
Chrome Security, 95% Accurate Acoustic Attacks, and QR Code Parking Scams – Intego Mac Podcast Episode 304

There’s a lot of news about Google this week. Chrome will move to weekly security updates for its stable channel, starting with Chrome 116, because of the steady stream of vulnerabilities in the browser and the Chromium engine that other browsers share. Google is encrypting RCS chats by default. A $5 billion lawsuit against Google highlights misunderstandings about private browsing, or Incognito mode. Meanwhile, Amazon sells expired Chromebooks as new, and a new acoustic attack is 95% accurate at recovering your keystrokes from the sound of your typing.


If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.

Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.


Transcript of Intego Mac Podcast episode 304

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, August 10, 2023.

This week’s Intego Mac Podcast security headlines include: browser makers get ready to get busy as Chromium will start releasing more frequent and regular updates. QR code parking scams may be coming to a parking meter near you; Google and Amazon have been accused of selling so-called “new” but actually outdated and un-updatable Chrome devices. And you may have heard that Apple can lock users out of their accounts for bad behavior. It happens more often than you think. Why? And should you be worried? Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.

Kirk McElhearn 0:56
Good morning, Josh. How are you today?

Josh Long 0:57
I’m doing well. How are you, Kirk?

Kirk McElhearn 0:59
I’m doing just fine. Can I throw in a personal event here? My cat Titus is 10 years old.

Josh Long 1:04
Wow. Congratulations. Happy Birthday, Titus.

How will Chromium’s new release schedule affect the security of Chrome browsers?

Kirk McElhearn 1:07
Titus often interrupts while we’re recording podcasts. We want to talk about security updates for Opera, because Josh has been on this anti-Opera kick lately. It’s fair to point out that Opera doesn’t update things in a timely manner. And then what, do they update once a month or something like that? And there have been a number of zero-day vulnerabilities for Chrome, so any browser that uses the Chromium engine, of which Opera is one. And actually, was it you who tweeted, and then Opera went to update the browser because you reminded them that they hadn’t updated?

Josh Long 1:42
I’m not too surprised that Opera didn’t actually respond to me on Twitter. Today is officially seven days since Chrome released a bunch of security updates. They were released as part of the Chromium update. Chrome is based on Chromium, and several other browsers are also based on Chromium. And Google released an update for its Chrome browser on that day. It fixed 17 security issues. Nine of those were high-severity vulnerabilities. The following day, Brave and Vivaldi, which are both Chromium-based browsers, updated their browsers. And then just two days ago now, as of when we’re recording this, which was August 7, Microsoft finally released a corresponding Microsoft Edge browser update. But as of yesterday, I noticed that still nothing from Opera. And so I tweeted about it and tagged Opera and Opera GX, which is supposedly a gaming browser, and no response. But then today, interestingly enough, they finally did release the Chromium update into their browsers. So if you are on Opera, and you update it today, then you will get the latest Chromium updates. However, this is kind of an unfortunate pattern. It does seem that Opera typically takes longer than the other browsers to implement the new Chromium versions, which means it takes longer to get security updates. So I would recommend, if you really care about security and privacy, don’t use Opera as your main browser.

Kirk McElhearn 3:21
I was going to say, if you’re on Opera, why are you still using Opera? Because we’ve seen this. We talked about this a couple months ago, a similar situation, and they took 10 days at that point to release an update. It’s because they generally release updates according to a schedule rather than when they’re needed. And this brings up an interesting thing about Chrome itself. Google is going to start issuing weekly updates to Chrome, to the stable channel of the Chrome browser, because they realized just how much of a problem it is for security. I think, you know, they’re probably doing this because they might risk losing market share in the enterprise market if they’re too slow getting these updates. And they really want to keep that market share, don’t they?

Josh Long 4:04
Yeah, that could be one of the reasons. I do think this is interesting to see. Because now you’re going to have companies, like everyone who implements Chromium, now they’re going to feel even more pressure to quickly update their browsers, because otherwise they might be two patch cycles behind if they wait a week. Now they’ve got to be extra careful about this, starting with Chrome version 116. Once that becomes the stable version of Chrome, then they’re going to be on this weekly release cycle. It will be interesting to see how the other browser manufacturers decide to handle that. Are they also going to start patching on a weekly basis? I would guess that most of them will. Opera, maybe they will, but they might always be a week behind. I don’t know. We’ll see.

Kirk McElhearn 4:51
How long do you think it will be before we get to Chrome 116?

Josh Long 4:54
Version 116 will be promoted to the stable channel on August 15. This is coming from developer.chrome.com, apparently the official Chrome developer website, and that means that we’re going to start seeing Chrome updates on a weekly basis, starting just next week.

Old and un-updateable Chromebooks are being sold as new

Kirk McElhearn 5:12
In other Google Chrome news—and this is totally unrelated—we found a story in Ars Technica; the title is “Absurd: Google, Amazon Rebuked Over Unsupported Chromebooks Still for Sale”. Now, Josh has been on a crusade for years talking about old devices, particularly routers, which are very important, but also Apple’s Apple Watch Series 3, which they were selling even after announcing that it wouldn’t get the latest version of watchOS. We’ve talked in recent episodes about the danger of using old iPhones and old Macs, and what you can keep up to date in many different ways. So this is an interesting story for us. And initially, you can assume, well, it’s third parties selling used and refurbished devices, but it wasn’t in one case. It was a Chromebook, released in 2017, that was listed as being sold as new by Amazon and fulfilled by Amazon.

Josh Long 6:04
When we saw this article, my first reaction was, this is probably Marketplace. And sure enough, that’s what it is, in the screenshots that they provide in this article. The first screenshot is “sold by Direct Distributor,” which is the name of a company, and “fulfilled by Amazon.” So that was the first thing I saw, and I go, yeah, but this stuff happens all the time. And sure, maybe Amazon should still have some culpability if they’re selling these expired devices to people. But what got even more interesting was when I checked out one of the listings, because they do link to a couple of these things on Amazon and Walmart. It actually told me that I could now get this Chromebook brand new, not just shipped from Amazon, but sold by amazon.com. So Amazon, the company, is selling this Chromebook brand new, quote unquote “new,” because it’s not been opened yet. But it’s not new in the sense that it’s actually out of date and not going to get updates anymore. But $550. Wow.

Kirk McElhearn 7:09
For something that’s already out of date, so that when you buy it and take it out of the box, it’s already vulnerable to all sorts of zero-day vulnerabilities that have been patched.

Josh Long 7:18
It was one thing when some third party was selling this for 65 bucks. Like, maybe some people don’t really care about security, and you know, they just want some cheap thing that they can get on the internet with really fast, and they don’t really care about those implications. But $550, and it’s actually coming from Amazon in this case, like, now that’s actually absurd.

Kirk McElhearn 7:41
Yeah. I think that the company should have liability for this. But we talked about that Cyber Trust Mark in our last episode, right? And this is something with the QR code that would allow you to get information when you buy a device, whether it’s still getting updates, etc. Now, you wouldn’t see this on the Amazon website, unless they’re forced to link to information, which would be good. But when you get the device, you’d see the QR code. And this would give you an idea that it’s unsafe, and you can return it to Amazon. I have to tell you something. Since we talked about the Cyber Trust Mark, I actually saw an item with a QR code and an official mark like that. It was not the Cyber Trust Mark, it was—you’re gonna have to tell me the name—the thing you put on a toilet for a little kid to use a toilet? What do you call it? They call it a potty here. On the side of the device, there’s a little mark, I believe it’s a TÜV, which is a German standards organization, with a QR code. And I found that interesting. And I was thinking, I think that child car seats also have QR codes for the same reason. So you were saying initially about the Cyber Trust Mark, why are people going to assume that this QR code gives information? But I think it’s being used already in a number of areas. Maybe not in the US. But I think this is something that they didn’t just make up. I think this is starting to be used in a lot of areas.

Josh Long 9:02
Yeah, there are regulations in other industries. It makes sense for child safety reasons. But you know, we have internet safety reasons to have such a QR code and such a mark. It’ll be nice when we have those standards, as long as—like I was talking about last week—as long as they don’t imply that it’s indefinitely safe. That’s the thing that’s a little concerning.

If Apple locks you out of your account you can’t recover your data

Kirk McElhearn 9:23
We want to quickly talk about something, and we’re not really sure about this. “Another User Locked Out of Their Apple Account.” We’ll link to Michael Tsai’s blog. Michael has a wonderful blog about Apple-related stuff. And it’s a link blog, but he has multiple links about stories and comments. And we don’t know the true story here. A user may have done some sort of fraud with multiple chargebacks. This links to a Hacker News story, and it’s really not clear what’s going on, but someone got locked out of their Apple account. The reason I want to talk about this is, first, don’t put all your eggs in one basket. I mentioned to Josh before we started recording that the reason I will not host my personal email on Apple, on iCloud, is for this reason. If for some reason my iCloud account is locked for any reason, let’s say someone tries to get in and it’s locked for security reasons, then I can’t get either of my email addresses, right, my mac.com and my personal email address. The second thing is, back up all your stuff. Yes, if you get locked out of your account, you can’t use your apps, but you gotta have your data. If you’re using iCloud Drive, make sure you’re backing it up. If all you have is an iPhone, it’s not really easy to do. But if you’re using a Mac, make sure you use, I don’t know, Intego Personal Backup, for example, to back up your stuff regularly. Because if you do get locked out, and you lose access to your files, that could be problematic.

Josh Long 10:44
And that’s a good point. Because some people use their Notes as their personal journal. What happens if somebody either hacks into your account and then you lose access to it, or you pass away and you don’t have a legacy contact set up for your Apple ID? That journal may be gone forever. If you have things like that, that you’re recording for posterity, make sure that you’re actually backing them up someplace outside of the Apple cloud.

QR code scammers are targeting parking metering services

Kirk McElhearn 11:09
Okay, you know what skimmers are, right? When people will stick a thing over an ATM so they can read your card? Well, criminals have a new way of doing this. They use QR codes that you scan to pay for parking. And they just, I mean, it kind of sounds dumb. All they have to do is paste the fraudulent QR code on top of the QR code on the parking meter or whatever. And then you get scammed, because you think you’re paying for parking. Now, over here, a lot of places there are specific apps that you can use to pay for parking. So it’s not like a QR code that takes them to the web. It’s a QR code opening an app that you have. I’m not sure how it is in the States. But we have an article here from the Better Business Bureau warning about a spike in QR code parking scams.

Josh Long 11:50
Right. Some clever trickster decided, I can make a website that looks a lot like the legitimate parking site, and I can trick people into giving me their credit cards. They stuck a bunch of custom QR codes over the top of other QR codes. And this is the thing that I was also talking about last week on the podcast, that if you’re starting to stick QR codes on all these products, I have seen legitimate products where somebody has stuck a sticker label over the top. Usually that’s the actual company behind the product, and they realize they made a mistake or something has been updated, and so they stick a sticker over the top. But you don’t know, when you see a sticker over the top of another QR code. I mean, this really could be something exactly like the Better Business Bureau was talking about here, where somebody may actually be trying to defraud you.

Kirk McElhearn 12:42
Alright, we’re gonna take a break. And when we come back, we’re going to talk about a really interesting way that hackers can steal data from the sound of your typing.

Voice Over 12:52
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Ventura, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

Researchers can discern which keys of a computer keyboard are pressed based on acoustic analysis

Kirk McElhearn 14:08
So a team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%. Now imagine this: you’re on a Zoom call with someone, you’re on a Zoom call with 300 people. You ever do one of those webinars or something, or someone’s presenting a product and it’s 100 people? Maybe one of them’s listening to some of the people as they type, you know, they type into the chat window, and they’re able to get a profile of the sound of your keyboard. And later, maybe someone, I don’t know, they send you a Zoom invite or something. And how do they trick someone into actually entering a password?

Josh Long 14:48
Well, I think this would be harder to do over Zoom. Zoom, I think, filters out some ambient room noise. However, this is something that you could plausibly pull off in a real-world attack scenario, which is what they’re really doing with this research.

Kirk McElhearn 15:04
But the researchers say that when Zoom was used for training the sound classification algorithm, the prediction accuracy dropped to 93%, which is still dangerously high.

Josh Long 15:13
That’s actually really surprising. (Yeah.) Because I would expect you wouldn’t even be able to pull something like this off necessarily over a Zoom call or some similar type of calling system. The whole idea behind this attack, they describe the attack scenario, and basically, you have to train based on their actual keyboard. So if you know that somebody’s got a particular model of MacBook Pro, as they mentioned they tested on, then, you know, maybe you don’t necessarily have to get a sample from their actual MacBook Pro, because you can find a similar enough device and kind of recreate it. But then, yeah, just recording some audio, that might be enough. The whole idea behind this really is they talk about acoustics, and how there’s a slightly different echo, a slightly different pattern, if you hit one particular key versus another key. And so they can get a fairly good idea of what keys you’re typing, especially if it looks like you’re typing English words. Of course, this was a series of British universities that got together and did the study. So if you know what language the person’s writing in, and you know what kind of keyboard they’re using, then just having a sample of that audio of them typing might give you a way to find out exactly what they’re typing.

Kirk McElhearn 16:34
So it’s not so much the language, but it’s the keyboard layout. In the US we have a QWERTY layout; in France, they have AZERTY. I use a Dvorak layout, so I’m not typing the same letters on the keyboard that the keyboard is displaying. So that would trip them up a little bit.

Josh Long 16:51
How do you even get an Apple device that has a Dvorak keyboard?

Kirk McElhearn 16:56
Apple has supported Dvorak since the 1990s, probably the early 1990s or the mid 1990s. I’ve been using Dvorak since 1996, when I became a freelancer and decided to teach myself to touch type. And I had read up on Dvorak saying it was more efficient. I’ve been using it ever since then.

Josh Long 17:15
So you can get this built into your Mac, or do you get an external keyboard?

Kirk McElhearn 17:19
Oh, no, no. My keyboard says QWERTY, I just don’t look at the keyboard, I touch type. So I’ve set it in System Settings, I’ve set the keyboard to the Dvorak layout. And you have all kinds of layouts, as long as I touch type. And of course, I remember that the A is the A and the S is the E and the D and the GSCI. And all that, so I can look and make the translation in my mind when I need to, like when I’m pressing Command-V, I know it’s Command-K, that sort of thing.

Josh Long 17:43
So basically you’re Rain Man. (On the keyboard, sort of.) No way I could do that. That sounds complicated…

Kirk McElhearn 17:50
I’ve been doing this for more than 25 years. So you get used to it. But the point is that they wouldn’t be able to detect among the small percentage of people who are using Dvorak, or other alternative layouts, or one-handed layouts, because those exist as well. I think they would have difficulty depending on typing styles. Because, you know, there are some people who type really hard with two fingers, and there are others who type really soft with a lot of fingers. It would probably be easier with a built-in keyboard on a MacBook or MacBook Air, because they’re familiar with that model, than, let’s say, a mechanical keyboard or third-party keyboard.

Josh Long 18:24
They do mention in this article some possible mitigations. So if you suspect that somebody might be recording your keystrokes, like, you know, the audio of your keystrokes, then what you could do is, like when you’re typing in something extra sensitive, you could change your typing style. You know, so maybe you poke extra hard, you know, one finger at a time, using only your index fingers, if you’re used to typing with all of your fingers. Or, they say, if you’re trying to prevent people from getting your passwords, you can use randomized passwords rather than passwords based on dictionary words, which you probably shouldn’t really be doing anyway. But another thing that you could do is you could use a virtual keyboard, because built into the Apple operating system on the Mac, and really, I think you could do this on Windows and probably Linux as well, you can get an onscreen virtual keyboard. And then it’s going to take longer to type that way. But at least it prevents people from being able to figure out what you’re typing based on acoustic attacks, at least until they figure out how to determine where you’re clicking on your screen based on acoustics, and then you’re in big trouble.

Kirk McElhearn 19:35
Right, because the virtual keyboard is not a touch keyboard; you’re actually clicking your mouse on each key. And this is something that you occasionally use when there’s a special character you just can’t remember where it is. So you display the virtual keyboard, you press Command, Control, Option, whatever, to see the characters, like the TM trademark character or the R registered character, etc. Another mitigation is just learn to use a Dvorak layout, and then it’ll be fun.

Josh Long 20:01
Quick pro tip. If you hit the function key, or Fn key, on your keyboard, if you press it once or twice, so depending on what keyboard you’re using, if it’s built in or external, it might be one touch, it might be two touches.

Brave adds image and video search to its Brave Search

Kirk McElhearn 20:15
Right. I have mine set to turn on dictation with that key, because I always ac—because I accidentally pressed it so many times and got the emoji picker, and I don’t want to see it. Okay, you like the Brave web browser. It is a quote unquote “privacy-focused” browser, and they are launching their own image and video search. Brave already has their own search engine; I must not have noticed when we did an episode talking about that.

Josh Long 20:41
Right. I don’t personally use Brave Search. But, you know, maybe I’ll start to give it a try. Because it does seem kind of interesting that originally, like most search engines that are not Google and Bing, they’re usually based on some other search engines. So they’ll get some of the results from one of the main search indexers. Right, that’s the thing, is like, you need a good, reliable index. And there’s not very many companies that have indexed the entire web and done a very good job of it. So frequently, other search engines will just, you know, base their results on something that another previous engine has already done. So Brave announced back in April that they were no longer going to be using the Bing index. So they were going to start phasing that out. And so this is the next phase in that plan. So if you go to search.brave.com, you can try it out, you can do searches there. Now, they also have their own image and video search as well as part of their search engine. And you can do this in any browser; you don’t actually need the Brave browser in order to use Brave Search.

Kirk McElhearn 21:52
Well, that’s interesting. What’s the end game for Brave then? To get more people to use the browser?

Josh Long 21:56
So on the Brave site, they actually say that Brave Search doesn’t track you, doesn’t track your searches, doesn’t track your clicks. And they’re not beholden to Big Tech. And so they offer Brave Search Premium for $3 a month, which allows you to support them and their mission. So I guess that’s the idea behind this, is that they’re hoping that you’ll get so used to using Brave Search that you’re going to be like, oh, this is cool, I want to support them, and you’ll pay for Brave Search Premium. So they’ll get their $3 a month from you.

Kirk McElhearn 22:26
Three bucks a month isn’t a lot. It’s probably cheaper than a box of Cracker Jacks.

Josh Long 22:31
Well, and you know what, I think this is a good thing to do. If you want to support, you know, independent companies that are not giving all your data to Big Tech, that are in support of your privacy, three bucks, it’s a pretty good donation.

Lawsuit targets Google’s Incognito Mode for information tracking

Kirk McElhearn 22:45
Okay, speaking of Google and big companies that snarf up your data, there’s a $5 billion Google lawsuit over Incognito mode, which is private browsing, which apparently, when people were using Google’s private browsing, they weren’t private, because Google tracked internet activity even after users turned on private browsing mode. And this goes back to at least 2018. As always, it takes a long time for these lawsuits to actually get to court. And I don’t know, it seems like Google’s arguing that people didn’t read the terms and conditions, and so it’s okay.

Josh Long 23:18
Yeah, I feel like, I know we’ve talked about this before, and this has been going on for a long time. But this is one of those things where I think people had an expectation of privacy where they probably shouldn’t have had an expectation of complete and total privacy. However, I sort of understand, if you’re not reading the fine print, you might believe that a private browsing window is going to keep you completely private from all the things everywhere. And, well, it doesn’t exactly work like that. Because in a typical browser, a private browsing window doesn’t hide your IP address. So, you know, somebody can know where you are in the world, sometimes even down to your neighborhood, depending on how granularly your internet service provider indicates, based on your IP address, where you are. But it’s more than that, right? They’re saying, well, you shouldn’t have been able to track anybody doing anything at all if they were in a private browsing window. So even if they signed into their Google account while in a private browsing window, you shouldn’t have been able to track them in any way whatsoever. And, well, I think that it mostly comes from a misunderstanding of what private browsing windows are supposed to be. And some of that just comes from the language of private browsing, right? You make assumptions when you hear “private browsing” that perhaps you shouldn’t make.

Google’s RCS message service now encrypts text conversations by default

Kirk McElhearn 24:47
Okay, more Google. Now, we talked about the infamous green bubble last year, about how Google wants Apple to do things Google’s way so people don’t get embarrassed by having a green bubble in chat messages. They’re now encrypting RCS conversations by default. Now, RCS is the Google standard for instant messaging, which is the competitor to iMessage, essentially. And it’s actually a technology that Google sells; they will sell you a server, if you’re a phone company, to use RCS. Encrypting conversations by default, that’s kind of interesting, especially because we were talking last week about how the UK wants Apple to put backdoors in Messages and FaceTime. If Google is now encrypting RCS conversations by default, the UK is going to want them to do it too. And this is going to be a bit of a problem for all the companies who won’t do this in the UK.

Josh Long 25:39
Yeah, that’s actually a really good point. Because, you know, if everybody is using a relatively recent Android device, you know, two people with Android are gonna be texting each other using RCS with encryption by default now. So yeah, I don’t think the UK is going to be very happy about that either. So we’ll see what happens there. Again, as we mentioned recently, this is a proposed law in the UK, so we’ll see whether this actually passes. But that could be a problem for them. What’s really interesting about this is that we’ve got Google doing their encrypted RCS, and, you know, Apple has been using end-to-end encrypted iMessages for years. So they’re kind of killing off the text message, that plain old SMS text message. They’re still going to be around for a while, I presume, because, you know, you’ve got people with older devices or non-Android, non-iPhone devices. Not that there are that many of them anymore. But that old SMS standard, unfortunately, is going to still hang around for a while. Not to mention that unless Apple ever adds RCS functionality into its Messages app, it’s going to fall back on SMS whenever you, as an iPhone user, text an Android user, which is just terrible. I mean, just add RCS at this point. You can still make it green bubbles. But at least then there are encrypted, end-to-end conversations that you’re able to have with Android users. I mean, that’s better. It can still be a green bubble, you can still exclude all the features that you don’t want Android users to be able to get. But at least it’s better for people’s privacy that way.

Kirk McElhearn 27:22
I’m going to disagree with you about SMS disappearing, because there are, I want to say, billions of what are called edge devices, Internet of Things devices, that communicate by SMS. In other words, this is the simplest way of sending data of, let’s say, temperature, and, you know, other sorts of data like that. And they use the most basic way of sending data, and this is used in enterprise an awful lot. So I can’t see SMS dying out anytime soon, because it is kind of a lowest common denominator.

Josh Long 27:51
True, true. However, if you are relying on SMS for anything important, maybe reconsider that.

Kirk McElhearn 27:57
No, not important, but I’m talking about data collection of things like a daily or an hourly temperature reading, or things like that: the kind of data that’s not important, but the kind of data that needs the simplest method of transmission, that doesn’t require 5G, for example. Okay, that’s enough for this week. Next week, we’re going to take a deep dive into private browsing and look at which browsers are the safest and the most secure for private browsing. Until next week, Josh, stay secure.

Josh Long 28:25
All right, stay secure.

Voice Over 28:28
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
