WSJ Live on Apple TV 4.4, an underrated update?

With all the noise about iOS 5 today, it’s been pretty easy to miss the updates for the Apple TV.  In fact, with all the news surrounding Apple, the iPhone, its iCloud service, etc., you would almost forget that Apple still had this TV “hobby”.

Most users will be focused on two new features: display mirroring and iCloud sync for photos.  However, I think the Wall Street Journal Live addition should get top billing in the new feature set.

Apple added the NBA and MLB subscription services back on March 9th this year, but this is the first showing of a streaming “channel” approach that would compare to the live streams on other “web enabled” television devices.

Obviously the hardware is prepared and can handle it.  I’ve watched quite a bit of today’s WSJ Live programming (and not because I was interested in the content) and was impressed with the implementation.  Now it’s in the hands of Tim Cook to see if he can leverage Apple’s ability to deliver the content and persuade other broadcasters to get on board as well.

I will eagerly await the next quietly deployed set of Apple TV features…

(Hey Tim, Apple TV App Store?  Anyone?)


Why is my iPhone logging my location?


Apple officially acknowledged the growing controversy over the logging of location data on the iPhone and iPad. They have published a Q&A on their website which clearly states:

Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.

It then goes on to address the other concerns that have been commonly used in articles hyping the issue:

Quote from acknowledgment:

The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.

Interestingly, Apple does admit that this wasn’t entirely well thought through and considers the lack of any way to completely disable the function a “bug”:

7. When I turn off Location Services, why does my iPhone sometimes continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database?
It shouldn’t. This is a bug, which we plan to fix shortly (see Software Update section below).

Apple has now released iOS 4.3.3 which:

  1. Makes the location cache smaller, thus limiting the amount of data collected on your location (and presumably the amount of time that can be traced back).
  2. No longer backs up the cache information to your iTunes account on your computer.
  3. Allows for complete disablement of the cache when you turn off the location option in your settings.

If you are not using an application that needs location services, why not take the safer route and turn off the feature until you find you need it?  As odd as that sounds to many iPhone users, a quick check of a few iPhones near me revealed that 3 out of 7 users (highly informal poll, I know) did not have their location services on and were quite happy with their iPhones.
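As an added illustration (this is not Apple’s code, and the sample sightings are constructed), here is a toy Python model of an on-device location-assist cache showing the three iOS 4.3.3 mitigations above: a bounded cache shortens the history that can be traced back, the cache stays out of the computer backup, and turning Location Services off purges it and refuses further updates (the behaviour Apple’s Q&A item 7 describes as fixed).

```python
# Toy model of a location-assist cache (hypothetical; not Apple's implementation).
from collections import OrderedDict
from datetime import datetime, timedelta


class LocationAssistCache:
    """Crowd-sourced Wi-Fi hotspot / cell tower positions kept near the phone."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.location_services_on = True
        self._entries = OrderedDict()  # key -> (lat, lon, seen_at), oldest first

    def record(self, key, lat, lon, seen_at):
        # Fixed behaviour: with Location Services off, nothing is added.
        if not self.location_services_on:
            return False
        if key in self._entries:
            del self._entries[key]
        self._entries[key] = (lat, lon, seen_at)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # mitigation 1: evict the oldest
        return True

    def set_location_services(self, enabled):
        self.location_services_on = enabled
        if not enabled:
            self._entries.clear()  # mitigation 3: purge the cache entirely

    def size(self):
        return len(self._entries)

    def traceable_history(self):
        """How far back the cache lets someone reconstruct the phone's movements."""
        if not self._entries:
            return timedelta(0)
        times = [seen for _, _, seen in self._entries.values()]
        return max(times) - min(times)

    def backup_payload(self, user_data):
        """What is copied to the computer: user data only, never the cache."""
        return {"user_data": dict(user_data)}  # mitigation 2


def demo():
    # Constructed sample: one new tower sighting per day for 30 days.
    start = datetime(2011, 5, 4, 8, 0)
    big = LocationAssistCache(max_entries=1000)
    small = LocationAssistCache(max_entries=7)
    for day in range(30):
        when = start + timedelta(days=day)
        for cache in (big, small):
            cache.record(("cell", 1000 + day), 40.0 + day * 0.01, -74.0, when)
    result = {"big_days": big.traceable_history().days,
              "small_days": small.traceable_history().days}
    small.set_location_services(False)
    result["after_off"] = small.size()
    result["record_while_off"] = small.record(("wifi", "x"), 40.5, -74.0, start)
    result["backup_keys"] = sorted(small.backup_payload({"photos": 12}))
    return result
```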

iOS 4.2 is out! Update your iDevice!


While many people (me included) are happy to update their devices to iOS 4.2 for the new features enabled, most are not aware of the security fixes included that are also necessary.  iOS 4.2 (like many iOS updates prior) includes fixes to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, initiate a call, cause a denial-of-service condition, gain system privileges, or obtain sensitive information on your iPhone, iPad, or iPod touch.  (While there is an update for Apple TV also, I’m not aware of what, if any, vulnerabilities were addressed with that update.)

A quick overview of these fixes includes fixing an issue with the new iAd service where the ads could send you to malicious sites, fixing Mail issues where specially formatted HTML emails could send information back to the sender of the email, and a networking issue where specially formatted PIM messages could cause a denial-of-service situation or the device to completely shut down.

To see a full list of the vulnerabilities addressed, please see Apple’s security page here:

Cell Phone Contract With Your Kids

I am not one to address cell phone etiquette. As an adult and parent these are areas of your responsibility where I am not an expert. What I can offer advice on are security concerns as a parent and as a security professional and that is what I’ve done in the companion article to this one.

I have read quite a few articles online and I am using information from many of those articles as well. I am providing links to those articles at the end of this article so you can review each of their perspectives on the information, and to give them credit for their contribution to the general online discussion of this material.

While I’m one for trying to be thorough, I would think twenty-one terms with as much wording as I’ve included below would be a bit much for most kids.  It isn’t that they can’t live by the principles, but as an adult, look at it like the contract you signed to purchase your house.  It’s difficult for most to understand every single item because of volume alone.  So my suggestion would be to distill the information down to what you think is necessary for your child and try to get it to about seven rules that you can state in a sentence each.  Again, you are the parent and should best be able to determine which rules work (or are needed) for your child and how you can best present them.

    1. You can only provide your phone number to those whom Mom and Dad have given explicit permission to.
    2. Do not answer any calls or reply to any texts unless you know who it is (approved by Mom and Dad from above).
    3. Keep cell phone on when out with friends so Mom or Dad can reach you if needed and always answer when we call.
    4. You can only call or text those who are on your contact list. Any additions to your contact list must be approved by Mom or Dad.
    5. No downloads (apps, ring tones, etc) or using the internet without permission ahead of time — this costs extra.  Perhaps a prescribed number of apps or ring tones as incentives?
    6. Phone MUST be turned off by 9pm each evening and left in the kitchen for charging. It stays off till the next morning after you’re ready for school and/or chores are done.
    7. The phone may be used after homework and chores are completed.
    8. No cell phone till your homework is done after school and during family times (dinner, family night, etc).
    9. The phone is to be turned off when visiting with relatives or friends, or at other inappropriate times (movies, museums, etc.)
    10. When at home, use the regular phone instead of cell phone to make calls.
    11. When asked to turn off phone, it must be done immediately. If a second request is needed, phone will be taken away for a day.
    12. Sending pictures to anyone requires permission by Mom or Dad at first. Once judgement is demonstrated additional privileges can be granted.  If you send or receive any pictures that may be inappropriate or even questionable, please inform Mom and Dad immediately.
    13. If gossip, bad language, or immodest pictures are taken, phone may be taken away for a specific time period or permanently.
    14. Phone must be on “silent mode” during school hours and left in your backpack (unless you are leaving the school for a field trip or something similar — then keep it with you). The phone cannot be used at school during school hours unless you have your teacher’s approval first. Know your school’s rules for cell phones and follow them.
    15. If grades go down, and are not corrected quickly, cell phone privileges will be lost until grades are back up.
    16. Mom & Dad have the right to inspect your phone at any time.
    17. There is a 2 hour (or some prescribed) limit for your cell phone use for the month. If you go over that time you must pay for the overage.
    18. Mom and Dad may ask you to be responsible for a portion of the monthly bill or to pay for the additional services (text, Internet, etc) if you wish to have them. You may have privileges suspended at any time you are behind in payment terms.  (This is probably only appropriate for older children and helps teach financial responsibility along with the use.)
    19. Determine if you will allow texting. Kids can rapidly run up a large phone bill with texting.
    20. Web surfing is disabled.  If not disabled (e.g. an iPhone where it’s necessary) then surfing is restricted and monitored.
    21. If any rules are broken, Mom or Dad may put your phone on “time-out” for as long as we feel it is necessary.

This is a one-month trial period; if all rules are followed for thirty days, Mom and Dad will increase hours on weekends.

This contract will be reevaluated every six months to possibly receive more texts, web surfing or extra money for ring tones etc.

We agree to the above by signing our signatures here: _______ ________

Thanks to many online resources for the aggregate of this information.  Please see many specifically referenced here for more info:

Does my cell phone have a virus?

Many users aren’t worried about viruses or malware on their cell phones.  However, most companies are.

To date, there isn’t any exploit-based malware for the major smartphone OSs (Android, Symbian, iPhone, Windows Mobile, BlackBerry and… oh yeah… Palm).  What this means is that, unlike the Windows operating system, there isn’t a piece of malware that has been written that takes advantage of a weakness in the code or device which would allow for an exploit to occur (at least not yet).

This means that all attacks on your cell phone require an action by the end user for them to work.  I think a lot of people are still hung up on this point, so I’m going to restate it.  I can take advantage of a web server exploit and place malware in an iframe.  When, from your PC, you simply browse to that site, you can become infected, assuming you don’t have an AV scanner or content filtering service that would protect you from the redirect and download.  In browsing the website, you have “done” something.

GREAT! Make sure everyone knows not to do anything to allow themselves to be compromised (or pwned)!


If only it were that easy, right?

What we have is a combination of a social engineering problem and end user education/awareness.

In many respects, all malware delivered via email, web, SMS, etc. has some element of social engineering to it.  The attacker either uses a compromised account on a friend’s device and sends messages to its contact list, making it seem like a trusted source, or falsifies the origin of the email to make it appear that it’s coming from a large trusted source (e.g. …).  Either way, they are trying not to raise any red flags and to get you to open the email, the attachment, or follow the URL.

We try to mitigate this with device control policies and the above mentioned user education/awareness.  By providing our users with examples and scenarios we try to make sure they are as informed as possible so they don’t fall prey to these attacks.

I have written a list of best practices for cell phone use to help protect you and your information.  If you are interested in those recommendations, please check out my post on Cell Phone Security Best Practices – keeping your personal information personal.



But wait, there’s another big hole here!  These are smartphones.  It’s not about email, text, and phone anymore.  These things can have applications installed on them!


And so we have the app stores.  Each major manufacturer has one for its respective OS (see list above).  What we have now is a channel by which a malicious person could deliver their application (aka malware) to your device.  What makes this more interesting is that you are willingly downloading and installing this application (aka malware).

These are supposed to be trusted channels.  Each manufacturer has a process by which they test and verify some aspects of the application before they sign the app and publish it to their respective store.  This may range from “does the app start?” and “does it crash my phone OS?” to “is it secure?”  We can’t really assume they are checking the security of its actions.

And why is that you ask?

Let me give you an example of a published application that you would very likely not want.  Let’s just call this app “Flex(insert a vowel here)spy”, and the vowel rhymes with the word try.  This company writes the application, submits it to an app store and says “This is a personal backup app.  It backs up your files, emails, contacts, etc. to a website for you”.  Sounds good.  The app store tests it and approves it for sale.  It was posted in the app store and sold for a period of time, until our good friends at F-Secure notified them: “um, you guys are selling an app that allows someone to spy on another user’s phone use”.  What????

What may have been presented to the app store as one thing was in practice quite something else.  The app could be deployed directly to the phone or just put onto a memory card and slipped inside a phone to be activated.  So if you wanted to track someone’s usage and get their info, all you needed was 30 seconds of access to their phone.  What’s even more interesting is that this is what the company’s website indicated you could do with the product.  If only the app testers had read it…

While not perfect, the app stores do provide a level of protection that should help keep users from putting malicious applications on their phones.  That is, until the users decide they need to “assert their freedoms” and jailbreak their devices so they can do things like install applications not reviewed by the manufacturer.  Are you jailbreakers still sure you’re in the right here?

Even the new and highly touted Droid has seen issues with developers posting “apps” to help you connect to your online banking site.  Seriously though, when I want to connect to Citibank, do I need an app from 09Droid that costs $.99 to do so?


Where does that leave us?

  1. Have policies for your device
  2. Use management applications for the device to enforce those policy settings
  3. Educate your users

This should look remarkably like any policy for managing a PC.  Well, it is.  Let’s take the approach that, as smartphones continue to mature and gain functionality, they will be under attack as much as (if not more than) our PCs.  Since we have the perspective of having dealt with PC security issues, let’s try and stay in front of the smartphone security issues.

Why you should hack your iPhone

or really why you shouldn’t.

I know quite a few people who have jailbroken their iPhones.  And I will apologize to many of them now, but I can tell you that most all of them should not have done it.

I realize that in their frustration to have the iPhone be all the things that it is capable of being, many users feel the need to bypass the constraints put in place by Apple.  Unfortunately they also bypass a lot of the security functions (roughly 80%) built into it.  I see the stat that nearly 7% of all iPhones are jailbroken.  Given that 90% of those probably have not done anything to increase their security posture, there are roughly 2.1 million “vulnerable” iPhones in use today (given 34 million in use Q9 2009).

So, for you to have the ability before anyone else to tether, MMS, Google Voice, etc., you open yourself up to the following:

  • Default SSH password setting –  since this is often not changed by users who jailbreak their iPhones, this is the easiest port to access the phone’s OS.
  • Use of iPhone to proxy your connections

Via those vectors “one” can easily connect and:

  • See the iPhone OS file system… hmmm what files can I see and copy over from there?  How about:
  • Email
  • SMS Messages
  • Voicemail in .amr format
  • Addressbook/Contacts
  • Call History
  • Notes
  • Bookmarks
  • History
  • Cookies (could really find some interesting things with persistent cookies here)
  • Even more fun?  What about recAudio?  Remotely, from the command line, enable the audio recording feature of the microphone.  The audio is then stored to a local file (.aiff) that I can now SCP from the iPhone to the machine I’m on.  Bamo… you have your own remote bugging device and no one will think twice about it sitting in a conference room while they are talking about… well anything.
  • Uber stalker?  You can also query the iPhone’s GPS API to return HI RES latitude/longitude information in XML format.  Put those coordinates into Google Maps and you can (with a tremendous amount of accuracy) track the path of an iPhone user.
  • Make phone calls?  What about making the remote phone make calls?  You can make someone prank call without their knowledge.  If you know them, you can make them call you and give them a hard time about calling and not saying anything.  The uses are endless, eh?
  • Remember the use of your phone as a proxy connection?  How many users connect their iPhones to their office or home wireless networks?  Since there are multiple interfaces on the iPhone and you can route between them, “one” could now use this as a bridge into a private network.  So much for your firewalls and perimeter devices protecting your network.

Sweating yet?

Well, believe it or not, there is good news for you jailbreakers out there.  AT&T has begun to filter addresses on their NAT’d wireless network, but only quite recently.  Prior to this, “one” could pop an AT&T aircard into a laptop, get onto a mobile wireless segment, get “one’s” own IP address and quickly scan that entire segment for users.  A port scan will tell you which of those devices are iPhones.  With this filtering in place (and only in some places) you are limited and not able to (as easily) map the devices around you.  So this is a hurdle, but don’t take too much comfort in it being high enough to keep very crafty people out for long.

So the long and short of it?

Given how much information is contained on your iPhone, I don’t think there’s any application you need so badly that you’d be willing to give up access to all your personal information.  So suck it up and use the apps/functions/features that Apple has available.  When it can be provided securely (and probably profitably for Apple) it will be released.  Until then, go play outside.

Special thanks to Trevor Hawthorn for his research and demonstration of these exploits at ShmooCon 2010.