22 Jan 20

Apple Addresses iPhone 11 Location Privacy Concern

Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month.

Beta versions of iOS 13.3.1 include a new setting that lets users disable the “Ultra Wideband” feature, a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature.

In December, KrebsOnSecurity pointed out the new iPhone 11 line queries the user’s location even when all applications and system services are individually set never to request this data.

Apple initially said the company did not see any privacy concerns and that the location tracking icon (a small, upward-facing arrow to the left of the battery icon) appears for system services that do not have a switch in the iPhone’s settings menu.

Apple later acknowledged the mysterious location requests were related to the inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices.

The company further explained that the location information indicator appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

Apple also stressed it doesn’t use the UWB feature to collect user location data, and that this location checking resided “entirely on the device.” Still, it’s nice that iPhone 11 users will now have a setting to disable the feature if they want.

Spotted by journalist Brandon Butch and published on Twitter last week, the new toggle switch to turn off UWB now exists in the “Networking & Wireless” settings in beta versions of iOS 13.3.1, under Location Services > System Services. Beta versions are released early to developers to help iron out kinks in the software, and it’s not clear yet when 13.3.1 will be released to the general public.


25 comments

  1. Apologies if this is not the appropriate venue, but hoping you’ll cover the Jeff Bezos phonejacking story. This is the first time I have heard of using an MP4 file over WhatsApp to hijack a phone. This might make me naive, but isn’t that what you are for, Mr Krebs? 🙂

    Thanks for everything you do!

  2. Nice Apple. First!

  3. The Sunshine State

    Steve Jobs is spinning in his grave over this!

  4. The furor over this struck me as silly. The device is checking its own location and then making a decision, without sending information to anyone or anything else, for the purposes of remaining compliant with regulations around RF emissions. It’s not a privacy concern under even the wildest imaginary scenario.

    • I get your point. But if I tell my phone *DON’T CHECK LOCATION* and it still checks location, I’m not happy. Saying “Sure, we’re ignoring your request, but we promise it’s only for unimportant stuff” doesn’t really help. Even if those assurances are accurate, the fact remains that Apple ignored my request. And that fact renders their assurances less reliable as well.

      Even if they’re telling the truth, “We’re getting location data but not doing anything bad with it” is less reliable than “We’re not getting location data.” Does it get logged/stored somewhere? What processes have access to those logs? Could an attacker get access to the data? Etc.

      Here’s a so-so analogy: I’m in business with a partner. We agree to leave money in an insured bank account. Later I find out my partner pulled the money out without telling me. They claim they had a good reason for doing so, and the money is still available, it’s just in a safe at their home. Do I trust them? Even if I do, is our money as safe?

      • Kenny Blankenship

        I don’t think I could have summed it up better myself. In my opinion, the most concerning thing was how Apple deflected the concern. “Psh… we’re not doing anything with it.” Then why is it on in the first place? The same can be said when someone gets caught red-handed stealing a pack of gum in a store. It’s always the same excuse.

        Clerk: “Whatchya got in your pocket?”
        Thief: “I… I was planning on paying for it!”

    • You sound like you’ve read the code. Have you read the code? Distrust is a survival instinct.

    • The furor was because Apple initially dismissed this as operating by design, while saying at the same time that some location settings didn’t have a toggle in iOS. Which of course raised a bunch of other questions. As I noted earlier, it’s not my intention to cause concern where none should exist, but Apple did itself and its customers no favors by waiting several weeks to respond to a legitimate inquiry and then dismissing it as nothing without explaining why. It corrected its response a little more than a day later, but by that time the story had been picked up in just about every tech outlet there is.

      We didn’t know it wasn’t sending the information out until Apple issued its follow-up non-dismissal, saying it would address the shortcoming in a future update.

  5. So will this new iOS roll out to every device even if it’s not an 11 and (presumably) doesn’t use UWB?

  6. This recalls the removal of the Bluetooth symbol from the iPhone/iPad status bar, so that users would not notice it had been left on, collecting and sending beacon information.

    Similarly, turning “off” Wi-Fi or Bluetooth from the iOS control panel no longer has an effect on the transmission of Wi-Fi or Bluetooth signals and signal-based location data. Users have to go into the main settings to do this.

    Apple lies about its collection, retention, and privacy of location data. It’s lied since the very first iPhone and they continue to be caught.

    Just this week, Reuters revealed that Apple has deliberately left unencrypted all cloud data, so that Apple could easily share user data with corrupt governments worldwide.

    Whether UWB is switched on or off, users are fooling themselves if they believe Apple’s claims about respecting privacy. They’re just as evil as the other companies making portable tracking technology.

    And their excuse that UWB is for transferring files easily is bull. No one I’ve ever met or worked with has ever had a file on their phone and said “let me transfer that to you with our stupid phones.” Yeah, no… email it to me so I can run it through antivirus, don’t send your malware-laden crap directly to my phone.

    That’s how people end up getting dirty pictures Airdropped on the train.

    • Is Apple the best we can hope for, or are there viable options in the Librem 5 or other Linux-based phones?

      I’m OK with reduced performance, equal price, and no key-escrow.

      I support law enforcement in almost every way, until the Attorney General and government move too close to tyranny.

      Cincinnati was named after George Washington and the Roman general Lucius Quinctius Cincinnatus.

      Nero and Caligula are less desirable Romans. We need to avoid tyranny more than crime.

      I tried to read the Gulag Archipelago.

      • Recently, the New York Times obtained a set of location data and used it to show that people’s routine movements through the city were so unique as to make it possible to identify them.

        As a fictitious example, there’s only a handful of people who follow a famous movie executive back and forth to NYC court, then back to his lawyers’ offices, then to a separate home, etc. It would be easy to deduce that location data belonged to his bodyguard, for example.

        My point being, because humans follow routines, as NYT reporting showed, you’ll always be easily tracked if you use any mobile device that connects to cell phone towers or any other signal transmitter. And even if you never used your name to register ownership of a particular phone, it can be deduced which one belongs to you.

        Getting a different phone won’t really help. If the phone can make and receive calls, you can be tracked.

        Krebs has also reported about how location data is sold and used by mobile carriers, bounty hunters, police, and crooks, almost entirely without legal authority or explicit permission.

        Here’s the NYT article summary:

        https://www.nytimes.com/interactive/2019/12/19/opinion/nyt-cellphone-tracking-investigation.html

        –comment may be duplicated, because I’m not sure if I already clicked submit

  7. Interesting. The only part I don’t get, is the location tracking. All phones use location tracking to reserve space on cell towers. Otherwise, an incoming call has to query all towers to locate you. Worldwide. Then transfer the call appropriately to the local tower before the usual tenth ring fallout. Location tracking does that. Otherwise, the message may not reach you. Right now, that puts you within 3 miles of a tower. The new 5G will place you within several hundred feet. As retired military, I can see why phones were taken, from the latest bunch of tourists overseas. But, I don’t understand, the not taking of the sports watches, that use NFC to communicate. After all, they have sari, and goo, and maps. Or location services.

  8. tired_of_new_phones

    Oh dear lord… what new hell will this do to all the older iPhoney’s?…

  9. This is not silly. Suppose you are an investigative reporter, human rights activist, or subject to harassment. Someone else may not know, but your phone knows and can easily be made to keep a record.

    Also the device must send some kind of id to the UWB tower it is pinging. What is to stop it from keeping a record?

  10. I will update when version 13.99.99 hits, but I might take a chance spring for 13.99.98 beta.

  11. The content of this posted blog is very relevant and informative.

  12. It’s not don’t use apple/Android/windows/Linux phones. But be aware of what they record. And every now and then shut the bloody thing off. But some can and do listen in the background. Not everything shuts off entirely. And some are really in a sleep mode when “off”. But, there is one part you can do. Get laws changed, right now this data can be monetized. Make our data illegal. And punish those companies that disobey the rules. The same with countries apply the same rules. Do not spy on the citizen, public, or competitor. Enforce it. But, imagine, the loss of that revenue stream. How many jobs would really disappear.

  13. just went to 13.1, this setting is disabled by default.
