The good and the bad




Some good news for the security-conscious iPhone user: Apple has incorporated many security and privacy enhancements and patches into iOS 12. The bad news: some updates could have unintended consequences.

Image Credit: Tom's Guide

First, the good news: iOS 12 has an integrated password manager, blocks USB access to your phone if it has been locked for more than one hour, makes two-factor authentication easier to use and lets you turn on automatic updates.

Now, the bad news: you can AirDrop passwords to other iOS and macOS users, creating a potential opportunity for hackers to intercept your passwords via Bluetooth or Wi-Fi. And if the automatic 2FA code-filling function still works as it did in the beta version of iOS 12, it could allow hackers to break into your online banking account.


Let's get the boring things out of the way first. iOS 12 fixes a number of security vulnerabilities, most of which were little known until now. The fixed flaws include an "input validation problem" in Bluetooth; buffer and kernel flaws that allow applications to read restricted memory; and a browsing-history leak and an address-bar validation flaw in Safari.

iOS 12 also includes new restrictions on browsers and applications, which should limit the surreptitious tracking of users' location and behavior disclosed last week by third-party researchers. But there is still no fix for the malicious-website attack unveiled last weekend, which freezes and sometimes restarts iPhones and Macs.

What's the password?

The password management features are undoubtedly the best security improvement in iOS 12. The new operating system will suggest complex passwords when you create a new account. New passwords are saved in your iCloud Keychain so that they work on all your Apple devices. iOS 12 also flags reused passwords so that a data breach does not compromise multiple accounts. Finally, it automatically fills passwords into form fields.

Best of all, these new features will work with third-party password managers, which you can use instead of the keychain. This is a bonus if you do not live exclusively in the Apple universe, or if you already use a password manager, because third-party managers also sync with Windows, Android and often Linux.

Dashlane, LastPass and 1Password are already compatible with iOS 12, and other password managers will be available soon.

For a touch of gray in this story: iOS 12 will also let you AirDrop passwords to nearby iDevices. This will let your visitors get onto your Wi-Fi network, or your children log in to your Netflix account.

It seems very practical. It could also create an opportunity for hackers to intercept passwords. AirDrop transmissions are encrypted, but communicating devices do not need to be on the same Wi-Fi network or paired via Bluetooth – they just need to have both their Wi-Fi and Bluetooth radios enabled. There are ways to break the encryption of Bluetooth transmissions, and Wi-Fi is not at all secure by default. Apple's encryption protocol is pretty strong, but nothing is perfect.

AirDrop is also notorious for letting people, accidentally or not, receive unsolicited files – nude photos, for example – when the sender and the recipient are in crowded public places.

From what we understand, the passwords themselves will be encrypted before being sent over the already encrypted AirDrop connection, and the sender and the recipient will both have to authenticate themselves with Face ID before a password can be shared. But it is likely that hackers and security researchers are examining this feature. AirDrop has always had security issues.

2FA made E-Z

The same good news/bad news pattern applies to iOS 12's automatic filling of temporary 2FA codes sent by SMS. If your online account provider – Amazon, for example, or your bank – sends you a 2FA code, iOS 12 will pick it up and offer it as an autofill suggestion so that you do not have to commit this temporary PIN to memory.

This is very convenient, and we hope it will encourage many more people to use 2FA, which may be the most important security enhancement currently available. (Generated 2FA codes are even better than texted ones, but that's an argument for another day.)

There is a slightly increased risk that someone will find a way to intercept the 2FA code as it is copied from Messages into the Keyboard app, but the trade-off is worth it. It increases the adoption rate of 2FA.

But here is the potentially bad part: it is possible that the autofill suggestion captures not only 2FA codes, but also the special codes that many banks in Europe send during online banking sessions, after a successful login.

These codes are called Transaction Authentication Numbers (TANs) and are generated whenever a logged-in user actively initiates a financial transaction, such as transferring money between accounts or paying a bill. (No TAN is required for passive things like viewing your bank balance.)

The bank sends the TAN to the user's phone to ask the user to verify that they really want this transaction to take place, and the user confirms by typing in the TAN. If the user does not recognize the transaction request, they are asked to call the bank immediately.

The problem with 2FA autofill is that users may not realize that the suggested code is a TAN rather than a 2FA authentication code. An astute hacker could exploit this confusion to trick users into authorizing money transfers.

As TANs are not yet used by US banks, we have not been able to verify whether the final version of iOS 12 automatically suggests TAN codes as well as 2FA codes. We have asked the researcher who discovered this problem in the iOS 12 beta about this, and will update this story once we learn more.

More good things

Other iOS security improvements are unproblematic.

The USB Restricted Mode that was optional in iOS 11 is now enabled by default. This will prevent anyone from using a USB cable to access your iPhone's data if the phone has been locked for more than one hour. (Before that, the window lasted a whole week.) You will need to enter your device's passcode or unlock the phone with your fingerprint (or your face on devices that support Face ID) to allow USB data access.

Automatic iOS updates are now an option – you can now be sure that your iPhone always has the latest security patches. While there have been some buggy updates in the past, this is not as much of a problem on iOS as it is on Windows. We recommend that you enable this feature.

The Screen Time feature that tells you how much time you spend on your phone can also tell you which apps your kids use and for how long. You can also limit the time your kids spend on specific applications or entire categories of apps.

Combined with the location-sharing feature in Family Sharing, iOS 12 now offers many of the features of third-party parental control apps. You still cannot read a child's text messages unless you know their iCloud password.
