Apple Joins the FIDO Alliance to Help Develop and Promote Authentication Standards

Apple has joined the Fast Identity Online (FIDO) Alliance, an open industry association whose mission is to develop and promote stronger authentication standards and help reduce the world's over-reliance on passwords.


Apple joins existing members Amazon, Facebook, Microsoft, Samsung and others in a common goal to secure online connections and support the adoption of the U2F authentication standard, which the alliance hosts.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or near-field communication (NFC) devices based on similar security technology found in smart cards. U2F security keys can be used as an additional method of two-step verification in online services that support the U2F protocol, such as Google, Dropbox, and Facebook.

Chrome, Firefox, Edge, and Opera browsers natively support U2F. With iOS 13.3, Apple's Safari also supports FIDO2-compliant physical security keys like the Lightning-equipped YubiKey.

With Safari support, the YubiKey 5Ci is a useful tool that can be more convenient than software-based two-factor authentication because there's no need to enter a security code -- you simply plug it into an iPhone or Mac (there's also a USB-C connector) to authenticate. Support for FIDO2-compliant USB security keys using WebAuthn was previously added to Safari 13 in macOS.
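As an added illustration (not code from the MacRumors article, Apple, or Yubico), here are the two halves of the WebAuthn registration the article refers to: the options a site hands to Safari to enrol a roaming FIDO2 key, and the checks a site's server must run on the browser's clientDataJSON before trusting the new credential. The origin check is what binds the key to the real site; the relying party names, user values and challenge bytes below are constructed.

```javascript
// Added example, not the article's or Apple's code. Runs offline with globals
// only (btoa, TextEncoder, TextDecoder); no real security key is needed.

// WebAuthn carries challenges in clientDataJSON as unpadded base64url.
function toBase64Url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Options for navigator.credentials.create(): ask for a cross-platform
// authenticator (a USB/NFC/Lightning key) rather than the device's own biometrics.
// `challenge` must be fresh random bytes per ceremony, generated server-side
// (e.g. crypto.randomBytes(32) in Node) and remembered for the verification step.
function makeCreationOptions(rpId, rpName, userId, userName, challenge) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // COSE ES256
      authenticatorSelection: {
        authenticatorAttachment: 'cross-platform',
        userVerification: 'preferred',
      },
      timeout: 60000,
      attestation: 'none',
    },
  };
}

// Server-side checks on response.clientDataJSON (a Uint8Array of UTF-8 JSON).
// `expected` = { type, challenge (the bytes issued above), origin }.
// Returns { ok: true } or { ok: false, reason } so the caller can log why.
function verifyClientData(clientDataJSON, expected) {
  let data;
  try {
    data = JSON.parse(new TextDecoder().decode(clientDataJSON));
  } catch (e) {
    return { ok: false, reason: 'clientDataJSON is not valid JSON' };
  }
  if (data.type !== expected.type) {
    return { ok: false, reason: `unexpected type ${data.type}` };
  }
  if (data.challenge !== toBase64Url(expected.challenge)) {
    return { ok: false, reason: 'challenge does not match the one issued' };
  }
  if (data.origin !== expected.origin) {
    return { ok: false, reason: `origin ${data.origin} is not ${expected.origin}` };
  }
  return { ok: true };
}

// Constructed stand-in for what the browser returns; in production this comes
// from the PublicKeyCredential object, never from the server's own code.
function sampleClientData(challenge, origin) {
  const json = JSON.stringify({
    type: 'webauthn.create',
    challenge: toBase64Url(challenge),
    origin,
  });
  return new TextEncoder().encode(json);
}

// Demo: a registration on example.com, then the same response as a look-alike
// origin would have to present it, which the server rejects.
const challenge = new Uint8Array([7, 1, 9, 42, 200, 13, 88, 3]); // constructed, not random
const userId = new TextEncoder().encode('user-1'); // constructed
const opts = makeCreationOptions('example.com', 'Example', userId, 'alice', challenge);
const expected = { type: 'webauthn.create', challenge, origin: 'https://example.com' };
console.log(opts.publicKey.authenticatorSelection.authenticatorAttachment);
console.log(verifyClientData(sampleClientData(challenge, 'https://example.com'), expected));
console.log(verifyClientData(sampleClientData(challenge, 'https://examp1e.com'), expected));
```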

FIDO was founded in 2013 by a group including Lenovo and PayPal to address the lack of interoperability among strong authentication technologies. MacGeneration was first to spot Apple's logo added to the list of board members.


This article, "Apple Joins the FIDO Alliance to Help Develop and Promote Authentication Standards" first appeared on MacRumors.com

Discuss this article in our forums

Apple Publishes New Apple Platform Security Guide

Coinciding with the launch of its public bug bounty program, Apple today published its new Apple Platform Security guide, offering users details about the security technology and features that are implemented within Apple platforms – including sections on Mac for the first time.


The documentation has been updated to reflect changes in iOS 13.3, iPadOS 13.3, macOS 10.15.2, tvOS 13.3, and watchOS 6.1.1. The Apple Platform Security site also covers hardware and services, providing comprehensive information in a readable format on the following topics:
  • Hardware Security and Biometrics: The hardware that forms the foundation for security on Apple devices, including the Secure Enclave, a dedicated AES crypto engine, Touch ID, and Face ID.

  • System Security: The integrated hardware and software functions that provide for the safe boot, update, and ongoing operation of Apple operating systems.

  • Encryption and Data Protection: The architecture and design that protects user data if the device is lost or stolen, or if an unauthorized person attempts to use or modify it.

  • App Security: The software and services that provide a safe app ecosystem and enable apps to run securely and without compromising platform integrity.

  • Services Security: Apple’s services for identification, password management, payments, communications, and finding lost devices.

  • Network Security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.

  • Developer Kits: Frameworks for secure and private management of home and health, as well as extension of Apple device and service capabilities to third-party apps.

  • Secure Device Management: Methods that allow management of Apple devices, prevent unauthorized use, and enable remote wipe if a device is lost or stolen.

  • Security Certifications and Programs: Information on ISO certifications, Cryptographic validation, Common Criteria Certification, and the Commercial Solutions for Classified (CSfC) Program.

The site can be browsed from the Table of Contents at the top of the page, or a PDF of the documentation can be downloaded here.

Alongside its Platform Security site, Apple maintains a separate site covering the company's approach to privacy, privacy controls on Apple devices, and the Apple privacy policy.

If users believe they have discovered a security or privacy vulnerability that affects Apple devices, software, services, or web servers, Apple encourages them to report it by sending an email to product-security@apple.com along with any relevant videos, crash logs, and system diagnosis reports. More information on reporting a security or privacy vulnerability can be found here.


This article, "Apple Publishes New Apple Platform Security Guide" first appeared on MacRumors.com


Apple Officially Launches Public Bug Bounty Program Covering All Apple Software

Apple today officially opened its bug bounty program to all security researchers, after the company announced the expansion plan at the Black Hat conference in Las Vegas earlier this year.


Prior to now, Apple's bug bounty program was invitation-based and non-iOS devices were not included. As reported by ZDNet, from today any security researcher who locates bugs in iOS, macOS, tvOS, watchOS, or iCloud will be eligible to receive a cash payout for disclosing the vulnerability to Apple.

Apple has also increased the maximum size of the bounty from $200,000 per exploit to $1 million depending on the nature of the security flaw. A zero-click kernel code execution with persistence will earn the maximum amount.

Apple says it will add a 50 percent bonus on top of the standard payout for bugs found in beta software, which allows the company to nix the issue before the OS version goes public. It is also offering the same bonus for so-called "regression bugs" – these are bugs that Apple has patched in the past but which have been accidentally reintroduced in a later version of the software.

Apple has published more information on its website detailing the bug bounty program's rules, as well as a full breakdown of the rewards being offered to researchers based on the exploits they uncover.

When submitting reports, researchers must include a detailed description of the issue, an explanation of the state of the system when the exploit works, and enough information for Apple to reliably reproduce the issue.

Next year, Apple plans to provide vetted and trusted security researchers and hackers with "dev" iPhones, or special iPhones that provide deeper access to the underlying software and operating system that will make it easier for vulnerabilities to be discovered.

These iPhones are being provided as part of Apple's forthcoming iOS Security Research Device Program, which aims to encourage additional security researchers to disclose vulnerabilities, ultimately leading to more secure devices for consumers.


This article, "Apple Officially Launches Public Bug Bounty Program Covering All Apple Software" first appeared on MacRumors.com


Israeli Security Firm Claims Spyware Tool Can Harvest iCloud Data in Targeted iPhone Attack

An Israeli security firm claims it has developed a smartphone surveillance tool that can harvest not only a user's local data but also all their device's communications with cloud-based services provided by the likes of Apple, Google, Amazon, and Microsoft.


According to a report from the Financial Times [paywalled], the latest Pegasus spyware sold by NSO Group is being marketed to potential clients as a way to target data uploaded to the cloud. The tool is said to work on many of the latest iPhones and Android smartphones, and can continue to harvest data even after the tool is removed from the original mobile device.

The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location.

This grants open-ended access to the cloud data of those apps without "prompting 2-step verification or warning email on target device", according to one sales document.

Attackers using the malware are said to be able to access a wealth of private information, including the full history of a target's location data and archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.

When questioned by the newspaper, NSO denied promoting hacking or mass-surveillance tools for cloud services, but didn't specifically deny that it had developed the capability described in the documents.

In response to the report, Apple told FT that its operating system was "the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers." The company added that it regularly updates its operating system and security settings.

The news raises concerns that such spyware could be used by repressive regimes and other shady attackers to monitor members of the public. In May, for example, WhatsApp disclosed a vulnerability that allowed hackers to remotely exploit a bug in the app's audio call system to access sensitive information on an iPhone or Android device.

Security researchers said that the spyware that took advantage of the WhatsApp flaw featured characteristics of the Pegasus spyware from NSO Group, which maintains that its software, costing millions of dollars, is only sold to responsible governments to help prevent terrorist attacks and support criminal investigations.

However, the WhatsApp flaw was used to target a London lawyer who has been involved in lawsuits against the NSO Group, and security researchers believe others could have been targeted as well.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


This article, "Israeli Security Firm Claims Spyware Tool Can Harvest iCloud Data in Targeted iPhone Attack" first appeared on MacRumors.com


Researchers and Hackers Use Rare Dev-Fused Prototype iPhones to Unlock Security Secrets

If you've ever wondered how security researchers and hackers manage to bypass Apple's protections and security features to uncover iPhone vulnerabilities and other sensitive info, Motherboard is out today with a new report that has an answer.

Hackers and security researchers use rare "dev-fused" iPhones created for internal use at Apple. These dev-fused iPhones have not finished the production process and have many security features disabled. Motherboard describes them as "pre-jailbroken devices."

A dev-fused iPhone image shared with Motherboard by collector Giulio Zompetti

Dev-fused iPhones are smuggled out of Apple where they can sell for thousands of dollars on the gray market. These iPhones are incredibly valuable due to the fact that they can be used to locate vulnerabilities able to impact release versions of the iPhone.

On the back of dev-fused iPhones seen by Motherboard, there's a QR-code sticker, a separate barcode, and a decal that says "FOXCONN," referring to the factory that makes iPhones and other Apple products. Otherwise, the phones look like normal iPhones. That standard iPhone experience ends when the phone is turned on. When booted up, you briefly see a command line terminal. And then when it loads, gone are the sleek icons and colorful backgrounds of iOS.

Motherboard spent months researching dev-fused iPhones, talking to more than two dozen sources ranging from security researchers and Apple employees to rare phone collectors and jailbreakers, and found that researchers, hackers, and high-profile companies like Cellebrite or GrayKey use these dev-fused iPhones to uncover bugs that can later be exploited by law enforcement agencies.

A dev-fused iPhone was, for example, used in 2016 to study the Secure Enclave Processor, and security researchers were able to uncover valuable details on how it works. These dev-fused iPhones are stolen property and illegal to possess, but are apparently "widely used" in the iPhone hacking scene.

"If you are an attacker, either you go blind or with a few thousand dollars you have all you need," Luca Todesco, one of the most well-known iOS security researchers in the world, told Motherboard, referring to people who buy dev-fused iPhones. "Some people made the second choice."

Motherboard was able to find someone on Twitter who sells dev-fused iPhones, with a dev-fused iPhone X priced at around $1,800. The seller said that he's provided dev-fused iPhones to several security researchers and that he believes major security firms that hack iPhones also use them. Other sellers offer dev-fused iPhones at higher prices, and Motherboard found an iPhone XR priced at $20,000.

Dev-fused iPhones are paired with a proprietary Apple cable called Kanzi that can cost upwards of $2,000, that, when plugged into a Mac, provides access to internal Apple software that offers root access to the phone.

Most of these devices seem to be stolen from and smuggled out of factories like Foxconn in China. Apple is apparently "well aware" of the fact that dev-fused devices are available. Apple has "ramped up efforts" to keep these devices from leaving Foxconn and does go after dev-fused iPhone sellers.

Motherboard's full report can be read over on the Motherboard website, and it is a fascinating look at the world of iPhone hacking for anyone who is interested in how iPhone vulnerabilities are uncovered.


This article, "Researchers and Hackers Use Rare Dev-Fused Prototype iPhones to Unlock Security Secrets" first appeared on MacRumors.com


Researcher Gives Apple Details of macOS Keychain Security Flaw Despite No Mac Bug Bounty Program

A German teenager who discovered a macOS Keychain security flaw last month has now shared the details with Apple, after having initially refused to hand them over because of the company's lack of a bug bounty program for the Mac.


Eighteen-year-old Linus Henze dubbed the zero-day macOS vulnerability he found "KeySteal," which, as demoed in the video above, can be used to disclose all sensitive data stored in the Keychain app.

Henze said he decided to reveal the details to Apple because the bug "is very critical and because the security of macOS users is important to me."


After Henze released the video in early February, Apple's security team reached out to him, but the researcher said he wouldn't disclose the details without a cash reward, arguing that discovering the vulnerabilities takes time.

"Even if it looks like I'm doing this just for money, this is not my motivation at all in this case," said Henze. "My motivation is to get Apple to create a bug bounty program. I think that this is the best for both Apple and Researchers."

Apple has a reward program for iOS that provides money to those who discover bugs, but there is no similar payment system for macOS bugs.


This article, "Researcher Gives Apple Details of macOS Keychain Security Flaw Despite No Mac Bug Bounty Program" first appeared on MacRumors.com


How to Use Automatic Strong Passwords and Password Auditing in iOS 12

In iOS 12, Apple has introduced new password-related features that are designed to make it easier for iPhone and iPad users to create strong, secure, and unique passwords for app and website logins. In this guide, we'll show you how to use two of those features: automatic strong passwords and password auditing.


The automatic strong passwords feature ensures that if you're prompted by a website or app to make up a password on the spot, iOS will automatically offer to generate a secure one for you. Password auditing, meanwhile, flags weak passwords and tells you if a password has been reused across different account logins. Here's how to use the two features.

How to Use Automatic Strong Passwords in iOS 12


  1. Launch Safari and navigate to the site asking you to create new login credentials, or launch a third-party app asking you to sign up for a new account.

  2. Enter a username or email address in the first field.

  3. Tap on the Password field – iOS will generate a strong password.

  4. Tap Use Strong Password to accept the password suggestion and save it to your iCloud Keychain.

Pro tip: Next time you need one of your passwords, you can ask Siri. For example, you could say: "Siri, show me my BBC password." Siri will then open up your iCloud Keychain with the relevant entry, but only after you authenticate your identity with a fingerprint, a Face ID scan, or a passcode.

How to Identify Reused Passwords in iOS 12


  1. Launch the Settings app on your iPhone or iPad.

  2. Tap Passwords & Accounts.

  3. Authenticate via Touch ID, Face ID, or your passcode.

  4. Scroll down the list of passwords and tap on any entries with a triangular warning symbol.

  5. Tap Change Password on Website to open the associated website and make the change.

Note that the last screen shows you on which other websites you've used the same password.

Pro tip: You can share passwords with other people directly from the iOS Password Manager via AirDrop. Simply tap the password field and an option to AirDrop the login will appear. The login can be AirDropped to any device running iOS 12 or macOS Mojave.


Apple Says No Personal Data Was Compromised in Australian Teenager Hacking Incident

In a statement, Apple has confirmed that no personal data was compromised by a 16-year-old student from Melbourne, Australia who admitted to hacking into Apple's internal servers on multiple occasions over one year.

The Guardian:
At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats.

In this case, our teams discovered the unauthorized access, contained it, and reported the incident to law enforcement. We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised.

Australian publication The Age reported that the teen downloaded some 90GB of confidential files, and accessed customer accounts, storing information in a folder on his computer named "hacky hack hack." It's unclear exactly what he downloaded during the series of network intrusions.

The student, who cannot be publicly named due to his age and notoriety in the hacking community, reportedly pleaded guilty to his actions in an Australian Children's Court this week, with sentencing deferred until next month. His lawyer later told police that the teen "dreamed of" working for Apple.

The teen reportedly had a method of accessing Apple's servers that "worked flawlessly" on multiple occasions—until he was caught.

The international investigation began when Apple detected the unauthorized access, contained it, and alerted the FBI. The allegations were passed on to the Australian Federal Police, which executed a search warrant on the teen's home last year, and found the software that had enabled the hacking on his laptop.




Security Researchers Find Vulnerability in Apple’s USB Restricted Mode for iOS Devices

Security researchers claim to have discovered a loophole that bypasses USB Restricted Mode, Apple's latest anti-hacking feature in iOS 12 beta and iOS 11.4.1, which was released on Monday.

USB Restricted Mode is designed to make iPhones and iPads immune to certain hacking techniques that use a USB connection to download data through the Lightning connector to crack the passcode.


iOS 11.4.1 and iOS 12 prevent this by default by disabling data access to the Lightning port if it's been more than an hour since the iOS device was last unlocked. Users can also quickly disable the USB connection manually by engaging Emergency SOS mode.

However, researchers at cybersecurity firm ElcomSoft claim to have discovered a loophole that resets the one-hour counter. The bypass technique involves connecting a USB accessory into the Lightning port of the iOS device, which prevents USB Restricted Mode from locking after one hour.

ElcomSoft's Oleg Afonin explained the technique in a blog post:
What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been paired to the iPhone before (well, in fact the accessories do not require pairing at all). In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour. Importantly, this only helps if the iPhone has still not entered USB Restricted Mode.

According to Afonin, Apple's own $39 Lightning to USB 3 Camera Adapter can be used to reset the counter. Researchers are currently testing a mix of official and third-party adapters to see what else works with the bypass technique.


Afonin notes that ElcomSoft found no obvious way to break USB Restricted Mode once it has been engaged, suggesting the vulnerability is, in his words, "probably nothing more than an oversight" on Apple's part. Still, at present its existence provides a potential avenue for law enforcement or other potentially malicious actors to prevent USB Restricted Mode from activating shortly after seizure.

Both iOS 11.4.1 and iOS 12 beta 2 are said to exhibit the same behavior when exploiting the loophole. However, expect this to change in subsequent versions of iOS – Apple continually works on strengthening security protections and addressing iPhone vulnerabilities as quickly as possible to defend against hackers.

Apple reportedly introduced USB restrictions to disable commercial passcode cracking tools like GrayKey. Afonin cites rumors that the newer GrayShift tool is able to defeat the protection provided by USB Restricted Mode, but the research community has yet to see firm evidence confirming this.
