Thriving with Technology Podcast: Contact Tracing on Your Smartphone. Should You Worry?
We asked USA Forensic, our cybersecurity specialist, to chat with us about whether we should update or not. Listen to the PODCAST here!
Here's the full transcription of the conversation:
August Brice: I'm so excited to have Matt Erickson and Bryan Neumeister, the cyber-team from USA Forensic.
August Brice: I always like to talk about some really fascinating thing that you're working on right now. Is there anything that we can talk about today that's exciting? Have you taken apart any phones recently to find something fascinating?
Matt Erickson: Generally speaking, we're using the exploit to jailbreak iPhones to get a lot more data than what the standard forensic processes can give us and it's way, way more data. Those are phones that are on older hardware and older operating systems. It's scary what you can see. You can see which applications were opened and where they were opened from. If it was the home screen or if it was running in the background, we opened it from there. There's a lot of new details we have access to now.
August Brice: Now, you said on older operating systems. Does that mean if we keep updating, maybe we can keep people, who might want to find out our business, from finding out our business, if we keep updating?
Matt Erickson: That's true in anything newer than an iPhone 10. iPhone 10s, even on the latest operating system, are still vulnerable to exploit, for the jailbreak rather. The newer phones and the newer software combined are really, really the best thing for you.
August Brice: The main reason that we talk about this on Tech Wellness is because I want people to feel really comfortable that their phone is their phone and not somebody else's information. You know what I mean?
Matt Erickson: Correct.
August Brice: Tell me, if we do continue to keep our updates, because in part of our recommendations from you, Bryan, we talk about how important it is to keep updating our phones so that hackers can't get into them. So, Matt just talked about how easy it was with this new, whatever software/hardware you guys have, to see really, really incredible specifics about what people do on their phones. So if we keep updating, can we keep the hackers away?
Bryan Neumeiste...: The idea of an update is a couple of things. One is to plug leaks in the ship, so to speak. The second would be to add new abilities to a phone. The idea with an update is to limit the amount of access people have to your operating system. So with each new update, you're plugging exploits. However, people are always working on new exploits, so it's a continuing battle.
Matt Erickson: Yeah, that's exactly right. Currently, if you have an iPhone newer than the model 10, then you definitely want the latest operating system. Currently, that is not vulnerable to the exploit. However, iPhone 10 and older, regardless of the operating system, those can still be jailbroken without really much effort at all.
August Brice: Matt, this leads us to the whole controversy. There is a controversy going on about 13.5.1 because of the new contact tracing. Apple and Google have both said it's not actually an app but an API.
Matt Erickson: Correct. It requires an official app to function properly, which up to this point, there is not one released for this country. So, those settings are visibly disabled by default within iOS 13.5.1 and newer.
August Brice: Okay. Right now, what you're saying is we're safe from anybody using that API inappropriately.
Matt Erickson: I don't know if that's a guarantee, but-
Bryan Neumeiste...: Safe is a relative term. The genie has been let out of the bottle. That is available to people to run with as they please. Once you let a genie out of a bottle, there's no telling where it's going to end up.
August Brice: Somebody who probably shouldn't be doing what they're doing could use that API. Am I referring to it correctly?
Matt Erickson: Yes.
August Brice: Okay. Could use that API to install something on some phone to find out something that they really shouldn't be sharing.
Matt Erickson: It's a possibility. I think it would probably be awhile before something, I guess, develops, but the code framework is there. So, I think it's only a matter of time.
Bryan Neumeiste...: The other thing is who really wants something like this. Law enforcement, of course, would love to have it because you could literally see who's hanging out with who if you're doing drug interdiction or something like that. The question is, does everybody want somebody looking at where they are and who they're with? A lot of apps can do that anyway. They track your habits like Foursquare and those kinds of apps track where you go using the data for regional advertising. The question is, how much of your privacy do you want to give away? I think, it's the coin here.
August Brice: How much of my potential privacy would I be giving away if I did the update? By the way, I'm still on 13.3. I'm very happy there for now. Because I understand with 13.5, you're very vulnerable. And so if you are on 13.5, you should update to 13.5.1.
Bryan Neumeiste...: One thing that's important to know is it depends which model iPhone you're using and which software revision you're using, or version you're using because each one has... As Matt just said, the newer iPhones are less vulnerable than the older one. There's so many variables here. It's such an interesting field. It depends on what you mean by vulnerable and who's after you to get what because it does take some handshake between an app and a phone, especially on a jailbroken phone, to access stuff that you have that's private.
Matt Erickson: Yeah. 13.3 version iOS is vulnerable to an exploit for jailbreaking on every model except the iPhone SE generation two. All other models running that iOS can be jailbroken. Jailbroken phones are going to give you a lot more access to databases that are otherwise not accessible on a standard forensic process. So if law enforcement gets your phone, they're going to be able to jailbreak it very easily and see pretty much everything that happens on your phone, and everything you've done and your passwords, and everything like that.
August Brice: Okay. Technically, what does jailbreak mean and who can do a jailbreak?
Matt Erickson: Basically, it's just an altered version of the operating system, to put it simply. It tears down security walls basically, so software can run and do things that otherwise it was not permitted to do.
August Brice: Can anybody jailbreak my phone? Can somebody get into my phone without holding onto it and jailbreak it?
Matt Erickson: There's not a method I'm aware of currently that would allow that to happen. It's a method that they have to have your phone in hand to do that.
August Brice: Okay. That makes me feel a little better.
Bryan Neumeiste...: Another quick thing is you can set your data port in such a way that it is not transmitting data unless it's unlocked, so that's an important thing to do on the newer iPhones.
August Brice: Hey. Can we put that tip on a blog? Can you send that to me-
Bryan Neumeiste...: Sure.
August Brice: ... step by step how to do that?
Matt Erickson: Yeah, absolutely.
August Brice: Great. Also, I'd really like to make this easy for everyone. So, can we get some sort of a chart or a schematic showing if you have this iPhone, you should be doing this version? Because you said all the versions were different.
Bryan Neumeiste...: Yes.
Matt Erickson: Yes, that's correct. There's a snippet of what I sent yesterday that I'm happy to provide that's hosted publicly on a Reddit page that is used directly by one of the big forensic tools that we use.
August Brice: I'm shy about updating to 13.5.1 because I feel like it's opening up for not somebody who might jailbreak my phone but just for my health insurance company to eventually know something about me that probably should be private.
Bryan Neumeiste...: Well, there's a way to shut off the actual Bluetooth update that they installed. I think we can send you a map or a graphic of that.
August Brice: You mean just how to turn off auto updates? Is that what you're saying?
Bryan Neumeiste...: No, how to turn off that particular vulnerability for Bluetooth that if they do have a national app they can use the iOS update with, there is a way to shut that particular piece of data down.
August Brice: We will do that as well. Great. Okay. But like you said, Bryan, before, if it gets into the hands of the wrong person or the wrong mega developer and they somehow can access this information because of this new API that was put in, what's something that could happen to just about anybody?
Bryan Neumeiste...: Well, again, it's not a matter of if, it's a matter of when, as it always is when new technology comes out. That's just the nature of the business. It's really a Pandora's box. There's no way to tell how it can be used at this point, but there is a way to shut it off with the current operating system. Even if somebody does download an app, there's a current way you can shut it down. We'll send you a graphic on that so that it's very easy for people to make sure that even if they do get the app, that they're not transmitting their data.
August Brice: Okay. This is interesting because at this point, I'm not updating. But as I get more information, and this is what I've told my community, if you're unsure about it, give it some time. Let's get all the information on the table. Let's find out other people's experiences. Because as these things roll out, generally within a month, you know all of what are they, they're not-
Bryan Neumeiste...: Well, they're very often in the computers. For example, if you're running a Windows or Mac computer, you're going to get constantly updates. It's best usually to wait a bit, especially on Windows updates, to see what the community out there thinks of the update. Because with every change, there are programs that may not interact well with the frame network, frame updates or something of that nature. So very often, programs aren't compatible right away with the update and it might take them a little bit to catch up. So, you might not want to update your computer right away to the latest, greatest until you find out if the programs you're running are compatible with the update. That's going to be pretty apparent by what people are saying online.
August Brice: Right. We're going to get more information about this particular one. You know what's interesting? I've turned off my auto updates. I typically do not ever go on Wi-Fi, so that's a good thing. But, I do connect to the internet. My auto update hasn't come through. However, I've had several people comment on the post that I said, "Hey, be careful about auto updating to 13.5.1." Tell me that their phone auto updated even though it was disabled, the auto update function was disabled. Have you heard about that? Is there anything we can do to prevent it just in case?
Matt Erickson: I have heard about that. I've seen many cases where people are very unhappy about that. They confirm their auto updates are off and they did get the update.
August Brice: What happened and how can we stop it? How can we tell people to stop it and how come I'm so lucky that it hasn't auto updated?
Matt Erickson: I suspect it's the people that are already on 3.5 that are getting pushed to 3.5.1.
August Brice: Oh, okay.
Matt Erickson: This isn't confirmed, but I suspect it's because Apple deemed the update critical to patch the new vulnerabilities. I think that's just something they push through for people that are on the preceding operating system.
Bryan Neumeiste...: Now, the workaround would obviously be if you turn off your Wi-Fi and you're on LTE data, you turn off your LTE data so it's just for voice. You're shutting down your data in and out over your phone system. There's a way to do that inside, a very simple way to just switch off what the phone does. It was originally put there for people that had limited data plans, but also a good way to shut down stuff from coming into your phone because it just-
August Brice: Great.
Bryan Neumeiste...: ... does it for communication.
August Brice: Okay. And so, what will I lose if I turn that off?
Bryan Neumeiste...: Literally, any data from texts to whatever coming in.
August Brice: Okay. So, am I taking away too much functionality?
Bryan Neumeiste...: If you're using your phone as a phone and you're out there driving or whatever, that's one thing when you're out there. This is one thing I think we do just because we are in this field is we shut down Wi-Fi and Bluetooth when we're not using it. We don't walk out the street with Wi-Fi and Bluetooth on. It's just senseless. You're just a beacon. So, it's a lifestyle choice. It's very simple to do. It's like picking up your car keys, you just do it before you walk out the door.
August Brice: Exactly. I do it because I don't want to be exposed to the EMF.
Bryan Neumeiste...: Yeah, everybody's got their own reasons. But if you want to be reasonably a little bit more secure, turn off your Wi-Fi and Bluetooth while you're walking around. I don't connect my iWatch to my Bluetooth except for updates.
August Brice: That's another important point, Bryan. The iWatch, it's updating as well, right?
Bryan Neumeiste...: Yeah, it should. The tracker is supposed to be able to work with the iWatch as I understand it too. There is no app that will accept or will use that new update yet because there's no national app that's been approved for it. So, it's just kind of sitting there lurking, but your iWatch is just as much of a beacon as your phone is in many cases.
August Brice: Can I read you one of the comments from someone who was very frustrated because they got an auto update?
Bryan Neumeiste...: Sure.
August Brice: Okay. This is part of the comment. She says, "I check my Apple Health tab daily to make sure the CV tracking remains off. I'm aware that it's just the API though I don't trust them." So, do you think it's important, after you've downloaded it, to check your Apple Health tab every day to make sure it's not running somehow in the background?
Matt Erickson: There's definitely no harm in checking. I don't think there's going to be any possibility for it to be enabled or functioning until that national app is released to the public. No one knows when that's going to happen. But yeah, there's no harm in checking. You just go through your Health settings and make sure the COVID tracking is disabled. It's got some way doing that.
August Brice: Every day, just in case, that's what she's doing. And then, she says, "When I go out, I have changed my normal behavior where I used to use my iPhone for many things like notes, lists, calendar, store, coupon apps, et cetera. Instead, I've invested in a Faraday bag and I put my cell phone on airplane mode and in my bag," which is awesome. She got one of my bags and you guys use a Faraday every day as well. That's how I roll that it's really interesting. Because as I read this, because this is the way I operate, because I read it from somebody else, I think, "Oh my gosh, really? The problem is it's not our phone, it's their phone." You know what I mean? It's like, "It's Apple's phone." She can't use it for notes and lists because she understands now it really isn't her information. It could be anyone's information.
Bryan Neumeiste...: I think people forget to read the EULA agreements and we're all guilty of that. Because for example, if you upload a photo to Facebook or to any app like that, they own it. That's in the EULA agreement. It could end up on a billboard and you have no rights to it depending on which app. So, these are the things you have to understand. But in general, I think just one of the things when you're mentioning that Health app there, in forensics, when you're doing a cellphone, the most data is going to be in the Health app. The thing that takes the longest is the Health app. It just eats up data on your phone. Matt, you deal with that every day. Why don't you walk through that?
Matt Erickson: Yeah. It processes steps and flights climbed and heartbeat, and all that. That amount of data is just massive on a device. I think the quantity of entries is really what takes it so long to process. But when you have that enabled, it is tracking as much as it can track at all times.
Bryan Neumeiste...: Yes.
August Brice: And so really quickly, you go into settings and you scroll down, and you find the Health app and you disable. Is there anything other than that to do?
Matt Erickson: That should cover it.
August Brice: But, this person looks every day just to make sure it isn't somehow toggled on, which is interesting because sometimes, things just update automatically. All of a sudden, you're looking and you're like, "Wait, I didn't have Siri on for anything. Now, Siri's on for everything." It's crazy how it is out of our control.
Bryan Neumeiste...: Literally, every time there's a computer update, I go through my privacy on my computer and spend 20 minutes making sure that everything is shut down because there's so many ways they want to grab data from you, from browsers to whatnot. But every time you do an update, they usually want to reset all the privacy settings. That's the first thing you've got to do is go through that. That's just nature of the beast.
August Brice: Exactly. That's why, as a rule, I don't auto up and I turn auto update off on everything. But then, I go in. I look and I go, "Oh, hey, it says that Instagram needs an update." And so of course, I want to update Instagram because I just want to make sure that they're protecting my safety to whatever extent they can. And so, I'll do the update and then I'll find that other things are affected. It's crazy.
Bryan Neumeiste...: Yeah. It's very much that way with computers and I say for Windows users. For me, .NET Framework update's always been the thing that causes issues with the type of programs we run. That's just something that the developers for forensic materials aren't huge companies, so they don't often get the framework to work with before it comes out or very shortly before it comes out. So, there's all of a sudden catch up in lag time. So, you don't want to be updating until that's patched by the manufacturer of the forensic software.
August Brice: Right. We're talking about iPhone, but actually this is an Android update as well. I understand with the Android, you didn't even get the opportunity to say no, don't update. Is that true?
Matt Erickson: I haven't seen Android version that released that directly, but that's what I'm reading as well. It's just basically on for Android.
August Brice: Right. It's on. You don't even get a chance to say no. They're saying, "But wait, it's not an app, it's just API." So really quickly, define API.
Matt Erickson: It's an application programming interface. Essentially, it's just a way for applications to communicate with data within the operating system. There's certain functions and features built into any operating system. The API just enables developers to create an application or a function of some sort that communicates with the data stored in an operating system.
August Brice: Okay, so it's all ready for the app. For any app that might want to use whatever that secret sauce is that enables the tracking, it's ready.
Matt Erickson: Exactly.
August Brice: That's scary. I want to ask you guys, are you updated? Did you update?
Matt Erickson: Yes.
August Brice: You did?
Matt Erickson: Yes.
August Brice: Okay. What are you going to say to me because I didn't update? I'm at 13.3.1.
Matt Erickson: What model phone are you running?
August Brice: I have an XS Pro on 13.3.
Matt Erickson: From my standpoint, your phone's vulnerable to the exploit for jailbreaks at this point. So if someone did get their hands on your device, they could install that jailbreak and basically see everything. I mean, everything.
August Brice: I'm not so worried about that because, first of all, I don't expect to be picked up.
Matt Erickson: Right.
August Brice: I don't expect to be in a situation where anybody has my phone because my phone's typically at home. It's just the way I use my phone. I don't really use it that much. And so, I text and I Signal and I ProtonMail. Hey, Bryan, what's the latest app we're supposed to be using other than Signal? What's the latest one?
Bryan Neumeiste...: Threema. Threema is what we've switched to. Signal is vulnerable to us. In fact, we can actually extract Signal at this point. So, what it used to have was some bit of... It was elusive to forensic apps. Now, that's no longer the case, depending on a number of factors. But let's just say in general, that bridge is across now to Signal.
August Brice: Okay. I'm heading over to Threema. That's how I use my phone. It's basically just for texting communication, online on my computer.
Matt Erickson: Let me clarify one thing. It doesn't require a law enforcement to jailbreak the phone. So if you're walking along and you drop your phone on the street by accident, and you don't realize that anybody that's tech savvy can pick up your phone, and if you're on the latest version with your exact model, they're not going to be able to do a jailbreak and see any of your data. If you are vulnerable to a jailbreak, they can install that very easily. There's a lot less security holes in the later operating system. They're going to be able to exploit and see anything, just in case you lose your phone.
August Brice: So then, I should update to 13.5.1 is what you're telling me?
Matt Erickson: Correct.
Bryan Neumeiste...: Yes. Also think of this, if you have any corporate or personal data on there you wouldn't want to share, it would be vulnerable as it is. With the new update, it wouldn't. That's something you know. Of course, you obviously have your face ID off and any kind of palm reader on.
August Brice: Of course.
Matt Erickson: I can tell you this, with the phones that I do where I jailbreak them to get more data, it tells you everything. If you're running a phone that's not able to be jailbroken, email is by default encrypted on a device. So just a standard extraction, we can't see email.
August Brice: That's good.
Matt Erickson: Yeah. But with the jailbreak, it shows you everything.
August Brice: To that point, it's probably recording anyway even though I haven't enabled it.
Bryan Neumeiste...: No, because it would show on the amount of data used in your hard drive space or your drive space basically.
Matt Erickson: If you open up your Health app and look at your number of steps, if it's showing you steps, then it's definitely recording.
August Brice: Yeah. No, it's not.
Matt Erickson: But if it's not, then it's not running.
August Brice: I tell people because we were like, "What Faraday Faraday?" You know what I mean? It's like, it's the GPS. You were saying, though, somebody would physically have to have possession of my phone to do a jailbreak.
Matt Erickson: Correct. Yes.
August Brice: Anybody, somebody, it might not be somebody nice. It might not be the police. It could just be some idiot who's out to get me.
Matt Erickson: Right.
Bryan Neumeiste...: Corporate espionage would be somebody steals your phone and gets your corporate texts. That would be something.
August Brice: Okay. And so if I update, won't there be somebody that's creating something that allows that jailbreak on the next update too?
Matt Erickson: Always.
August Brice: Okay.
Matt Erickson: That's in progress, for sure. But these days, there's two hurdles for them. It's not just the operating system. There's also encrypted hardware around the chips that are in the phone. So, it's taking them much, much longer these days to get those going.
Bryan Neumeiste...: For example, if somebody installed a nanny app or something like that, it also blocks transmission. Don't limit yourself to the amount of... They give you a default amount of numbers for your password. Add a couple because that requires you to use the okay button. The okay button circumvents the GrayKey hack, which is a long way around of saying if you add a couple of numbers to your passcode, like just two numbers, that's going to make it a lot safer than the standard setup that comes from the iPhone.
August Brice: What about alphabetical? Would you recommend alphabetical over numeric?
Bryan Neumeiste...: It's the same. It doesn't really matter. You're just pushing buttons basically, an unlock sequence. But if you add to the unlock sequence, you're changing the default, which is what most GrayKey and those kinds of cracking apps look for. We have ours with more digits. You'd have to do one more step to open our phones than you would with a normal iPhone.
August Brice: But, I have a long sentence.
Bryan Neumeiste...: You used a statement, you're good.
August Brice: Oh, it's fun. Thanks, you guys. Matt Erickson, Bryan Neumeister, USA Forensic, thank you so much for almost convincing me that I better update to 13.5.1.