Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

The U.S. government ordered two travel companies to provide information about the movement of a Russian citizen suspected of hacking. The surveillance data was used as part of an investigation by the U.S. Secret Service, according to court documents recently unsealed.

The revelation of the extent of surveillance that the feds ordered companies to do in a 2015 investigation of Russian hacker Aleksei Burkov once again raises questions of privacy, accountability and responsibility in terms of how much access the government should have to an individual’s private data.

A letter from Forbes prompted the unsealing of court documents in the case Burkov, a now-infamous cybercriminal who at the time of the investigation was suspected of facilitating the theft of $20 million from stolen credit cards on a website called Cardplanet that he was running on the dark web.

The feds arrested Burkov at Ben-Gurion Airport near Tel Aviv in December 2015, and he eventually was extradited to the U.S. in 2019. In January 2020, he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud and money laundering.

Burkov eventually was sentenced to nine years in a federal prison, but mysteriously sent back to Russia in September 2021 for reasons which are still unclear, according to Forbes.

Forbes submitted a legal challenge to unseal documents in the case, which it won, subsequently publishing a report this week on what those documents revealed: extensive surveillance of Burkov by two travel companies, U.S.-based Sabre and U.K.-based Travelport, at the behest of the feds. The government used this data to track Burkov’s movements which eventually led to his arrest and prosecution.

****Tracking Burkov’s Movement****

The court documents show that in November 2015, a judge in the U.S. District Court for the Eastern District of Virginia granted a request by the U.S. government and ordered Sabre and Travelport to provide “all records, services and usages” of Burkov for a two-year period following the issuing of the order. The companies also had to provide a “real time” report on a weekly basis of  Burkov’s account activity to the feds.

The order was granted under the All Writs Act, a broad, 233-year-old law that allows for the government to “issue all writs necessary and appropriate” to aid authorities in their quest for the “proper administration of justice.”

The act is open to interpretation and has already been used a number of times by the U.S. government as a means of forcing tech companies into giving up information to aid them in investigations—a situation the American Civil Liberties Union deems “improper use.”

Indeed, the act has most often been used against tech giants Google and Apple to force them to help the federal government unlock Android devices or iPhones of suspects in criminal cases.

The most high-profile of these cases came after a 2015 mass shooting in San Bernadino, Calif., when Apple held its ground in its refusal to unlock the iPhone of shooter Syed Rizwan Farook. Eventually, the case came to end when the FBI managed to unlock the device without Apple’s help.

****Privacy Issues or Just Cause?****

While privacy advocates believe the federal use of the courts to force tech companies to give up data that customers shared with them in privacy is an overreach, security professionals for the most part support the action in the case of criminal investigations—to a point.

The monitoring of Burkov’s movement to apprehend him was justified due to the criminal nature of his activity, one security professional told Threatpost.

“After reviewing the facts of the case, a federal judge agreed there was enough cause and issued a ruling that authorized this activity,” Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer and current senior vice president at security firm KnowBe4, wrote in an email to Threatpost. “This was not a case of rogue government officials conducting unapproved data collection.”

Another security professional said that he’s not overly concerned if the federal government uses legal means to get access to private data collected by technology companies. However, it’s not always clear who has access to the “massive troves of data” being collected by companies like Meta and Google, observed John Bambenek, Principal Threat Hunter at security and operations analytics company Netenrich, in an email to Threatpost. This, he said, is concerning and should be remedied.

“Whether its Meta saying they can’t figure out where personal data is being used inside Meta, or law enforcement being able to get real time information on suspects, society just hasn’t come to grips with the implications of surveillance capitalism,” he said.

Feds Forced Travel Firms to Share Surveillance Data on Hacker

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information. 
Dubbed Peekaboo by researchers from Carnegie Mellon University, the system "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information.

Dubbed **Peekaboo** by researchers from Carnegie Mellon University, the system "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers."

Peekaboo operates on the principle of data minimization, which refers to the practice of limiting data collection to only what is required to fulfill a specific purpose.

To achieve this the system requires developers to explicitly declare the relevant data collection behaviors in the form of a manifest file that's then fed into an in-home trusted hub to transmit sensitive data from smart home apps such as smart doorbells on a need-to-know basis.

The hub not only functions as a mediator between raw data from IoT devices and the respective cloud services, it also enables third-party auditors to vet an app developer's data collection claims.

The manifest file, for its part, is analogous to Android's "AndroidManifest.xml" file that details the permissions the app needs in order to access protected parts of the system or other apps.

But while it is more of a binary approach in Android where apps are either unilaterally allowed or denied access to a specific feature (e.g., camera), Peekaboo makes it possible to define the data collection practices — the kind of data to be gathered, when it should be carried out, and how frequently.

"With Peekaboo, a user can install a new smart home app by simply downloading a manifest to the hub rather than a binary," the researchers explained.

"This approach offers more flexibility than permissions, as well as a mechanism for enforcement. It also offers users (and auditors) more transparency about a device's behavior, in terms of what data will flow out, at what granularity, where it will go, and under what conditions."

What's more, Peekaboo is also designed to auto-generate live privacy nutrition labels that summarize an app's declared behavior à la Apple's privacy labels in iOS and Android's Data safety section.

"Peekaboo offers a hybrid architecture, where a local user-controlled hub pre-processes smart home data in a structured manner before relaying it to external cloud servers," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

RSA CONFERENCE 2022 — "Nice to see you all again," Bruce Schneier told the audience at his keynote for the in-person return of RSA Conference, taking off his trademark cap. "It's kinda neat. Kinda a little scary." 

Schneier is a security technologist, researcher, and lecturer at Harvard Kennedy School. He has a long list of publications, including books from as early as 1993 and as recent as 2019's _We Have Root_, with a new one launching in January 2023. But he's best known for his long-running newsletter Crypto-Gram and blog Schneier on Security. And his upcoming book is about hacking.

To Schneier, hacking does not necessarily mean computer systems. "Think about the tax code," he said. "It's not computer code, but it's code. It's a series of algorithms with inputs and outputs."

Because the tax code is a system, it can be hacked, Schneier said. "The tax code has vulnerabilities. We call them tax loopholes. The tax code has exploits. We call them tax avoidance strategies. And there's an entire industry of black-hat hackers — we call them tax accountants and tax attorneys," he added, to audience laughter.

He defined hacking as "a clever, unintended exploitation of a system, which subverts the rules of the system at the expense of some other part of the system." He noted that any system can be hacked, from the tax code to professional hockey, where a player — it's contested just who — started using a curved stick to improve their ability to lift the puck. That player hacked the hockey system.

"Even the best-thought-out sets of rules will be incomplete or inconsistent," Schneier said. "It'll have ambiguity. It'll have things the designers haven't thought of. And as long as there are people who want to subvert the goals of the system, there will be hacks. 

"What I want to talk about here is what happens when AIs start hacking."

**Rise of the Machines**

When AIs start hacking human systems, Schneier said, the impact will be something completely new. 

"It won't just be a difference in degree but a difference in kind, and it'll culminate in AI systems hacking other AI systems and us humans being collateral damage," he said, then paused. "So that's a bit of hyperbole, probably my back-cover copy, but none of that requires any far-future science- fiction technology. I'm not postulating a singularity. I'm not assuming intelligent androids. I'm actually not even assuming evil intent on the part of anyone.

"The hacks I think about don't even require major breakthroughs in AI. They'll improve as AI gets more sophisticated, but we can see shadows of them in operation today. And the hacking will come naturally as AIs become more advanced in learning, understanding, and problem-solving."

He traced the evolution of AI hackers using examples of competitions. Technically it's the human developers who compete in events like DARPA's 2016 Cyber Grand Challenge or China's Robot Hacking Games, but the AIs operate autonomously once set into motion.

"We know how this goes, right?" he asked. "The AIs will improve in capability every year, and we humans stay about the same, and eventually the AIs surpass the humans."

While he acknowledged that bad actors might set up AI systems to hack financial systems for profit or mayhem, Schneier also posited that an AI might hack human systems independently and without intent. 

"\[That\] is more dangerous because we might never know it happened. And this is because of the explainability problem," he said, "which I will now explain."

**Explaining the Explainability Problem**

Schneier set up the discussion of explainability with a literary reference. In Douglas Adams' _Hitchhiker's Guide to the Galaxy_, a race of superintelligent beings called the Magratheans "build the universe's most powerful computer — Deep Thought — to answer the ultimate question to life, the universe, and everything. And the answer is?" he queried. An audience member obliged by answering "42."

The Magratheans were naturally not happy with this opaque answer, and they asked the computer to explain what it meant. "Deep Thought was unable to explain its answer or even tell you what the question was," Schneier said. "That's the explainability problem."

He added: "Modern AIs are essentially black boxes. Data goes in one end, an answer comes out the other. And it can be impossible to understand how the system reached its conclusion even if you're a programmer and look at the code."  

Schneier then discussed Deep Patient, a medical AI meant to analyze patient data and predict diseases. While the system performed well, he said, it doesn't give the doctors any explanation to help them see why it predicted a disease.

Reward hacking refers to an AI achieving a goal in a way its designer didn't intend. The audience enjoyed Schneier's description of an evolution simulator that "instead of building bigger muscles or longer legs, it actually grew taller so it could fall over a finish line faster than anybody could run."

He also used the examples of King Midas and genies to underscore the human problem of poor specification, where the granting of wishes too literally leads to misery. 

"But here's the thing," he said. "There's no way to outsmart the genie. Whatever you wish for, he will always be able to grant it in a way that you wish he hadn't. The genie will always be able to hack your wish."

And because of how the human mind works, "any goal we specify will necessarily be incomplete," he said. "We can't completely specify goals to an AI, and AIs won't be able to completely understand context."

Schneier then used the 2015 Volkswagen emissions scandal to set up an example of an AI hack that we wouldn't be able to detect because of the explainability problem. He said he imagines having an AI system design engine software to be both efficient and able to pass an emissions test. In such a system, the AI might hit on the same solution the Volkswagen engineers did — that is, fudge the emissions data by turning on emission controls only during testing — while not telling humans how it accomplished its goals. Thus the company might celebrate their great new design without even realizing that it's a hack and a fraud.

He expanded that to the real-world example of recommendation algorithms that push extremist content "because that's what people respond to." And that's an example that has real-world effects, radicalizing vulnerable people and causing them to entrench in false beliefs and sometimes even take drastic actions.

Schneier talked about research into how to avoid such negative unintended effects. One solution, value alignment, attempts to teach systems to respect human moral code. "Good luck" specifying human values or allowing an AI to learn them by self-training, he said.

In defending against AI hacking, he said, "what matters is the amount of ambiguity in the system." AIs are not able to work well with ambiguity. But that seems to be a limited solution that AIs could evolve to surmount.

**AI Hacks and the Real World**

Partly because of their lucrative nature and partly because of the structured code, Schneier expects financial systems to be one of the first real-world systems affected by AI hacks. Talking about the tax code, for example, he asked, "How many loopholes will it find that we don't know about?"

Even worse might be the AI message bots that could be infesting your Twitter time line already, pushing messages and interacting realistically. "It will influence what we think is normal, and what we think others think," Schneier warned. "That's a scale change."

But perhaps the most fraught element is the role AI is already playing in people's lives. 

"AIs are making parole decisions \[about\] who receives bank loans, helps screen job candidates \[and\] applicants for college, people who apply for government services," he noted. Because we can't tell why an AI made the decision, it will not seem fair to those denied — and indeed, it might well be unfair and based on unwarranted or underanalyzed parameters like a ZIP code.

And as with so much, he pointed out, it will be the powerful who benefit and the masses who suffer. "It's not that we \[gestures around the room\] are going to discover hacks in the tax codes," Schneier said. "It's going to be the investment bankers."  

He closed on a note of hope, though. While AI can certainly be used to find and exploit software vulnerabilities, he pointed out that they can also be used to find and _fix_ those vulnerabilities. 

"It identifies all the vulnerabilities and then it patches them" before the software gets released, he suggested. "You could imagine \[this AI\] being built into the software development tools. It's part of the compiler.

"We can imagine a world in which software vulnerabilities are a thing of the past," he added. "Kinda weird, but that's what would happen."

Schneier cautioned that during the transition period in which old vulnerable codes — computer or human — were still open and the new ones were still being vetted, black-hat AIs would still have a rich opening. However, he said, "While AI hackers can be employed by the offense and the defense, in the end it favors the defense. We need to be able to quickly and efficiently respond to hacks," though.

Human systems need to have the same agility as software, he said.

"The overarching solution is people," he said. "We're much better off as a society if we decide as people what technology's role in our future should be."

Why AIs Will Become Hackers

The Android application HTTP File Server (Version 1.4.1) by 'slowscript' is affected by a path traversal vulnerability that permits arbitrary directory listing, file read, and file write.

CVE-2021-40668

A Tim Hortons app has been flagged for managing to violate Canada's privacy laws. We offer some advice to avoid becoming tangled in app woes.
The post Coffee app in hot water for constant tracking of user location appeared first on Malwarebytes Labs.

A mobile app violated Canada’s privacy laws via some pretty significant overreach with its tracking of device owners. The violation will apparently not bring the app owners, Tim Hortons, any form of punishment. However, the fallout from this incident may hopefully serve as a warning to others with an app soon to launch. That’s _one_ theory, anyway. In reality, this level of data collection is not as uncommon as is being suggested.

**The app collects _how much_ data?**

It all begins in June 2020, when a reporter finds the Tim Hortons app is going above and beyond what one would expect as a reasonable level of tracking. Despite an FAQ claiming tracking only takes place “with the app open”, reporter James McCleod submits a request under Canada’s Personal Information protection and Electronic Documents Act. He discovers the app has recorded his longitude and latitude coordinates “more than 2,700 times in less than five months”, and not just when the app was in use.

In fact, he’d never have known this level of tracking was taking place save for a notification saying the app had collected his location. The twist: he hadn’t used the app in hours. This one tiny mobile notification quickly snowballed into the story we have today.

The notification was due to an Android system update giving users the option to limit an app’s access to location information. When people and organisations say it’s a good idea to update your device, this story is a perfect example of why that is.

**How can apps collect data?**

We’ve previously covered Bluetooth beacons and geofencing on this site. These are a staple diet of Out of Home (OOH) advertising. If you’re unfamiliar with how this technology typically operates, here’s a brief rundown:

1.  You enable Bluetooth on your phone. It’s not a major battery drain and becoming more useful to mobile users than ever before so this isn’t a hassle for most people.
2.  Stores you enter may have a Bluetooth beacon which fires out a rapid pulse signal. If you have an app for the store you’re in and have granted it permission to interact, this is where the fun begins. The store can track your movements, and figure out which items you hovered in front of and which you ignored completely. The store can then offer discounts, flash sales, and even optimal item placement based on this data.
3.  Geofencing will help get you to the store in the first place. With app and permissions enabled, you may well have adverts sent directly to your phone when driving. You may even experience digital billboard Geofence marketing.

**It’s not just about coffee**

The biggest concern here for McCleod wasn’t that the app was tracking him on coffee runs. That was expected behaviour. What really stood out was the kind of deep-dive data collection that was generating “events” everywhere he went and building up a picture of his daily life.

> The Tim Hortons app used location data to infer where users lived, worked, and whether they were travelling. It generated an “event” every time users entered and left their homes, entered and exited their office, or travelled. https://t.co/ZvPJnTx8CT pic.twitter.com/yx1q8dqQtH
> 
> — OPC (@PrivacyPrivee) June 1, 2022

The app, which made use of Geofencing platform Radar, flagged trips in and out of the home. It tried to distinguish between home and office. There was even an event fired for walking past a KFC in Morocco. In fact, the app seemed to spring into life any time McCleod walked past a rival business. McDonald’s, Starbucks, A&W, and more all triggered events.

A spokesperson for Tim Hortons said this was to “tailor marketing and promotional offers” inside the app, and that no data was shared with the other companies. This wouldn’t be enough to avert some pretty serious conclusions made from the app investigation.

**The investigation findings**

Tim Hortons stopped continuous tracking in 2020 after Government investigations began, but there were still concerns over the data collected. Tim Hortons’ contract with a third-party location services supplier allowed for the possibility of selling “de-identified” data. De-anonymisation is a big problem.

Despite explanations from Tim Hortons, the investigation concluded that

> _“…continual and vast collection of location information was not proportional to the benefits Tim Hortons may have hoped to gain from better targeted promotion of its coffee and other products.”_

It also found the app continued collecting large amounts of location data for a year after deciding against using it for targeted data, despite there being no need to do so. The four privacy authorities involved recommended Tim Hortons:

*   Delete any remaining location data and direct third-party service providers to do the same;
*   Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and
*   Report back with the details of measures it has taken to comply with the recommendations.

Tim Hortons agreed.

The full findings on this case can be seen in the report here.

**Climbing under the fences: Tips for avoiding tracking**

There are several ways to avoid or opt-out from tracking which you may feel is overly invasive.

1.  **Keep your mobile device up to date**. It’s the difference between having basic “on/off” privacy settings or waking up to find you have multiple granular controls for all aspects of app use.
2.  **Not using Bluetooth? Turn it off**. You won’t enjoy a massive battery bump, but you will go some way towards staying below the beacon radar.
3.  **Think carefully about agreeing to GPS permissions for apps**. It’s as specific a way to track your movements as can be, and some apps/services save this data online for you to view at a later date. This isn’t great if the service or account is compromised, so always ensure there’s an option to delete historical data. Depending on mobile device or OS, you may have very basic location options or several options tied to different services. It’s well worth taking some time to see what’s in there.
4.  **Introduce some security to your mobile ecosystem**. Mobile ad blockers, privacy and anonymity tools will all help with regard prevention of advertising profiles tied to your real world location and identity. It may not just be the app, but the other sites, services, and ad networks it plugs into which you have to consider.
5.  **Always read the EULA**. It’s a pain, but it’s really worth checking out the privacy policies and EULAs of the apps you use. See how they share data, how long information is stored for, and which advertising networks the apps partner with. Of course, this may have limited use considering portions of the Tim Hortons app FAQ were incorrect but it’s a good way to get up to speed on an app more broadly.

Coffee app in hot water for constant tracking of user location

An illicit online marketplace known as SSNDOB was taken down in operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday.
SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue.
The action

An illicit online marketplace known as **SSNDOB** was taken down in operation led by U.S. law enforcement agencies, the Department of Justice (DoJ) announced Tuesday.

SSNDOB trafficked in personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S., generating its operators $19 million in sales revenue.

The action saw the seizure of several domains associated with the marketplace — ssndob.ws, ssndob.vip, ssndob.club, and blackjob.biz — in cooperation with authorities from Cyprus and Latvia.

According to blockchain analytics firm Chainalysis, SSNDOB's Bitcoin payment processing system has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015.

Furthermore, bitcoin transfers to the tune of more than $100,000 have been unearthed between SSNDOB and Joker's Stash, another darknet market that specialized in stolen credit card information and voluntarily closed shop in January 2021, indicating a close relationship between the two criminal storefronts.

"The SSNDOB administrators created advertisements on dark web criminal forums for the Marketplace's services, provided customer support functions, and regularly monitored the activities of the sites, including monitoring when purchasers deposited money into their accounts," the DoJ said in a statement.

Additionally, the cybercriminal actors are said to have employed tactics to conceal their true identities, including using anonymous online profiles, maintaining servers in different countries, and requiring potential buyers to use cryptocurrencies.

"Identity theft can have a devastating impact on a victim's long-term emotional and financial health," said Darrell Waldon, special agent in charge of IRS-CI Washington, D.C. Field Office. "Taking down the SSNDOB website disrupted ID theft criminals and helped millions of Americans whose personal information was compromised."

The takedown marks the continued ramping up of efforts on the part of law enforcement agencies across the world to disrupt malicious cyber activity.

Last week, Europol publicized the shut down of FluBot Android banking trojan, while the Justice Department said it seized three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire.

Earlier this year, the Federal Bureau of Investigation (FBI) also neutralized a modular botnet dubbed Cyclops Blink as well as dismantled RaidForums, a hacking forum notorious for selling access to hacked personal information belonging to users.

In a related development, the U.S. Treasury Department also sanctioned Hydra after German law enforcement authorities disrupted the world's largest and longest-running dark web marketplace in April 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

FBI Seizes 'SSNDOB' ID Theft Service for Selling Personal Info of 24 Million People

A vulnerability was found in Klapp App and classified as problematic. This issue affects some unknown processing of the JSON Web Token Handler. The manipulation leads to weak authentication. The attack may be initiated remotely.

**Knapp daneben ist auch vorbei**

Wir als modzero sehen seit einem Jahrzehnt Sicherheitsschwachstellen und Datenschutzvergehen in verschiedensten Variationen. Unabhängig von der Art oder Komplexität einer Schwachstelle sehen wir sehr oft einen wenig risikobewussten Umgang mit Daten und Ressourcen. Wir schreiben das Jahr 2020, und noch immer werden Applikationen mit der heissen Nadel gestrickt. Time-to-Market hat eine so hohe Priorität, dass nicht einmal grundlegende Sicherheitsprinzipien in die Lösungsarchitektur oder das individuelle Applikationsdesign einfliessen. Man findet an jeder Ecke Applikationen und Datenverarbeitungssysteme, die schlecht, d.h. unsicher, mit den ihnen anvertrauten Daten umgehen. Dies ist umso gravierender, wenn es sich um personenbezogene Daten oder gar Gesundheitsdaten handelt.

In unserem Artikel Mit Webapps gegen COVID-19 wollten wir darauf aufmerksam machen, dass jeder eine Verantwortung hat, dass Software angemessen sicher wird. Heute möchten wir dieses Thema mit einem weiteren Beispiel erneut aufgreifen. Die anhaltende Corona-Pandemie eröffnet neue Herausforderungen aber auch Möglichkeiten bei der Digitalisierung und der Datenverarbeitung. In allen Bereichen sucht man nach Lösungen, und spätestens während des totalen Lockdowns haben auch Schulen festgestellt, dass sie noch Nachholbedarf im digitalen Bereich haben. Es wurde alles eingesetzt was verfügbar war: Zoom, Teams, WhatsApp, Facebook Messenger. In der Schweiz wurde bereits vor drei Jahren eine schweizerische Plattform namens Klapp ins Leben gerufen, welche insbesondere die Kommunikation zwischen Eltern und Schule und Lehrpersonen vereinfachen soll. _Einfache Kommunikation, die klappt!"_, so der Slogan des Unternehmens. Zu Zeiten von Corona hat diese Plattform einen massiven Nutzer-Zuwachs erhalten. Unter den Nutzern ist auch eine unserer MitarbeiterInnen.

**Wie funktioniert Klapp?**

Bei Klapp handelt es sich um ein schweizerisches Start-Up mit dem Sitz in Fislisbach (AG). Zum Zeitpunkt der Veröffentlichung gibt das Unternehmen an mehr als 200 Schulen, 8'600 Lehrpersonen und 45'000 Eltern eine Plattform zur Kommunikation zu bieten. Hier werden gemäss seinen Angaben täglich rund 3'000 individuelle Nachrichten versendet. (siehe hierzu Angaben durch Klapp) Die Daten werden ausschliesslich in der Schweiz gespeichert. Neben der Benutzung im Browser kann die App kann auch mit dem Smartphone (iOS und Android) genutzt werden.

Aus technischer Sicht ist Klapp eine cordova-basierte Web- und Mobile-App. Zur Registrierung als Elternteil oder Schüler benötigt man einen sogenannten Autorisierungs-Code. Nach erfolgreicher Registrierung ist der Zugriff auf die jeweilige Klasse und die damit verbundenen Funktionalitäten möglich. Während der Kurzanalyse wurden folgende Haupt-Funktionen als angemeldetes Elternteil identifiziert:

*   Gruppen und individual Chats
*   Versand von Dateien zwischen Kommunikationspartnern
*   Kalenderfunktionen
*   Informationen über die Klassenmitglieder
*   Namen der Kinder und registrierte Eltern
*   E-Mail-Adressen und Rufnummern (wenn freigegeben)

Damit Schulen die Klapp-Plattform nutzen können, wird zunächst ein Ex- und Import von Stammdaten vorgenommen. Zu diesem notwendigen Ex- und Import Prozess hat Klapp diverse Anleitungen veröffentlicht. Nach erfolgreichem Daten-Import können die Lehrpersonen Einladungsschreiben für die Eltern generieren. Diese enthalten Informationen über Klapp und sind personalisiert. Jedes dieser Einladungsschreiben hat nämlich zusätzlich den Namen des Kindes und einen Autorisierungs-Code für die Eltern aufgedruckt.

Beispielhaftes Einladungsschreiben mit Autorisierungs-Code und Vor- Nachname des Kindes

Dieser Autorisierungs-Code wird bei der Registration benötigt. Hiermit autorisiert sich die Anwenderin als Elternteil eines bestimmten Kindes. Der Autorisierungscode stellt somit das eindeutige Merkmal dar, um die betreffende Person zu identifizieren.

Registrierungs Ansicht in der iOS-App

Der Autorisierungs-Code hat das folgende Format: P-ABCDE1. Das Präfix _"P-"_ steht für _"Parent"_, Autorisierungs-Codes von Schülerinnen haben das Präfix _"S-"_, was für _"Student"_ steht. Die darauffolgenden Werte sind sechs alphanumerische Zeichen, Das bedeutet, dass es maximal 2.17 Milliarden mögliche _"Parent"_ oder _"Student"_ Codes gibt - Bei einer Anfrage pro Sekunde an den Klapp-Server benötigt man 3,7 Wochen um alle möglichen Autorisierungs-Codes zu erraten. Geht man von aktuell 45'000 verfügbaren Autorisierungs-Codes aus, trifft man mit einer Warscheinlichkeit von 52.49%, bei der selben Anfragerate, nach 10 Stunden mindestens einen gültigen Autorisierungs-Code. Würde man den möglichen Raum von Zeichen um Kleinbuchstaben und die Länge des Autorisierungs-Codes auf 10 erweitern, so bräuchte man, bei der angenommenen Anzahl an Anfragen pro Sekunde, 16 Millionen Jahre um alle durchzuprobieren. Die Annahme, dass nur eine Anfrage pro Sekunde möglich ist gilt als sehr konservativ, nicht selten können aktuelle Webserver bis zu 1000 Anfragen/Sekunde abarbeiten.

**Wie steht es bei Klapp um den Datenschutz?**

Die Daten der Applikation (Nachrichten, Chats und Bilder) werden zwar über einen _verschlüsselten Kanal_ auf den Klapp-Server übertragen, werden auf dem Server aber _unverschlüsselt gespeichert_. Das heisst, dass mindestens der Betreiber und alle Involvierten, welche die Daten prozessieren, Informationen mitlesen und manipulieren könnten. Im Falle eines Klassenverbundes heisst das im einfachsten Fall, dass die Klapp GmbH sowie die Dienstleister für den Nachrichtenversand über die registrierten Kinder und Eltern sowie Klassengruppierungen und die versendeten Informationen Bescheid wissen. Werden sensible Informationen wie Krankheiten oder vielleicht Kritik- oder Entwicklungspunkte der Kinder zwischen Personen ausgetauscht, sind diese nicht umfassend gesichert und es ist nicht ersichtlich ob man mit dem legitimen Kommunikationspartner Daten austauscht.

In Ihrer Datenschutzerklärung verspricht die Klapp GmbH:

> "Wir geben keine Personendaten an Dritte weiter und erzielen auch keinen kommerziellen Nutzen daraus. Ihre Personendaten, die Sie uns zur Verfügung stellen, werden von uns weder verkauft, vermietet noch gehandelt".

Weiter schreibt die Klapp GmbH:

> "Ihre Daten speichern wir in der Schweiz. Benutzerdaten werden in der Schweiz gespeichert und verarbeitet und unsere Partner halten die schweizerischen und europäischen Datenschutzverordnung ein".

Und _"Privacy by Design"_ wird ebenfalls als Merkmal benannt. Die Aussage _"Wir wollen mit Ihren Daten kein Geld verdienen. Ihre Benutzerdaten werden unter keinen Umständen an Dritte verkauft oder für Werbung verwendet."_ wirkt vertrauenserweckend.

Auch die Schulen scheinen von der Lösung und deren Sicherheit überzeugt. Auf Anfrage, warum Vor- und Familienname an Dritte ohne Zustimmung mitgeteilt werde teilte eine Schule mit:

> "Die Firma Klapp hat nach der Registrierung nur Name und Vorname plus Schule Ihres Kindes. Diese gehören nach meinem Wissen nicht zu den besonders schützenswerten Daten. Es ist uns aber bewusst, dass ein sorgfältiger Umgang mit Daten zentral ist. Daher haben wir uns bei der App auch für die Firma Klapp entschieden, die einen hohen Standard bei der Datensicherheit garantiert".

Bei einer technischen Betrachtung zeigt sich ein anderes Bild. Klapp verwendet beispielsweise für die Übermittlung der Daten Push-Nachrichten, welche über den US-Amerikanischen Dienst OneSignal versendet werden. Hier werden neben dem Vor- und Familiennamen des Absenders und der Betreff der Nachricht auch weitere Metainformationen über das verwendete Gerät und das Betriebssystem und des Netzwerkbetreibers gesammelt.

Push-Benachrichtigung enthält Informationen über den Absender sowie Betreff der Nachricht

POST /players/8a77f111-c146-402b-88f3-18d874c19872/on\_session HTTP/1.1
Host: api.onesignal.com
Content-Type: application/json
Cookie: \_\_cfduid=dd2b3c2801e2179392b0232eac71bf6bf1597813825
Connection: close
If-None-Match: W/"698f061ae145e46b912b7e8e00450320"
Accept: application/vnd.onesignal.v1+json
SDK-Version: onesignal/ios/021402
Accept-Language: de-ch
Content-Length: 434
Accept-Encoding: gzip, deflate
User-Agent: Klapp/2.0.1 CFNetwork/1126 Darwin/19.5.0

{
  "app\_id" : "bb3877cc-afc0-4d81-ac73-9339554c7686",
  "net\_type" : 0,
  "device\_type" : 0,
  "sdk" : "021402",
  "identifier" : "b5c9f6956a9606a93f564ac0677342ffafd9540b6c34ba170da574fd3f77dc08",
  "language" : "de-CH",
  "device\_os" : "13.5.1",
  "game\_version" : "2.0.1",
  "timezone" : 7200,
  "ad\_id" : "CF7A0B86-311E-4EF7-A469-F7A5322B206A",
  "notification\_types" : 31,
  "carrier" : "Salt",
  "device\_model" : "iPhone11,2"
}

Bei dem Versand via E-Mail verwendet Klapp den Dienstleister Mailgun - ebenfalls ein US-Unternehmen (siehe Datenschutzerklärung). Im Gegensatz zu den Push-Nachrichten beinhalten die E-Mail-Nachrichten auch die versendete Information, sowie Hyperlinks zu den allenfalls angehängten Dokumenten. Was bedeutet, dass neben Klapp auch Mailgun in der Lage ist, sämtliche E-Mail-Inhalte zu lesen oder zu manipulieren. Ob diese Firmen sich der hiesigen Gesetzeslage und Richtlinien unterwerfen, ist für uns aktuell nicht prüfbar. Wir möchten aber auch darauf hinweisen, dass die Daten auch ungewollt als Folge eines Erpressungsversuches oder eines Hacker-Angriffes bei dem Dienstleister geleakt werden könne .

E-Mail erhalten über _Mailgun_ enthält den genauen Text sowie Links zu den angehängten Dateien

Wir geben der Firma Klapp recht. Privacy by Design ist wichtig... und zwar genau aus dem Grund, dass niemand unautorisiertes Drittes unsere Daten einsehen können sollte. Genau deshalb sollte konsequent Ende-zu-Ende-Verschlüsselung eingesetzt werden, wie es zum Beispiel im Leitfaden des Datenschutzbeauftragten des Kantons Zürich empfohlen wird. Deshalb werden Instant-Messengers wie Signal oder Threema von vielen bevorzugt, da der Transportweg sowie jede Zwischenspeicherung verschlüsselt ist und erst am eigentlichen Endgerät entschlüsselt werden kann.

Nachdem wir uns dem Datenschutzversprechen der Firma Klapp GmbH und dem Thema Datenschutz gewidmet haben, möchten wir auf einige der technischen Unzulänglichkeiten eingehen. Viele der identifizierten Fehlerklassen sind trivial und bekannt. Auch wenn die Auswirkungen bei dieser Applikation möglicherweise gering ausfallen, möchten wir diese aufführen, weil wir diese immer wieder sehen.

**Und wie steht es um die Informationssicherheit?**

Datenschutz und Informationssicherheit sind eng miteinander verbunden und das Befolgen von Sicherheitsempfehlung wichtig, um den Datenschutz überhaupt zu Implementieren. Eine oberflächliche Betrachtung der Plattform hat gezeigt, dass grundlegende Sicherheitsprinzipien der Informationstechnik sowie der sicheren Entwicklung für mobile Anwendungen nicht befolgt wurden. Dies ist leider auch im Jahr 2020 immer noch häufig anzutreffen. Gerade in frühen Projektphasen ist die Erarbeitung von Bedrohungsmodellen und das Definieren von Sicherheitsanforderungen ein Kernpunkt, um später beim Lösungsdesign sowie der eigentlichen Entwicklung die richtigen Massnahmen und Methoden zu ergreifen. Gerade die gefundenen Trivialfehlerklassen zeigen, dass Datenschutz und Sicherheit während der Entwicklung der Plattform keine Schwerpunktthemen waren.

Während der Nutzung der Applikation konnte beobachtet werden, dass nicht nur der eigene Autorisierungs-Code vom Klapp-Server übermittelt wird, sondern auch die Autorisierungs-Codes, welche es den anderen Eltern ermöglichen sich eindeutig zu identifizieren.

Auszug aus der Server-Antwort. Zu sehen ist ein JSON-Objekt mit Informationen zu Kindern und Eltern. Ausserdem sind die Autorisierungs-Codes der Eltern enthalten.

Das bedeutet, dass jeder Empfänger das eindeutige Identifizierungsmerkmal aller Klassenteilnehmer besitzt und deren Identität übernehmen kann. Die Auswirkung eines Missbrauchs erscheint vielleicht aktuell nicht weiter schlimm bei einer solchen Verwendung. Soziales Schadenspotenzial ist auf jeden Fall vorhanden und Vertrauensmissbrauch ist möglich. Wichtig ist jedoch zu verstehen, dass eine zukünftige Funktionserweiterung der Plattform noch andere betrügerische Aktivitäten ermöglichen könnte, die heute vielleicht noch nicht absehbar sind. Hätte Klapp eine Implementierung nach den eigens aufgestellten Prinzipien der Datensparsamkeit und Need-to-Know Basis gewählt, wäre dieser Fehler gar nicht aufgetreten. Diese Schwachstelle wurde umgehend dem Klapp-Team gemeldet und Sie wurde am Abend des 24. August 2020 durch ein serverseitiges Update behoben. Daraufhin hat das Klapp-Team auch eine interne Nachricht an die BenutzerInnen versendet in der zu einer manuellen Überprüfung der registrierten Elternteile aufgerufen wird.

In-App Benachrichtigung des Klapp-Teams nachdem die Autorisierungs-Code-Leck Schwachstelle behoben wurde.

Ebenfalls ein Klassiker unter den trivialen Fehlern in Applikationen ist eine Vertrauensstellung durch sehr langlebige Authentisierungsmerkmale. Im Falle der Klapp-Applikation sind es JSON-Web-Token ohne Ablaufzeitpunkt. Jeder, der in den Besitz eines solchen Tokens gelangt, kann ohne zusätzliche Merkmale wie Benutzername oder Passwort andere Nutzer imitieren und hat somit automatische die Identität und Berechtigungen des legitimen Eigentümers. Bei der Klapp-Applikation werden diese Tokens auf dem Endgerät ohne zusätzliche Schutzmassnahmen abgelegt und gelangen so auch auf Backup-Datenträger oder Cloud-Dienste. Auch hier möchten wir darauf hinweisen, dass die Auswirkungen zum Glück in dem heutigen Anwendungsfall moderat ausfallen. Bekannte Schwachstellen zu implementieren ist auf jeden Fall eine schlechte Praxis, auch wenn sie aktuell wenig Relevanz haben.

Unsterblicher JSON-Web-Token da kein Ablaufzeitpunkt (_exp_ angegeben ist.)

Die SQLite Datenbank ist nicht verschlüsselt. Auch die darin enthaltenen Informationen sind nicht durch die App verschlüsselt.

Die SQLite Datenbank befindet sich in einem Geräte Backup.

Der Versand von individual Nachrichten an Lehrer ist eine von der Plattform vorgesehene Funktionalität. Wählt man "Neue Nachricht" aus so erscheint eine Auflistung der Lehrer, welche zum Empfang von Nachrichten autorisiert sind. Jeder Lehrer hat in der Plattform eine eindeutige Benutzerkennung, Beispielsweise 5f3bf6370452c910612c71be. Diese wird beim Versand der Nachricht angegeben. Eine solche Benutzerkennung haben auch Eltern und Schüler. Tauscht man die Benutzerkennung des Lehrers mit der eines anderen Elternteils aus, so wird die Nachricht an den gewünschten Empfänger übermittelt.

In-App Nachricht an ein anderes Elternteil versendet.

Soweit modzero bekannt, ist dies keine vorgesehene Funktionalität. Auch hier müssen wir erneut darauf verweisen, dass solche Fehlerklassen üblich sind. Nur weil eine Benutzeroberfläche eine Einschränkung vorsieht, muss diese von der Applikation nicht zwingend umgesetzt worden sein. Eine Einschränkung in der Benutzeroberfläche ersetzt nicht ein striktes Umsetzen eines ordentlichen Benutzer- und Rollenkonzeptes auch im Backend.

Beiläufig sind noch weitere Probleme aufgefallen, welche hier nicht im Detail beschrieben werden, aber auch mit dem Klapp-Team besprochen wurden:

*   Sensible Informationen in lokaler SQLite-Datenbank (iOS)
*   SQLite Datenbank (iOS) in einem Backup vorhanden
*   Fehlendes Zertifikats-Pinning und Jailbreak-Erkennung
*   Keine Möglichkeit den Zugriff auf die App durch Pass Code oder biometrische Merkmale zu beschränken
**Fazit**

Dies soll kein Aufruf zur Verhinderung von Innovation oder Digitalisierung sein, jedoch bitten wir jeden einzelnen Entwickler, Architekt, CEO... JEDEN Involvierten... seine Verantwortung wahrzunehmen und im Zweifelsfall jemanden hinzuzuziehen, der die Sachlage neutral beurteilen kann.

Natürlich kann in diesem Beispiel argumentiert werden, dass die Auswirkungen der Schwachstellen ja überschaubar sind und die Schutzmassnahmen für das Anwendungsgebiet möglicherweise ausreichen. Das Problem einer solchen Argumentation liegt dabei, dass sich die Umgebung, der Funktionsumfang, die Entwicklungsprozesse sowie die Firmen selbst zukünftig wandeln werden. Selbst wenn zum jetzigen Zeitpunkt ein Unternehmen ehrbare Ziele verfolgt oder eine Applikationsschwachstelle nur eine verhältnismässig geringe Auswirkung aufweist, so kann sich dies schon Morgen ändern. Es ist daher wichtig bereits früh in der Projektphase die richtigen Entscheidungen zu treffen und Fehlfunktionen, Schwachstellen und Bedrohungsmodelle als integral wichtigen Bestandteil zu behandeln.

**Zeitlicher Ablauf***   2020-08-18  Einladungsschreiben der Schule erhalten.
*   2020-08-18  Schwachstellen aufgedeckt.
*   2020-08-19  Klapp kontaktiert. Klapp hat sich zurückgemeldet.
*   2020-08-21  Schwachstellen telefonisch an Klapp übermittelt. Schwachstellen akzeptiert.
*   2020-08-24  Rückmeldung von Klapp erhalten, dass die Autorisierungs-Code Schwachstelle behoben wurde

CVE-2020-36533: Knapp daneben ist auch vorbei

A vulnerability, which was classified as critical, was found in Platinum Mobile 1.0.4.850. Affected is /MobileHandler.ashx which leads to broken access control. The attack requires authentication. Upgrading to version 1.0.4.851 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SEC Consult SA-20201001-0 :: Broken Access Control in Platinum Mobile**

_From_: SEC Consult Vulnerability Lab <research () sec-consult com>  
_Date_: Fri, 2 Oct 2020 18:17:48 +0000  

SEC Consult Vulnerability Lab Security Advisory < 20201001-0 >
=======================================================================
              title: Broken Access Control
            product: Platinum Mobile
 vulnerable version: 1.0.4.850
      fixed version: 1.0.4.851
         CVE number: -
             impact: critical
           homepage: https://www.platinumchina.com/en/products/p11
              found: 2020-04-24
                 by: M. Li (Office Munich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Platinum Mobile is a mobile office system based on Platinum HRM and ESS
Workflow to realize HR informatization management, taking portable devices
such as mobile phone, tablet pc as its main form and carrier. The new mobile
solution will enable employees quickly and conveniently deal with affairs and
not limited by time and place, thus effectively expedite the efficiency of
internal communication and operations. Users can directly use their mobile
devices landing on the client side to complete a series of tasks. Meanwhile,
the executive have the access to making decisions and approvals anytime and
anywhere."

Source: https://www.platinumchina.com/en/products/p11

Business recommendation:
------------------------
It is recommended to apply the hotfix or update the server component to version
1.0.4.851.


Vulnerability overview/description:
-----------------------------------
1) Broken access control
The mobile application connects to the company-specific server, which does
not properly restrict the access to confidential data. Thus, an authenticated
attacker can disclose the company's payroll, personal information of other
employees without having appropriate privileges to do so.


Proof of concept:
-----------------
1) Broken access control
The mobile application's request consists primarily of two parts: an XML message
in the body and its MD5 hash in the query string.

POST /MobileHandler.ashx?MessageHash=43a98be456b0213ce45e23fdf54c58b8 HTTP/1.1
Host: \[redacted\]
Content-Length: 276

<Message ID="msg1" MessageType="InvokeServiceMessage" Service="Payslip" Method="getMyPayslipMonthInfoForReleaseMany" 
Language="English" UserCode="user0" TokenID=""><Parameters><String>0000000537</String><DateTime>2020-03-31 
00:00:00</DateTime><null/></Parameters></Message>

Analyzing the mobile application reveals the following algorithm to
calculate the hash:

MessageHash = hex\_md5(escape(XmlMsg) + TokenID);

Furthermore, the server-side part of the application runs the following logic
to verify the message:
- extract the "UserCode" value from the message
- look up the "TokenID" associated with the "UserCode"
- calculate and compare the hash
- if valid, trust and use the parameters in the message, which serves as
  the real reference (rather than the "UserCode") to the business data.

Given this information, an authenticated attacker can craft a message with
an arbitrary value set (e.g. 0000000537) for the element "Parameters" and
calculate the hash with the attacker's "UserCode" and "TokenID".

As a consequence, the pay slip of another employee (e.g. a higher-ranked
manager) can be disclosed. By iterating the values, the attacker can
reveal the entire payroll data of the whole company.

In the following example an authenticated user "user0" can collect
personal information of "user1", including phone number, emails etc.

POST /platinummobile/Handlers/MobileHandler.ashx?MessageHash=bf62c16cad7a6b27b0fee8e1a21409b7 HTTP/1.1
Host: \[redacted\]
Content-Length: 203

<Message ID="msg1" MessageType="InvokeServiceMessage" Service="MyAccount" Method="GetMyInfo" Language="English" 
UserCode="user0" TokenID=""><Parameters><String>user1</String></Parameters></Message>


Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent one at the
time of the test:
- 1.0.4.864 on Android
- 1.0.4.864 on iOS
- 1.0.4.850 on Server


Vendor contact timeline:
------------------------
2020-05-19: Contact vendor through the provided email address.
2020-05-20: Exchange on the issue.
2020-05-22: Vendor acknowledged the issue, and claimed a hotfix will be released
            before a fix in the next version.
2020-07-22: Contact the vendor again.
2020-07-23: Vendor informed that a hotfix has been released.
2020-08-19: Customer confirmed that the hotfix works.
2020-10-01: Release of the advisory.


Solution:
---------
Apply the hotfix or update the application to the latest version 1.0.4.851.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF M. Li / @2020

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20201001-0 :: Broken Access Control in Platinum Mobile** _SEC Consult Vulnerability Lab (Oct 02)_

CVE-2020-36528: Broken Access Control in Platinum Mobile

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

Your passwords are terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will _actually_ be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

Any success for a passwordless future depends on how it works in reality. At the moment, there are unanswered questions about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkey. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” ​​Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.

While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the best password managers here. And while you’re thinking about your security, turn on multi-factor authentication for as many accounts as possible.

Tag

#android