Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally -- including non-Apple devices like Starlink systems -- and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

Image: Shutterstock.

**Apple** and the satellite-based broadband service **Starlink** each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the **University of Maryland** say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and **Google** operate their own **Wi-Fi-based Positioning Systems** (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the **Media Access Control** (MAC) address that a Wi-FI access point uses, known as a **Basic Service Set Identifier** or **BSSID**.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API _will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested_. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, _Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups_.

**UMD Associate Professor David Levin** and Ph.D student **Erik Rye** found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the **Institute of Electrical and Electronics Engineers** (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

A heatmap of Starlink routers in Ukraine. Image: UMD.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.

“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.

Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.

UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:

> “In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

Apple did not respond to requests for comment. But in late March 2024, Apple quietly tweaked its privacy policy, allowing people to opt out of having the location of their wireless access points collected and shared by Apple — by appending “\_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “\_nomap” to your Wi-Fi network name also blocks Google from indexing its location.

Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending “\_nomap” to the network’s name.

Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in \[Apple’s\] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”

A copy of the UMD research is available here (PDF).

Why Your Wi-Fi Router Doubles as an Apple AirTag

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference.

Thursday, May 16, 2024 14:00

While I one day wish to make it to the RSA Conference in person, I’ve never had the pleasure of making the trek to San Francisco for one of the largest security conferences in the U.S. 

Instead, I had to watch from afar and catch up on the internet every day like the common folk. This at least gives me the advantage of not having my day totally slip away from me on the conference floor, so at least I felt like I didn’t miss much in the way of talks, announcements and buzz. So, I wanted to use this space to recap what I felt like the top stories and trends were coming out of RSA last week.  

Here’s a rundown of some things you may have missed if you weren’t able to stay on top of the things coming out of the conference. 

**AI is the talk of the town** 

This is unsurprising given how every other tech-focused conference and talk has gone since the start of the year, but everyone had something to say about AI at RSA.  

AI and its associated tools were part of all sorts of product announcements (either to be used as a marketing buzzword or something that is truly adding to the security landscape).  

Cisco’s own Jeetu Patel gave a keynote on how Cisco Secure is using AI in its newly announced Hypershield product. In the talk, he argued that AI needs to be used natively on networking infrastructure and not as a “bolt-on” to compete with attackers.  

U.S. Secretary of State Anthony Blinken was the headliner of the week, delivering a talk outlining the U.S.’ global cybersecurity policies. He spent a decent chunk of his half hour in the spotlight also talking about AI, in which he warned that the U.S. needed to maintain its edge when it comes to AI and quantum computing — and that losing that race to a geopolitical rival (like China) would have devastating consequences to our national security and economy.  

Individual talks ran the gamut from “AI is the best thing ever for security!” to “Oh boy AI is going to ruin everything.” The reality of how this trend shakes out, like most things, is likely going to be somewhere in between those two schools of thought.  

An IBM study released at RSA highlighted how headstrong many executives can be when embracing AI. They found that security is generally an afterthought when creating generative AI models and tools, with only 24 percent of responding C-suite executives saying they have a security component built into their most recent GenAI project.  

**Vendors vow to build security into product designs** 

Sixty-eight new tech companies signed onto a pledge from the U.S. Cybersecurity and Infrastructure Security Agency, vowing to build security into their products from earliest stages of the design process.  

The list of signees now includes Cisco, Microsoft, Google, Amazon Web Services and IBM, among other large tech companies. The pledge states that the signees will work over the next 12 months to build new security safeguards for their products, including increasing the use of multi-factor authentication (MFA) and reducing the presence of default passwords.  

However, there’s looming speculation about how enforceable the Secure By Design pledge is and what the potential downside here is for any company that doesn’t live up to these promises.  

**New technologies countering deepfakes** 

Deepfake images and videos are rapidly spreading online and pose a grave threat to the already fading faith many of us had in the internet. 

It can be difficult to detect when users are looking at a digitally manipulated image or video unless they’re educated on common red flags to look for, or if they’re particularly knowledgeable on the subject in question. They’re getting so good now that even targets’ parents are falling for fake videos of their loved ones.  

Some potential solutions discussed at RSA include digital “watermarks” in things like virtual meetings and video recordings with immutable metadata.  

A deep fake-detecting startup was also named RSA’s “Most Innovative Startup 2024” for its multi-modal software that can detect and alert users of AI-generated and manipulated content. McAfee also has its own Deepfake Detector that it says, “utilizes advanced AI detection models to identify AI-generated audio within videos, helping people understand their digital world and assess the authenticity of content.” 

Whether these technologies can keep up with the pace that attackers are developing this technology and deploying it on such a wide scale, remains to be seen.  

**The one big thing **

Microsoft disclosed a zero-day vulnerability that could lead to an adversary gaining SYSTEM-level privileges as part of its monthly security update. After a hefty Microsoft Patch Tuesday in April, this month’s security update from the company only included one critical vulnerability across its massive suite of products and services. In all, May’s slate of vulnerabilities disclosed by Microsoft included 59 total CVEs, most of which are of “important” severity. There is only one moderate-severity vulnerability. 

**Why do I care? **

The lone critical security issue is CVE-2024-30044, a remote code execution vulnerability in SharePoint Server. An authenticated attacker who obtains Site Owner permissions or higher could exploit this vulnerability by uploading a specially crafted file to the targeted SharePoint Server. Then, they must craft specialized API requests to trigger the deserialization of that file’s parameters, potentially leading to remote code execution in the context of the SharePoint Server. The aforementioned zero-day vulnerability, CVE-2024-30051, could allow an attacker to gain SYSTEM-level privileges, which could have devastating impacts if they were to carry out other attacks or exploit additional vulnerabilities. 

**So now what? **

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63419, 63420, 63422 - 63432, 63444 and 63445. There are also Snort 3 rules 300906 - 300912. 

**Top security headlines of the week **

**A massive network intrusion is disrupting dozens of hospitals across the U.S., even forcing some of them to reroute ambulances late last week.** Ascension Healthcare Network said it first detected the activity on May 8 and then had to revert to manual systems. The disruption caused some appointments to have to be canceled or rescheduled and kept patients from visiting MyChart, an online portal for medical records. Doctors also had to start taking pen-and-paper records for patients. Ascension operates more than 140 hospitals in 19 states across the U.S. and works with more than 8,500 medical providers. The company has yet to say if the disruption was the result of a ransomware attack or some sort of other targeted cyber attack, though there was no timeline for restoring services as of earlier this week. Earlier this year, a ransomware attack on Change Healthcare disrupted health care systems nationwide, pausing many payments providers were expected to receive. UnitedHealth Group Inc., the parent company of Change, told a Congressional panel recently that it paid a requested ransom of $22 million in Bitcoin to the attackers. (CPO Magazine, The Associated Press) 

**Google and Apple are rolling out new alerts to their mobile operating systems that warn users of potentially unwanted devices tracking their locations.** The new features specifically target Bluetooth Low Energy (LE)-enabled accessories that are small enough to often be unknowingly tracking their specific location, such as an Apple AirTag. Android and iOS users will now receive the alert when such a device, when it's been separated from the owner’s smartphone, is moving with them still. This alert is meant to prevent adversaries or anyone with malicious intentions from unknowingly tracking targets’ locations. The two companies proposed these new rules for tracking devices a year ago, and other manufacturers of these devices have agreed to add this alert feature to their products going forward. “This cross-platform collaboration — also an industry first, involving community and industry input — offers instructions and best practices for manufacturers, should they choose to build unwanted tracking alert capabilities into their products,” Apple said in its announcement of the rollout. (Security Week, Apple) 

**The popular Christie’s online art marketplace was still down as of Wednesday afternoon after a suspected cyber attack.** The site, known for having many high-profile and wealthy clients, was planning on selling artwork worth at least $578 million this week. Christie’s said it first detected the technology security incident on Thursday but has yet to comment on if it was any sort of targeted cyber attack or data breach. There was also no information on whether client or user data was potentially at risk. Current items for sale included a Vincent van Gogh painting and a collection of rare watches, some owned by Formula 1 star Michael Schumacher. Potential buyers could instead place bids in person or over the phone. (Wall Street Journal, BBC) 

**Can’t get enough Talos? **

*   Talos joins CISA to counter cyber threats against non-profits, activists and other at-risk communities 
*   Click Here Ep. #130: A wrinkle in time: GPS jamming in Ukraine and its ripple effects 
*   Talos Takes Ep. #184: Why CoralRaider is looking to steal your login credentials 
*   Generative AI’s disinformation threat is ‘overblown,’ top cyber expert says 

**Upcoming events where you can find Talos **

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** d529b406724e4db3defbaf15fcd216e66b9c999831e0b1f0c82899f7f8ef6ee1   
**MD5:** fb9e0617489f517dc47452e204572b4e   
**Typical Filename:** KMSAuto++.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** W32.File.MalParent

Rounding up some of the major headlines from RSA

iOS users are reporting that photos they had deleted long ago suddenly showed up again after this week's 17.5 update.

iPhone owners are reporting that photos they’d deleted are now back on their phones, after updating to iOS 17.5.

With so many users reporting similar oddities, it would seem something went wrong, or at least different than to be expected. Here are some examples from Reddit:

> “When in conversation with my partner, I went to send a picture and saw that the latest pictures were nsfw material we’d made years ago”

> “I have four pics from 2010 that keep reappearing as the latest pics uploaded to iCloud. I have deleted them repeatedly.”

> “Same thing happened to me. Six photos from different times, all I have deleted. Some I had deleted in 2023.”

When you delete a photo from an iPhone or iPad, it goes into a “Recently deleted” album for up to 30 days to make it easy to recover if the photo is accidentally deleted. However, the above examples vastly exceed this timeframe, and it’s unclear exactly what’s happened here.

When you delete a file, actually all that happens is you remove the pointer that tells you where exactly the file is located. This makes it hard to find, but not impossible. Until the system uses the location of the deleted file and replaces it with other data, the file can be retrieved.

Apple’s last update for iOS 17.5 and iPadOS 17.5 came out on Monday with a warning to update your iPhone as soon as possible. That’s because iOS 17.5 fixes 15 security vulnerabilities, some of which are serious. Please don’t let this article stop you from installing the update, but it’s good to be prepared for some unexpected behavior.

At the time of writing, Apple hasn’t commented on the issue.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Deleted iPhone photos show up again after iOS update 

Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties.

Talos releases new macOS open-source fuzzer

Google is introducing new AI-powered safety tools in Android 15 that can lock down your phone if thieves nab it.

Billions of Android phones are getting new tools to stop phone thieves from accessing your information and to slow down their criminal behavior, Google announced today at its I/O developer conference. Android phones will soon use artificial intelligence to automatically detect when they have been snatched from your hand and lock themselves, as part of the new changes that include adding extra protections to secure your phone if it has been stolen.

The upgrades—some of which will come with the Android 15 operating system, while others will be compatible with older phones—come as phone companies are increasingly building extra measures into their software to thwart rampant levels of phone thefts and further protect people’s data. As well as the stolen phone tools, Google is introducing new changes to Android 15 that will scan how apps are using “sensitive permissions” in real time to detect potentially suspicious app activities.

Around the world, phone thefts are a huge problem—in London, for example, a phone is stolen every six minutes. Thieves riding electric bikes or scooters can snatch phones out of people’s hands, pickpockets can easily nab devices from bags, and others are known to peer over shoulders to learn a phone’s PIN before they steal the device.

Stolen phones can be resold if they are unlocked or passed on to others who can break them down for parts and sell those components. However, some criminals will also try to access banking or crypto apps and transfer money. “The thieves profit from the physical device themselves, but they also increasingly are trying to get into the content of the device, where the most valuable data is stored,” Jianing Sandra Guo, an Android security and privacy product manager at Google, tells WIRED. Some thieves, if they have a locked phone, spam people with phishing emails and messages to friends to try and get login details.

Google’s anti-theft tools have been designed to add more protection before a phone is stolen, during the theft, and after a phone has been taken, Guo explains. In keeping with Google’s and the wider tech industry’s push, some of these have been built using artificial intelligence as a key component.

Courtesy of Google

Android’s new Theft Detection Lock uses Google’s AI to determine when your phone has been snatched from your hand. If it detects this, the phone’s screen will automatically be locked. Using smartphone sensors, such as the accelerometer and gyroscope, Google trained its algorithms to detect sudden changes in the phone’s positioning and the motions that might indicate it has been snatched.

“There’s a grabbing of the phone, changing hands, and then an attacker running, biking, or even driving away with a device,” Guo says. To train the algorithm, Google’s research staff studied how phones are commonly stolen, then its teams re-created snatching events against each other to collect data about what a simulated theft looks like.

Thieves stealing phones, Guo says, will often open the camera app when they don’t know the phone’s PIN, to stop them from losing access to the device. They also often try to disconnect it from cell networks for a long period of time so they can’t be locked out of the device remotely. The company’s new Offline Device Lock will lock your screen when the phone is offline for an extended period of time, if the setting is turned on.

To increase protections before a phone is stolen, Google says in a blog post, the company is adding four data protection features that can help keep your information locked down. The first stops your phone from being set up after a factory reset, unless the person knows your login details. “This renders a stolen device unsellable, reducing incentives for phone theft,” Google vice president Suzanne Frey writes.

There’s also a new “private spaces” option where you can store sensitive apps, such as banking apps, that require a second PIN or use of your biometrics, such as a fingerprint, to access. There are also extra authentication controls being put in place: If a thief tries to disable Google's Find My Device location-tracking service they will need to also use your PIN, password, or biometric information to unlock it. If a thief does know your PIN, it will also be possible to turn on the need for biometric authentication to make changes to important Google account and device settings, such as a PIN change or turning off anti-theft settings.

The extra authentication features are similar to those introduced by Apple in its Stolen Device Protection system that debuted in iOS 17.3 earlier this year, although Google’s theft motion detection goes further than these tools. The aim of all anti-theft options is to lock down the information stored on phones but also to make it harder for criminals to abuse devices when they have them. Making it more difficult for criminals to resell phones or transfer money may help to deter thefts.

If your phone does get stolen, Android already allows phones to be locked and wiped. However, Guo says, the experience of having a phone swiped from your hands is a “traumatic” experience, and in the aftermath, people may not remember all their Google account login details to close off access to the phone. To address this, Google’s new Remote Lock feature will allow people to lock their phone using just a phone number. “The content of the device is protected, and it buys the user a lot of time … to be able to organize themselves and do further remediation,” Guo says.

Google’s new protections around factory resets will launch with Android 15, while some of the other features will be available later this year. Guo says that, where possible, Google has tried to make the features work on versions of the software as old as Android 10.

Aside from the anti-phone-theft tools, Android is coming with other security and privacy updates. Google’s app safety system, Google Play Protect, scans billions of apps every day to detect malware, but now this is being expanded to do live scanning on people’s phones to better detect suspicious behavior. “With live threat detection, Google Play Protect’s on-device AI will analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services,” Dave Kleidermacher, a Google vice president, writes in a blog post.

Other security-related updates to Android 15 include hiding notifications and one-time passwords from appearing if you are sharing your phone’s screen with others, hiding login details if you are logging in to an app or website while sharing your screen, and identifying when cell connections are unencrypted and alerting people if there is a “potential false cellular base station” or IMSI catcher nearby that is logging a user’s phone.

_Updated 2:45 pm ET, May 15, 2024, to clarify that several new features will be included in updates that are separate from Android 15 itself, according to Google._

Android Update: Theft Detection Lock Knows When Your Phone Is Stolen

Apple Security Advisory 05-13-2024-8 - tvOS 17.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-8 tvOS 17.5

tvOS 17.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214102.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtmQACgkQX+5d1TXa  
IvpH5hAAtZjOJDsDvmKZhDYNv+q147EOgkWQL99zvmBReygAUqk+KoLQQkkfRLP7  
zTw53l3zvcH5Tar065NTIr/9jW3MDlZ9ipKU5pwy2R6tWRkh5zug6T7WINpcLybv  
6U39illkCn4EOyTZSoET/kkbuu/CQ6QUPC/CX5R/FtBmAmLNcImRjIgHqRjQKVhO  
9ACminYR+gUbsSqn5OfU0hwbvX2pXzqzE8LoOmhgpJyJIbyUUPHt5C6DYmJ79dlf  
Ui0rXKF+kwzqDrAPxph3XhCW0F+IvceREMLefUQXxvQ/0eDZhkCGwyw4/zezoXhg  
k/rAGQ7EEd27AqyDGyRoLpmFvIXafTp3OrePNPnyjE7j06syH4NnkwQoLerdrW9x  
KOCWQYJ9v03SfJpzGQOVA+aP2sHe4jSR4mtq7m7dax6qKjKrLWog7aqu6+pZZ4Ga  
9AXLEU7sQgNF8TWosVgpUmQEas8v3GQflUqjHvczPyPr4T8Br5VhiM8FYj9SWsPb  
mO/57/3kdsaU6DrD1C1mf5SAjFFi65ox78n8hdXOe1B02fvpDOXyz278XBuVMWE0  
CfhrwhXicP0itQp/KtgrnT+iUhkuPieNBiped/KHPfe9YXOfpjGrtcPQfximiYsD  
rGPnxm5tCJPobmTzRUdsu9TSInqUP291SOvkyX1DEQUkIszm6ao=  
=oc3g  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-8

Apple Security Advisory 05-13-2024-7 - watchOS 10.5 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-7 watchOS 10.5

watchOS 10.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214104.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleAVD  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27810: LFY@secsys of Fudan University

RemoteViewServices  
Available for: Apple Watch Series 4 and later  
Impact: An attacker may be able to access user data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27816: Mickey Jin (@patch1t)

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may output sensitive user data without consent  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-27821: Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit)  
of Kandji

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: An attacker with arbitrary read and write capability may be able  
to bypass Pointer Authentication  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 272750  
CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro's Zero  
Day Initiative

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreHAP  
We would like to acknowledge Adrian Cable for their assistance.

HearingCore  
We would like to acknowledge an anonymous researcher for their  
assistance.

Managed Configuration  
We would like to acknowledge 遥遥领先 (@晴天组织) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtuoACgkQX+5d1TXa  
IvoryhAA0MH7dQ2spvGCOs9o90Ha8QfUwkzV6S+x/kjtb+4dVh+Myyyxcq3HfJP/  
71NRMcHvxM2nE7d23D9TSDdkKqEckR/vpgRMR9oPPy+bLnqccu7Rx02dIyOcW0AD  
sOI+puKn2oVSENiQte+Rs5RBBslrzG5G+Ezr2BVyk5jA4q8f2yD3vFlc+4K6u4Xf  
xcM0rgqLTQ1Pe4CiJepLZlm5/I4ub9jNHgYw37lrBg8ptBBOP722Mt+XeuHcE0tr  
SCvoVCDePnbHPNzofgsSlv0bv6CpfvOYKgRouWzb3wf+a9Cg/2fPN39nZtVt7V+l  
WqSJjgGB71QgwtRpmr/nWz3VKzSE9xdnu0H6BOrVAC9qYWn1Qz9S0bfTVhWJDCvk  
XyGhpoHrsKOR/PDjm8nCx7MzqeWxsG/yaYHileud3a9tAx1g63kDrwaPjpG4sNg1  
U5pvYLE942yOoImWyFkfcnf9UCGqwdYiNR8uFyfuPoBFhiCM85CjwD3tM2UG0H5Q  
xxU1iYNIHPeDd4q5DEaFqtC3nNraY3JGoAO5im7vNFv4JcoiMb8ObNTLDkNduThd  
q1uB74m37Pfqq/PT2xtnACHfWpvUpu/Gc0JcUuS+uMB1nUbvPQpNNJqx7WHwk3Q2  
r8OvMZ1Vw+4APbZ7B5Jnj4pkxSAifC2HQ7FqytCGzRzGqHOrF60=  
=+u2d  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-7

Apple Security Advisory 05-13-2024-6 - macOS Monterey 12.7.5 addresses an issue where a malicious application may be able to access Find My data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-13-2024-6 macOS Monterey 12.7.5

macOS Monterey 12.7.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214105.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Find My  
Available for: macOS Monterey  
Impact: A malicious application may be able to access Find My data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-23229: Joshua Jewett (@JoshJewett33)

Foundation  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved checks.  
CVE-2024-27789: Mickey Jin (@patch1t)

Additional recognition

App Store  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Monterey 12.7.5 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtZ4ACgkQX+5d1TXa  
IvqR2g//T7xisOQJEBugIuk4sXS7qt1O1wchiJC99EBhXK4ulCyEcBMIdGSPp3zJ  
QmtwU/0nB5zOd5DsSQh6N+Jj9Wb6bLauR8d4QhyrlemttMSYGHPC47WkF0HIYiLv  
IGL+A/Z+uulb22sRb3MZ8CNDZA2mUVtRZKRnBwBNO2yZEofWvM4KNIyQThR2z17c  
MvZuVBEo9NFMuEeXRLzCwmDfe344j9f3eQyY/5mnYLXQx60Lzg6BZxF1nCbN+mYc  
vGHDPs3744sTmcj8pBLBX6629O/9uLe/IgQX8QDA1aaW9G/x2njICxecVHA9QRti  
BPhbQfh9DWvUo3Wrmk/6kDb/d3kb/arx/HE3x4M+AbXlXA1G8GVOrFig6W9bgJRX  
e1I0ZQhXvPqBAles4XK14x6cXzXGNfPjbwVgAAHSqsiDqBSp7CUPM5i/6yPRz7AN  
uJG54euZ+02i8NErPXbe91kgHNidWQVnUMxDkle2QT3/Wo3mKcLfEGRJU89wiGw3  
dkoclqgKD8vUT+EUiPShOAa5/FUVR9F7PjGDrV91IKBtwC8VoLmSMcu4hIKhlIFW  
xWat/sFCLVz+8nmRKVgn+xoSwtYvAvbImI83QQsf4Q+GH0WsgHG1dRw3VRjXy3US  
lOnT6nKXFCvB3n139cgHLp3Q5ZoRf1xKVv5/EvOIP9jagB13QbU=  
=cPoJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-6

Apple Security Advisory 05-13-2024-5 - macOS Ventura 13.6.7 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-05-13-2024-5 macOS Ventura 13.6.7macOS Ventura 13.6.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT214107.Apple maintains a Security Releases page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.FoundationAvailable for: macOS VenturaImpact: An app may be able to access user-sensitive dataDescription: A logic issue was addressed with improved checks.CVE-2024-27789: Mickey Jin (@patch1t)Login WindowAvailable for: macOS VenturaImpact: An attacker with knowledge of a standard user's credentials canunlock another standard user's locked screen on the same MacDescription: A logic issue was addressed with improved state management.CVE-2023-42861: an anonymous researcher, 凯 王, Steven Maser, MatthewMcLean, Brandon Chesser, CPU IT, inc, and Avalon IT Team of ConcentrixRTKitAvailable for: macOS VenturaImpact: An attacker with arbitrary kernel read and write capability maybe able to bypass kernel memory protections. Apple is aware of a reportthat this issue may have been exploited.Description: A memory corruption issue was addressed with improvedvalidation.CVE-2024-23296Additional recognitionApp StoreWe would like to acknowledge an anonymous researcher for theirassistance.macOS Ventura 13.6.7 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmZCtJoACgkQX+5d1TXaIvrg7hAAr/7mbBr3n+eJIP7aXfLdQWZb/NQLK7i87jk0RDCweCeWf2ZDGSjEXn3I0t8qS9bFjouQi3c6Zgu96zIbZ7QHS2KZ3w+41Cjzknb+wKoxb6UkbDe8gaay/QODBQH/GVcFjdEKLJCbnBBjatpf9PgBTkMJQ7UvXbfCUksowN6dUnTcRyxB8fPyFp7yZrKfGLe2mfO3E6kx+lcqThgiKsKuuZNju0A0d8wFyEkKqcQOPtg6PYiM4MTkI+GsckdB1sYy9dK219Gx3s9kj/RUmjBl/rNweC6s85ltqQgzhO0vZtwlcoThM7eMmCAHddjx3YMbh2iv2ypE44xv7XzGik5PjNhWHbVqA2dvFsTuA1K1ZYy04dKQ7i9A/LAcs1THVT29cIA4Xzj1lWBviVHjmFYZG2xkssKf1haqs9H0YB0coZGrNMKVwrW5HBf71oYCr49z/iypIpM4dc7bC7VTPe25Q/Ri5da1D7tTtElY33Vi0uPTqcSQgIwAEN+kYNEbJrH1itk/kyW0y44TRSlo477UyDWXaNZXh8N7ClU1svAl7qUnDstLIPve+watsvlr2/nLwUEvV/3wbja3D6X35M/lwEX8rDA1HVjlNKEDfhV76xRae6Tx36y/5hGDCb6b666e9vh7p7KcaFd54TX+gnH8swkENhVBLV+mZWfSq0fMPTs==xqZE-----END PGP SIGNATURE-----

Apple Security Advisory 05-13-2024-5

Apple Security Advisory 05-08-2024-1 - iTunes 12.13.2 for Windows addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-05-08-2024-1 iTunes 12.13.2 for Windows

iTunes 12.13.2 for Windows addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214099.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: Windows 10 and later  
Impact: Parsing a file may lead to an unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2024-27793: Willy R. Vasquez of The University of Texas at Austin

iTunes 12.13.2 for Windows may be obtained from:  
https://www.apple.com/itunes/download/  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmY78cYACgkQX+5d1TXa  
IvrzDBAAlfeS0odTgHy5AqrW8H47U7kDb6Mob0XW7RF/eii3C3M07a+zZ6fqXrws  
NrR85Az++0l0LICFINyG2uqNlJP831J3ib4MQLmCp0awX5UPLdZ1JZE5afu4GAZk  
t0rDDfUYuhVrArYC1BaSMm3OjiSD3CctLxHPY4PDsLbaeq/J7kSz03Lr42TyLuIU  
wO/c0hxiNSPrrq6vlSO2yCFzuISkB+HkJMPNFst6h7lpCAfimw2pHXhzGKAHUzAG  
ra2TEi4/Zpd5heDhC8rXbVYAgc9q5YCkPT5EDPa4aIYqZynICNugrY5Y0OSV05sp  
l8LuuEsTJY/Vmf4+1xx+ZI2E8LReP/QMCA0pPOGEJXT5PifdrEVIRvV7vAGClWk3  
C9t4FpcYBIt4e3AwSoaQoykdPRCB5mEL+D+gfycLvJBmbng+PnE2T+oQYd6IkVu4  
toYaJ+jo6fNmHHFueBT7ecsCG6kDyJyd1tDTLLxCaTDVPvJ10uk/k68FYbpTy1rY  
EzBbKGnaHKrr2DNFQPiqFnonaLRvUUJXlH5RtlrWVH9/cAXE8sIPfrrO+NPIAEG2  
WoCKA0jOYhR/SO5O4VLqAi0yTSzrvWp7Gp//ov9J0f2S28kUP0kdUGL/Z8Lsbro9  
un3U1C3pgDwcsGrYXpU+Ye/98gUjz5bEu2dMbT5u2fVwkbOQBVs=  
=NV/p  
-----END PGP SIGNATURE-----

Tag

#apple