Hopefully the fine folks at Apple will release updates to Find My, iCloud and Catalina that plug these security holes sooner rather than later. While Find My may be successful on the technical level, it is a failure at the human level. When developing use cases for a product, UX designers need to consider far-out or even seemingly unlikely situations. They didn’t consider the effect of signing in to iCloud through a browser (displaying a give-away notification on the lost device), nor did they provide a way to protect access to the Find My app in Catalina. Even if you feel that neither of these scenarios is likely, they still illustrate problems in the way Find My has been implemented; these problems create new, perhaps unforeseen security and privacy problems for Apple device users. Clearly, the developers and UX designers at Apple assumed that you would only be looking for your lost device using one of your other Apple devices. Use Case 1 is entirely plausible; many thieves might turn the device off and never see a notification, but some may not be savvy enough to do that. And to turn it back on, you should be required to provide a password, and maybe even a 2FA code, to prevent unauthorized parties from being nosy. You should at least be able to turn off Find My on any device to prevent unwanted access to your devices’ locations and to protect your privacy. If a burglar breaks in and steals this Mac, they can use Find My to find out where YOU are, and where the rest of your devices are, and either see if you’re getting closer to them to retrieve your stolen Mac, or make plans to steal your other devices. So anyone who uses your TV can find your location whenever they want to, whether you want them to or not. You are signed in to this Mac with the same Apple ID you use on your other devices so you can enjoy the benefits of iCloud, such as synchronizing your music across devices.
The Find My app is built in to Catalina and it cannot be uninstalled or turned off. Let’s say you have a Mac at home connected to your TV and anyone you live with or who visits you can use this Mac to browse the web or watch Netflix on a big screen. You should at least be able to log in through Help a Friend without alerting your device about the iCloud login; this search should be silent and invisible. You have lost an advantage over the thief. And worse, if the lost phone is still on, now the thief knows you are trying to find your iPhone and will take steps to make it harder to track the device. You have to wait until you get home to use the Find My app on your Mac; precious time is lost. You cannot authorize the prompt to get the 2FA code since you are not with either of your devices, so your friend can’t help you find your device. So Apple displays a notification on your Mac (which is at home) and on your lost iPhone saying that someone is trying to log in to your iCloud account. Here’s where it all goes bad: A) You probably have 2FA activated. This opens iCloud in the iPhone’s Safari browser. They open Find My on their iPhone and tap the Help a Friend link. You can’t wait until you get home to use the Find My app on your Mac, so you ask your friend to help you. These holes do not stem from the architecture or cryptography of the solution, but from the way iCloud and Catalina are built and operate. The method Apple uses to disguise your location, even from Apple itself, while allowing your devices to decrypt the location data of your other devices seems sound, but it actually introduces two kinds of security holes that can leave you vulnerable. At first glance, the new Find My app seems like a good idea.