Security News This Week: Why the iPhone 11 Tracks Your Location Even When You Tell It Not To

Russian disinformation, a VC hack, vulnerable VPNs, and more are in the week’s top security news.
man on the phone surrounded by people walking
Photograph: Pau Barrena/Getty Images

If you call your hacking conglomerate Evil Corp and steal tens of millions of dollars from banks and individuals over the course of a decade, you can probably expect an indictment at some point. For alleged Evil Corp leader Maksim Yakubets, it came this week, as US and UK authorities charged him and an associate with hacking thefts that totaled over $100 million. A separate criminal complaint also ties Yakubets to the infamous Zeus trojan. There's also a $5 million reward out for information leading to the arrest of cybercriminal mastermind—but don't hold your breath.

We also took a look at vulnerabilities caused by the sloppy implementation of Rich Communication Services, the protocol that's on its way to replacing SMS for texting and more. Even if you're not familiar with RCS, you're going to encounter it on Android soon; Google recently made it the default for its stock Messenger app. But unless it and the various carriers who have embraced it as the future of texting get their acts together, it doesn't look much more secure than the recent past.

Speaking of the past, Microsoft patched what it considered a low-severity bug in Microsoft Outlook in 2017. So far, so good. But hackers have since figured out how to get around that fix, leaving Outlook alarmingly exposed to attacks at a time when email has become a target. Security firm FireEye recently sounded a warning that it had seen lots of activity lately associated with the bug, ranging from state-sponsored hacking crews to, well, other security firms on pen-testing missions.

What's a dead drop? We explain it in depth, and you don't even have to go to a previously agreed upon hiding spot to read it. And we took a look at why DuckDuckGo might just be the Google Chrome alternative you've been pining for. And if you have some time to spare this weekend, spend it with these animal liberation activists who want jurors to have to experience the suffering of animals being sent to slaughter for themselves—in virtual reality.

Lastly, a serious note: Ewoks are the most tactically advanced fighters in the Star Wars universe. This is not up for debate. Thank you for your time.

And there's more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

The week started with a minor mystery. Security journalist Brian Krebs noted that the iPhone 11 and 11 Plus check in on your location even when you turn off all location-related settings. That doesn't happen on older iPhones, and more importantly, goes against Apple's privacy policy and general gestalt. Rather than clearing the issue up at the time, Apple brushed off Krebs, giving no explanation other than that it was expected behavior. Well! A few days later, the company finally gave a real answer. It turns out to be related to the new ultra wideband technology enabled by the U1 chip inside of Apple's latest phones. “Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” Apple's statement reads. The location pings are there to make sure you're not in one of those locations, and the info never leaves the phone itself. All of which sounds reasonable enough, although it's still extremely unclear why Apple couldn't have just said all of that in the first place.

There's nothing especially fancy about the way hackers parted a Chinese venture capital company from its million-dollar investment in an Israeli startup, but it's an impressive example of the genre. The attackers noticed an email telegraphing the upcoming money transfer, and created fake domains that looked like the two companies respectively. By sending emails to each organization pretending to be from the other, the hackers were able to intercept every step of the ensuing correspondence, altering details along the way—like banking details. It's all very clever! Highly illegal, of course, and morally wrong. But clever!

A virtual private network ostensibly keeps your internet browsing safe from prying eyes. But a newly disclosed vulnerability in Unix-based operating systems—that's everything from Linux to macOS—leaves those VPN connections at risk of sniffing or even hijacking. The good news is that it's a tricky exploit to pull off, so you're probably not at risk unless a particularly talented hacker has eyes on you. The bad news? VPNs were already hard enough to trust.

On October 21, documents hit the internet that purported to show sensitive details about UK trade talks with the US. On Monday, Reuters reported that the release had the hallmarks of a coordinated Russian disinformation campaign. Friday afternoon, Reddit itself confirmed as much. Remember, friends! Russian intelligence operations haven't slowed down since 2016, and they're not going to.


More Great WIRED Stories