iCloud Gets a Security Upgrade

Today Apple announced some nice updates to the iCloud security features. The following features now have end-to-end encryption on iCloud:

  • Device Backups
  • Messages Backups
  • iCloud Drive
  • Notes
  • Photos
  • Reminders
  • Safari Bookmarks
  • Siri Shortcuts
  • Voice Memos
  • Wallet Passes

End-to-end encryption means your data can’t be viewed on the server in these categories (if you opt in). Put simply, Apple will no longer be able to see the above categories of data. If Apple gets hacked in the future, the bad guys can’t see your data either.

Apple has very publicly stated an interest in protecting user privacy. I believe them. What is impressive about this is how they’ve added the encryption at Apple’s user-base scale. That can’t be easy.

At this point, it’s opt-in. You must go into the iCloud settings and click on Advance Data Protection. I will be opting in. Advanced Data Protection is in the latest iOS 16.2 beta. It will be available to all U.S. customers by the end of the year and rolling out to the world in early 2023.

One note of caution, however, is that this means if you ever lose passwords, the data is gone. Apple can’t help you. So get your password security sorted out before you push the button.

Craig Federighi did an interview with Joanna Stern on these updates. She did a great job explaining end-to-end encryption in the process.

Where are the Passkeys?

With Apple’s latest round of updates, we’ve got a new password feature that lets your computer manage passwords for you in the background. There are a lot of advantages to this new “Passkey” system. (Here’s Apple’s explainer.) It isn’t dependent on user-generated passwords. It’ll guarantee people use different passwords for different sites. It will also help you avoid phishing attacks because it won’t work on spoofed websites. This comes at the cost of some loss of control, but third parties are already working on that (like 1Password in this video). 

I’m curious, however, as to when Passkey websites will start showing up. So far, I’ve seen none. For this to work, websites must adopt some new backend technologies, and everyone is now waiting for that to happen. Are website developers untrusting of the new technology? Do they want to see others figure it out first? Do they need the budget for these changes? I expect it is all of the above. I’ve been asking about it for MacSparky.com with some of my platform providers, and I’m told to cool my jets. I sure hope this all gets sorted out. It will help web security for a lot of people once it gets rolling.

553 Million Facebook Users Compromised

Hackers managed to grab names, account details, and telephone numbers from 553 million Facebook users, and now they’ve published all that data on the web. Yikes. I’m shocked at the scope but not the source.

If you have a Facebook account, now is the time to be on alert for scammy phone calls from people who will try and social engineer their way into your credit card numbers and bank accounts. There is already a scam where they call and claim to be the IRS and need “immediate payment to avoid criminal prosecution”. I’m sure they’ll come up with even more dreadful ways to abuse this treasure trove of data.

Solar Eufy Charger

I continue to dig my Eufy security cameras. However, one issue I have is the camera that looks down at my driveway and the front of my house. It’s a battery camera, and I have to get out a ladder to pull it down and charge every so often.

It was getting just tedious enough for me to consider running a dedicated electric line through the garage when I saw that Eufy now makes a solar charger for their cameras. I ordered one, and it has been running for six weeks. The camera is now always fully charged, and my ladder has not moved.

Face Mask Unlock in iOS 14.5

We’re getting closer to the release of iOS 14.5, and it’s adding a feature that Apple Watch owners are going to dig. Specifically, if you are wearing a face mask and an Apple Watch, you’ll still be able to unlock your iPhone without using a passcode.

Once you turn the feature on, the iPhone has some new unlock logic:

  1. Is the user wearing a face mask?
    No – Go to the usual Face ID unlock.
    Yes – Go to step 2.

  2. Does the user have a connected, unlocked Apple Watch very close to the phone?
    Yes – Unlock.
    No – Go to the passcode unlock.

So, if you are wearing a face mask and you have an unlocked Apple Watch in very close proximity (less than 1 meter) to your phone, you get an unlock. In that event, you also get a prompt on your wrist letting you lock the phone back up. Interestingly, that step 1 looks for any person with a face mask. It doesn’t try to figure out if it is specifically you wearing a face mask. John Gruber did all the research on the beta build and reports in further detail.

I plan on turning this feature on once the update ships. I am so tired of tapping in my passcode when using my phone while masked.

Mac Malware is Getting Smarter

I still bump into people that think their Macs are somehow immune from Malware. That just isn’t the case. Mac users are just as able to download malicious code as Windows users are. Historically, however, we’ve had some advantages on the Mac:

A Smaller Target
There just are not as many Macs in the world as there are Windows computers. Moreover, often the targets of malware (business and financial institutions) don’t run Macs.

Apple’s Increasing Emphasis on Security
Apple has been putting the screws down on macOS for years now. They’ve steered users toward the App Store, where they have more control over the apps you install on your Mac. They’ve rebuilt the plugin systems for Apple Mail and Safari so they are much more secure. They’ve implemented a notarization system for apps and they’ve even created a way to disable binaries from Apple Servers.

These two factors have combined to give Mac users a false sense of security. All that said, if you install an app from an untrusted source (or if one of your trusted sources that was unknowingly compromised, which happens), users are fully capable of installing malware on their systems.

That happened over the past few months with a malicious payload known as Silver Sparrow. (Red Canary did an excellent job documenting it.). It looks like this one was caught before it did any real damage (and Apple has now disabled the binary), but the advantage of catching this unexploded bomb was that it gave security researchers an opportunity to study it in detail. Silver Sparrow was designed to launch additional software that would do who knows what. It was also designed to cover its own tracks. It was very sophisticated software designed to run on both Intel and Apple Silicon Macs. Malware is increasingly targeting the Mac at a time when malware is getting increasingly advanced.

You shouldn’t be paranoid, but you also shouldn’t assume you are safe just because you are on a Mac. Don’t install software from unknown developers. Be careful around unknown download links and email attachments. In short, keep your head screwed on.

Whenever this question comes up, I get asked if I’m running virus software on my Mac. Currently, I am not. In my experience, virus software too often comes with its own set of headaches. However, reading about Silver Sparrow has me considering it again.

Additional Considerations for Home Security Cameras

Over the past few years, home security cameras have got better and cheaper. That’s good. Now anyone can set up a home security camera and keep an eye on the front door or the dog. The problem, however, is that all of these cameras are not created equal. There are two issues you need to consider when purchasing a camera that manufacturers don’t often mention: commerce and security.

Commerce

A lot of the camera racket has turned into a razor and blades style business. You get the cameras but then you end up spending around $100/year to have their cloud storage. That may be worth it to you, assuming the vendor knows what they’re doing and they have a good security model. I have trust issues with all of these vendors. How much of a stake do they really have in protecting your privacy? How much effort are they putting into keeping all that video from your house safe?

Security

It’s called a security camera but is it actually secure? This is particularly a concern if you do use the vendor’s cloud storage. Do you want anyone in the world able to look at your front door or your dog? Vendors are slowly coming around on this. Ring just announced that you can add end-to-end encryption to your video on their servers but it is (currently) off by default.

I continue to be happy with my Eufy cameras. They didn’t break the bank. They’re holding up fine and they work with Apple’s HomeKit Secure Video service that gets me encrypted online storage as part of my iCloud account (that I’m already paying for).

eufy Wireless Cameras and HomeKit

Anker has a home security subsidy, eufy, that has jumped into the home camera business with both feet. I like and trust Anker. I have been buying their stuff for years, so I was interested in their eufy camera offerings from the beginning.

For several years, I have been using the Canary camera system. I was a paying subscriber and generally happy when I first started using Canary products. But over the past few years, my love has waned. The cameras have begun failing me regularly for no explicable reason. When I would check them, they would be offline. If I power-cycled them, they would start back up and sometimes reconnect, but not always. Had the Canary company been willing to embrace HomeKit, I may have looked into upgrading the cameras instead of moving on. But alas, beyond some early broken promises, Canary has shown no interest in HomeKit, and I was ready to move on.

eufy was very much of interest to me. At this point, eufy does not have a subscription service where you pay them to store security video online for you. Instead, they have integrated storage in their hardware so you can keep your security footage locally. Because they are not motivated to sign you up for their subscription service, they have also embraced Apple’s own HomeKit Secure Video service with a growing list of their cameras.

I bought a few of eufy’s battery-powered cameras including the eufyCam 2C and the eufyCam 2 Pro. Both are battery-powered wireless cameras that connect to eufy’s hub, which contains 16GB of internal storage. The cameras stream to the hub, and you can monitor the hub from the eufy app. The internal storage holds the streams until it runs out of memory, and then it starts deleting older footage to make room for new footage. It all works fine, although I wish they made the storage via replaceable SD card.

Moreover, the eufy hub can connect with HomeKit and turn footage from these cameras over to HomeKit. For a reasonable price, you can have wireless cameras feeding straight into your HomeKit, which you can also connect to HomeKit Secure Video.

This whole system is far better than my Canary system, and it has been a great upgrade. Comparing the 2C vs. Pro cameras, there are a few items of distinction:

Recording Fidelity The 2C records at 1080p. The Pro records at 2K. I can’t tell much of a difference between the two.

Battery Life eufy, like most hardware manufacturers, must not be testing these cameras under normal conditions. They claim the 2C battery should last six months. I get about a month out of one, and I get about two weeks out of another. (The second one is near a place of high activity, so it goes off much more often.) They are easy enough to plug in and recharge, but it is a thing, and it has me thinking about bringing in an electrician to hardwire a few spots around my house. The eufyCam2 Pro has been getting better than double that in battery life for me.

Cost There is a significant jump. You can get two 2C cameras plus a base station for $220. The same rig with two eufyCam2 Pro cameras goes for $350.

Either way, this was a significant upgrade in my home security system, and the rest of my family loves that they can now see the cameras in the Home app. I am taking full advantage of HomeKit Secure Video. I have also gone further down the Eufy rabbit hole as I have added some more of their wired cameras, which I will be covering over the coming weeks.

The Very Slow Roll Out of HomeKit Secure Video


Screen Shot 2020-06-02 at 12.04.59 PM.png

A year ago, Apple announced a new HomeKit feature, dubbed Secure Video, where Apple would agree to store your security camera video on its servers for you without an additional fee. I like this idea. Not only do I not want to pay someone to store this data, I also don’t necessarily trust third parties with home camera footage either. Apple’s a big company. They are not going to get acquired and they have a stated interest in protecting user privacy. The whole idea of HomeKit Secure Video makes sense.

I left WWDC last year thinking it wouldn’t be long before I had HomeKit Secure Video working in my home. Well, that was over a year ago, and there has been very little progress. Logitech released a HomeKit update for their nearly $200 Circle 2 camera. I bought one as an experiment and it has never worked satisfactorily. The camera is often unavailable with no explanation of why, and it feels like Logitech dropped the ball on this one. Moreover, the price is prohibitive if you want to put several of them in your home. There are almost no other vendors supporting HomeKit Secure Video.

Things are getting better, though. Eufy, a subsidiary of Anker, recently announced that their home line of Eufy cameras is going to get full HomeKit Secure Video Support (9to5 Mac has all the details). It sounds like they’re going through an approval process right now. I have a few Eufy exterior cameras, and I’m much happier with them than my prior Canary cameras. The Eufy cameras stay connected, have an option for local storage, and seem way more reliable than anything else I’ve ever used. Best of all, their indoor cameras start at $40. There may be hope yet for HomeKit Secure Video, but it sure has taken a long time.