulnerability in software used by pilots and flight attendants to pre-screen for security checkpoints, and were able to print themselves pre-certified passes to get through security. Read more at the researchers own website.

Scam Company Involved in Pig Butchering Handled $49 Billion Since 2021

Blockchain analysis firm Chainalysis dug into the movements of cryptocurrencies through well known scam compounds in Cambodia and was able to offer a rough estimate of just how huge a marketplace scamming has become in the region. Read more at The Record.

Watch Out for this iOS 18 Feature

iOS 18 offers a feature called screenshare, which lets a remote user request control over an iPhone (with some sensitive details disabled). While very helpful when providing tech support, be careful to only permit screen share requests from trusted sources. Read about how screenshare works here.

Banned Antivirus Software Kaspersky Replaced without Warning

If you are a US customer of Kaspersky Antivirus software, you may find it missing from your computer, silently replaced by UltraAV, a different antivirus software. Don’t be alarmed. UltraAV has purchased the customer base of Kaspersky, which was banned from operating in the US. Read more at Bleeping Computer.

Security Fail of the Month

Billionaire Pitches AI Universal Surveillance as Solution to All Crime

During a company financial meeting, Oracle co-founder Larry Ellison shared his vision for a near future in which AI would unite and analyze video streams from traffic cameras, security cameras, and police body cams to create a universal surveillance state, reports Ars Technica. He said: “Citizens will be on their best behavior because we are constantly recording and reporting everything that's going on.”

Larry is the co-founder of Oracle, the third largest software company by revenue and market share. They produce enterprise management and cloud tools. Their success briefly made Larry the world’s second-richest man. So, it is concerning to hear these sorts of ideas discussed in earnest, especially since AI surveillance tools have already been used on the London underground and in China. This is a space where privacy and security are at odds: yes we could sacrifice all privacy in the name of security, but then what is left to secure?

Security Updates from Apple

Everything you need to know about Apple’s latest software updates.

iOS 18 Is Out! Features Galore!

  • The most recent iOS and iPadOS is 18.0
  • The most recent macOS is 15.0
  • The most recent tvOS is 18.0 
  • The most recent watchOS is 11.0 
  • The most recent visionOS is 2.0

This suite of updates includes the customary yearly deluge of new features, from a redesigned Photos app to the inclusion of encrypted and feature rich messaging with Android phones in the Messages app, to the new Passwords app. The updates also patch numerous bugs and security vulnerabilities.

Some bugs have been reported. MacOS 15 appears to break some third-party security software, reports Tech Crunch. Our readers have reported that iOS 18s text message scheduling feature doesn’t always work even when all known conditions are met. A reader over at 9 to 5 Mac found a bug in the Messages app that could result in loss of a text message conversation.

Despite these bugs, it should be safe to update and we still recommend updating as soon as possible, unless you happen to need one of the tools listed in the Tech Crunch article (above).

Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Donna Schill.

Master your iPhone in one minute a day: Sign up here to get our FREE Tip of the Day delivered right to your inbox.

Topics

News
Privacy & Security

Author Details

Cullen Thomas's picture

Author Details

Cullen Thomas

Cullen Thomas is a senior instructor at iPhone Life. For ten years as faculty at Maharishi University, Cullen taught subjects ranging from camera and audio hardware to game design. Cullen applies a passion for gadgetry to answer questions about iPhones, iPads, Macs, and Apple cloud services; to teach live classes; and to specialize in the privacy and security aspects of the Apple ecosystem. Cullen has dual degrees in Media & Communications and Literature, and a Masters degree from the David Lynch Graduate School of Cinematic Arts.

Offline, Cullen designs videogames with Thought Spike Games, writes fiction, and studies new nerdery.

Mastodon: @CullenWritesTech@infosec.exchange

Email: cullen@iphonelife.com

Signal: +1-512-814-5526