The hack, and it is quite a sophisticated and technically difficult one, appears to have been done with insider knowledge. The process had to follow non disclosed memory locations in a very specific order (including jump backs) and calls that would not be obvious unless the users had been primed already to those steps, it could have come about accidentally but as it is so technical it would seem to be very unlikely a chance happenstance What it did was take control of the device and keep control, totally without the owner having any alert that the phone was a zombie. The only way to avoid it was to make the phone a dumb phone with no telemetry at all to the net. MacOS has the same holes.
Is it possible to issue a patch, yes it is. Apple have already patched the first memory locations necessary for the hack to work into a table with a DENY entry. Without those locations the pathway does not exist. The problem is that Apple can issue a new patch that removes those entries and re-enables the pathway. These locations are built into the hardware, the CPU, it requires a re-build of the CPU to totally remove the vulnerability.
What is being asked by the discoverers is this an innocent mistake or was it intentionally built in and supplied to NSA or similar as a very obscure backdoor. Now discovery has made it obvious and something that will be now looked for, no longer obscure so no longer of use (until it is forgotten)… that may be the angle some are looking at as the reasoning for the patch and the holes.
In a blog post, Kaspersky explained that “the attack started with an invisible iMessage, which contained a malicious attachment that was processed without the user’s knowledge” and “did not require any actions from the user”.
Does turning off iMessage also offer a strategy to block the exploit infiltrating a device?
Turning off iMessage only stops the unseen steps that introduce the hack, it seems that there may have been a number of possible initial attack vectors with some not being so “invisible”. Even the Safari hack was invisible to the user of the device, that could have been achieved by a malicious coding in a drive by of a coded page. The iMessage just ensured that the device that they wanted to target was captured and not millions of others that they would need to sift through.
In December a news article advised that Tik-Tok is being investigated by the Information Commissioner over mass breaches of privacy and siphoning and scraping of personal details of users and non users of the product.
It is disclosed that the use of tracking pixels is the method being used. A link to a discussion about tracking pixels for those who may be interested can be found at https://en.ryte.com/wiki/Tracking_Pixel
It will be interesting to see what action, if any, evolves out of the investigation.
Don’t just assume you’re not being tracked if you use a Chrome ‘private’ (aka ‘incognito’) window …
The private window prevents other users of the same machine from seeing your details, but (of itself) it doesn’t block tracking. Chrome is now supposed to tell you about this when you open a private window.
On the topic of tracking, your device’s microphone can hear ultrasound (and you can’t). Be careful which apps you allow to have microphone access:
A link to a post in the topic about data breaches which references a malware setup that could infect visitors to sites and would be hard to detect and remove. The initial para in the post is a bit biblical as it was a reply to a prior post , so you will need to follow the link to see the detail about the article on the malware. The link after that is to the company that has more detail on how the malware is used.
Two articles that raise security concerns over Privacy policies and on-going data collection that look closely at car data collection Many privacy policies seem not to be really about protecting our privacy, but instead are about giving permission for businesses and Governments to have largely unfettered collection rights.
The first The New Daily item was from October 2023
The second The New Daily article refers to CHOICE and their call about the data collection and again it looks at Toyota as example of this collection and sharing of personal data.
Thank you CHOICE for further raising this issue.
For members of the Community and visitors do you own a Toyota?
Were you aware of the extent of the collection and sharing by Toyota?
Do you know what the manufacturer collects and shares about you?
Feel free to leave your comments in response! (remember to remain civil)
We own two Mitsubishi Magnas - we liked the first so much we bought a second. These cars are old enough to lack modern tracking technology - but will eventually need to be replaced.
We are aware of car manufacturers’ desire for data about their customers, to use and sell as they see fit, and this will affect our decision-making when considering our next vehicle. Tesla is off the list, and Nissan and Toyota are looking like rather poor choices at the moment.
More expensive a buy than just the one name. Nissan is a major shareholder.
Staying with the automotive and privacy theme. Noted Repco, Burson and other automotive parts suppliers have ready access to a reverse data base. Input a vehicle rego number and they know the exact model, year etc.
What other details might be linked?
Businesses often share various levels of information with aggregators in their chain or external data resource/analytics providers.
Customer loyalty schemes stand out. For those not a member how often are customers asked for more details to record against a sale for …. supposed customer benefit than legally necessary?
How aware is the average consumer of what they must provide verses what they do not?