The Mac Security Blog

Vintage, Obsolete, and a Few Anniversaries – Intego Mac Podcast Episode 338

Apple calls old devices “obsolete” and “vintage”; what exactly do these terms mean? Alternative iPhone app stores will soon be available in Europe, and new details suggest that some extra effort will be required from users. And all of Apple’s M-series processors have a newly discovered vulnerability that can’t be patched without some compromises on speed.




Transcript of Intego Mac Podcast episode 338

Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, April 4, 2024.

This week’s Intego Mac Podcast security headlines include: The designations “obsolete” and “vintage” are used by Apple for certain kinds of older devices. What exactly do the designations “obsolete” and “vintage” mean? Alternative iPhone app stores will soon be available in Europe and new details suggest that some extra effort will be required from users. And Apple’s M-series processors all — that’s right, all — have a newly discovered vulnerability that can’t be patched without some compromises on speed. We have the details. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist, Kirk McElhearn, and Intego’s chief security analyst, Josh Long.

Kirk McElhearn 0:58
Good morning, Josh. How are you today?

Josh Long 1:00
I’m doing well. How are you, Kirk?

This week contains significant dates in tech history

Kirk McElhearn 1:01
I’m doing just fine. We have two anniversaries this week. We had one anniversary on Monday. And it wasn’t an April Fool’s joke. We’re recording on April 3. So Monday was April 1. And we have another anniversary today. Which do you want to talk about?

Josh Long 1:13
Well, let’s go chronological. What was the first anniversary we’re celebrating this week?

Kirk McElhearn 1:17
Well, actually, it’s a double anniversary. The first was the founding of Apple in 1976. And the second was the introduction of Gmail in 2004, 20 years gone. I remember that day well, that everyone thought it was an April Fool’s joke. What, free email with one gigabyte of storage? No one believed that at the time. And by the end of the day, people were realizing that Google was doing this intentionally, April 1, haha. And I would argue that this is one of the biggest changes to the Internet. In the past, when he used the fact that anyone could get a free email account with lots of storage. Did you get a Gmail account immediately when that came out?

Josh Long 1:55
I don’t think it was on that day. But I did get one shortly after that. And I’ve been using that account ever since, in spite of you know, potential privacy concerns, and all those kinds of things. But as we’ll talk about later, in the show, at least Google is moving in a better direction in some areas on privacy.

Kirk McElhearn 2:14
So the other one was Apple’s founding in 1976. We won’t talk about that now. We’ll talk about that in two years, because that would be the 50th anniversary of Apple. And that’s a big deal. And so what about the anniversary today?

Josh Long 2:26
Today, as we’re recording this on Wednesday, April 3, this is the 14-year anniversary of when the first iPad shipped. Not a round, you know, five or zero ending number, but 14 years is a long time for a product to be around. Now, this is also roughly 18 months since the last time that any iPad in the product line was refreshed. It’s a little long in the tooth. And by the way, the recent rumors have been saying that Apple has decided that it’s not going to release iPads until May.

Kirk McElhearn 2:57
That’s what the rumors are saying. But as I’ve been saying, I think that this is pointing to a massive refresh across the iPad line that’s affecting all devices, not just, you know, they would do two devices here and two there, the Pro here, the mini there. And I think that something is going to change across all of them. Now, this gets us close to the Worldwide Developers Conference in early June. And, you know, Apple is bringing in AI features and iPads do have chips that have that neural engine or whatever to do AI. And I’m wondering if it’s somehow related to that, what we see in new iPads is going to be related to the new features we’re going to see in the operating systems in the fall.

Josh Long 3:38
If you’re waiting for Apple to release a new iPad to get a new model, or debating about whether you should, I would say at this point, yeah, I mean, I guess it’s like it’s a month away, theoretically. But we’ve also been hearing that for the last like seven months or so. So I’m pretty sure that Apple’s coming out with a new model pretty soon. But you know, who knows, really, at this point.

What do Apple’s designations of “obsolete” and “vintage” mean?

Kirk McElhearn 3:58
Okay, we want to mention that on April 1, and this was not another joke, Apple announced that the iPhone 6 Plus was obsolete and the iPad mini 4 is now vintage. We wanted to discuss what obsolete and vintage mean in regards to these old devices. And vintage doesn’t mean it’s better because it’s old, like, you know, a 20-year-old bottle of wine. Josh, you want to explain?

Josh Long 4:18
Well, there’s a lot of misconceptions about what this means. Every single time that Apple adds something new to the vintage or obsolete list, I see people talking on social media about this. And they go, “Oh, you mean I can’t use my whatever, insert product here, anymore?” And I’m like, “Oh my gosh, you’re still using that product? It hasn’t been getting security updates for years now.” Because there’s kind of a disconnect between what Apple considers vintage and obsolete and devices that they are no longer releasing security updates for. Typically they stop releasing security updates for products well before they ever get on the vintage or obsolete list. So when Apple calls a product vintage, that means that more than five years have passed since the company stopped distributing that particular device for sale. Now obsolete is seven years. And the difference is basically that once it hits that obsolete mark, then Apple’s not ordering products, they’re not going to stock them in Apple stores. And so it’s less likely that you’ll be able to get one of those devices serviced, or they will refuse to service it, if it’s been more than seven years past the last time that Apple was distributing the device for sale.

Kirk McElhearn 5:32
And you talk about them not getting security updates. It’s not just that; they haven’t been getting operating system updates. So both of these devices can only run iOS or iPadOS 15. That means that the last two versions, they can’t install at all. This doesn’t mean that they don’t work. This doesn’t mean that you can’t still use them to, I don’t know, read books or play games or things. It’s just not a good idea to use them on the internet, because they’re out of date, Safari is out of date, the operating system’s out of date, and you know, they don’t get security updates. But don’t throw them away, they’re still useful.

Josh Long 6:05
And it’s very likely that you probably know somebody who would be happy to have a device like that.

Alternative App Stores will require extra effort from users

Kirk McElhearn 6:11
Okay, we’ve been talking recently about the alternative app stores that the European Union has forced Apple to create, that has twisted Apple’s arm. The Verge has a very interesting article today, a first look at Europe’s alternative iPhone app stores. And you know what, this isn’t as simple as it could be to install an alternative app store. Now we mentioned how, when you’re in the European Union, and you open your device with, I guess it was iOS 17.4, you got a screen allowing you to choose a default browser, and it may or may not be Safari that you choose. It was one tap, right, to get the browser, to set it as a default, and to download it. Here, it’s a much more complicated process.

Josh Long 6:52
According to The Verge, the process goes something like this: you first of all have to click a browser-based link to load the alternative store. And then you get a pop-up informing you that your installation settings don’t allow marketplaces from that developer. So behind the scenes, this means that Apple has to have approved that developer to distribute its own app marketplace. You can’t just have any random developer decide, okay, well, I’m gonna make my own app store; they have to get that approved by Apple first. So assuming that you’re using an app marketplace that has been approved by Apple, then you get this prompt. And then you have to go into Settings, you have to enable that marketplace, then you return to your browser, then you click the download link again, then you receive another prompt asking you to confirm the install. And then finally, you can open the store and browse whatever apps might be available in that store. So it’s a very annoyingly difficult process. I think Apple does this very intentionally. By the way, it is an annoying process, to be fair, on Android too, maybe not quite so many steps. But if you want to install apps from a third party, outside of the Google Play Store, or whatever particular app store comes with your device, there is a process that you have to go through. And it is a little bit annoying, and a little bit obscure. Android also tries to kind of hide that too, because it’s for your safety.

Kirk McElhearn 8:19
It’s for your safety, but it’s also for the company’s income. The share of Apple’s revenue that comes from services has been slowly increasing over the years. And we’re gonna link to an article on AppleInsider. And it points out that in 2015, 9% of Apple’s income came from services. 2024 is 24%. So it’s going to be 25% next year, if not even more, and Apple is morphing into a services company, which I’ve been saying for years, because you can see once Apple became willing, you knew Apple wanted to be a bank, once they realized how much money there was in in-app purchases for games. And if 25% of their revenue comes from services, they’re going to be paying more attention to how to increase that services revenue, rather than worrying about selling hardware. What do they need to sell hardware for anymore? I mean, razors and blades, right? If it gets to the point where they’re making so much money from services, maybe the cost of the iPhone will drop, because Apple is making so much money? Probably not, they won’t drop the cost of the iPhone.

Josh Long 9:16
No, they won’t drop the cost of the iPhone. But this is actually interesting, though, to consider that at least in some parts of the world, at least for now, it’s just EU countries. Once these third-party app stores or app marketplaces, whatever Apple wants us to call them, start to become available, then that’s going to chip away a little bit at the services revenue that Apple’s getting, because now they won’t be getting the in-app purchase revenue from apps purchased or downloaded from these third-party marketplaces.

Can Apple AirTags detect other brands of trackers?

Kirk McElhearn 9:47
Okay, we have a couple of stories about AirTags. iOS 17.5, which was just released in beta to developers, might expand, and I’m stressing the might here, it’s not sure that this feature will actually be included. It might expand the “found moving with you” alerts to third-party item trackers. Now you get one of these alerts if you’re near an AirTag long enough, not just five or 10 minutes, but if you’re, for instance, I have an AirTag in my car, if someone’s riding in my car long enough and they have an iPhone, they’ll get no word that there is an AirTag found moving with them. But they wouldn’t find this if I had a Tile tracker. Of course, if my car got stolen, the Tile tracker would be useless to find the car, unlike the AirTag. So it kind of sounds like Apple wants to extend this to other devices, other trackers, but it also kind of sounds like they’re trying to head off potential European Commission regulations to say, well, you’re not interoperable enough.

Josh Long 10:41
It could be, maybe it’s a little bit of both. I would like to think that Apple was probably already planning this sort of thing because privacy, that’s iPhone, right? That’s what Apple wants us to believe. So specifically, in iOS 17.5, the new beta that just came out, the text now reads, “You can disable this item and stop it from sharing its location with the owner. To do this, follow the instructions provided on a website by the manufacturer of this item.” So basically, Apple is implying that they’re going to start working with other device manufacturers. And there’s a number of manufacturers that have all kind of said that they’re interested in following along with this industry specification that Apple proposed last year. So if you happen to have one of these other trackers, that could potentially in some future version of iOS, whether it’s 17.5 or sometime after that, it may be possible to use these third-party trackers with Apple’s “found moving with you” feature as well.

Kirk McElhearn 11:45
Okay, one more AirTag story. If you live in Vermont, the Vermont authorities have been warning you to check for hidden AirTags if you have taken a road trip to Canada. Now we’re trying to figure out what’s the relationship between AirTags in Canada and stolen cars. But it’s important to know that Canada’s maple syrup reserve has hit a 16-year low. It’s designed to hold 133 million pounds of maple syrup. But in 2023 it fell to 6.9 million pounds. Now it could be that maple syrup bootleggers are trying to find some way to replace the income and they’re trying to steal cars.

Josh Long 12:19
Hmm, yeah, that seems like the most logical answer to this.

Kirk McElhearn 12:23
Okay, you didn’t know about the Canadian maple syrup reserve?

Josh Long 12:26
No, I didn’t. So this is really important information. The strategic reserve in Canada. Yeah. Okay, so I think what’s going on here is that there have been reports of cars being stolen in Canada. And you know that thieves in Canada are putting AirTags on other people’s vehicles and tracking them so they can know where to go and rip it off later. Okay, yeah, but that can happen anywhere. It’s not a Canada-specific problem.

Kirk McElhearn 12:53
And that’s why I have an AirTag in my car. Let’s take a break. When we come back we’ll talk about a serious vulnerability in Apple’s M-series processors and more.

Voice Over 13:04
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

Is there a “best” way to avoid multi-factor authentication attacks?

Kirk McElhearn 14:19
Last week, we talked about something called MFA bombing. And just to give a recap, MFA is multi-factor authentication, and when you go to sign in on an Apple device, it sends a request to another Apple device. In this case, it’s a Reset Password request, and people have been getting dozens of these, and the goal of the attack is to get you to be frustrated by all these and eventually tap yes instead of no, or accept instead of deny, on one of these alerts. Now we have an article on 9to5Mac that says here’s how to protect against iPhone password reset attacks, and we’re gonna say right up front, you can’t protect the way that they’re talking about, but they do say something. They say, 9to5Mac has heard from an Apple spokesperson about this issue. The company knows about the few recent cases of these phishing attacks, and Apple has taken action to solve the problem. Now, a couple of things bother me here. There’s nothing in quotes. We don’t know how many few recent cases there are, what kind of action they’ve taken. Later in the article, they mention that some people have been talking about this for at least two years. So it’s not new. Why did it come to a head now? I think because Brian Krebs wrote an article about it. The other problem is that 9to5Mac tells you here’s how to protect against it. Well, the first is to decline every one of these password requests. That’s good. But when you see a lot, and you’re busy, you might slip and, you know, accept one of them. The second thing they say is don’t answer phone calls. Don’t answer phone calls? You have a phone, it’s for getting phone calls. So if you want to prevent these attacks, don’t answer phone calls. Right? What’s the point of having a phone?

Josh Long 15:54
Well, okay, I think the context is, if you’re getting a whole bunch of these password reset related alerts, like, basically what’s happening is somebody has your password for your Apple ID, right? And so they’re trying repeatedly to get you to give up and just allow, because you think, well, maybe one of my devices is malfunctioning or whatever, or they’re hoping you’ll accidentally tap on the wrong button or something like that, right? And so if you are not responding, or you’re repeatedly denying these requests, then the next step in the attack is somebody’s going to call you. So I think what 9to5Mac means to say is, don’t answer phone calls at that point, even if it says it’s from Apple support, because they will try to spoof their phone number and make it look like they’re actually calling you from Apple support.

Kirk McElhearn 16:45
Interestingly, when I get a phone call from Apple support, it doesn’t say Apple support. In fact, here’s what happens when you open a case with AppleCare support: you go to the website, and you have Apple call you, right, so you’re initiating the request for the call. And here, it comes with a number from Cork, Ireland, because that’s where Apple’s European Service Center is. So it doesn’t even say Apple support. But you know, because you’ve just initiated it, and then you hear this voice: “This is Apple, are you ready to take the call,” etc. Anyway, the third thing that 9to5Mac says, and this is a good one, temporarily change your phone number associated with your Apple ID. I’m just gonna go out and buy a new SIM card. I’m going to just burn this existing phone number and not use it. And I’m sorry, I don’t know. I don’t know. And of course, the person says, keep in mind this will interfere with iMessage and FaceTime. Was this article published on April 1? No, it was published on March 28.

Josh Long 17:35
Okay, well, that last one, I can’t make any justification for that point. That doesn’t make any sense.

What is “Darcula”?

Kirk McElhearn 17:40
Okay, we have a new phishing service, I’d like the use of service even the article that targets iPhone users via iMessage. It’s called Darcula. It should have come out in Halloween, although maybe it did start in Halloween, right? Darcula sounds really scary. Anyway, Darcula is a phishing-as-a-service, PhaaS, and it’s using 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.

Josh Long 18:08
Okay, so here’s the one thing you need to know about this. This is kind of your standard thing where you get a text message, and it’s got a link, and they’re trying to get you to click on it. And they’re telling you that some package of yours has been delayed or whatever. There’s a number of other things besides package delivery services that they might use. But they give you a link to click on or tap on on your phone. And then it takes you to a phishing website. And they try to get you to put in personal information so that the attacker can get that from me. So what’s different about Darcula is that it doesn’t use SMS. So it’s not the plain old ordinary text messaging service. So you might treat this a little bit differently, theoretically, because, oh, look, if I respond to them, I’ll get a blue bubble. Well, it doesn’t really make any difference. The reality is that likely what they’re doing is they’re just creating a bunch of Apple IDs en masse associated with an email address rather than a phone number. But you don’t necessarily have to have an Apple ID tied to a phone number. And so they’re creating these Apple IDs, and then that allows them to send iMessages. So that’s all they’re doing. It’s not really any different from any other phishing attack, except that now you’ll see an email address. And you might notice that if you respond to them, you’d have a blue bubble instead of a green bubble. So that’s really the only difference. But it is something to watch out for.

Kirk McElhearn 19:43
That’s what’s dark about it that it’s blue instead of green.

Josh Long 19:45
You know what, I don’t know. Maybe just because of the color difference, maybe that’s enough to convince people that this is a legitimate attack. I don’t know. I don’t know what the logic is there, but at least they’re using a slightly different method than the typical SMS scams.

Apple’s M-series chips all contain a vulnerability

Kirk McElhearn 20:00
Okay, some researchers have found a new side channel attack I like this side channel, it makes like, makes you think like you’re driving along and someone pulls up alongside you and opens your backdoor and steals your stuff, right? And it’s one of these things that’s just built into the design of the way the CPU works. And it could allow hackers to extract secret encryption keys so basically could access your password information or get into a cryptocurrency wallet or get into your banking information. Even more, couldn’t they?

Josh Long 20:41
Sure. Okay. And so, a really brief explanation of the technical side of this from Ars Technica. They say, by loading the contents of the CPU cache before it’s actually needed, this feature, this prefetcher feature that’s part of the M-series processors, reduces latency between the main memory and the CPU, which is, they say, a common bottleneck in modern computing. So the whole point is, this is a feature that’s designed to speed up processing on the M-series chips. And just like other things that are meant to speed up processing, this can be exploited through side channel attacks. And therefore the only way to mitigate this would be, that is, if you already have one of these M-series chips, supposedly there’s no firmware update that could fix this. So the only thing that Apple could do, if they wanted to prevent people from exploiting this newly discovered vulnerability, is they would have to release a software-based mitigation, meaning that it’s no longer going to have that ability to do this thing that makes it faster. And so therefore, it would reduce the speed of your machine. So my prediction on this, and this is also somewhat based on what Apple has done in the past with similar side channel attacks, is Apple’s just not going to do anything about it, with the possible exception of if Apple becomes aware that this attack is being actively exploited in the wild, then they might do something about it. But more likely, they would just roll this into Lockdown Mode and say, look, if someone’s really targeting you, and using this crazy vulnerability, then just enable Lockdown Mode if you’re really worried that someone’s going to exploit this. So I think that’s what’s probably likely to happen here. I don’t think that Apple is across the board just going to release a security update for all macOS versions and just say, oh my gosh, like, turn off this major speed-up feature in the processors like that. It doesn’t really make sense from Apple’s perspective to do that.

Kirk McElhearn 22:48
This is similar to the Spectre and Meltdown vulnerabilities we saw a few years ago. Right. Right.

Josh Long 22:52
Right, exactly. It’s a very similar type of side channel attack. It’s something that really can only be mitigated with software. And it does reduce the speed of your machine if you choose to implement this mitigation. So yeah, like I said, I don’t think Apple’s likely to even do anything about this. It sounds kind of scary. Also, it’s not something that Apple wants to do. They don’t want to nerf all their machines and make them significantly slower.

Google’s Chrome browser hopes to mitigate cookie-stealing hacks

Kirk McElhearn 23:18
Okay, we have a story about Google, which actually makes Josh very happy. He was so delighted when he saw this: the new Chrome feature aims to stop hackers from using stolen cookies. And Josh has been on a crusade for session cookies to be protected somehow. Basically, a session cookie is a tiny file on your computer, that if a hacker was able to copy that file, they installed some malware and they were able to exfiltrate the files, Josh likes to say, they could insert it on their computer and go to a website. And it would look as though they were you; they would have your session information, logged in with your username and your credentials. And they would be able to do anything that you could do on that website, even though they never had to log in. So Google has announced a new feature for Chrome that could fix this. But it looks like it’s a bit complicated, the way it’s supposed to be implemented.

Josh Long 24:08
Right. I’ve done a lot of research into these cookie stealing attacks. And in fact, I gave a talk about it at Virus Bulletin last year. And one of the things that we’re seeing a lot of in Mac malware this year is stealer malware. This was really big last year, and it’s really big still this year. And it’s only increasing for the time being. And as I said when I gave my talk, like, this is something that the industry really needs to focus on, because it’s not going to go away. Like, if nobody does anything about this, then stealer malware is going to continue to be a really big problem. And so Google is trying to solve this with this new feature that they’re calling Device Bound Session Credentials, or DBSC for short. And it’s good, but it also kind of really requires the server to make some changes, to behave in a certain way that will interact with your Chrome browser once it finally gets this feature. By the way, it’s not rolled out to everybody yet. They’re just starting to test this right now. Once this does roll out to all Chrome browsers, it’s not just a matter of, okay, well, now I’m protected, and now nobody can steal my cookies. Unfortunately, it doesn’t really work that way, based on the information that’s been published about it. What really needs to happen is that the server operator needs to decide that they’re going to behave in a certain way, if you have a new enough browser and the right type of browser that’s going to work with this public key encryption, that’s going to do this extra validation to make sure that your cookie is legitimate. And if not, if you don’t have that, then it’s just going to fall back to standard cookies. And so that’s kind of a problem, too. So it’s not a fix that’s going to be universal or immediate. But at least it’s nice to see that industry players like Google are doing something to try to mitigate this big problem.

Google settles class action lawsuit by agreeing to erase “surreptitiously obtained” user data

Kirk McElhearn 25:59
Okay, we have one other Google story we want to talk about. Google, quote, agrees to do the impossible to settle class action dispute. And this is from an article on the Intego Mac Security Blog. Google is deleting billions of records of private browsing information, is that true? They’re actually deleting data. And are they also deleting the backups?

Josh Long 26:19
Well, so this is based on the results of a class action lawsuit that was filed in 2020. Google was accused of continuing to track, collect, and identify users’ browsing data in real time, even when they’re using incognito windows. Oh, my gosh, in incognito mode? You mean, it’s possible for people to tell what I’m doing when I’m in incognito? Well, yeah, it’s been in the fine print all along. But unfortunately, people don’t read fine print. And they assume that it’s private browsing mode. This means nobody can see what I’m doing in private browsing mode, right? Now, all it really means is that it’s not saving it in your browsing history. And it’s not keeping cache and other, you know, information, cookies, beyond that private browsing session. That’s all it really means. People were signing into their Google accounts in private browsing windows and thinking that Google wasn’t going to keep that information. And that’s really where this lawsuit comes in, is that there was a case being made that people should have a reasonable expectation that Google should keep their information private when they’re using a private browsing window. And that’s what led to this result. So Google basically is having to delete records that, according to their data, were collected when the browser was in incognito mode. So that’s what’s going on here. By the way, if you’re interested in private browsing, one of the other things that you can do is to use a VPN, which will hide your IP address. We’ve mentioned this before. Intego Privacy Protection is a VPN, it’s available for Mac and Windows, and there’s lots of other VPNs out there. We’ll link in this article to some other VPNs that we recommend so that you can have a few different options.

Kirk McElhearn 28:03
Okay, that’s enough for this week. Until next week, Josh, stay secure.

Josh Long 28:07
All right, stay secure.

Voice Over 28:10
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.
