ppietra

About

Username
ppietra
Joined
Visits
66
Last Active
Roles
member
Points
1,513
Badges
2
Posts
288
  • AirTag hacked and reprogrammed by security researcher

    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
    AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
    Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.
    gregoriusmwatto_cobra
  • Apple posts record $89.6B in Q2 revenue on back of across-the-board growth

    seankill said:
    All those stimulus checks going to electronics. 
    well, it doesn’t seem like it. The Americas was the region with least growth, significantly bellow the average. The rest of the world was responsible for more than 70% of the revenue growth
    bageljoeyfastasleepmuthuk_vanalingamFileMakerFellerwatto_cobra
  • Tile bemoans Apple AirTags launch, raises antitrust concerns

    Funny how Samsung is already selling a similar product and service and Tile didn’t complain! Is Apple forbidden to compete with Samsung?
    DnykjpRfC6fnBsJapheyn2itivguypulseimagescaladanianBeatschaickajony0applguywatto_cobra
  • Apple witness says company would need to modify software, hardware to support third-party ...

    Mueller is at least knowledgable about this sort of thing, but he comes from an open source background. He has declared his intentions to only publish Android apps because he disagrees with the Apple approach. He's right that the MDM approach isn't suitable for widely-distributed software (this is by design!), but I would have expected him to recall the Facebook brouhaha involving their "Enterprise" software certificate being used to bypass App Store restrictions (e.g. https://www.cnbc.com/2019/01/29/facebook-paying-users-to-install-app-to-collect-data-techcrunch.html) - so it's definitely possible if the end result is valuable enough to you.

    And, oddly enough, I agree with Tim Sweeney on this single point - it is technically feasible for Apple to allow Third Party App Stores by using the Enterprise Developer Program. But I wouldn't want Apple to be forced to change that Program because of the safeguards it provides - the user must explicitly accept that they do not have full control over their device with respect to the apps that can be installed on it. Ironically, users need to implicitly accept that they don't have full control over their device anyway when they buy it. But the key point is that users make an informed choice, both at point of purchase and at the point of profile installation (although, frankly, for corporate use it's far better to have the corporation own the device and simply make parts of its functionality available to its employees).
    Sorry but what you are describing uses only Apple’s cryptographic keys and certificates that Apple distributes to each developer in its developer program. A new store cannot operate using only one app developer certificate, it would have to have its own set of keys and different certificates for each app on their store, different from what Apple uses; which means that the system would need to be redesigned in order to recognise and trust apps from different stores, and each store app management implementation, if we want to maintain an identical level of security. We can argue wether it’s a lot of work or not, but the fact is it isn’t like what these guys are describing, just remember that the system was designed with only one entity that could be trusted - Apple. MDMs and everything else rely on that!
    Apple would have to completely review the system security to account for these kind of changes, since a lot was done without accounting for this level of flexibility!
    applguyroundaboutnowwatto_cobra
  • Apple witness says company would need to modify software, hardware to support third-party ...

    Being able to install apps outside of the AppStore  doesn’t mean that the System supports another store from another company, it only means that Apple supports some of its signed developers doing distribution, with Apple keys.
    Another store would have its own security mechanisms and its own keys, which means that Apple would have to make sure that the system supports different app management, keys from different stores, etc! Probably Apple would want to change hardware to make sure that its own keys aren’t compromised.
    cornchipwatto_cobra