Security Newsletter | 12/11/25

If you take nothing else from this newsletter, just do these three things to protect yourself:

1. Enable Private Wi-Fi Address. If you see a Privacy Warning next to your Wi-Fi network name, we recommend enabling Private Wi-Fi Address.
2. Stop apps from tracking your activity. Apps sometimes request permission to track your data across different apps, but you can disable app tracking altogether and never see these requests again.
3. Lock your Private Browsing tabs with Face ID. If you don’t want others to be able to access your Safari Private Browsing tabs, you can lock them with Face ID.

The US Cybersecurity and Infrastructure Security Agency (CISA) has just released an update to its guidance document for how to best protect your iPhone from data theft. It’s only a two-page document, so it’s a quick read. Guidance about using a password manager, encrypted apps for messaging such as Signal, and a privacy-preserving web browser are all unchanged—still good ideas. The one thing that CISA has changed about its recommendations, and the one area in which those recommendations differ from what we teach in our security course, is they now say firmly that you should not use a consumer VPN. 

We at iPhone Life think this is very interesting guidance that should probably be taken with a grain of salt. They offer two main complaints about consumer VPNs: 
1: There are many on the market with poor or very poor security practices. Some are even malicious! Even if a consumer VPN has a good reputation and is not actively spying on its users, a consumer VPN may still be easier to hack than an Internet Service Provider (ISP).
2: Using a consumer VPN only shifts your trust from your internet service provider ISP to the VPN. To explain that, normally your ISP can see everything you do on the internet. When you use a VPN, the ISP is blinded, but the VPN can still see everything. Since most consumer VPNs are less trustworthy than ISPs, using a low-trust VPN actually makes the user less secure.

This is basically sound logic, but there are advantages to a VPN that the report doesn’t address. For example, if you’re not using a VPN, then your IP address may be visible to every website or web service you use, from Facebook to Zoom to OnlyFans, to a multiplayer game of Call of Duty. That may not be safe for you or your family, especially if your IP address is linked to your physical address (it usually is). Your IP address may also be used to track your behavior and build a profile of you for advertising and other purposes—profiles which are a gift to scammers and identity thieves. For these reasons, it may still be useful to employ a consumer VPN.

The Bottom Line: CISA’s concerns about consumer VPNs are legitimate and need to be taken seriously, but we suggest softening their final recommendation. Rather than “don’t use a consumer VPN,” we’d say to be cautious about which VPN you use. Make sure to use only the best VPNs with the best reputation, protected by data sovereignty laws and strict no-log policies. Do not use free consumer VPN services.

Porsches in Russia Rendered Inoperable

All across Russia, Porsches as old as 2013 were disabled throughout the past month. These particular models are all equipped with an anti-theft system that requires satellite connectivity to operate. It is assumed that the Porsches in Russia have been completely disconnected from the satellite service, rendering the vehicles inoperable, though the exact cause is still unknown. Drivers have found various workarounds to get their cars rolling again, such as disconnecting and reconnecting the battery. Read more at Autoblog.

The Bottom Line: This story demonstrates why requiring a constant internet connection to use important devices, such as your car, is a bad idea. We recommend avoiding purchasing vehicles that need to maintain a constant connection to satellites to work.

Should You Try Out an AI Web Browser? Security Experts Say Never

A new breed of web browser has appeared on the market lately, so-called AI Browsers such as Perplexity, Comet, or Opera Neon. The big idea is that the browser will use generative AI to actually fulfill tasks on your behalf. For example, you ask the browser for a recipe to cook for dinner, and then it can actually order the groceries necessary for that dish. Security experts at Gartner have examined this new breed of browser to identify its risks, and say that the technology cannot be safely used on corporate networks because it fundamentally prioritizes user experience over security. Gartner notes in its report that this is likely to stay true for the foreseeable future. The problem is the browser’s AI agent is essentially as vulnerable to social manipulation as if it were a person, except unlike people, the same strategy will work on every single instance of the AI. Thus, it is very easy to manipulate the AI into performing tasks that would compromise your computer, private data, or safety. While Gartner’s advice is targeted at executives and large companies with company secrets to protect, we would add that the same risks apply at a smaller scale to individuals. 

The Bottom Line: Do not use AI Browsers. An AI Browser is defined, in this case, as one that allows the AI agent to take material actions. It doesn’t just generate text, it actually performs tasks on web pages—a feature called agency.

Smart Toilet Camera Not as Encrypted as Originally Claimed

What could go wrong with having a smart camera in your toilet? No, seriously. Earlier this year, Kohler released a device that attaches to the side of your toilet, with a smart camera pointing downward into the bowl. The idea is that the camera can capture images of your waste, analyze it, and give you information about your health that you might not even know yourself. It’s a nice idea in theory, but like most smart devices, it means entrusting a private company with private, sensitive images. Initially, when the product launched, Kohler claimed that the images captured by the device were end-to-end (E2E) encrypted.

Traditionally, E2E encryption means that the data is encrypted on your device and cannot be unencrypted by the companies that transmit or store it, only by the intended recipient—in this case, you—meaning not even Kohler should be able to access the data. That’s how iMessage and WhatsApp work. However, a security researcher recently published a blog post claiming that while the images captured by the smart toilet camera are encrypted on the user’s device and while in transit to the company’s servers, Kohler does have access to the images on its server. Not only that, but if users opt in, the company can de-identify the images and use them to train AI. This falls outside the definition of E2E encryption. However, according to TechCrunch, Kohler has since updated the product page for its toilet camera to remove any mentions of E2E encryption.

The Bottom Line: Encrypted or not, most of us probably don’t want cameras pointing at our toilet bowls.

The correct answer is 1: set up the passkey. Passkeys are far more secure, and also more convenient, than passwords. Use your password manager to save the passkey. If you don’t use a password manager (you should!), your new passkey for Amazon will save to the Passwords app, which comes with your iPhone. 

If you’d like to know more, here’s How Passkeys Work & How to Use Them on iPhone

Want to keep your passwords secure? Check out:

• How to Make a Strong Password & Things to Avoid
• Best Password Manager for Your iPhone