- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Do not interact with spam texts. Spam texts can be hard to identify, but any text informing you about lost packages, unpaid tolls, or unbelievable job offers is usually a scam.
- Use passkeys for any account that supports them. Passkeys are the most secure way to log in to your accounts: the private key never leaves your device or password manager, the site only ever holds the matching public key, and each login is tied to the site's real domain, so a look-alike phishing site cannot reuse it.
- Avoid spam emails by using Hide My Email. The Hide My Email feature lets you create a unique, random address that forwards everything it receives to your primary email address. When you no longer want to receive messages sent to that address, you can deactivate it, and the spam stops without you having to change your real address.
What should you do in the following scenario?
You get a phone call claiming to be from the IRS (or your regional tax authority, if you're not in the USA). They say you made a mistake with your taxes and are in danger of legal action if you don't follow their instructions. What should you do?
- A. Follow their instructions.
- B. Hang up and call the IRS on their official line.
- C. Hang up and call your lawyer or tax preparer.
- D. Hang up and go on about your business.
Scroll to the bottom to see how you did!
Meta's Ray-Ban smart glasses are becoming increasingly popular as of late. With more and more users adopting the smart glasses, Meta plans to implement facial recognition, according to a New York Times report. On the surface, that doesn't sound like the worst idea in the world; after all, your iPhone can use facial recognition to unlock the device. However, that is not how Meta plans to use the technology. If implemented, Meta's facial recognition feature would scan the faces of everyone the glasses see in public and identify which people the wearer is connected with on social media, and which have public accounts. While the documents reviewed by the Times said the feature could not be used to identify everyone the user sees, it is trivial to use it beyond its intended scope, as demonstrated by researchers who set up the glasses to identify everyone they looked at. Theoretically, there would be no way to opt out, since all it would take is a chance encounter with someone wearing Meta's smart glasses in public. As if this massive violation of privacy wasn't enough, the company is intentionally looking to launch the feature while activists and civil rights groups are distracted by other social issues. Meta believes these groups will not be able to devote time and resources to attack the company, allowing the feature to go public with little pushback. Read more at Electronic Frontier Foundation.
The Bottom Line: Thanks to the New York Times' report, privacy groups like the Electronic Frontier Foundation will likely set their sights on Meta. The more attention that is brought to this privacy-invasive feature, the more likely it is that the company will reconsider its plans.
Homeland Security Issuing Subpoenas to More Tech Companies
Last week, we reported that the Department of Homeland Security was investigating social media accounts that were critical of Immigration and Customs Enforcement (ICE). Now, the New York Times has published a more detailed report about this particular situation, citing four government officials and tech employees who wished to remain anonymous. According to the NYT, Google, Meta, Discord, and Reddit have all complied with hundreds of administrative subpoenas from DHS requesting "identifying details" about accounts that have criticized ICE. Administrative subpoenas are issued by the agency itself rather than by a judge. Of the four companies named, only Google has responded publicly, stating that it prioritizes user privacy while complying with legal obligations, and that it will often notify users when information is turned over to law enforcement.
The Bottom Line: We always counsel caution in choosing what to share on social media: everything you post is effectively shouted from the rooftops, and even seemingly banal details like what you had for lunch can be analyzed to help stalk, harass, or scam you. That said, the USA has strong free-speech protections intended to allow anyone to criticize the government.
Meta Patents AI Doppelganger Tool
Meta wants to take over posting to Facebook and Instagram for you during long periods of inactivity, whether it's because you're taking a break from social media or because you died. The company recently patented a large language model that is capable of imitating a person's social media habits. Your AI doppelganger can like and comment on posts and respond to direct messages. Thankfully, a Meta spokesperson told Business Insider that the company is not actively working on this project.
The Bottom Line: While Meta isn't working on the AI doppelganger tool at this time, the patent means it could implement it at a later date. If having an AI pretend to be you isn't weird enough, using a tool like this would require you to let it read all of your personal information, which is incredibly invasive to anyone's privacy. We advise caution in sharing information with AI agents, and we'd recommend never allowing an AI to pretend to be you, even just for social media.
Social Security Numbers Left Vulnerable
A little over a year ago, the Trump administration established the Department of Government Efficiency (DOGE). The Department's goal was to eliminate waste and, as its name implies, improve government efficiency. Whether or not it achieved that goal is up for debate, but one misstep that many can agree on is DOGE's approach to Social Security. The Social Security data of US citizens is stored in a secure database, accessible only to a limited set of government personnel. However, DOGE allegedly copied this database to its own unsecured cloud server, without oversight, leaving it exposed to theft.
Social Security number leaks are nothing new, unfortunately, ever since the National Public Data breach in 2024 leaked over 270 million Social Security numbers. More recently, a breach at an IT services company called Conduent, which services companies like Volvo, exposed millions of customer and employee Social Security numbers. These days, it's hard to argue that Social Security numbers are secret, and since they're not really secret, they shouldn't be used as a form of authentication, but lots of places still use them that way.
The Bottom Line: While it's possible, maybe even likely, that your Social Security number is floating around the dark web, there are steps you can take to protect yourself. Freezing your credit is always a good one: you can freeze your credit indefinitely and temporarily unfreeze it any time you need to undergo a credit check. Additionally, create your own my Social Security account at SSA.gov (sign-in is through Login.gov or ID.me) so that an impostor cannot open one in your name.
Ring Cancels Partnership with Flock
Security camera maker Ring has canceled a proposed partnership with traffic camera maker Flock after intense backlash from the public. Originally, Ring and Flock had planned to work together (in an unspecified way) on a Ring feature called Community Requests, which allows local law enforcement to ask private Ring camera owners to volunteer videos from their systems. How this would have integrated with Flock, whose traffic cameras are already law enforcement tools, is a little unclear, but in any case, the partnership has been canceled for now. At least some of the public outcry against Ring seems to have come in response to a Super Bowl commercial that many viewers found dystopian. Read more at The Verge.
The Bottom Line: Security cameras can improve the physical safety of your home, but when installing them, always ask yourself what the consequences would be if an unexpected third party were to gain access to the footage. Ring considers collaboration with law enforcement to be core to its mission; consider for yourself whether that is appropriate in your own jurisdiction. Consider alternative security camera systems that do not require a cloud subscription to store video and instead save the recordings locally in storage you control, such as Eufy.
Discord Still Canāt Find a Safe Way to Verify User Age
Many countries have now passed some variation of a law requiring web services to verify the ages of their users. It started with the UK's Online Safety Act (OSA), but Australia, France, and others have either passed or are likely to pass laws forbidding social media websites from serving kids. The practical meat of those laws is that allowing users to simply click "I'm over 18" isn't going to cut it. Websites and web services are now going to have to verify that their users are adults, and that is not easy to do. The chat app Discord has become the repeated poster child for getting it wrong. Initially, Discord rolled out a system that kids could fool with a 3D model of a face. Then it tried a system that required users to scan their government ID, but that system got hacked, and the hackers made off with the IDs. Most recently, Discord was experimenting with a third-party age-verification tool called Persona. Persona is backed by Peter Thiel, the controversial co-founder of Palantir, a figure so unpopular that Discord is now facing backlash and has abandoned that idea, too.
The Bottom Line: It may be a good idea to keep kids off social media. However you feel about that, the technical question of forcing social media platforms to do it from their end is challenging. If every social media service is required to collect and store potentially sensitive identity information, that greatly increases the number of places a hacker could go to steal it, as the Discord ID breach shows. On the other hand, parents can implement family safety plans for their children's devices using Apple's parental controls (Screen Time).
Phone of Kenyan Activist Compromised by Cellebrite
The Citizen Lab has a new report out on how phone-extraction tools licensed to police were used to break into the phone of an activist in Kenya. Cellebrite sells forensic tools that police license to unlock and copy data from phones they seize during arrests. There is a legitimate need for police to unlock seized phones, but this case illustrates how the same tools can be abused when policing becomes politicized.
The Bottom Line: Lockdown Mode hardens an iPhone against extraction tools of this kind (Cellebrite, GrayKey); among other things, it blocks wired data connections to computers and accessories while the phone is locked. If you are an activist or journalist carrying potentially sensitive information on your phone, consider activating Lockdown Mode (Settings > Privacy & Security > Lockdown Mode), disabling biometric unlock (Settings > Face ID [or Touch ID] & Passcode > turn off iPhone Unlock), and using a long alphanumeric passcode rather than a six-digit PIN. If you expect your phone to be seized, power it off: data on a phone that has not been unlocked since it booted is far harder to extract than data on one that has merely been locked.
How Do Hackers Steal WhatsApp Accounts?
CyberHUB reports that WhatsApp users in Armenia have seen a wave of account takeovers. It's a pretty common pattern: the hacker takes over the WhatsApp account and then uses it to send spammy messages to the account's contacts. If you've been on the internet for any amount of time, then you've probably seen something like that happen, whether with email, Facebook, or elsewhere. What makes this report interesting is that CyberHUB thinks it knows how it was done: hackers gained access to the country's SMS infrastructure and were able to intercept text messages. When you register a WhatsApp account (or move it to a new phone), WhatsApp sends an SMS to prove you control the phone number. The hackers intercepted these messages and used the codes and links in them to register the victims' numbers on their own devices. It's always interesting to hear how these workaday hacks are accomplished, as the methods are constantly evolving.
The Bottom Line: While better than no MFA, SMS verification codes and links are not especially secure: anyone who can read your carrier's text traffic, whether by compromising the carrier, SIM-swapping your number, or tricking you into forwarding the code, can pass the check. When setting up a new account or adding MFA to an existing one, SMS should be a last resort. For WhatsApp specifically, turn on two-step verification (Settings > Account > Two-step verification), which adds a PIN that is required whenever your number is registered on a new device and is never sent over SMS.
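To make the takeover concrete, here is an added Python simulation, written for this newsletter and not code from CyberHUB or WhatsApp, of an SMS-verified registration flow. The service, the SMS network, and the phone number are constructed stand-ins; the point is that anyone who can read the carrier's SMS traffic can pass the verification step, while a second secret that never travels over SMS (modeled on WhatsApp's two-step verification PIN) stops them even though the attacker still sees every code.

```python
import hashlib
import hmac
import re
import secrets
import time


class SmsNetwork:
    """Model of the carrier SMS path (constructed for this example).

    Every message delivered through it is also appended to `intercepted`,
    standing in for an attacker who has compromised the SMS infrastructure.
    The legitimate owner still receives the message as well.
    """

    def __init__(self):
        self.intercepted = []

    def deliver(self, number, text):
        self.intercepted.append((number, text))  # attacker's copy
        return text                               # owner's handset copy


class MessagingService:
    """Toy registration flow for a chat app that verifies phone numbers by SMS."""

    CODE_TTL = 300  # seconds a one-time code stays valid

    def __init__(self, sms):
        self.sms = sms
        self.pending = {}     # number -> (salt, sha256(salt+code), expiry)
        self.pins = {}        # number -> (salt, sha256(salt+pin)) once two-step is enabled
        self.registered = {}  # number -> device the account is currently bound to

    @staticmethod
    def _digest(salt, value):
        return hashlib.sha256(salt + value.encode()).hexdigest()

    def enable_two_step(self, number, pin):
        """The PIN is set by the owner in-app; it is never transmitted by SMS."""
        salt = secrets.token_bytes(16)
        self.pins[number] = (salt, self._digest(salt, pin))

    def request_code(self, number):
        """Issue a fresh 6-digit code and return the SMS as the owner's handset sees it."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self.pending[number] = (salt, self._digest(salt, code), time.time() + self.CODE_TTL)
        return self.sms.deliver(number, f"Your verification code is {code}")

    def register(self, number, device, code, pin=None):
        """Bind `number` to `device` if the SMS code (and the PIN, if enabled) checks out."""
        entry = self.pending.get(number)
        if entry is None or time.time() > entry[2]:
            return False
        salt, expected, _ = entry
        if not hmac.compare_digest(expected, self._digest(salt, code)):
            return False
        if number in self.pins:  # second factor that SMS interception cannot reveal
            psalt, pexpected = self.pins[number]
            if pin is None or not hmac.compare_digest(pexpected, self._digest(psalt, pin)):
                return False
        del self.pending[number]
        self.registered[number] = device  # a new registration displaces the old device
        return True


def extract_code(text):
    """Pull the 6-digit code out of a verification SMS, as an attacker's script would."""
    m = re.search(r"\b\d{6}\b", text)
    return m.group(0) if m else None


def takeover_attempt(service, sms, number):
    """Attacker registers the victim's number on their own phone using only intercepted SMS."""
    service.request_code(number)            # triggers a code to the victim's number...
    _, text = sms.intercepted[-1]           # ...which the attacker reads off the carrier path
    return service.register(number, "attacker-phone", extract_code(text))


def run_scenario(two_step_pin=None):
    """Owner registers first, then the attacker tries. Returns
    (owner_registered, attacker_succeeded, device_holding_the_account)."""
    sms = SmsNetwork()
    svc = MessagingService(sms)
    number = "+37400000000"  # constructed sample number
    if two_step_pin:
        svc.enable_two_step(number, two_step_pin)
    owner_sms = svc.request_code(number)
    owner_ok = svc.register(number, "owner-phone", extract_code(owner_sms), pin=two_step_pin)
    attacker_ok = takeover_attempt(svc, sms, number)
    return owner_ok, attacker_ok, svc.registered.get(number)


if __name__ == "__main__":
    print("SMS only:        ", run_scenario())          # attacker wins
    print("SMS + 2-step PIN:", run_scenario("483920"))  # attacker blocked
```

Without the PIN the attacker's registration succeeds and the account silently moves to "attacker-phone", which is exactly what the Armenian victims experienced; with the PIN enabled the intercepted code is necessary but no longer sufficient. The same reasoning applies to any service whose only proof of identity is a code sent over a channel you do not control.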
Programmer Accidentally Hacks into Thousands of Robot Vacuums
An amateur programmer wanted to control his DJI Romo robot vacuum with a video game controller and instead accidentally discovered that he was able to control nearly 7,000 vacuums from the same manufacturer. When the programmer attempted to reverse engineer his DJI Romo's communication protocols, he found himself in the company's backend servers, able to access the cameras and microphones of other robot vacuum cleaners. He was also able to generate floorplans of the homes each vacuum belonged to. DJI has issued multiple patches that are supposed to fix this flaw, though the programmer says the vacuums remain vulnerable to other exploits. Read more at Malwarebytes.
The Bottom Line: Robot vacuums generally work by mapping the layout of your home, making them an inherent privacy and security risk. Many robot vacuum cleaners do this using LiDAR (laser-based ranging, similar in principle to radar but using light instead of radio waves), but some, like DJI's, use cameras, making the risk to your privacy even greater. If you plan on getting a robot vacuum, consider investing in one that does not use cameras or microphones. You should also research how secure the device is, whether its maps and video leave your home for the vendor's cloud, and what the company's privacy policy permits.
Everything you need to know about Appleās latest software updates.
- The most recent iOS and iPadOS is 26.3
- The most recent macOS is 26.3
- The most recent tvOS is 26.3
- The most recent watchOS is 26.3
- The most recent visionOS is 26.3
Read about the latest updates from Apple.
The correct answer is D: Hang up and go on about your business. Calls claiming to be from tax authorities are scams. If the tax authorities discover irregularities or mistakes, they will notify you in writing, by post, not in a phone call.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.