Checklist 235: A Trio of Topics
On this week’s Checklist, we’ll cover:
- The problem with buying tech from the blacklist
- Apple tightens security on AirTag
- A surprising security change coming for iOS
Know your vendor
Last week, a report from TechCrunch showed that US cities and counties were buying cameras and surveillance systems from two Chinese firms that have been banned by the US federal government!
Hikvision and Dahua were blacklisted by the US government in 2019 over their involvement in China’s persecution of ethnic minorities, as well as concerns that they could be used to help Beijing spy on people in the United States.
So why are local governments buying from Hikvision and Dahua, despite the federal ban on doing business with them?
Turns out that the federal regulation only applies to federal agencies, and to the use of federal funds. Local governments — like states, counties, cities, and towns — are still free to buy whatever they like.
When interviewed by TechCrunch, most government officials said that they didn’t have any direct dealings with the two problematic companies. Instead, they were relying on contractors who handled procurement for them.
In fairness, some of the technology bought by these local governments was sorely needed (case in point: thermal cameras used to check students’ temperatures as a COVID-19 safety measure). But the purchase of other equipment, in particular the surveillance systems, is harder to defend.
Human rights observers are understandably critical of any attempt to justify doing business with Hikvision and Dahua. But Maya Wong of Human Rights Watch points out an issue that runs deeper than just these two companies:
One of the problems is that these kinds of cameras have been introduced … without any kind of regulation to ensure that they comply with privacy standards. There is, again, no kind of regulatory framework to vet the companies based on their track record.
In other words, if a government procures technology from vendors that aren’t subject to meaningful oversight or regulation, it’s impossible for them to know who they’re really doing business with. And that’s something that should concern all of us.
A safer AirTag … for everyone
AirTag is Apple’s tracker for your stuff. It uses your device and the Find My network to help you keep tabs on personal items — and find them when you’ve lost them.
We’ve talked about some of the privacy implications of AirTag before. One of the biggest concerns was the possibility that a bad actor could abuse the technology: for example, a stalker could plant it on their victim and use it to track them.
Now, Apple did think of this before they released AirTag. They included a few built-in privacy protections that were supposed to prevent the misuse of AirTag. The most important of these is a feature that sends you an alert on your iPhone if someone else’s AirTag is traveling with you.
Sounds great, except for one thing. What if you don’t have an iPhone?
Apple thought of this as well: an AirTag that’s separated from its paired device will play a sound to alert people nearby to its presence. Initially, that only kicked in after 72 hours, which critics (rightly) said was way too long. Apple has since changed this: AirTag now plays the sound at a random time between 8 to 24 hours after it’s away from its paired device.
In addition, Apple is reportedly developing an app for Android that will help users receive alerts about hidden AirTags similar to the ones that iPhone users get now. That app is due out sometime later this year.
Of course, it remains to be seen how many Android users will actually install an app just for the purpose of detecting an Apple tracking device, but it’s nice to know that they’ll have the option.
A triple updates update
This week saw a lot of news around updates to Apple’s OSes — some old, some new, and some not-yet-released!
First up, anyone still using iOS 12 should update their device right away. That goes for folks using iOS 12 on an iPhone as well as those running it on an iPad (you’ll recall that iPadOS was only introduced with iOS 13).
The update is numbered 12.5.4, and addresses a few vulnerabilities that could have led to code execution. Or rather, that have probably already led to code execution! Apple says that two of the vulns affected WebKit, and that they “may have been actively exploited”. Apple is always very careful to avoid confirming or denying an active exploit, preferring to couch their security updates in cautious language. But longtime developers feel that when the company says that they’re “aware of reports” of exploitation, it’s a pretty good bet that it’s actually happening.
In other updates news, Apple has seeded the third beta of iOS 14.7, along with iPadOS 14.7, macOS 11.5, watchOS 7.6, and tvOS 14.7. No word yet on the exact date of the full public release of these updates, but we’ll have more info for you when they arrive.
Finally, an interesting move on Apple’s part in anticipation of the fall release of iOS 15 (the new iPhone operating system announced at WWDC21).
When iOS 15 becomes available later this year, users will have a choice in their Settings app: update to the latest, greatest version of iOS, or stay with iOS 14 and continue to receive security updates for that version until you decide to upgrade.
Of course, most people will probably just upgrade to iOS 15. But firms with in-house apps built for iOS 14 will likely appreciate the extra time to get ready for iOS 15; and some cautious users may decide to see how iOS 15 works for others before trying it out for themselves!
Do you have a question that you’d like to have answered on a future Checklist? Write to us and let us know! And while you’re waiting for the next show, be sure to check out our archives so that you can keep learning about digital security and privacy all week long.