Bluetooth communications are still not safe in 2023

Multiple active exploits could affect iPhone use of Bluetooth.

Flipper Zero hacker tool could be used to trigger iPhone DDoS attack using Bluetooth signals by AirPods, HomeKit accessories, etc. These signals usually trigger popup on iPhone allowing to connect to headphones or perform other actions. Crafting these signals in a specific way could result in iOS restart.

Newly discovered BLUFFS attack could be used to impersonate devices and trigger disclosure of private information. It is not yet clear, if AirDrop is affected by this attack as it uses more than just Bluetooth to authenticate the device. However, it is still possible to hijack audio or other Bluetooth connection. Fix would require device manufacturers to modify security mechanisms of Bluetooth stack.

References:

Safari could be exploited with new iLeakage attack

Safari now suffers from new exploit allowing malicious website to render arbitrary webpage and extract information out of it.

As of now, there is a workaround requiring access to developer menu on macOS.

Paste the following command in Terminal: defaults write com.apple.Safari IncludeInternalDebugMenu 1

Open Safari and select "Debug" from the menu bar, select "WebKit Internal Features" then Scroll down and click "Swap Processes on Cross-Site Window Open"

AppleInsider

It is expected that this vulnerability will be fixed by Apple in upcoming software updates.

Disclosure: iLeakage

References:

Apple releases macOS Sonoma 14

Apple releases next major release of macOS – Sonoma.

macOS Sonoma brings all‑new capabilities that elevate your productivity and creativity. Discover even more ways to personalize your Mac with stunning screensavers and widgets that you can add to your desktop. Elevate your presence on video calls with a new way to present your work that keeps you a part of the presentation. Safari profiles and web apps help you organize your browsing in all-new ways. Game Mode boosts your gaming performance. Sonoma also brings big updates to Messages, Keyboard, and Accessibility. And when you upgrade, you get the latest security and privacy protections available for Mac.

Screen Savers

  • Stunning screen savers of locations from around the world seamlessly become your desktop wallpaper when you log-in
  • Shuffle settings for rotating through screensavers by theme including Landscape, Cityscape, Underwater, and Earth

Widgets

  • Widgets can be placed anywhere on the desktop and adapt to the color of your wallpaper while working in apps
  • iPhone widgets can be added to your Mac when your iPhone is nearby or on the same Wi-Fi network
  • Interactive widgets let you take actions directly from the widget such as running a shortcut, pausing media, and more

Video Conferencing

  • Presenter Overlay keeps you front and center while sharing your screen in FaceTime or third-party video conferencing apps (Mac with Apple silicon)
  • Reactions layer 3D effects like hearts, balloons, confetti, and more around you in video calls and can be triggered with gestures (Mac with Apple silicon, Continuity Camera with iPhone 12 and later)

Safari and Passwords

  • Profiles keep your browsing separate for topics like work and personal, separating your history, cookies, extensions, Tab Groups, and favorites
  • Web apps let you use any website like an app, complete with an icon in the Dock for faster access and a simplified toolbar for easier browsing
  • Enhanced Private Browsing locks your private browsing windows when you're not using them, blocks known trackers from loading, and removes tracking that identifies you from URLs
  • Password and passkey sharing allows you to easily share accounts with trusted contacts

Messages

  • Live Stickers sync from iOS and iPadOS to macOS, giving you access to the Live Stickers you create on your iPhone and iPad
  • Search filters for people, keywords, and content types like photos or links help you more easily find what you are looking for
  • Swipe to reply inline on any iMessage bubble

Gaming

Game Mode gives games the highest priority on the CPU and GPU, delivering more consistent frame rates and lower latency to wireless controllers and AirPods (Mac with Apple silicon)

Keyboard

  • Improved autocorrect accuracy makes typing even easier by leveraging a more powerful transformer-based language model
  • Inline predictive text shows single- and multi-word predictions that you can add by pressing the Space bar
  • Improved Dictation experience supports using your voice and keyboard together to enter and edit text

AirPods

  • Adaptive Audio delivers a new listening mode that dynamically blends Active Noise Cancellation and Transparency to tailor the noise control experience based on the conditions of your environment (AirPods Pro (2nd generation) with the latest firmware)
  • Personalized Volume adjusts the volume of your media in response to your environment and listening preferences over time (AirPods Pro (2nd generation) with the latest firmware)
  • Conversation Awareness lowers your media volume and enhances the voices of the people in front of the user, all while reducing background noise (AirPods Pro (2nd generation) with the latest firmware)
  • Press to mute and unmute your microphone by pressing the AirPods stem or the Digital Crown on AirPods Max when on a call (AirPods (3rd generation), AirPods Pro (1st and 2nd generation), or AirPods Max with the latest firmware)
  • Improved AirPods automatic switching now detects Mac up to 2X faster (AirPods (2nd and 3rd generation), AirPods Pro (1st and 2nd generation), AirPods Max with the latest firmware)

Privacy

  • Sensitive Content Warnings can be enabled to help prevent users from unexpectedly viewing sensitive images in Messages
  • Expanded Communication Safety protections for children now detect videos containing nudity in addition to photos shared through Messages and the system Photos picker
  • Improved sharing permissions let you choose which photos to share and add calendar events without providing access to your entire photo library or calendar

Accessibility

  • Live Speech lets you type what you want to say and reads it aloud in FaceTime calls or in-person conversations
  • Personal Voice helps users at risk of speech loss create a voice that sounds like them in a private and secure way using on-device machine learning
  • Made for iPhone compatible hearing devices can be paired and used with Mac (MacBook Pro (2021), Mac Studio (2022), and Mac computers with M2 chip)

This release also includes other features and improvements:

  • One-Time verification code AutoFill from Mail helps you quickly sign into sites in Safari, without leaving the browser
  • Inline PDFs and document scans in Notes are presented full-width making them easy to view
  • Grocery Lists in Reminders automatically group related items into sections as you add them
  • Visual Look Up for recipes helps you find similar dishes from photo
  • Visual Look Up in video helps you learn about objects that appear in paused video frames
  • Pets in the People album in Photos surfaces individual pets just like friends or family members
  • Option to say "Siri" in addition to "Hey Siri" for a more natural way to activate Siri (Mac with Apple silicon, AirPods Pro (2nd generation))
  • High performance mode in Screen Sharing supports color workflows and improves responsiveness while remotely accessing a Mac (Mac with Apple silicon)
  • Item sharing in Find My allows you to share an AirTag with up to five other people
  • Activity History in Home displays a recent history of events for door locks, garage doors, security systems, and contact sensors
  • Battery health management updated on 13-inch MacBook Air with M2 chip to better optimize long term battery health

Some features may not be available for all regions or on all Apple devices.

macOS Sonoma also includes several important security fixes.

Apple Newsroom: macOS Sonoma is available today

Release notes: macOS Sonoma 14 Release Notes

References:

Apple lists API that require declared reasons to use

Apple will now require developers to declare use of specific APIs with app's privacy manifest.

Starting in fall 2023, when you upload a new app or app update to App Store Connect that uses an API (including from third-party SDKs) that requires a reason, you’ll receive a notice if you haven’t provided an approved reason in your app’s privacy manifest. And starting in spring 2024, in order to upload your new app or app update to App Store Connect, you’ll be required to include an approved reason in the app’s privacy manifest which accurately reflects how your app uses the API.

Apple Developer

Apple Developer:

Apple releases iOS 16.2 and other platforms

Following recent RC Apple now releases iOS/iPadOS 16.2, macOS 13.1 Ventura, watchOS 9.2 and tvOS 16.2. Xcode 14.2 is also released.

HomePodOS received corresponding update (which is required for Home updates and Matter support).

Apple also releases security bug fixes for previous OS releases - iOS 15 and macOS 11 Big Sur and macOS 12 Monterey.

This update brings several important updates:

Apple Newsroom: Apple launches Freeform: a powerful new app designed for creative collaboration

References:

Apple abandons plans to implement CSAM detection features in Photos

In an interview to Joanna Stern, Craig Federighi confirms that Apple stopped development of previously announced CSAM detection features.

In this interview Craig Federighi discussed new privacy and security features added by Apple to iCloud and their effect on law enforcement ability to extract data from iCloud.

One of the nixed features is Photos CSAM detection which was criticized by many privacy-focused groups and organizations.

https://www.youtube.com/watch?v=M4ZOkWaDxfw
https://www.youtube.com/watch?v=M4ZOkWaDxfw

The Wall Street Journal: Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data (Apple News+)

References:

In-app browsers in third-party apps could create significant security risks

Felix Krause published a tool to review how in-app browsers are hijacking user's actions in the web. Tools follows report made by the same developer.

TikTok's browser even captures every key stroke (including passwords) and reports those back to app owner.

Tool provides report on injected JavaScript code that could intercept user's data.

Tool: InAppBrowser

References:

Apple announces Lockdown mode for vulnerable users

Apple made an announcement on ability to increase device safety by sacrificing some of the capabilities:

  • Most of attachments in Messages are blocked;
  • Certain Web technologies are disabled (JavaScript JIT compilation, for example);
  • Some of Apple services (such as FaceTime) are blocked unless user explicitly communicated with the initiator previously;
  • Wired connection to computer is disabled when device is locked;
  • MDM and configuration profiles could not be installed.

Lockdown mode will be in active development, new restrictions and safeguards might be added soon.

Lockdown mode will be available for iOS 16, iPadOS 16 and macOS 13 Ventura.

It is expected that this mode will be used by small number of people who are potentially in risk of targeted cyberattacks, however, feature itself will be available to all users within settings later this year. As of now beta 3 is shipped with Lockdown mode settings available.

Apple Newsroom: Apple expands industry-leading commitment to protect users from highly targeted mercenary spyware

References: