2 Apple security fumbles: Random MAC and Password Prediction

Apple Store Chicago Apple is getting taken to task for a couple of security issues.

First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.

Second, people are noticing their passwords showing up in Apples iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research is suggesting that the problem is from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that it is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.

https://www.youtube.com/watch?v=ceC9jMIpszI

[powerpress]

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me onFacebookTwitter, and Google+.

A tiny change in iOS 8 prevents WiFi tracking of iOS devices

IOS8 MAC Randomization

News just broke of a new feature in iOS 8 announced at Apple’s WWDC which was not covered in the big keynote. Advertisers and retail outlets have been using Wi-Fi to track mobile devices for some time. I talked about a network of Wi-Fi tracking trashcans last year in the podcast.

This works because, by default, most mobile devices are constantly on the lookout for Wi-Fi networks. The device communicates with visible base stations to see if they are known, if they are secure, and what they are called. That communication reveals the MAC address of the device’s Wi-Fi.

Like the address on your house, your phone number, or IP addresses, MAC addresses are globally unique identifiers. Everything that can speak Wi-Fi has its own individual MAC address. This makes it a great hook for tracking. If someone sets up a bunch of Wi-Fi base stations, most mobile devices going by will try to connect, giving it their MAC address. By looking at the pattern of those connections, the device can be tracked. 

More sophisticated solutions have even used signal strength to triangulate the location of devices within a small area.

The big news is that Apple is going to randomize the MAC addresses of iOS 8 devices when they are probing for networks. If the device were to probe network base stations A, B, and C they would all see different MAC addresses and think that they were tracking different devices. The iPhone or iPad would still use its real MAC when establishing a full connection, but would not provide it to all of the networks it only probes but never actually uses.

This is a really small change which provides significant privacy gains. It is similar to the decision Apple made to use randomized IPv6 addresses by default, rather than ones which uniquely identify the computer or mobile device.

Of course, Apple is also working hard to track us all with iBeacons at the same time….

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Don't be an Ostrich about open Wi-Fi

Wi-Fi router with lockBack in 2010 I blogged about Google’s legal troubles over capturing sensitive open Wi-Fi data with their Street View cars. In a nutshell, Google was accused of violating the federal Wiretap Act when it intercepted the data on open Wi-Fi networks it passed. The purpose was to capture just the MAC addresses of the base stations to improve their enhanced location services. It appears that recording small amounts of data was accidental. Certainly if they were trying to collect data, they could easily have grabbed much more.

Google lost that case and is now appealing to the Supreme Court, hoping to overturn the decision.

Obviously it was inappropriate for a company like Google to drive around sniffing people’s Wi-Fi traffic, but they are not really the threat. What we all need to be worried about is hackers war driving our neighborhoods, either using our networks to hide their illegal activities, or capturing our personal information for their own purposes.

Whatever the legal outcome of whether it is “OK” to sniff someone’s open Wi-Fi traffic, the reality is that people do, and doing so is trivial. Anyone with a laptop can download free software and be sucking down all the Internet activity in their local coffee shop in just minutes. I think laws like this give a false sense of security. It is like saying that, as you walk down the sidewalk, you can not look in through your neighbor’s big picture window at night when they leave the curtains open.

Thinking that people are “not allowed” to sniff your open Wi-Fi just gives a false sense of security. What we need to do is make sure that ALL Wi-Fi is securely encrypted. Even public Wi-Fi should be encrypted, even if the password is “password” and is posted prominently on the wall. Using encryption changes the situation from looking though a window as you walk by to drilling a peep hole through the wall.

None of should be in denial about this. Open Wi-Fi is insecure. It will be sniffed.

If you find yourself in a situation where you have to use an open Wi-Fi hotspot, for whatever reason, make sure you immediately establish a VPN to protect yourself. I might be biased, but I use Anonymizer Universal for this purpose.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter and Google+.

The Privacy Blog Podcast – Ep.12: The Court Ruling Against Google’s Wi-Fi Snooping, Vulnerabilities in the iPhone Fingerprint Scanner, and Security Tips for iOS 7

Welcome to the 12th episode of The Privacy Blog Podcast brought to you by Anonymizer. In September’s episode, I will talk about a court ruling against Google’s Wi-Fi snooping and the vulnerabilities in the new iPhone 5s fingerprint scanner. Then, I’ll provide some tips for securing the new iPhone/iOS 7 and discuss the results of a recent Pew privacy study.

Hope you enjoy – feel free to add questions and feedback in the comments section.

The Privacy Blog Podcast – Ep.11: Lavabit & Silent Circle Shutdown, Hoarding Bitcoins, and “Spy” Trash Cans in London

Welcome to Episode 11 of The Privacy Blog Podcast, brought to you by Anonymizer. In this episode, I’ll discuss the shutdown of secure email services by Lavabit and Silent Circle. In addition, we’ll dive into the problem with hoarding Bitcoins and how you can protect yourself while using the increasingly popular online currency. Lastly, I’ll chat about whether teens actually care about online privacy and an ad agency’s shocking decision to use high-tech trash cans to measure Wi-Fi signals in London.

Please leave any questions or feedback in the comments section. Thanks for listening.

The Privacy Blog Podcast – Ep.2: Website Pricing Tactics and the Dangers of Using Wi-Fi While Traveling

Welcome to our November 2012 podcast. In this episode, I’ll be talking about the tactics websites use to charge one customer more than a customer in a different city, state, or country. After that, I’ll discuss the dangers of using the Internet while on the road - as many of you are likely to do this holiday season. Don't miss our video showing how your Facebook account can be compromised on an unsecured connection. Follow this link to Anonymizer's site and select 'Video 2'.

Download the transcript here.

Facebook Session Hijack Video

We discovered a major security hole in Facebook almost by accident. The exploit is so trivial I can't justify calling it hacking. Any time you are on an open WiFi and accessing Facebook, anyone else on the same network can easily grab your credential and access Facebook as you with full access to your account.

We have posted a video demonstrating this to YouTube as well as putting it in the Anonymizer Labs section of our website.

Sidejacking

Report: "Sidejacking" session information over WiFi easy as pie

While this is not really news, it is a very nice description of a very widespread risk. This issue here is that many websites simply use a serial number in a cookie to keep track of user sessions. The implicit behavior is that if you have the cookie, you are authenticated and logged in. The big problem is that most of these sites are also insecure. With the popularity of insecure WiFi networks, capturing those cookies has become very easy. Once an attacker has the cookie, he can act as you for all purposes on those websites.

The simplest solutions are: enable SSL on the website (if possible), only use WPA secured WiFi, use a VPN, or use Anonymizer with the encrypted surfing option enabled (which effectively makes all websites SSL protected).

More news on Wireless Insecurity

I was just sent a link to an improved attack on WEP for WiFi. WEP (Wired Equivalent Privacy) is no such thing. Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann at the technical university Darmstadt in Germany have a paper and proof of concept implementation of an improved attack on WEP. This attack should be able to compromise WEP security in under a minute under normal conditions with an inexpensive laptop. In reality over half of deployed wireless nodes have no security enabled at all, so WEP is certainly an improvement on that. A much better solution exists called WPA. It is available on almost all WiFi devices, and should be used wherever possible. While WPA is not perfect, there are no efficient attacks against WPA, however experts are still not confident in its security. If you have a high security application, stick with a wire, and/or use a strong VPN within the WiFI connection. I am a belt and suspenders kind of guy, so I like to use multiple layers of security whenever possible.