In this week’s Cyber Blurbs Roundup, we take a look at a critical iPhone update, the president’s bold choice for the FTC, and some subpar security measures from Walgreens.
Update Your iPhone’s Software ASAP
We’re about a week late with this one, but here’s hoping to catch anybody who isn’t always up on software updates: You need to update your iPhone to iOS 14.8. Like, now. Chances are by the time you’re reading this, you’ll have updated your phone to the more-exciting iOS 15 anyway, but here’s hoping to catch a few of you who aren’t paying attention.
Apple released its latest operating system update on Sept. 13, prompting major publications like The New York Times to send out a rare push notification often reserved for massive headlines like (checks phone) critical vaccine decisions from the FDA and the Pentagon acknowledging a tragic military mistake. Suffice it to say this iPhone update is a big deal.
In its security note, Apple states that the update addresses “maliciously crafted web content [that] may lead to arbitrary code execution.” The company goes on to say it “is aware of a report that this issue may have been actively exploited.” The update is available for many of the company’s latest devices, including iPhone, iPad, and iPod touch. A separate, related update was also released for the Apple Watch and macOS computers.
The issue came to light through the notorious Pegasus spyware, which was found to be capable of carrying out zero-day, zero-click exploits against Apple’s iMessage. Citizen Lab, a Toronto-based public interest cybersecurity group, discovered the vulnerability and says the exploit has likely been in use since at least February.
“Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them,” Citizen Lab wrote in a report. “As presently engineered, many chat apps have become an irresistible soft target.”
While Apple considers these attacks expensive to carry out and unsustainable against the masses, the company still patches its devices to prevent potential intrusions.
“We continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data,” Apple security executive Ivan Krstic said in a statement.
Biden Eyes Privacy Advocate for FTC
US President Joe Biden nominated Alvaro Bedoya, a Georgetown law professor and privacy advocate, for a seat on the Federal Trade Commission.
Bedoya founded Georgetown’s Center on Privacy and Technology in 2014, and is widely known for his criticism of facial recognition technologies. He co-authored a 2016 report detailing the issues with facial recognition tech, stating that one in two American adults can be found in law enforcement facial recognition networks.
Bedoya’s nomination could signal a shift in the commission’s approach to handling big tech, which has received its share of criticism in recent years. The FTC settled with Facebook over its Cambridge Analytica scandal in 2019, agreeing on a $5 billion fine (and some changes to company policies) after the commission found the social media giant to have deceived its users regarding privacy. Despite the record-breaking fine, some believed the commission could have pushed for more from Facebook considering the gravity of the situation.
Digital privacy has been at the forefront of the tech industry over the last few years, ranging from industry-shifting changes to Apple’s mobile operating systems to on-device scanning for images being uploaded to private cloud storage.
Bedoya was nominated last Monday, and the nomination will require confirmation from the Senate. If confirmed, Bedoya would replace Rohit Chopra on the FTC.
Walgreens COVID Testing Exposed Patient Data
Walgreens, America’s No. 2 pharmacy chain both in market capitalization and receipt length, did not adequately protect the privacy of patients who received COVID-19 testing services. According to Recode, various security experts have found the company’s digital privacy and security practices to be subpar and generally unfit for the second-largest pharmacy chain in the United States. The vulnerabilities are said to have impacted millions of people who received COVID-19 tests at Walgreens, potentially exposing their names, dates of birth, gender identities, phone numbers, as well as physical and email addresses.
First identified by security researcher Alejandro Ruiz of Interstitial Technology PBC, the vulnerability is rooted in the way the company handles testing registration. Rather than requiring patients to create user accounts with built-in authentication measures, Walgreens simply asks that patients retain a unique 32-digit ID generated at registration. The user then receives a URL that hosts appointment information.
The problem lies in the URLs, which are virtually identical except for the 32-digit ID. While user information is technically protected by the designed complexity of the 32-digit ID, security experts argue that obscurity alone is not strong enough protection for medical records. Worse yet, skilled hackers could take the time to create an automated method of generating potential user IDs.
Ruiz says he contacted Walgreens regarding the issue, though the pharmacy giant has yet to address its vulnerabilities.
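To make the weakness concrete, here is an added illustration (not Walgreens’ code, and not from the Recode report) of the two lookup patterns: one that returns a record to anyone who presents the right 32-digit URL token, and a hardened one that also requires the request to come from the authenticated patient who owns the record. The in-memory store, patient IDs and appointment details are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Appointment:
    record_id: str    # the 32-digit token that appears in the URL
    patient_id: str   # the authenticated identity that owns the record
    details: str


# Constructed in-memory store standing in for the appointment database.
RECORDS: Dict[str, Appointment] = {}


def new_record_id() -> str:
    """32 decimal digits from a CSPRNG (~106 bits), not a counter or timestamp.

    A sequential or time-derived ID is what makes automated guessing feasible;
    a random one is not guessable, but it is still only a secret in a URL."""
    return "".join(secrets.choice("0123456789") for _ in range(32))


def register(patient_id: str, details: str) -> str:
    """Create an appointment and return the token the patient would be emailed."""
    rid = new_record_id()
    RECORDS[rid] = Appointment(rid, patient_id, details)
    return rid


def lookup_unauthenticated(record_id: str) -> Optional[str]:
    """The weak pattern: the URL token alone is treated as proof of identity."""
    appt = RECORDS.get(record_id)
    return appt.details if appt else None


def lookup_authenticated(record_id: str, session_patient_id: str) -> Optional[str]:
    """Hardened pattern: the token selects the record, the session proves who is
    asking, and ownership is checked before any data leaves the server."""
    appt = RECORDS.get(record_id)
    if appt is None or appt.patient_id != session_patient_id:
        return None  # identical response for "no such record" and "not yours"
    return appt.details
```

With the hardened form, a leaked or guessed URL yields nothing without the owner’s session, and a failed ownership check is the kind of event worth logging and rate-limiting on the server side.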