The Remote-Attacker Edition Wednesday, December 20, 2017

Your Home Was Not So Secure After All, by Khaos Tian, Medium

Imagine HomeKit as the butler for your home, and when you are not at home, you can send an iMessage to it asking it to do things for you. Say you want to unlock the front door, you would send a message to HomeKit asking it to unlock the front door. Once HomeKit receives the message, it should check that the message is sent by you and then unlock the door as you have asked. Except that in reality, HomeKit doesn’t check who sent the message and it will happily unlock the door whenever someone asks it to do so.

In order for HomeKit to do something, the message needs to contain a unique identifier that identifies the object (accessory, scene, or room) in the home. Normally it should be impossible for anyone to figure out the unique identifier for those objects unless you are actually authorized to access that home in HomeKit. However, there are two separate bugs, one in watchOS 4 - 4.1, and another in iOS 11.2 and watchOS 4.2, that allow someone to figure out those unique identifiers without authorizing the person to access the home in the first place. With those unique identifiers, a remote attacker can ask HomeKit to do almost anything.

Google Maps’s Moat, by Justin O'Beirne

Google has gathered so much data, in so many areas, that it’s now crunching it together and creating features that Apple can’t make—surrounding Google Maps with a moat of time.

Apple, CALEA And Law Enforcement, by Matthew D. Green, Lawfare

Apple is consistently making choices to protect users' privacy and security. In the face of the kinds of attacks we've been seeing, from the "hack in a box" that Chinese criminals were selling to the sophisticated hacking of Jupiter's VPN, the better security is on phones and in communications, the better off we all are. So while Nick is right on the current vulnerability in iMessage, he has it wrong on both Apple's legal obligations under CALEA and how easy it would be for the company to accommodate law enforcement's demands.

The App Helping Pregnant Women Find A Seat On The Subway, by Mimi Kirk, Citylab

And now Japan may have come up with a better solution: an app that matches pregnant women requesting a seat with riders who have agreed in advance to give them up upon request.


As my colleague Linda Poon pointed out last year about the pink light technology, such strategies are particularly helpful for those with hidden or invisible conditions. Such passengers might be more reluctant to ask for a seat for fear that others will balk, not believing they actually need it.

Augmented Reality's Real Power Will Be Substance, Not Flash, by Clive Thompson, Wired

“Think of how you learn something new,” Feiner told me. “If someone were showing you how to use a complicated photocopy machine, they’d have their hands in there, pointing at things. That’s what you can do with AR.”

Apple Announces New ‘Global Flagship’ Retail Store Coming To Federation Square In Australia, by Chance Miller, 9to5Mac

This store will be located in Federation Square and comes as part of Australia’s efforts to “breathe new life into one of Melbourne’s most iconic landmarks.”


Apple retail head Angela Ahrendts says the company is thrilled to move forward with plans for a new flagship in Australia, noting of the surrounding museums and historical landmarks that Apple will get to call its neighbors.

Apple In Federation Square: Melbourne Plan Sparks Furore, by Calla Wahlquist, The Guardian

Critics of Wednesday’s decision said the proposed design of the Apple store would be inconsistent with that overall design, as well as inconsistent with the square’s original purpose.


Apple's Shazam For iPhone & iPad Adds Offline Caching Mode, by Roger Fingas, AppleInsider

When users tap the button to listen to a song, the app will now save a sample for upload when internet access returns.

YouTube TV Delays Its Roku And Apple TV Apps To 2018, by David Katzmaier, CNET

The apps for Roku and Apple TV, originally slated to launch before the end of 2017, are now scheduled for the first quarter of 2018.


The Real Danger To Civilization Isn’t AI. It’s Runaway Capitalism, by Ted Chiang, BuzzFeed

Speaking to Maureen Dowd for a Vanity Fair article published in April, Musk gave an example of an artificial intelligence that’s given the task of picking strawberries. It seems harmless enough, but as the AI redesigns itself to be more effective, it might decide that the best way to maximize its output would be to destroy civilization and convert the entire surface of the Earth into strawberry fields. Thus, in its pursuit of a seemingly innocuous goal, an AI could bring about the extinction of humanity purely as an unintended side effect.

This scenario sounds absurd to most people, yet there are a surprising number of technologists who think it illustrates a real danger. Why? Perhaps it’s because they’re already accustomed to entities that operate this way: Silicon Valley tech companies.

Consider: Who pursues their goals with monomaniacal focus, oblivious to the possibility of negative consequences? Who adopts a scorched-earth approach to increasing market share? This hypothetical strawberry-picking AI does what every tech startup wishes it could do — grows at an exponential rate and destroys its competitors until it’s achieved an absolute monopoly. The idea of superintelligence is such a poorly defined notion that one could envision it taking almost any form with equal justification: a benevolent genie that solves all the world’s problems, or a mathematician that spends all its time proving theorems so abstract that humans can’t even understand them. But when Silicon Valley tries to imagine superintelligence, what it comes up with is no-holds-barred capitalism.