Mobile networks really hate Apple's Private Relay: Some folks find iOS privacy feature blocked on their iPhones
Plus: Verizon's personal data grab, and more
In brief Some mobile networks in Europe, the UK, and America have reportedly started blocking Apple's beta-grade Private Relay functionality in iOS 15.
This opt-in feature works kinda like a VPN or kinda like Tor depending on how you squint at it: when enabled, it encrypts and routes your connection through two proxy servers in an attempt to obfuscate your location and IP address to websites. The split is the point: the first relay sees your IP address but not where you're going, and the second sees the destination but not your IP address, so neither hop alone can tie you to a site. It also hides from your cellular network which webpages and sites you're reading. Bear in mind it covers Safari browsing (plus DNS lookups and unencrypted HTTP traffic from apps, though not other app traffic), you need to be paying for iCloud+, and the chosen servers do reveal the region of the world you're in. Not all countries are supported by Private Relay.
Now it's reported that at least some subscribers using T-Mobile US and Sprint in America, carriers in Europe, and EE in the UK may be unable to use Private Relay on their iPhones when using cellular data due to their network operator's intervention.
T-Mobile US in a statement said folks are only blocked if they have filtering enabled on their account, which Private Relay would break: "Customers who chose plans and features with content filtering (e.g. parent controls) do not have access to the iCloud Private Relay to allow these services to work as designed. All other customers have no restrictions."
However, 9to5Mac noted that "many of the users we’ve heard from, and tested ourselves, do not have any such content filtering enabled," and so the situation doesn't appear to be so clear cut. Internal files from T-Mobile US suggest that for some people at least, it doesn't matter if you enable the filtering or not, the fact that it's available on your cellphone plan may be enough to block Private Relay.
[Image: the error iOS shows when you try to use the feature and are thwarted by your cellphone network]
Judging by a letter obtained by the Daily Telegraph this week and signed by Vodafone, Telefonica, and T-Mobile, these networks oppose Private Relay because they can't access "vital network data and metadata" nor "efficiently manage telecommunication networks" due to the privacy feature. They also accused Apple of "undermining European digital sovereignty" with the functionality.
However this shakes out – a service deliberately blocked by default, or carriers selectively disabling it and citing subscription plan incompatibilities – one thing is clear: cellular network operators really hate Private Relay.
Update... T-Mobile US now says a bug in iOS 15.2, which left the setting switched off on some devices, was behind the apparent blocking of iCloud Private Relay, and that it has "not broadly blocked" the privacy function.
"Overnight our team identified that in the 15.2 iOS release, some device settings default to the feature being toggled off," the network operator said in a statement.
"We have shared this with Apple. This is not specific to T-Mobile. Again though, we have not broadly blocked iCloud Private Relay."
If your mobile plan includes some kind of content filtering, you may find Private Relay is disabled to allow the filter system to work.
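If you want to know whether the network you're on is deliberately blocking the feature rather than iOS just having the toggle off, the thing to check is DNS. Apple's published guidance to network operators is that a network wanting to prevent Private Relay should return a negative DNS answer for the relay hostnames mask.icloud.com and mask-h2.icloud.com, so a plan-level block looks, from the device's side, like those names failing to resolve. The script below is an added example written for this article, not Apple's or any carrier's code: it resolves both hostnames with the system resolver and classifies the result. The verdict strings and thresholds are our own choice, and a "reachable" result only means the names resolve on this network, not that the relay connection itself will succeed.

```python
"""Check whether the current network DNS-blocks iCloud Private Relay.

Added example for this article (not Apple's or a carrier's code).
Assumes Apple's documented relay hostnames; the verdict labels are ours.
"""
import socket

# Hostnames Apple documents as the Private Relay ingress; a network that
# wants to block the feature returns a negative answer for both.
RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")


def resolve(host):
    """Return the set of addresses the system resolver gives for host.

    An empty set means NXDOMAIN / no usable answer, which is exactly what a
    network-side block is supposed to look like.
    """
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def assess(results):
    """Classify resolver results.

    results: {hostname: set_of_addresses}. Returns (verdict, detail), where
    verdict is one of "reachable", "blocked" or "partial". Pure function, so
    it can be exercised offline with constructed results.
    """
    missing = sorted(h for h in RELAY_HOSTS if not results.get(h))
    if not missing:
        return ("reachable",
                "both relay hostnames resolve; Private Relay is not DNS-blocked here")
    if len(missing) == len(RELAY_HOSTS):
        return ("blocked",
                "no address for " + ", ".join(missing)
                + "; consistent with a network-side block")
    return ("partial",
            "no address for " + ", ".join(missing)
            + "; investigate resolver behaviour")


def probe():
    """Resolve the real hostnames on the current network and assess them."""
    return assess({h: resolve(h) for h in RELAY_HOSTS})


if __name__ == "__main__":
    verdict, detail = probe()
    print(verdict, "-", detail)
```

Run it once on Wi-Fi and once on cellular data: a "blocked" verdict only on cellular is the signature of a carrier intervention, whereas "reachable" on both with Private Relay still not working points back at the device setting or at a block further along the path.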
Alarm raised over Verizon personal data grab
As an FYI: Verizon has started automatically enrolling at least some customers into its Custom Experience Plus, which records all your web browsing history, call numbers and duration, location, and app usage. Customers who have opted out of such data collection in the past are also automatically enrolled in the "new" scheme.
"We do not share information that identifies you outside of Verizon as part of these programs other than with service providers who work for us," reads the FAQ. "These service providers are required to use the information only for the purposes Verizon defines and not for their own or others' marketing or advertising purposes. They are also required to protect the information."
However, for those who don't want to share this data, head over to your privacy settings and opt out before the program starts in earnest later this year.
New York Attorney General finds 1.1 million hijacked accounts
An investigation into 17 "well-known companies" by New York's AG office has identified "more than 1.1 million online accounts" that were invaded via credential stuffing. That's when someone reuses the same email address and password on more than one website, one of those sites is compromised, and the intruders replay the leaked username-password pairs, usually in bulk and with automated tooling, against other websites until they find accounts where the same credentials work.
“Right now, there are more than 15 billion stolen credentials being circulated across the internet, as users’ personal information stand in jeopardy,” said Attorney General Letitia James.
“Businesses have the responsibility to take appropriate action to protect their customers’ online accounts and this guide lays out critical safeguards companies can use in the fight against credential stuffing. We must do everything we can to protect consumers’ personal information and their privacy.”
So what does all this PR bumph mean? Well, the AG's office found forum posts in which cyber-criminals were sharing known-working credentials for people's online accounts, obtained via credential stuffing. According to the office:
From these posts, the OAG [Office of the Attorney General] compiled credentials to compromised accounts at 17 well-known online retailers, restaurant chains, and food delivery services. In all, the OAG collected credentials for more than 1.1 million customer accounts, all of which appeared to have been compromised in credential stuffing attacks.
The OAG alerted each of the 17 companies to the compromised accounts and urged the companies to investigate and take immediate steps to protect impacted customers. Every company did so.
Don't reuse passwords across sites, and use multi-factor authentication where possible.
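The attack leaves a recognisable trace on the receiving side: one source hammering the login endpoint with many different usernames, most attempts failing, and the occasional success, which is the compromised account the AG's office is talking about. The detector below is an added example written for this article, not code from the AG's office or any of the 17 companies: it runs a sliding window over constructed auth-log lines (not real data) and flags a source address when, within five minutes, it tries at least eight logins against at least five distinct usernames with a failure rate of 70 percent or more. Those thresholds, the log format and the sample addresses are all assumptions made for the example.

```python
"""Toy credential-stuffing detector over auth-log lines.

Added example for this article; log format, thresholds and data are all
constructed for illustration and are not from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, made-up users).
# One event per line: <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2022-01-05T10:00:01Z 203.0.113.7 alice FAIL
2022-01-05T10:00:02Z 203.0.113.7 bob FAIL
2022-01-05T10:00:02Z 203.0.113.7 carol FAIL
2022-01-05T10:00:03Z 203.0.113.7 dave OK
2022-01-05T10:00:03Z 203.0.113.7 erin FAIL
2022-01-05T10:00:04Z 203.0.113.7 frank FAIL
2022-01-05T10:00:04Z 203.0.113.7 grace FAIL
2022-01-05T10:00:05Z 203.0.113.7 heidi FAIL
2022-01-05T10:00:05Z 203.0.113.7 ivan OK
2022-01-05T10:00:06Z 203.0.113.7 judy FAIL
2022-01-05T10:01:10Z 198.51.100.9 mallory FAIL
2022-01-05T10:01:30Z 198.51.100.9 mallory FAIL
2022-01-05T10:01:55Z 198.51.100.9 mallory OK
2022-01-05T10:30:00Z 192.0.2.44 peggy OK
"""


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=8,
                    min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for sources whose login pattern looks like stuffing.

    A user fat-fingering their own password (few attempts, one username) never
    trips the distinct-username threshold; a stuffing run (many usernames, mostly
    failures, a few hits) does. The summary keeps the accounts that succeeded,
    since those are the ones to lock and notify.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(win) > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failure_ratio": round(ratio, 2),
                        "succeeded_accounts": sorted(e[2] for e in win if e[3]),
                    }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

Real attackers spread a run across many source addresses to stay under per-IP thresholds, so in production you'd also key on things like the ASN, the TLS or user-agent fingerprint and the password-hash of failed attempts; the per-IP window here is the simplest form of the same idea.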
Flexbooker says 3.7 million user accounts compromised
Online scheduling service Flexbooker has admitted its cloud systems were ransacked just before Christmas, and that data on 3.7 million user accounts was obtained by miscreants.
"On December 23, 2021, starting at 4:05 PM EST our account on Amazon’s AWS servers was compromised, resulting in our temporary inability to service customer accounts, and preventing customers from accessing their data," it said in an advisory. "As part of the incident, our system data storage was also accessed and downloaded."
New breach: Online booking service FlexBooker had 3.7M accounts breached last month. Data included email addresses, names, phone numbers and for some accounts, partial credit card data. 69% were already in @haveibeenpwned https://t.co/LGaAnj1hUA
- Have I Been Pwned (@haveibeenpwned) January 6, 2022
According to the company, first and last names, phone numbers, and email addresses were stolen. It said account passwords were also taken but encrypted, and that the key to read them was not obtained. Quite why there's a key to decrypt them at all, when passwords should be stored as salted, one-way, deliberately slow hashes that nobody, the operator included, can reverse, is baffling to us.
Google beefs up cloud security tools with Siemplify buy
The Chocolate Factory has snaffled up Israeli security startup Siemplify for a reported $500m to bolster its push for better cloud security.
Siemplify builds what it calls security orchestration, automation and response (SOAR) software, a set of tools and playbooks to speed up a security team's response time to incidents. The technology will be integrated into Chronicle Security, the security analytics biz Google spun off in 2018 from its X labs and later folded into Google Cloud.
"We plan to invest in SOAR capabilities with Siemplify’s cloud services as our foundation and the team’s talent leading the way," Google's Sunil Potti said in a blog post. "Our intention is to integrate Siemplify’s capabilities into Chronicle in ways that help enterprises modernize and automate their security operations."
Swiss army takes a knife to messaging apps?
In an effort to stop data leaks the Swiss army is discouraging all messaging apps for troops bar one – a home-grown system called Threema.
While Threema isn't as popular as WhatsApp or Signal among the inhabitants of the mountain confederation, it has one killer attribute the army likes. Its two data centers are based in Switzerland and subject to national laws, with none of the data residing overseas where other governments can potentially get a look in.
After reports that a blanket ban on other services was in place, army spokeswoman Delphine Schwab-Allemand told AP the use of Threema was merely a “recommendation” and that the use of other apps would not be prohibited. She said for those who do want to use the home service, the army would cover the annual cost for the software.
It's certainly good news for Threema: the Swiss retain national service for all men, and for women who volunteer, and that makes for a lot of potential repeat customers. But it's also good from an operational security point of view: all that useful data stays within home borders. ®