Apple: Mysterious iPhone 11 location pings were because of 'ultra-wideband compliance'

NVM, we'll give you a toggle to deactivate UWB... in the future-ture-ture


For a company that prides itself on its privacy credentials, Apple received a bit of a bloody nose earlier this week when long-time security journalist Brian Krebs revealed the iPhone 11 Pro intermittently seeks the user’s location — even when there are no applications with location permissions in use.

In recent years, Apple has heavily marketed the iPhone as a more secure and private alternative to Google's Android operating system. The fact that Cupertino's latest mobile periodically pings cell towers and GPS satellites to figure out where the user is, regardless of their settings, is obviously at odds with that messaging.

Krebs asked Apple, which said it didn't see any cause for concern. "We do not see any actual security implications," one Apple engineer said. "It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings."

This led the infoseccer to conclude that it was a deliberate feature within iOS. "It seems they are saying their phones have some system services that query your location regardless of whether one has disabled this setting individually for all apps and iOS system services," he wrote.

That was a good guess. Earlier today, Apple confirmed the feature was part of its ultra-wideband technology, which is part of its flagship U1 chip available across its latest handset lineup. Apple claims this gives its devices "spatial awareness" to see where other ultra-wideband devices are.

Why would you need this? Apple touts the ability to give directionally aware suggestions to people using AirDrop to share files between devices. It is also believed that the technology will play a role in its upcoming Tile-style object tracking kit.

The problem is, ultra-wideband tech is heavily regulated (PDF), and there are certain parts of the world where you can't use it.

"Ultra-wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations," Apple told TC. "iOS uses Location Services to help determine if an iPhone is in these prohibited locations in order to disable ultra-wideband and comply with regulations."

Cupertino added that all location data pertaining to ultra-wideband compliance is processed on the device, with nothing sent to Apple's servers.

Further, Apple said it also planned on releasing a toggle to deactivate ultra-wideband — and thus the intermittent location tracking — in a future iOS update.

That said, it's awfully strange that Apple took the best part of the week to confirm this.

Well, it is, and it isn't. Apple, as we know first-hand at El Reg, is notoriously opaque. It only shares what it wants to share — and, of course, what gets leaked from its notoriously porous supply chain.

If Apple had addressed people's concerns sooner, there would have been far less speculation about this mysterious (and ultimately innocuous) behaviour. ®

Biting the hand that feeds IT © 1998–2022