Apple Makes iPhones Harder to Track

One of the most important features of Apple’s next mobile platform is something the company has barely talked about. When iOS 8 comes out  this fall, it will have the ability to randomize an iPhone or iPad’s Wi-Fi media access control (MAC) address, or network ID.

That’s a huge privacy advantage for people who want to leave their devices’ Wi-Fi active without worrying that their information might be gathered by marketers, police, spies or hackers. However, it does nothing to impede iBeacon, Apple’s own Bluetooth-based proximity-marketing service.

Interestingly, Apple barely mentioned MAC randomization at the World Wide Developers Conference last week, during which it announced iOS 8. It was left to UK-based user-interface designer Luis Abreu to tweet an image of a slide from a conference presentation about iOS 8 privacy that described the process.

“In iOS 8, Wi-Fi scanning behavior has changed to use random, locally administrated MAC addresses,” reads the slide, which can be downloaded from Apple’s servers as part of the presentation. “The MAC address used for Wi-Fi scans may not always be the device’s real (universal) address.”

So how would Apple’s MAC randomization work? Each piece of networking hardware on a computer, smartphone or tablet has a unique, permanent MAC address that identifies that specific piece of hardware on a network. A laptop, for example, will have separate MAC addresses for its Ethernet, Bluetooth and Wi-Fi connections.

MAC addresses are necessary for establishing a network connection and obtaining a temporary Internet Protocol (IP) address to get online, but they’re not so great for privacy, since devices can be identified and tracked by their specific MAC addresses.

If you’re walking through a shopping mall with Wi-Fi enabled on your smartphone, the phone is “scanning,” or simultaneously searching for Wi-Fi networks and broadcasting its MAC address to every Wi-Fi hotspot you pass by, whether or not you intend to connect to any of those hotspots.

Those hotspots are often logging all the MAC addresses they encounter, and marketers can examine those logs to identify repeat shoppers, how long a shopper spent in a store or even potential shoppers who walked by the store many times but didn’t come in.

The phones don’t even have to establish connections to provide their MAC addresses. Just being within range of the store network is enough. If any of those smartphones’ users decide to connect to the store’s Wi-Fi network, then marketers might also be able to assign real names to those harvested MAC addresses. Governments and criminals can set up Wi-Fi hotspots to gather the same information.

All of these practices impinge on people’s privacy, whether desirably or not. To counter the practice of MAC-based tracking, whenever an iOS 8-enabled device scans for Wi-Fi networks, it will use a randomized, temporary MAC address to announce its presence. (If a Wi-Fi connection is established, the iOS 8 device will apparently revert to its real, permanent MAC address.)

This is possible because software can “spoof” a MAC address so that the MAC address presented to a network doesn’t actually correspond to the device presenting it. MAC-address spoofing can be used by malicious hackers use to conduct man-in-the-middle attacks — they can pretend to be both the victim and the Wi-Fi router, positioning themselves to view Internet traffic and capture unencrypted data — but it can also be used to maintain privacy when moving through an environment rich with Wi-Fi networks.

This enhanced-privacy feature won’t stop man-in-the-middle attacks, but it will stop MAC-address-based tracking practiced by marketers — or police departments.

However, it also conveniently removes a competitor to iBeacon, which the company is encouraging retailers to use to target shoppers with hyperlocalized ads beamed to their iPhones. Introduced with iOS 7, iBeacon uses Bluetooth, not Wi-Fi, to track and communicate with iOS devices in a retail establishment.

MAC-address randomization isn’t iOS 8’s only new privacy feature. Mobile Safari users will be given the option to make their default search engine Duck Duck Go, a privacy-centric service that doesn’t store users’ personal information to customize searches. Duck Duck Go also doesn’t tell a Web page which search terms you used to find it, and also connects to the encrypted versions of websites whenever possible.



Paying a malware ransom is bad, but telling people to never do it is unhelpful advice

Paying a malware ransom is bad, but telling people to never do it is unhelpful advice

Paying a malware ransom is bad, but telling people to never do it is unhelpful advice

Posted by   Martijn Grooten on   Apr 26, 2016

 [Original post HERE]

I’m not usually one to spread panic about security issues, but in the case of the current ransomware plague, I believe that at the very least a sense of great concern is justified. And the threat is unlikely to disappear any time soon.

While there are certainly many things we can do to significantly reduce the risk of us getting infected — from applying all necessary patches and keeping offline backups, to running software that alerts us when files are suddenly being modified en masse — ultimately, ransomware does what we all should be doing: encrypting our files. The subtle but essential difference is that it does so with a key we don’t have.

One reason why ransomware is so successful is that the ransom demanded is usually only a few hundred dollars — affordable to most people (ransomware tends to target users in Western countries) and often cheaper than the (perceived) value of the data that would otherwise be lost. However, security experts regularly tell affected individuals and organizations never to pay the ransom.

I think this is unhelpful advice.

For sure, paying the ransom should always be the last resort. We should help victims, and the jack-of-all-trades sysadmins who are likely going to assist them, find other ways to recover the data. Maybe backups have been kept. Maybe this particular ransomware is one for which a decryption tool is available. And maybe losing the data — which could also have happened because of a physical failure of the hard drive — is an expensive but valuable lesson on the importance of keeping backups.

But sometimes, none of this helps and the only sensible business decision left is to pay the criminals, much as it is bad and much as there is never a 100% guarantee that this will work. Crooks will be crooks, after all.

Of course, if everyone followed the advice never to pay a ransom, ransomware authors would come to find that it wasn’t worth their effort, and the threat would eventually disappear. But this wouldn’t happen instantly, and it really would depend on almost everyone not paying the ransom.

And if security experts suddenly had the power to make everyone follow their advice, maybe we should just tell people to patch instead.


Contact us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Questions, issues or concerns? I'd love to help you!

Click ENTER to chat