Apple’s latest response to the EU’s anti-trust regulators could be a bit of a stretch. A Chinese group claims to have been able to hack Apple’s AirDrop, a shocker if true. Password manager LastPass makes its passwords more secure, something experts say should have been done a long time ago. And new gear is in the spotlight as CES gets underway and Apple gets ready for the debut of its Vision Pro headset.
- Belkin Auto-Tracking Stand Pro with DockKit
- Samsung’s Ballie robot is now a projector that follows you around
- Rabbit r1
- Wi-Fi CERTIFIED 7
- Apple Vision Pro available in the U.S. on February 2
- Apple disputes EU rules labeling its 5 App Stores as one service
- AirDrop ‘Cracked’ By Chinese Authorities to Identify Senders
- AirDrop crack: Apple was made aware of the vulnerability in 2019
- Apple removes nine cryptocurrency apps from India App Store
- LastPass Increases Password Minimum Character Limit to 12
- 4 Best Password Managers in 2024: How to choose the right one for you
- Unlock 1Password with a passkey (beta)
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Transcript of Intego Mac Podcast episode 326
Voice Over 0:00
This is the Intego Mac podcast—the voice of Mac security—for Thursday January 11, 2024.
This week’s Intego Mac podcast security headlines include: Apple’s latest response to the EU’s anti-trust regulators could be a bit of a stretch. A Chinese group claims to have been able to hack Apple’s AirDrop, a shocker if true. Password manager LastPass makes its passwords more secure, something experts say probably should have been done a long time ago. And new gear is in the spotlight as CES gets underway and Apple gets ready for the debut of its Vision Pro headset. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn and Intego’s Chief Security Analyst Josh Long.
Kirk McElhearn 0:54
Good morning, Josh, how are you today?
Josh Long 0:56
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:57
I’m doing just fine. Do you know what this week is?
Josh Long 0:59
Well, yeah, I think you’re talking about it being CES week.
Kirk McElhearn 1:02
Exactly. CES, the Consumer Electronics Show, actually still exists. A lot of people have been asking, particularly since COVID, whether it’s worth continuing these sorts of things, because you can get all this information online. But there is the advantage of journalists getting, you know, demos of products, of hardware products, right in front of them. And also coming home with a cold or flu, which is very common, the “CES flu”, isn’t it?
Josh Long 1:25
Yeah, unfortunately, that is a thing, the conference flu, right? I do like going to conferences like this; it is a little bit draining. First of all, CES especially is a very large conference. It’s hosted in, you know, multiple buildings all around town in Las Vegas. If you’re going there to cover the show and talk about the things that are on display there, it’s a lot of work, a lot of walking. It’s very draining, but just to casually hear about it online is a much more pleasant experience. So I do agree with you from that perspective.
Apple has announced the shipping dates for the Vision Pro headset
Kirk McElhearn 1:58
So we want to talk about a few interesting things from CES. But of course, Apple decided that they would try to get all the attention, instead of older people at CES with their little toys. Apple announced shipping dates for the Vision Pro, which is going to be February 2, I believe; pre-orders start on January 19. So if you have $3,499, plus whatever cost for your custom glasses, then you can pre-order the Vision Pro. I guess, for the custom glasses, you have to go into an Apple Store. And I don’t know how it’s going to work. They are apparently going to be sold at all the Apple Stores in the US, which is surprising; you would have expected that they would be select Apple Stores. My guess is they’re doing it in all the Apple Stores to get it in front of as many eyes as possible, not expecting to sell many, but so as many people as possible who don’t follow the news like we do will know about the Vision Pro. Did you notice something interesting, that it only has 256 gigabytes of storage?
Josh Long 2:56
Well, at least that’s what the press release kind of hints, but it’s a little bit vague. So the way that Apple put it, they say Apple Vision Pro will be available starting at $3,499 US with 256 gigabytes of storage, period. There’s no mention of whether there’s going to be higher storage models or not. It’s starting at $3,499 with that amount of storage; that doesn’t say if it will go up to some amount. The “starting at” might just be a reference to the fact that, like you’re talking about, so you know, some people will want the reader inserts or the prescription inserts. Maybe that’s the starting-at price because they’re talking about the other accessories you can buy. But 256 is not a lot. Because if you think about it, you know, you’re going to be recording what Apple calls 180-degree three-dimensional 8K recordings. So these video recordings that you can do with your Vision Pro are really high resolution; that takes up a lot of space.
Kirk McElhearn 4:00
Okay, they’re not actually 8K, it’s two times 4K.
Josh Long 4:03
That’s what we assume. Yeah, exactly. Yeah. The point is, that’s still a ton of space that these things are taking up and 256 gigabytes is going to be gone in the blink of an eye when you’re recording videos.
Kirk McElhearn 4:15
It’s only got two hours of battery life, so you can’t record that much. Doesn’t that make you think of the earliest Apple laptops? My first Mac was a PowerBook 100, and I think it had maybe two or three hours of battery life, and it was only in black and white.
Josh Long 4:28
That was really impressive. But battery technology has obviously improved quite a bit since then; these things will improve. And obviously I would expect that we’re going to get a much better second-generation Vision Pro at probably a much lower price point at some point. I do want to get back to that whole storage thing. So there are definitely ways that Apple could solve this if Apple decides to only release it in 256. Or if they really are just, you know, kind of quietly saying between the lines that they’re going to come out with higher storage versions of this at a much higher price point than the already $3,500 that it’s starting at.
Kirk McElhearn 5:03
Plus $99 for the reader glasses, and $149 for the prescription glasses. What this means is the reader glasses are just like the $5 reading glasses you can buy in a supermarket, right? +1, +2, etc. Prescription glasses at $149 doesn’t sound excessive; $99 for basically $5 glasses does sound a bit excessive.
Josh Long 5:23
But maybe what Apple is doing here is maybe they’re going to leverage your iPhone’s existing storage to some degree. Because if you think about it, you remember, like, one of the use cases that they talked about, that they demoed when they first showed this off, was you can sit on an airplane and watch your videos, you watch your movies, you know, while you’re on the plane. If it’s less than two hours here, right? Right. Well, yeah, right, you’d have to bring multiple batteries, or a lot of airplanes do have power that you can use while you’re in your seat. Maybe you want to watch multiple movies while you’re on a flight. Well, guess what, those take up a ton of space too, especially if you’re talking about 4K videos. My guess is that a lot of that storage is going to be leveraging your existing iPhone storage. And so you can maybe store movies on there and AirPlay it to your Vision Pro or something like that. And maybe offloading will be a thing too, where you’re recording these high-resolution videos on your Vision Pro, and maybe those will somehow get offloaded to your iPhone. The other possibility is, remember the cord that you’ve got? When Apple first demoed it, people were like, there’s a cable, like, sticking out of the back of the Vision Pro going down to the battery. Well, that’s USB-C. And I don’t see any reason why it couldn’t be a battery plus storage device that you have on the other end. Maybe that’s an accessory that Apple will sell, maybe third parties will. I have a feeling we’re going to have other options for storage; it’s just that Apple kind of doesn’t want to inflate the price any more than they absolutely have to for a device that they already know is really expensive.
Interesting products introduced at CES 2024
Kirk McElhearn 6:56
Just a quick mention of a few other things that we’ve spotted at CES. I found it really interesting that Belkin is releasing an iPhone stand that leverages something called DockKit. So the iPhone will move around to track you the way a camera on an iPad does, since, I believe, iOS 16, on certain iPad models. I didn’t know that there was something called DockKit. But it’s a framework that Apple released last year for this exact purpose. It’s a magnetic connection to this dock, which I guess has batteries in the bottom, and it can rotate and it can tilt and all that. And it connects to the iPhone over NFC, which is a really interesting way to send data. And so this is for, like, if you are a quote-unquote content creator and you’re standing in front of your iPhone, you want to be able to move instead of being in a fixed position. The iPhone will move around with you. I think this is really clever. And this idea of DockKit, I’m curious about what people can do with this. I had no idea this existed.
Josh Long 7:52
Yeah, it’s not something that I remember hearing about either. If you’ve ever wanted to get a feature similar to what the iPad has, but on the iPhone, well, this is now possible with Belkin’s new stand. There were a couple of personal AI assistants that were announced. One of them just seemed really gimmicky to me, the Samsung Ballie, which I’m guessing is supposed to sound like Wally, you know, like the Disney Pixar character. Ballie is this thing that, like, rolls around and has a projector built in and stuff. And it seems really gimmicky. The other thing that was a little bit more interesting to me, although it’s probably not a device that I’m likely to ever buy, is the Rabbit R1. There’s a company called Rabbit AI, and the R1 is their new product that only costs $199. And it’s got all of the kind of AI capabilities built in that you might expect from some of these things like the Humane Pin that’s going to cost $700, and these other AI-enhanced wearables that are starting to emerge in the market. So Rabbit AI is coming—guess what—Easter. Not too surprisingly, they decided to tie in with their name a little bit there. So the Easter Bunny is coming. (He’s got a built-in Easter egg.) Yeah, yeah, the Easter Bunny is going to deliver you a Rabbit R1 for the Easter holiday. Basically, it’s just a little device that you can talk to, and have it do a bunch of the things that you could do with any chatbot on your phone. (It’s a cute-looking little device.) It is kind of a cute-looking little device. It can either use Wi-Fi or it can use a SIM card. So you can have this thing always connected to the internet. And it’s not meant to replace a phone, they say; you know, it can integrate with your phone, whatever smartphone you have, whether it’s an iPhone or Android. It sounds kind of interesting. And one of the other use cases for it is you can actually program new functionality into it, and they say it doesn’t require any coding experience at all.
It’s a relatively easy way of training it, is how I think they put it, to do new types of tasks. It sounds pretty extensible. And for that price point, I think there’s going to be a lot of people who want to play with it.
Kirk McElhearn 10:00
Okay, the Wi-Fi 7 standard has been adopted. And you’re like, oh, this is so exciting. And I’m like, yawn, because it’s going to be years before we get all the devices, before all the routers are there, before the iPhones and iPads and Macs. And Apple does kind of catch up on these things quickly. But it’s likely that the next iPhone won’t have it. Well, we’re eight months away; maybe they have time to put it in. It’s faster, it’s better; wait and see. It’s got all the things that Wi-Fi does, but it’s a little bit better. It’s rebuilt from the ground up.
Josh Long 10:30
Yeah. Which is not really true, because obviously it has to be backwards compatible with all existing Wi-Fi standards. Anyway, Wi-Fi 7, at least the standard is official now. And that means that we’re going to see a lot more devices, a lot more routers. First of all, there were already some that were kind of based on the draft specification. That’s kind of a thing that router manufacturers typically do to try to get ahead of the game and release their products first to market. Now it’s official, and so we’ll start seeing chipsets, including in, you know, eventually Macs, iPhones. The one thing that I’m a little interested in here, that may not get Wi-Fi 7 very soon, is iPads, because Apple never released iPads in the entire last calendar year. We expect that there’s going to be new iPads coming very soon, probably within the next few months. And I just don’t think that there’s enough time to stick Wi-Fi 7 in these iPads. We may not see Wi-Fi 7 in iPads for a very long time.
Kirk McElhearn 11:29
Okay, the last one we want to point out, we’re gonna do this quickly. There’s a smart lock called Walkley that uses facial recognition. I don’t trust facial recognition with most devices. I trust Apple with Face ID because all the banks trust Face ID, right? But I don’t trust a smart lock where you could just maybe, you know, hold up a photo of someone and open a door. I had a locksmith come some months ago to fix a lock in my house. And we were talking about it. And he said, I don’t put smart locks in. I don’t trust them.
Josh Long 11:58
I’m the same way. I don’t like them, especially on my front door. Like, if it’s an inside lock, I mean, that’s one thing, right? There was another lock that somebody was showing off that you could unlock with a fingerprint. And they were recommending that for, like, indoor use, like for an office or something like that. And I think that’s more practical. I don’t really want any kind of smart technology allowing people to easily get into my home. I think I would stay away from that one, personally.
Kirk McElhearn 12:23
You know, lock tumblers and keys are a very good technology; they’ve been around for, I think, thousands of years. It’s hard to improve on a technology like that.
Josh Long 12:33
I mean, there are lock picks, like, it’s not like it’s invulnerable.
Kirk McElhearn 12:36
There are locks that are extremely difficult to pick, if you need really strong security. There are locks that are not easily pickable. Of course, the same locksmith told me, pick a lock, no problem, I’ll get your door open in five minutes. Yeah, if even that. All right, we’re gonna take a break. When we come back, we’ve got some interesting security news.
Voice Over 12:57
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection; NetBarrier, powerful inbound and outbound firewall security; Personal Backup to keep your important files safe from ransomware; and much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World-class protection and utility software for Mac users, made by the Mac security experts.
Apple disputes EU regulators characterizing its stores as a single store
Kirk McElhearn 14:13
So we’ve spoken before about this new EU regulation that is going to require Apple to allow third-party app stores on its devices. Well, Apple has come up with a clever way to describe their app stores in their appeal. They say it’s not one app store, but it’s five different app stores. I kind of think this is a bit twisting things, because, you know, yes, okay, technically you’ve got five platforms. You’ve got the Mac, the iPhone, the iPad, the Watch and the Apple TV. But it’s really one app store.
Josh Long 14:43
Looking at it from Apple’s perspective, I guess where they’re going with this is that you can have an app that’s exclusively for any one of those platforms. And you could also have an app that is available cross-platform. So if you buy it on one, then you get it on all the rest, as long as it supports those others. But from Apple’s perspective, though, if you get an Apple TV app, you can get Apple TV apps that are only available on Apple TV. So therefore that’s a different store. It’s a totally different experience.
Kirk McElhearn 15:15
How many accounts do you have for Apple’s App Stores?
Josh Long 15:18
Well, you have one, right?
Kirk McElhearn 15:19
If it was five app stores, you’d have to have five different accounts.
Josh Long 15:22
Okay. But by that logic, then, whenever you are signing into any site that uses Google as a login, or Meta as a login, then are those all part of Meta’s platform or Google’s platform?
Kirk McElhearn 15:37
No, that’s just them providing a service for login; they have nothing to do with the operation of the platform itself. I see your point there, like WordPress, you could log into WordPress blogs using a single sign-on. But it’s obviously just them opening a door for you. That’s all they’re doing. Anyway, we’re not going to agree on this, but I think it’s a little bit ridiculous that Apple’s doing this, especially because we know that they’ve already developed everything they need for these third-party app stores, so they can roll them out on time. Are they just trying to waste a little bit of time, distract from something?
Josh Long 16:09
Well, it could be that they’re trying to buy a little more time. The other thing that they might be doing here is, if it turns out that they end up losing against the EU and are going to be forced to allow third-party app stores, then at least they are hoping that they don’t have to do that for all five of these platforms, right? That maybe they’ll only be forced to do it on one or two and not all five.
Kirk McElhearn 16:34
Actually, it’s six.
Josh Long 16:36
It’s six. Oh, what’s the sixth one?
Kirk McElhearn 16:38
Vision Pro. It’s going to have its own app store?
Josh Long 16:40
Ah, yes. Upcoming Yes. Yep.
Hackers claim to have hacked AirDrop
Kirk McElhearn 16:44
On which you will be able to run many of the apps that you’ve already bought for your iPad and iPhone and Mac and Apple TV and Apple Watch. Anyway, we’ll follow this. I just think it’s funny. AirDrop, this is really weird. We’re trying to figure out why the Beijing Municipal Bureau of Justice would come out with an article, which we haven’t read the original because it’s in Chinese, saying that they have cracked AirDrop, that they can bypass the protocol’s encryption and reveal identifying information, that they can find who is sending and who is receiving things, that they figured out a way to compare the hashes with, I’m assuming, a database that they have of people’s phones and Apple IDs and email addresses, etc. And they can tell who is sending illegal content via AirDrop. Now the whole idea that a police department, I guess we’ll call it, would actually come out and publish an article saying, hey, look what we can do, rather than keep quiet so they can keep doing it, seems suspicious, doesn’t it?
Josh Long 17:44
Well, yeah, that’s what’s very bizarre about this. And maybe part of the reason that they’re doing this is, first of all, to sort of flex, because they sound like, you know, they call it a technological breakthrough. Well, the reality is that this vulnerability, if you can call it that, has been around since at least 2019. Security researchers have been warning Apple about the risks of the way that they’re encoding phone numbers and email addresses. There was a researcher who contacted Apple in 2021 and had a whole PrivateDrop plan; they proposed a way that Apple could modify the AirDrop protocol, if they wanted to, to make it more private, so it wasn’t accidentally kind of leaking phone numbers and email addresses when it worked. Now, Apple never adopted that. They did say that they were going to; they responded to him when they were developing iOS 16. They apparently didn’t really fix the issue, because it seems like it’s still a thing. So it’s not that iPhones are actually leaking your phone number and email address in plain text whenever you AirDrop something. What’s actually going on is that they’re essentially hashed in such a way, or encoded in such a way, that somebody’s not going to get it in plain text. But it’s possible for somebody who captures those packets of data, and remember, they’re being transmitted over the air, that’s the whole point of AirDrop, if you capture those, you might be able to crack that later on and figure out what phone number or what email address associated with an Apple ID was used to send a particular file over AirDrop.
Password Manager LastPass updates requirements for master passwords
Kirk McElhearn 19:27
So we talk a lot about password managers, and we’ve recommended password managers many times, and I’ll link in the show notes to an article on the Intego Mac Security Blog where we talk about the password managers we recommend, including one we no longer recommend, LastPass, because they had data breaches which actually allowed people to get into user vaults. Well, LastPass has introduced a minimum character limit for the master password. That’s the one password that you type in. I didn’t say 1Password intentionally, but that’s the password you type in to unlock your vault, and it has to be a minimum of 12 characters. Now, this wouldn’t have prevented the data breach, right? It would have prevented perhaps someone from accessing user vaults. But it’s kind of late, after no one trusts LastPass anymore, at least no one who pays attention to the news trusts LastPass, to come in with a minimum limit of 12 characters, which is actually probably longer than most people use for that sort of thing, too.
Josh Long 20:27
Well, a 12-character minimum is not exactly necessarily ideal. But at least it’s better than the eight characters or whatever they were requiring before as the minimum. So it’s, I guess, a step in the right direction, but it’s still way too little, way too late. And also there’s no other requirements as far as these passwords go. So you could literally just type like 01234, you know; you see, the problem here is you can still have very weak 12-character passwords, and they’re not enforcing anything else either. I’m not generally in favor of putting a bunch of arbitrary, you know, additional requirements in place for passwords, but you’ve got to have some standards, right? Like, just any 12 characters will do? I mean, you’re protecting all of your other passwords, like, you need to have better security for your password vault.
Kirk McElhearn 21:22
So, worth pointing out that on 1Password, the requirement is 10 characters. Do you think that’s too short?
Josh Long 21:28
I wouldn’t use a 10-character password; I would definitely recommend something longer than that.
Kirk McElhearn 21:32
The problem is, if you get too long, it’s hard to remember. Now, obviously, you could, let’s say, type three words with hyphens in between, right, and that’s pretty secure. But if the password gets too complicated, you won’t remember it, you’ll write it down, you’ll look it up someplace. And that’s not very secure.
Josh Long 21:48
This is the long-standing criticism of password managers, right, that there’s one password that you do have to remember, or you lose access to your password database, which then means usually that you’re going to pick a somewhat weak password in order to be able to memorize it. There’s a lot of different schools of thought on this. Some people even say don’t use a password manager. I definitely think that password managers are generally much better than not using one at all, because then you’ve got to memorize weak passwords for every single one of the sites and services that you use, which is, I think, far worse. So better to use a trusted password manager; again, link in the show notes to some examples of ones that we trust. And, you know, definitely use something strong. If you’re going to use 12 characters, at least make them really complex, right, like use upper, lower, numbers, special characters. You can memorize one single password that has all those qualities, and that’s not going to be easily guessed or cracked.
What is SpectralBlur spyware?
Kirk McElhearn 22:49
Again, worth pointing out that 1Password currently has a beta which allows you to use passkeys as your master password instead of a password itself. Of course, the problem here is, what if you lose all your devices and you need a recovery code, which they can provide? But you’ve always got, you have to have some sort of net, right? You can’t do this without a net; you’ve got to have some sort of security. I think obviously a passkey is much more robust. And if you can get access to a recovery code, such as, I don’t know, you put it online in a secure location that’s maybe protected by another password. But it’s passwords all the way down, right? One password protects another password, which protects another password. So okay, SpectralBlur. This kind of sounds like, I don’t know, one of those iTunes visualizer things; when you play music, you get lights flashing around. What is SpectralBlur?
Josh Long 23:39
Well, SpectralBlur is not a light show. It’s not a new filter for Photoshop. SpectralBlur is the name of this new malware that is suspected to be a cousin of KandyKorn; you might remember that we talked about that in the past. KandyKorn, spelled with Ks, of course, because why not? SpectralBlur is believed to come from the APT group known as BlueNoroff; we’ve talked about them before as an organization that at least has ties to the Lazarus Group, which is a North Korean hacking group. SpectralBlur seems to be implant malware, so it’s something that, like, can run surreptitiously on your machine and monitor you. It can potentially interact with your computer. It’s designed to avoid detection. And so it’s nation-state spying malware, basically, for macOS. It is sophisticated malware. It has backdoor capabilities, as one would expect from this type of malware. It can upload and download files, can run shell commands, update its own configuration, it can delete files, it can do a number of other things based on commands that it receives from a command and control server. So the operator of the malware can send commands to it and tell it whatever they want to do on your computer.
Kirk McElhearn 25:02
So I’m assuming that if people are running Intego VirusBarrier, they are protected from SpectralBlur.
Josh Long 25:06
Yes, we’re always on top of this, and we make sure that VirusBarrier always detects the latest malware.
Kirk McElhearn 25:11
Boom. Good to hear it. Okay, until next week, Josh, stay secure.
Josh Long 25:15
All right, stay secure.
Voice Over 25:18
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.