- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Use a password manager. Your iPhone has a great password manager pre-installed, called the Passwords app. We highly recommend you use it to create and store passwords.
- Turn off Visited Places in Apple Maps. Apple Maps has a new feature called Visited Places that tracks every place you visit, giving you a history of your location. If you don't want your iPhone tracking your every move, you may want to switch it off.
- Ignore virus warnings on your iPhone. The iPhone is unlikely to be infected by viruses through the web browser, so if you see a pop-up warning you of a virus, it's likely fake, and you should close the tab right away.
What should you do in the following scenario?
You're browsing the web when, suddenly, your whole screen freezes, and a window opens telling you that your computer has been infected with a virus. The window displays a phone number and instructs you to call it for assistance with removing the virus. What do you do? 🤔
- Restart your computer and run a malware scan.
- Call the number.
- Call Apple.
- Force quit your web browser.
- Something else (email us your answer).
Scroll to the bottom to see how you did!
This week, the US Supreme Court heard arguments about how law enforcement has used geofencing data to charge people with crimes. Geofencing is the practice of using location data to detect when a device enters or exits a certain area. In 2019, after a bank was robbed in Virginia, local law enforcement served a warrant to Google for geofencing data of phones that were in the area during the time of the robbery. Based on the data Google turned over, law enforcement made an arrest. The alleged bank robber has since challenged the legality of the warrant, arguing that it violated his Fourth Amendment rights because his location data was pulled from his Google account, which would normally be safely locked behind a password, and that law enforcement did not have probable cause to obtain that data.
The Supreme Court appears divided on the legality of the warrant, with some of the justices arguing that there is no reasonable expectation of privacy when you willingly allow Google to access your location, while others believe that the data you store in your Google account should be considered private. Justice Neil Gorsuch also worries that if the location data stored in a Google account is considered public, the government could potentially access other Google account data, like email or photos. You can read a concise summary of the case at NPR or head over to the SCOTUSblog for a more detailed write-up.
The Bottom Line: How the Supreme Court rules on this case could have an impact on how law enforcement can legally obtain the data of American citizens. For now, you may want to create offline backups for any important data that you've been storing in the cloud. If you exclusively rely on cloud storage, it's possible that this Supreme Court ruling could affect the privacy of your data.
Three Arrested in SMS Blaster Scheme
In Toronto, Canada, law enforcement arrested three people suspected of participating in an SMS blaster campaign. SMS blasters are essentially devices that imitate cell towers, causing nearby phones to automatically connect to them (since the connection is stronger than towers that are further away). The SMS blaster then (as its name suggests) sends out phishing or advertising texts to every device connected to it, allowing it to obtain credentials, financial information, or other personal data from thousands of phones at once. However, it also makes it easy for police to locate criminals using these devices, since they just need to follow the very obvious signal it broadcasts. This particular incident in Canada caused 13 million disruptions to the local network. Read more at Tom's Hardware.
The Bottom Line: SMS blasters are becoming more common but are relatively easy to thwart. Phishing texts are only effective if you willingly provide the information that the text requests. If you ever receive a text asking for banking details or to log in to an account, it is likely a phishing scam. One of the most common scams is the post package text scam. If you learn to identify this kind of scam text, you should be equipped to spot most phishing scams.
Data Breaches at Itron & Checkmarx
This week in data breaches, there was an incident at a utility technology company called Itron. The extent of the damage done by this breach and what systems the hackers accessed is not known at this time, but it does not appear that the hack caused any disruptions to electricity, water, or gas operations. Itron says that the hackers did not access customer data. Meanwhile, Checkmarx, a security company, had one of its GitHub repositories breached, resulting in the theft of some company data.
The Bottom Line: Data breaches will continue to happen to all sorts of companies, so it's important to take preventative measures for when your data will inevitably be leaked in one. Using a password manager and freezing your credit are great ways to ensure you're prepared.
Disneyland Using Facial Recognition
Disneyland has begun using facial recognition technology in its park. According to Disney, the tech captures images of guests' faces and matches them to images captured from the first time they entered the park in order to make entry faster. The park keeps the images for 30 days (unless they need to be kept longer for legal or fraud‑prevention purposes). Read more at The Hill.
The Bottom Line: If you want to opt out of Disneyland's facial recognition, you can enter the park through an alternate entrance along the Esplanade, where you can have your ticket manually verified.
Malicious Software Distributed to Users via Update
Elementary, an open-source command-line interface (CLI) tool that helps companies with complex networks monitor the performance of their systems, was compromised last week. Attackers were able to modify the software and push an update to users, which was likely automatically installed for those with automatic updates enabled (and those without automatic updates enabled probably installed it without giving it a second thought). Once installed, the malicious software stole any sensitive user information it could find. The attackers exploited a GitHub vulnerability to gain access to Elementary's developer account. The developers have since pulled the infected software and changed their login credentials. Check out the full technical breakdown at Ars Technica.
The Bottom Line: We always recommend only installing software from reputable developers. However, even trusted apps can be compromised, and just like in this story, malware can be pushed to your computer through a seemingly ordinary software update. Keeping a malware scanner, such as Malwarebytes, installed on your computer and doing regular scans can help protect you against this type of attack.
Apple Fixes Bug that Exposed Signal Messages
A couple of weeks ago, we reported on a story about the FBI accessing Signal messages through iPhone notifications. Last week, Apple pushed out an update to fix the exploit that the FBI used to access cleared notifications on a suspect's iPhone. The update notes refer to the exploit as a "logging issue," implying that this behavior was unintentional. Now, when you clear notifications, they should disappear permanently and will presumably no longer be accessible by any third party. You can read the full update notes at Apple.
The Bottom Line: Apple’s fix should have appeared in the regular update feed: Settings > General > Software Update. It may have installed automatically, but if it hasn’t, updating should only take a few minutes, and, as always, is worth doing.
Security Breach Affects Bitwarden App
That Checkmarx breach we mentioned a few stories back affected our favorite password manager, Bitwarden. Bitwarden has a command-line interface (CLI) that allows users to interact with their password manager using a command terminal—this CLI is an uncommon app made by Bitwarden, which most Bitwarden users never install. The hackers responsible for the Checkmarx breach managed to compromise it, and may have been able to access the password vaults of Bitwarden customers who had the CLI installed. Thankfully, the standard Bitwarden app and its browser extension are not affected. Read more at Socket.
The Bottom Line: If you use the Bitwarden CLI application, you should change your most important passwords right away. The CLI is not the regular Bitwarden app, so for the vast majority of Bitwarden users, there's nothing to worry about. We continue to recommend Bitwarden.
Software Company Loses Entire Database to AI
PocketOS, a company that makes software for car rental services, has lost its entire database. The company had been using an artificial intelligence coding agent powered by Claude to handle a variety of normal, everyday tasks. The AI ran into a problem that it could not solve and decided of its own volition that the only solution was to delete PocketOS's production database. This caused significant disruptions at the car rental businesses using PocketOS, as the deleted database contained customer records. It apparently took only 9 seconds to complete the deletion, giving PocketOS no time to respond or stop it from happening. Thankfully, the company was able to restore a backup a couple of days after the data loss. Read the full story at The Independent.
The Bottom Line: When using AI tools, it's best to ensure they don't have access to critical systems like an entire customer database. Even if you instruct the AI not to delete anything so important, there's always a possibility it could ignore your instructions and do what it thinks is best anyway.
- The most recent iOS and iPadOS is 26.4.2
- The most recent macOS is 26.4.1
- The most recent tvOS is 26.4
- The most recent watchOS is 26.4
- The most recent visionOS is 26.4
Read about the latest updates from Apple.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

