
Security Friday: AirPlay Could Get You Hacked, The Problem With Passphrases, and more…

Hi Readers, Cullen here. We had some serious and pretty interesting AirPlay bugs revealed this week; scroll down to check out what it means for you, because there are steps you can take to protect yourself.
This Newsletter Is Brought to You By:
IN THIS NEWSLETTER

  • Your Security Checklist
  • Test Your Security Skills
  • Your Weekly Security Update
  • This Should Be on Your Radar
  • Security Fail of the Week
  • Security Updates from Apple
 
Your Security Checklist

If you take nothing else from this newsletter, do these three things to protect yourself:

  1. Use a password manager. Password managers save your passwords for you, allowing you to generate strong passwords that you don't have to worry about memorizing.
  2. Secure your accounts with two-factor authentication. Two-factor authentication requires a second verification step, so someone who has obtained your password still cannot get into your account with the password alone. Here's how to set it up for your Facebook account.
  3. Use Face ID on your iPhone. You likely already have this enabled, but in case you don't, enabling Face ID gives you a secure way to unlock your device without having to enter your passcode.

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

 
Test Your Security Skills

What should you do in the following scenario?

When creating a new password, which is the best option?

  1. A random string of gibberish
  2. Something clever that only you would ever know
  3. Three words that are easy to remember, connected by symbols
  4. Three words that are completely random, connected by symbols

Scroll to the bottom to see how you did!

Spring Sale: Save 77% on NordVPN

You wouldn't leave your front door unlocked, right? Your online data is just as crucial and just as vulnerable as your physical possessions. NordVPN is here to help keep your browsing private and your data safe. Sign up today and get 77% off in their spring sale.

 
Massive Vulnerabilities in Apple AirPlay Will Haunt Us for Years

A series of bugs in Apple's AirPlay feature could permit a hacker to implant malicious software on a vulnerable device by connecting over AirPlay. AirPlay is short-range, roughly the same as Bluetooth, so the attacker would need to be in close proximity to the first device they infect. However, the vulnerabilities are bad enough that the malicious software could exploit them automatically, without human interaction. That means that one infected device could be used to infect other vulnerable devices just by being near them or on the same network. An attacker could, for example, infect a vulnerable iPhone at a public cafe, then wait for that iPhone to go to an office and connect to its network, and then "jump" from the iPhone to infect other devices on the network.

Any AirPlay-enabled device is potentially vulnerable to at least some of the bugs, including iPhones, Macs, iPads, Apple TVs, HomePods, and non-Apple devices like smart TVs, conference call audio systems, or car stereo systems that use AirPlay. This puts the number of potentially vulnerable devices in the billions, though infection strategies may vary widely depending on which bugs apply. The bugs were found by researchers at Oligo Security, and their article on the bugs outlines a diverse sample of practical attack scenarios.

The bugs have all been patched in the most recent series of Apple operating system updates, so an up-to-date iPhone is safe. On top of that, the bugs often depend on user settings being left in vulnerable conditions. For example, some require that a device be set to work as an AirPlay receiver in the "everyone" mode that allows anyone on the same network to connect. That said, many third-party devices, such as smart TVs or CarPlay automobile stereo systems, may not receive updates to patch these bugs for months, years, or maybe ever.

The Bottom Line: Update your iOS devices to the latest operating system version. On your Mac computer, visit System Settings > General > AirPlay & Handoff, and then either toggle off AirPlay Receiver or set Allow AirPlay for to Current User. If you use AirPlay-enabled smart devices like speakers or CarPlay, check to see if those devices can be updated with fixes.

 
This Should Be on Your Radar

Can Passphrases Be Guessed? Yes, but Only If You Use Common Words

Some researchers examined the effectiveness of passphrases as a replacement for passwords. A passphrase, which consists of three to five randomly selected words connected by symbols, is generally considered to be much more secure than a password because it is easier for humans to remember, and its extra length makes it harder for computers to guess. The English language contains roughly a million words (though nobody knows the exact number), so if you randomly select three of them, it is extremely unlikely that an attacker will correctly guess which three you selected. The problem is that, in day-to-day English, people only use at most a few thousand words. The researchers found that a large number of users were generating passphrases using only the most common day-to-day words; by limiting guesses to combinations of those common words, an attacker could easily defeat such passphrases.

The Bottom Line: Passphrases are still better than passwords, but only if you use genuinely random words in the passphrase and avoid using extremely common words. A good passphrase generator, such as the one built into your password manager, should know to do these things already, but it's worth bearing in mind and double-checking when generating passphrases.

Apps Can Charge You without Using the App Store, Rules Judge

A judge has ruled that Apple cannot prevent app developers from directing users to make payments outside of the App Store, and it cannot collect commissions from those purchases. Previously, Apple would collect up to 30 percent on in-app purchases, even if the payment was made outside the App Store's payment processor. This led to many apps adding a 30 percent upcharge to all in-app purchases in order to account for Apple's commission. Now, this ruling should mean that those apps can drop that upcharge, so we should start seeing lower in-app purchase prices. Apple has appealed the ruling.

The Bottom Line: At a glance, this ruling should be a win for both consumers and app developers, assuming the prices of in-app purchases come down to account for this ruling. However, it's important to pay attention to when apps direct you to make a payment outside the App Store. Only make payments to developers you're sure you can trust, and verify the amount being charged matches the amount shown in the app.

Stop Spam at the Source

The reason you get so many spam calls, emails, and texts is that your name is being bought and sold by data brokers every single day. Incogni gets you off these lists, reclaiming your privacy and stopping spam right at the source. Spammers can't bother who they can't find.

Three UK Retailers Hacked in One Week

Harrods, Marks & Spencer, and Co-op are all huge retail chains in the UK, and they also have in common that they've had dire cybersecurity incidents in the past week. All three were hit with ransomware, and while no formal attribution links the three incidents, at least one was likely the work of the Scattered Spider network known for the 2023 MGM and Caesars casinos hacks. More reporting in Tech Radar.

The Bottom Line: We don't know the details of how these attacks all happened. However, Scattered Spider typically uses SMS phishing to gain access to employee networks, then deploys ransomware. You can protect yourself from SMS phishing by verifying the sender with follow-up phone calls and video calls, by avoiding SMS-based multi-factor authentication, and by practicing great skepticism toward any urgent effort to convince you to install an app.

Alleged Scattered Spider Member Extradited to US for Trial

The Scattered Spider group is a loose network of chat groups on the Discord app where members trade hacking tips along with memes and sometimes coordinate ransomware attacks. They're known for SMS phishing campaigns targeting employees to get access to company devices and deploy ransomware. The ransom is paid in crypto. One alleged member of this criminal network was caught in Spain and will be extradited to the US. Krebs On Security has the full story.

Secret Research on Redditors Used AI to Try to Change Opinions With Debate

Differentiating between AI and human users online is becoming more and more difficult. 404media is reporting that researchers at the University of Zurich conducted an experiment using AI bots to debate with users on Reddit. The researchers infiltrated the subreddit /r/ChangeMyView, a community where users post their opinions on specific topics, and other users can comment with the goal of changing the original poster's mind. The researchers fed their AI bots the post and comment history of the users the bots were replying to in order to find out personal details and make the bots more convincing.

Reddit is now considering legal action against the researchers for conducting what it calls unethical experiments using the subreddit, in which the bots impersonated sexual assault survivors, trauma counselors, and people of color. While the accounts used by the AI bots have been banned, Reddit believes the researchers violated Reddit's user agreement and the /r/ChangeMyView subreddit rules.

The Bottom Line: As we've stated before, video calls are the best way to verify someone is a real human. Of course, that's not really possible in text-only communities like Reddit or Facebook. The best advice we can give is to select online communities with active moderators, restricted membership, and strong enforcement of rules against impersonation and bots. Those features may help weed out fake personas. But for the moment, genAI makes that task extremely difficult.

 
Security Fail of the Week

It Turns Out, the Signalgate Officials Weren't Using Signal

The app that senior Trump administration officials have been using, and to which they accidentally invited a reporter, was not the Signal app, but a customized variation of the Signal app. The variation, created by a contractor named TeleMessage, was designed to add one function to the existing Signal app: the ability to archive every message on a server. Since it came out that this variant of Signal is what the White House staff was using, it was immediately hacked by multiple hackers. The hackers were able to extract archives of user messages, though it is not clear yet if the stolen data includes White House communications. After multiple security fails in just a few days, the TeleMessage company has taken its apps off the stores and suspended its operations.

The Bottom Line: A practical lesson we can take away from this is that secure messaging can be locked down completely while in transit, but still compromised by hackers breaching the backup archives of past messages. As an example of this principle, your iMessage messages are encrypted end-to-end, so nobody but you and the recipient can read them. That's good! But when you perform a device backup to iCloud using iCloud Backup, it contains an archive of your iMessage chat history, including all those messages, and the iCloud backup is not encrypted end-to-end, so it could be accessed by Apple employees (unless you use Advanced Data Protection for iCloud). In the same way, this Signal variation was encrypted end-to-end using Signal's networks, but created a less secure backup that hackers were able to access. This is why the Signal app doesn't archive user messages.

Protect All Your Devices with 80% Off

Don't leave your devices exposed to threats. Get real-time protection against malware, hackers, and spyware with an Award-Winning antivirus. Fully compatible with Windows, Mac, Android, and iOS. Take control of your security and enjoy peace of mind - get 80% off here.

 
Security Updates from Apple

Everything you need to know about Apple's latest software updates.

  • The most recent iOS and iPadOS is 18.4.1
  • The most recent macOS is 15.4.1
  • The most recent tvOS is 18.4.1
  • The most recent watchOS is 11.4
  • The most recent visionOS is 2.4.1
 
Security Skills Answer

The correct answer is D: Three words that are completely random, connected by symbols.

There are roughly a million words in English, so picking three of them randomly will make guessing which three you picked virtually impossible. However, if they are not selected randomly, then the number of possible combinations drops. Using semantically related words, or phrases with a clear meaning, makes guessing which three words you picked almost easy for a computer. Randomness is your defense. Fortunately, most human brains are pretty good at making up connections between randomly selected words, so even very random ones can be made easy to remember by telling yourself a story about them.
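The contrast drawn above, and in the passphrase item under This Should Be on Your Radar, can be put into numbers. The following Python is an added example and is not code from the newsletter or from the study it describes. It takes the newsletter's rough figures of a million English words and a few thousand everyday words as assumptions, computes how many bits of guessing work three words from each pool represent and how long an offline attacker would need to try them all, flags a passphrase built only from everyday words (the weakness the researchers found), and generates a passphrase with the operating system's cryptographic random source from a pool with those everyday words removed. The word lists are tiny constructed placeholders so the script runs offline; a real generator would use a curated list of thousands of words.

```python
import math
import re
import secrets

# Assumed figures from the newsletter; real dictionary sizes vary.
ENGLISH_WORDS = 1_000_000    # "roughly a million words"
EVERYDAY_WORDS = 3_000       # "at most a few thousand" words in daily use

# Constructed placeholder word lists so the example runs offline.
COMMON_WORDS = {"house", "water", "happy", "green", "phone", "table", "light", "money"}
RANDOM_POOL = ["quasar", "gherkin", "mastiff", "pewter", "zither",
               "abacus", "trellis", "orbital", "sonnet", "fjord", "house"]


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Bits of entropy in word_count words drawn uniformly (with replacement)
    from a dictionary of dictionary_size words: word_count * log2(size)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every combination at a given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def split_words(passphrase: str) -> list[str]:
    """Split on the connecting symbols and digits, keeping only the words."""
    return [w.lower() for w in re.split(r"[^A-Za-z]+", passphrase) if w]


def uses_only_common_words(passphrase: str, common_words: set[str]) -> bool:
    """True when every word is an everyday word, so an attacker could restrict
    guesses to combinations of that small list."""
    words = split_words(passphrase)
    return bool(words) and all(w in common_words for w in words)


def generate_passphrase(pool: list[str], common_words: set[str],
                        word_count: int = 4, sep: str = "-") -> str:
    """Choose words with the CSPRNG from the pool minus the everyday words.
    Sampling with replacement keeps the entropy formula above exact."""
    candidates = [w for w in pool if w not in common_words]
    if len(candidates) < 2:
        raise ValueError("word pool too small after removing common words")
    return sep.join(secrets.choice(candidates) for _ in range(word_count))


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate: ten billion per second
    for size, label in ((ENGLISH_WORDS, "full dictionary"),
                        (EVERYDAY_WORDS, "everyday vocabulary")):
        bits = passphrase_entropy_bits(size, 3)
        print(f"3 words from {label} ({size:,} words): {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.2e} years to exhaust")
    print("happy-green-house uses only common words:",
          uses_only_common_words("happy-green-house", COMMON_WORDS))
    print("generated:", generate_passphrase(RANDOM_POOL, COMMON_WORDS))
```

Three words from the million-word pool come to roughly 60 bits, which at ten billion guesses per second takes on the order of years to exhaust; three words from a three-thousand-word everyday vocabulary come to about 35 bits, which the same attacker finishes in seconds. The separator symbols add nothing to the count here because an attacker who knows the pattern simply tries them.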

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Sarah Kingsbury.

 
Next Steps

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

Interested in the best ways to keep your iPhone secure? Check out:

 
Premium Content

If you enjoyed this newsletter, you'll love all the security content available on iPhone Life Insider!

This premium subscription includes:

  • The complete iPhone Life Privacy & Security Course for Apple Enthusiasts and other free online courses taught by expert instructors
  • In-depth guides on everything from security to iPhone photography to other Apple devices
  • Daily, bite-sized video tips on topics ranging from iCloud security to password management
  • A digital subscription to iPhone Life Magazine, where you'll find articles covering the best security gear, apps, and in-depth how-tos
  • The monthly premium iPhone Life Security Newsletter covering everything you need to know to keep your digital life secure
  • Access to the ad-free version of the iPhone Life Podcast and exclusive bonus content
  • Expert help with all your most pressing Apple Watch questions in our private Ask an Expert Facebook Group

Join the Insider community today and save 30 percent!

 
Copyright © 2025 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.
Mango Life Media LLC | 402 North B Street | Fairfield, IA 52556
