Checklist 400: Reboots, PDFs, and Passwords
“Inactivity Reboot” Feature in iOS 18.1 Poses New Challenges for Law Enforcement, Enhances Security
A new feature quietly introduced in Apple’s iOS 18.1 update, known as “Inactivity Reboot,” has drawn scrutiny from law enforcement and prompted discussions around iPhone data security. According to recent reports, this feature causes iPhones to reboot automatically after extended periods of inactivity, transitioning them from a more vulnerable “After First Unlock” (AFU) state to a more secure “Before First Unlock” (BFU) state, complicating data extraction for forensic purposes.
The issue first emerged when law enforcement officials in Detroit noted unexpected reboots on iPhones stored in forensic labs, initially suspecting covert communication between the devices. MacRumors and 404 Media report that officers encountered iPhones spontaneously restarting despite being placed in secure environments, including Faraday boxes, which block all electronic signals. This led to speculation about a hidden mechanism within iOS that Apple had not publicized.
Security researchers, however, have since clarified that the feature is not a bug but an intentional design aimed at bolstering user data security. Bleeping Computer reports that iOS 18.1’s “Inactivity Reboot” kicks in after approximately four days of device inactivity, reverting the device to BFU, a state that resists forensic unlocking tools commonly used in law enforcement.
Cryptography expert Matthew Green from Johns Hopkins University explained that while this feature may hinder some law enforcement procedures, its primary purpose is likely to prevent data theft from lost or stolen iPhones. “The real threat here is not police. It’s the kind of people who will steal your iPhone for malign purposes,” Green told 404 Media. He argues that this reboot feature adds a layer of protection, making it harder for bad actors to access stored data.
Although Apple has not publicly commented on the feature, sources such as 9to5Mac indicate that technical details of the “Inactivity Reboot” feature are available in iOS 18.1’s open-source code on GitHub. This change represents another instance of Apple prioritizing user privacy, even as it creates friction with law enforcement interests.
North Korean Hacking Group Targets Mac Users with New Malware Campaign
Mac users are once again in the crosshairs of North Korean hackers, as the cybercriminal group BlueNoroff has launched a sophisticated phishing and malware campaign targeting those involved in cryptocurrency and decentralized finance (DeFi). According to a report from SecurityWeek, BlueNoroff is using phishing emails with fake crypto-related headlines to deliver malware to macOS devices, bypassing Apple’s security measures through a signed and notarized Apple Developer ID, which has since been revoked.
The campaign works in two stages. First, the attackers send an email containing a link to a seemingly innocent PDF file related to cryptocurrency, which is actually a macOS application embedded with malware. Written in Swift, the app is designed to appear legitimate, even opening a decoy PDF from Google Drive to avoid raising suspicion. Meanwhile, the malware is downloading a malicious binary from a hard-coded URL in the background.
The second stage of the attack is more selective. As reported by SentinelOne, this stage targets only specific Macs: it operates on Intel-based machines and on Apple Silicon devices with Rosetta emulation enabled. Once executed, the malware establishes communication with a command-and-control (C2) server, sending information about the system’s OS version, hardware, and running processes.
Security experts, including those from SecureMac, emphasize the importance of caution when dealing with unexpected emails, particularly those from unknown sources. “Stop clicking on unexpected links from random senders,” they urge users, as phishing emails remain a common initial entry point for these attacks.
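A defender can triage downloaded application bundles for the two traits described above: an app presented as a document, and an executable that only runs on Intel or under Rosetta. The following Python sketch is an added example, not code from the cited reports; the document-extension list, the function names and the sample headers are assumptions constructed for illustration.

```python
import plistlib, struct, tempfile
from pathlib import Path
CPU = {0x01000007: "x86_64", 0x0100000C: "arm64"}   # Mach-O cputype values
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}  # assumption: lure-style names
X86_THIN = b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x01000007) + bytes(24)  # constructed
UNIVERSAL = (b"\xca\xfe\xba\xbe" + struct.pack(">I", 2)    # constructed fat header
             + struct.pack(">5I", 0x01000007, 3, 0x4000, 0x1000, 14)
             + struct.pack(">5I", 0x0100000C, 0, 0x8000, 0x1000, 14))

def macho_archs(data: bytes) -> set:
    """Architectures named in a thin 64-bit or fat (universal) Mach-O header."""
    if data[:4] == b"\xcf\xfa\xed\xfe" and len(data) >= 8:   # thin, little-endian
        return {CPU.get(struct.unpack_from("<I", data, 4)[0], "other")}
    if data[:4] in (b"\xca\xfe\xba\xbe", b"\xca\xfe\xba\xbf") and len(data) >= 8:
        step = 20 if data[3] == 0xBE else 32        # fat_arch vs fat_arch_64 size
        count = struct.unpack_from(">I", data, 4)[0]  # fat headers are big-endian
        archs = set()
        for i in range(min(count, 16)):   # cap: Java class files share this magic
            if 8 + i * step + 4 > len(data):
                break
            archs.add(CPU.get(struct.unpack_from(">I", data, 8 + i * step)[0], "other"))
        return archs
    return set()

def triage_app(app: Path) -> list:
    """Return findings for one .app bundle; an empty list means nothing flagged."""
    findings = []
    if Path(app.stem).suffix.lower() in DOC_EXTS:    # e.g. "Report.pdf.app"
        findings.append("document-style name on an application bundle")
    try:
        info = plistlib.loads((app / "Contents/Info.plist").read_bytes())
        exe = app / "Contents/MacOS" / info["CFBundleExecutable"]
        archs = macho_archs(exe.read_bytes()[:4096])
    except Exception:                                # missing or malformed bundle
        return findings + ["unreadable bundle"]
    if archs == {"x86_64"}:
        findings.append("x86_64-only executable (runs on Intel or under Rosetta)")
    return findings

def build_sample(root: Path, name: str, header: bytes) -> Path:
    """Write a constructed bundle: Info.plist plus a header-only fake executable."""
    app = root / name
    (app / "Contents/MacOS").mkdir(parents=True)
    (app / "Contents/Info.plist").write_bytes(plistlib.dumps({"CFBundleExecutable": "main"}))
    (app / "Contents/MacOS/main").write_bytes(header)
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(triage_app(build_sample(Path(d), "Market Update.pdf.app", X86_THIN)))
```

Neither finding is proof of malice on its own, since plenty of legitimate older software is x86_64-only; the two together on a freshly downloaded bundle are a reason to inspect its signature and origin before opening it.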
“123456” Tops Worst Password List Again in 2024 as Security Experts Urge Better Practices
Password security has hit a new low in 2024, with the most common passwords globally revealing an unsettling lack of security awareness among users. According to the annual report from password manager NordPass, in collaboration with NordStellar, “123456” remains the world’s most popular password, used by over 3 million personal accounts and 1.2 million corporate accounts worldwide. This same weak password has topped the list in five of the past six years.
The global list of most common passwords in personal accounts also includes “123456789,” “12345678,” “password,” and “qwerty123.” Meanwhile, in the United States, “secret” ranks as the top password for personal use. The report on corporate accounts doesn’t offer much relief: “123456” is once again the top choice, followed by similar weak options like “123456789,” “12345678,” “secret,” and “password.”
CNET advises users to adopt longer, unique passwords that avoid easily guessed information like birthdays and common words. To help users manage complex passwords, password managers are recommended, as they can generate strong, unique passwords and eliminate the need to memorize them. Many of these tools are available for free, including Apple’s built-in Passwords app on iOS 18, iPadOS 18, and macOS Sequoia 15, which offers secure storage and management without extra cost.
For more on creating and managing strong passwords, see Checklist 399 on last week’s show, “Passwords with Allison Sheridan.”