A new hacking tool, BrutePrint, can unlock lots of smartphones, including some iPhones with Touch ID. Router infections can be hard to remove, and we discuss why Apple might have gotten out of the Wi-Fi business. And we take a close look at whether it’s safe to use an iPhone, if it can no longer run the latest version of iOS.
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, May 25, 2023.
This week’s Intego Mac podcast security headlines include: a rundown of the security fixes in Apple’s latest operating system updates; How dangerous is BrutePrint, a hacking tool that can crack the fingerprint authentication feature of many smartphones? More reasons to check your router for updates. Which makes us wonder: would your home Wi-Fi be more secure if Apple hadn’t discontinued its Airport line? And when does an iPhone become unsafe to use? Now, here are the hosts of the Intego Mac podcast, veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:51
Good morning, Josh, how are you today?
Josh Long 0:53
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:55
I’m okay. Do you by any chance have a rash? (A rash?) Apparently, if you type “rash” into the Safari address bar to search, in certain circumstances, it can make Safari crash. Now, you tried before we started recording and it didn’t crash your Safari? I didn’t try because I didn’t want to crash Safari. You don’t use Safari as your main browser? I do. This came up a few days ago. And if it’s not crashing now, I think what’s happening is you mentioned that the Safari search suggestions have to be turned on. And these are things that come from Apple servers, right? Like all the Siri information. So it’s probably something that Apple could fix very easily on their side without having to push out an update.
Josh Long 1:36
Possibly I don’t know exactly how this is going to need to be fixed, whether Apple is going to have to release an update or what. But this is a potential problem. Not everybody’s necessarily experiencing this problem. And it may have to do with that search suggestions setting. So if you turn that off, then supposedly that won’t be a problem. But as long as you’re not searching for rash, or words that contain the word rash in the address bar in Safari, then this probably won’t affect you. But just something to be aware of a potential crash
Kirk McElhearn 2:09
If you do have a crash. And you’ll understand why of course, if you type crash, will that also lead to the crash? Because crash has rash in it? I don’t know. We want to talk about some urgent patches. We’ve been having a lot of these urgent patches recently, and this one came out last Thursday. Now, we record a podcast on Wednesday, release it on Thursday morning. So we didn’t catch this one last week. It’s pretty rare that Apple releases patches like this on a Thursday.
Josh Long 2:35
It is. Apple has been all over the place with what day it’s been releasing patches recently. But these updates are really important. Two of the three vulnerabilities that they fixed, were previously fixed. If you had macOS Ventura fully up to date up to that point. Or if you had iOS 16, or iPadOS 16, fully up to date at that point, and you installed the Rapid Security Response that came out on May 1, there was a 17 day gap between that rapid security response that only those three operating systems got and the release of those patches for everything else. There were two actively exploited vulnerabilities that had been patched in the Rapid Security Response updates. And in this round of updates that came out last week, we got both of those patched, plus an additional vulnerability patch that was also actively exploited. And dozens of other vulnerabilities as well that were also patched, these updates came out for all of Apple’s operating systems, including the two previous versions of macOS. However, of course, as we mentioned many times, if you are on an older version of macOS, or if you’re on iOS 15, you’re not going to get all the vulnerabilities patched. You will, in this particular case, get at least those actively exploited vulnerabilities patched.
Kirk McElhearn 3:59
Okay, we want to talk about BrutePrint. And it has nothing to do with printing, but it’s about fingerprints. Some researchers found that with a $15 circuit board, you can brute force a phone to get through its fingerprint identification in as little as 45 minutes. Worth pointing out that the iPhone was not crackable for various reasons. But I want to mention one thing that’s kind of important here. These phones weren’t the newest models, the iPhone models they tested were the iPhone 7 and the SE. I just looked up a couple of the Android phones and they’re several years old, one from 2019 and some older than that. So while this brute-force fingerprint cracking system is interesting, it might not work on today’s phones.
Josh Long 4:46
It’s worth mentioning because there are people out there who are still using a first gen iPhone SE or iPhone 7. Now, those cannot be upgraded to iOS 16. So just be aware of that if you are running one of these older phones. You also have iOS 15 still.
Kirk McElhearn 5:01
And in the second part of this episode, we’re going to talk about when your iPhone is unsafe because it can’t be updated.
Josh Long 5:08
So at least the ones that they’ve tested with these are old models of iPhone, we don’t know whether these affect newer models of iPhone that have Touch ID. But this is interesting technology and imagine that like that you could spend 15 bucks and brute force a fingerprint. That’s pretty interesting technology at least.
Kirk McElhearn 5:29
Okay, we also want to talk about routers, or as you would say… (“routers”). We have a couple of stories about routers being infected: TP-Link router firmware was used to attack EU entities, and malware turns home routers into proxies for Chinese state-sponsored hackers. And that was a really good article, because it’s so bad that you can’t even find out whether you’ve been infected unless you have really good computer skills.
Josh Long 5:57
Yeah, Kirk sent this article to me via email. And he quoted part of the article. He said, “more technical TP-Link users should check the cryptographic hash of their current firmware to see if it matches any of those provided in the write up from this company.”
Kirk McElhearn 6:14
Where do I find the hash of my firmware? Right?
Josh Long 6:17
Yeah, right. Like, how is any user supposed to know how to check the cryptographic hash? They do– I mean, to be fair, they say more technical users can do this. But yeah…
Kirk McElhearn 6:26
Well, IT managers and companies would know how to do this.
Josh Long 6:29
Yeah. An IT manager would be able to figure out how to do this. But if I’m not mistaken, I think these are TP-Link models that are being used at home. These aren’t like big iron routers that every big company is going to be using, right? This is something that they may maybe if you have a small home office or something like that, you might be using this, but you’re not using this if you have a big company.
Kirk McElhearn 6:51
We wanted to talk about this because we wanted to briefly discuss why Apple doesn’t sell Wi-Fi devices anymore. Routers and Airport devices and Time Capsules. And they kind of stopped when Wi-Fi was becoming sexy, right? Back in the day, you had Wi-Fi it was boring, and it went down and your internet wasn’t fast and all that. And then mesh Wi-Fi came out. And well, when you’ve got a household for people wanting to watch Netflix on different devices in different rooms, or wanting to play games and have good latency. You need mesh Wi-Fi and Apple kind of missed the boat on that.
Josh Long 7:28
Yeah, I know we’ve had this discussion before. And I remember you feeling like Apple really missed the boat on Wi-Fi. I don’t know, there’s a lot of different reasons, we could speculate why Apple decided to get out of the Airport game. Airport was what Apple called its routers back in the day. So the AirPort Extreme, they did have a model that supported 802.11ac, they never got to ax. ax actually had already been out as a standard, and they were still selling their ac model. So Apple was kind of always behind the curve on that, anyway. And then the other thing was, they weren’t really very good about releasing patches. It took a very long time, in some cases, for them to release firmware updates to resolve some serious vulnerabilities. For example, in October 2017, there was this vulnerability called Crack C-R-A-C-K. And this vulnerability, although it was patched in Apple’s operating systems, it wasn’t patched for Airport firmware for two months after this vulnerability became widely known. So that’s just one example. Apple wasn’t really on its game when it came to supporting this hardware.
Kirk McElhearn 8:40
My thought is that Apple didn’t know how to market this. The Time Machine. Well, original Airport stuff, I had one of the very first Airport, the flying saucer type Airport things. And I was living in France at the time. And this is so old that when you bought a Wi-Fi device, it came with a form that you had to send into the Ministry of Defense to say where you were that you were using Wi-Fi right Wi-Fi was so new at the time is about 2000 or 2001. And I guess over time, it’s just not something that’s easy to upsell to people because most people get a Wi-Fi router from their ISP, right. So why would you need an additional router. And they probably just never saw this as something they could market when they came out with a Time Capsule. This was security, you can backup your Macs and have Wi-Fi together. And they marketed that for a while. But then they missed the mesh Wi-Fi boat. Eero started the first mesh Wi-Fi in 2016. Apple was already winding down their stuff. I think it was early 2018 that they stopped. But imagine today if every HomePod and HomePod mini was part of a mesh Wi-Fi network and they sell you the additional router base station and you buy six HomePod mini so your entire house is covered with Wi-Fi.
Josh Long 9:55
Yeah, and it might also make sense considering HomeKit right? I mean, that would be the perfect device to be your HomeKit hub. Not everybody’s gonna buy a HomePod, right? It’s just not something that everybody has a need to do. But everybody needs a router. You may get it from your ISP, you may not it depends on where you live and what your ISP is. But yeah, Apple did kind of miss the boat on mesh Wi-Fi.
Kirk McElhearn 10:20
Okay, we want to quickly mention since we’ve talked about ChatGPT, so many times that there is finally an official ChatGPT app for iPhone made by OpenAI, that’s the company behind ChatGPT. So if you go to the App Store, and you’re looking for a ChatGPT app, ignore all the rest, because most of them are scams, get the one from OpenAI, you can use it for free for basic stuff. But if you want to do anything more, you have to pay 20 bucks a month, it’s not cheap. And what I find interesting is it doesn’t work with an existing OpenAI account, I have an account with OpenAI, where I get billed every month for the usage that I make of it going through their website. And you can’t connect this app to that API.
Josh Long 10:59
Make sure that when you search for this, you can either click on the link in the show notes, we will have a link in the show notes directly to the iOS App Store for ChatGPT. If you do search for it, make sure that you are looking very carefully because there may be ads when you hit the Search tab in the App Store app, you may get an ad on that screen for some other thing that kind of looks like ChatGPT, but it’s not. And also when you do the search, as of right now, when I’m looking at this ChatGPT does come up the official app does come up first. Oh no, actually, I just did the search again, and I got some third party app that’s not the official ChatGPT app that comes up as the first result. So be very careful about this. Make sure that you look for the one that says ChatGPT. That’s the only thing in the title. And then it’s subtitled the official app by OpenAI. It’s got a white background, and a black official OpenAI ChatGPT logo.
Kirk McElhearn 11:58
Okay, we’re gonna take a break and when we come back, we’re going to discuss when your old iPhone becomes unsafe to use.
Voice Over 12:06
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 13:22
I’m sure a lot of our listeners have Android phones. Not... well, Apple users have iPhones; many people have Android phones because they prefer them or because their companies require them to have Android phones. We found an interesting story that almost 9 million Android phones were sold pre-infected with malware. So it means you don’t even have to download the malware yourself. It’s already on the phone.
Josh Long 13:43
Right? So this is within the past five years. So 9 million Android devices over five years. It’s not really a lot. I mean, we know that billions of Android devices have been sold. And this is across 50 different manufacturers also. So these are probably not the big name brand manufacturers.
Kirk McElhearn 14:07
Do you know how many brands there are that produce Android devices? I did a Google search before we started recording and I found something and this was as of 2015. At CES there were nearly 1300 brands. So I’m sure that there are several thousand brands now making Android devices. Don’t forget China has probably hundreds of companies making Android devices for the Chinese market. And of course we know the big brands like Samsung and Xiaomi and Oppo and brands like that. But we don’t know a lot of the small ones. So this huge amount, but 9 million compared to billions of Android phones. It’s a drop in the bucket. But it does save you the time. You don’t have to download your own malware.
Josh Long 14:45
Right. This is just something to be aware of. I guess one thing that you could take away from this is make sure that if you are going to get an Android phone that it should be from one of the big name brands. Don’t get some cheap knockoff phone. Android phones are relatively inexpensive anyway, even if you get one from a big name manufacturer, you can get less expensive models. And so yeah, don’t go with a fly-by-night, you know, some new brand that you’ve never heard of before, because you may actually get malware pre-installed on it as part of the firmware, in fact, in this case.
Kirk McElhearn 15:19
Another thing to pay attention to when you buy an Android phone is how long you’re going to get security updates. I’m going to talk about this for iPhones in a minute. In the past couple of years, Android phones have started advertising that they’re going to get security updates for this many years that they’re guaranteeing. Now I noticed something the other day, I have a Kindle Oasis. And I was looking at the device information on Amazon. And it says software security updates through 2025. And I scratched my head because I’ve never heard of that on a Kindle. Now Kindle has a sort of web browser. So I guess that they’re guaranteeing now that you’re going to get security updates, that would affect the web browser through 2025. And they have a page and I’ll link to this page in the show notes, where they’re talking about the dates that Kindle devices will get security updates. And these are all Kindles since 2019, they are not talking about anything older, presumably again, this is because of the web browser. And they’re saying that your Kindle e-reader receives guaranteed software security updates until at least four years after the device is last available for purchase on our websites. So I’ll put a link in the show notes. Okay, so we want to talk about how long your iPhone is safe to use. And with iPhones, it’s pretty simple Android manufacturers will say, five years, three years whatever. With an iPhone, it’s only safe to use as long as it’s able to run the current operating system, which now is iOS 16. And what we saw in the last few years, was that the cutoff for iPhones was the iPhone 6S it was the oldest iPhone that supported iOS 13, iOS 14 and iOS 15. When iOS 16 came out Apple dropped the iPhone 6s, 6s Plus, the first iPhone SE and the iPhone 7 and 7 Plus. So now if you have an iPhone 8 or later, you can run iOS 16. But at the end of this year when iOS 17 comes out which ones are going to drop the 8? The iPhone X? The XR, the Xs?
Josh Long 17:20
My prediction is that Apple is going to drop at the very least the iPhone 8 and the iPhone 10. And why is that? Well, those are the two oldest at this point and well and also the iPhone 8 plus I count that in with the 8 as well. But those three phones are the oldest ones that are on the list. And granted, Apple could continue releasing updates for them. One of the reasons that they might want to stop releasing updates for those particular phones, is because they have a perpetual hardware vulnerability that Apple can’t patch. There’s something called Checkmate, which is an unpatched double boot ROM exploit. And this is something that normally the average person doesn’t really care all that much about. Now, jailbreakers really liked this, they liked the ability to easily jailbreak using this hardware vulnerability. But for everybody else, you probably don’t want to be using an iPhone 8 or an iPhone 10 anymore. Anyway, because of this issue. My recommendation would be if you want to make sure that you’re going to be able to run iOS 17 probably at this point, I would guess that iPhone XR Xs and later are probably safe. I would not be so sure about the iPhone 8, 8 plus and 10.
Kirk McElhearn 18:39
So the reason that an old phone isn’t safe is we’ve mentioned many times that Apple doesn’t always release security updates for the previous operating system. Although earlier in the first part of the episode, we pointed out that Apple released the latest updates for the previous two operating systems, which is very rare. But there are two types of vulnerabilities that are particularly egregious. One is called zero-click vulnerabilities. And I liked this idea because you didn’t download anything. You didn’t get sucked into phishing. Someone just sent you an image or a PDF or a web link. And because of the way certain apps do previews, like the Messages app, it’ll do a preview of an image and a link, etc. Merely displaying that preview means that the device has to read the information and that this can let someone attack your phone, and some of the really well known Pegasus vulnerabilities. Pegasus was a spyware that was used to attack a number of politicians, journalists and activists. Some of these were zero-click exploits. No matter how secure you are, no matter how careful you are, you never click links in emails, etc., you can still get infected.
Josh Long 19:49
Right and Pegasus by the way has not gone away. It’s still around. Of course the NSO group, the company that develops it is always looking for and buying exploits that they can use to put Pegasus spyware onto remote phones. So governments buy access to this Pegasus spyware from the NSO group. And then they can do whatever they want with it. Theoretically, they’re supposed to be using this for law enforcement and anti terrorism purposes. But well, sometimes it’s quite abused and is used against journalists and others as well.
Kirk McElhearn 20:23
And the other thing to worry about is WebKit vulnerabilities. And we mentioned this all the time. WebKit is the rendering engine that’s used by the Safari web browser. On the Mac, you can use a third party browser, like Chrome or Edge or something else, or Firefox, or Brave or whatever. You can’t do that on iOS, all third party browsers are basically just WebKit with a skin. Now, Chrome may sync with your Chrome desktop to sync your bookmarks and history and all that. But it’s still using WebKit. So this means that there is only one rendering engine on iOS, and that any vulnerabilities affect all the browsers.
Josh Long 21:00
Right, and this is a big problem. Now, this may not be the case anymore, once iOS 17 comes out and we get third party app stores. Possibly, we are assuming at this point that that’s probably going to happen because of EU rules. But once we do get the ability to have third party app stores, then Apple doesn’t have that forceful control over what browser rendering engines are allowed on an iPhone. Once that happens, once we get third party app stores, you can expect that Firefox, Google Chrome and other browsers are going to be available in those third party app stores and using their own engine, because then the browser manufacturer can make sure that it behaves the way that they expect their own browser to behave.
Kirk McElhearn 21:48
But then we’ll have to worry about vulnerabilities in multiple browser rendering engines.
Josh Long 21:53
This is true, this is true. There are some pluses and minuses here. But I do think that it probably will be a good thing. I like the idea of having choice in your browser engine, especially because of things like this, right? Sometimes there are vulnerabilities that don’t get patched right away. They’re being actively exploited. And it would be nice if you could just switch to another browser. But right now on iOS, it doesn’t matter which browser you’re using, because they all have WebKit underneath.
Kirk McElhearn 22:23
How old is your current iPhone, Josh?
Josh Long 22:26
I actually just bought an iPhone last year. So I have an iPhone 14 Pro. And before that, before that I had an iPhone 10s, okay, so not too old,
Kirk McElhearn 22:37
I found one trade-in company that said that the average trade-in age of an iPhone is around three and a half years. That’s average. Remember, some people trade in after two years, some after six years, et cetera, et cetera. But a lot of people don’t even trade in their phones, they’ll pass them on to friends or family members or the parents given to the kids. And an iPhone can be used for many years because they tend to last long. If you’ve got Apple Care Plus, and you can fix the screen, you can replace the battery. You could keep an iPhone, I want to say 10 years like your old iMac, which is even older than 10 years, I think you probably could, but it’s not safe anymore to keep it if it can’t get the latest operating system.
Josh Long 23:15
Right? Well, and, you know, I still have a couple of devices like a couple of iPhone 7s like sitting around the house that are there getting iOS 15 updates, but I would never connect that to the internet and use it for web browsing and things like that. I wouldn’t use that as my main phone. These are just kind of like throwaway devices that we can use for other things and testing and whatnot.
Kirk McElhearn 23:39
So it’s obvious that buying a new iPhone is expensive, right? If you want a good iPhone, you know, we’re looking at $1,000 or more for an iPhone. So not everyone can afford to upgrade. It’s worth looking at what Apple is selling as the inexpensive iPhone because they always sell the current model and a previous model. So right now they’re selling the iPhone 12, which looks like it’s going to be safe for a few years. But Josh is smiling because he knows I’m going to bring up the fact that they were selling the Apple Watch 3, even after they announced it wasn’t going to get any more updates to watchOS, which means that it’s insecure the day you buy it.
Josh Long 24:16
So at this point Apple’s still selling the iPhone 12 and iPhone 13 alongside the newest 14 generation models, and Apple is also selling the iPhone SE third generation. At this point, the iPhone 12 is already three years old. It was released in late 2020. And the latest iPhone SE was released in March 2022. So if you had to buy an older model to save money, it really makes more sense I would say at this point to get the iPhone SE third generation because it’s a much newer phone. And presumably you’re going to be able to get updates a little bit longer a little bit further in the future. I think that’s one thing to always consider better when you’re buying any new model of iPhone or really any Apple product. My recommendation is the best time to buy is right after the model is released, because then you know that you’ll get the maximum number of years of operating system updates out of it, however many years that might be. We don’t know because Apple won’t say, but you’ll also pay the maximum price, you will also pay the maximum price. Yeah, if you want to compromise on that, I would say the SE, the latest SE model tends to be a good price and recency compromise, if you’re looking to get a cheaper model iPhone.
Kirk McElhearn 25:39
The problem is it doesn’t have a good camera. It’s a smaller screen. It’s just, it’s a less capable iPhone. But for a lot of people, that’s all they want.
Josh Long 25:46
And it’s Touch ID instead of Face ID, which is a pro or con depending on your perspective.
Kirk McElhearn 25:52
Okay, we’re going to link to an article on the Intego Mac Security Blog called “When does an old iPhone become unsafe to use,” and we have a lot of tips about which sort of iPhone to buy and which to not buy. Avoid refurbished phones or old phones sold on eBay because you don’t know how long they’re gonna last. Avoid the iPhone 8; it almost definitely won’t be able to support iOS 17. We’ll know pretty soon: in two weeks Apple’s worldwide developer conference launches in Cupertino. And we will then get a preview of the new version of iOS, macOS, all the other operating systems, and they generally tell us what models are compatible when they do those presentations.
Josh Long 26:31
They weren’t mentioned in the presentation, but there will be some hidden away somewhere on Apple’s website we’ll find out which iPhones and iPads are going to be supported with the new iOS 17 and iPadOS 17.
Kirk McElhearn 26:45
Okay, that’s enough for this week. Until next week, Josh, stay secure.
Josh Long 26:48
All right, stay secure.
Voice Over 26:51
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.