Robocalls and spam texts deliver fake news silently, at scale, but won’t stop anytime soon

… unless carriers like AT&T open up to researchers and improve their networks. While the FCC is applying pressure in this regard, any decent solution is likely years away, and may be hamstrung by net neutrality-esque message discrimination concerns. Nonetheless, fake robocalls and texts are a crisis.

Borrowing from my last post:

Right now, any robocall hacker in the world can instantly take over your phone’s screen, knocking you out of your mobile gaming experience, disrupting you as you check out at the store, or breaking your concentration as you try and type out an email.

Several billion fake calls (and texts) are received each month in the US. Reports show this is a global problem, with Brazilians averaging 37 spam calls per month.

And to quickly recap recent disinformation campaigns in the US:

Fake news dominated the US during the 2016 presidential election. Facebook’s top 20 fake news stories in the final three months of the election got more views and engagement than the top 20 stories from real outlets.

Such efforts are organized and widespread, from individuals looking to profit to state-run facilities full of hundreds of specialists, there solely to create discord by sharing lies. One known as the Internet Research Agency was very prolific. A primary goal has been to discourage voter turnout.

Carriers have not been under pressure like social media companies have been

The onus to tackle fake news has largely been placed on social media platforms, because that’s where there was massive evidence of it happening. The efficacy of these post-election efforts varies by platform, with Twitter doing a poorer job than Facebook in taking action on fake posts, for example.

But social networks like Facebook, Twitter, and YouTube are public forums with authenticated users, unlike WhatsApp, old-school text messages, and phone calls, which we can call dark networks.

Dark networks are impossible to scrutinize at face value, because information is shared privately. In India, where WhatsApp is massively popular, outsiders can only grasp the problem’s size by observing society-scale symptoms.

Robocalls and texts: spoofable and targetable

Calls and texts are the most dangerous communication medium as far as election interference is concerned because they allow spoofable and targetable communications. Any hacker in the world can (trivially) pretend to be calling or texting from someone else’s number.

Why are calls and texts the most dangerous?

–   They leave no public trace of the communication ever happening (unlike Facebook or even WhatsApp). Carriers have this info but don’t share.

–   They don’t rely on viral sharing to reach the end user.

–   They have a 100% chance of annoying the recipient (great for pissing off potential voters).

–   Because they are spoofable, they trick the recipient into blaming a specific party.

–   The protocol is, in its current carrier-level implementations, incapable of permanently banning bad actors from repeat offenses.

–   By volume, they are among the most widespread forms of fake communication.

Regarding texts: unlike robocalls, which Google has been addressing with its Call Screen feature, texts do not have an obvious way of gatekeeping/filtering robotexts. Clever AI can’t solve this issue.

Regarding texts: unlike robocalls (which most people don’t answer), texts will almost always show up on a lock screen, delivering the message. Blocking specific numbers doesn’t help because the protocol is so broken the robotexters can use any number.

A true story from personal experience: I donated $5 to a political candidate before the midterms. I then proceeded in the days leading up to the election to receive dozens of SMS messages from the campaign, even after telling them to stop.

It’s probably the campaign’s fault for over-messaging me, but on the other hand, it may have been state-level actors armed with numbers from a hacked database. Who can say? Clearly voter rolls and donor offices are hacked often by nation-states. In any case, I didn’t donate again to the candidate.

With voice-mimicking AI basically here, allowing convincing conversations in real time, we must, as a country and an industry, get ahead of this and demand carriers upgrade their networks to disallow spoofable communications.

In 2019, Apple needs to change iPhone’s call UI because robocalls are killing us

Right now, any robocall hacker in the world can instantly take over your phone’s screen, knocking you out of your mobile gaming experience, disrupting you as you check out at the store, or breaking your concentration as you try and type out an email.

And disrupt they do, at a massive scale. Several billion fake calls are received each month in the US. Reports show this is a global problem, with Brazilians averaging 37 spam calls per month. Actually, I’m getting a robocall as I type this very sentence, my second today.

At the telephony-infrastructure level, it’s a supremely difficult problem that lacks a short-term fix because the underlying protocol is hopelessly insecure.

But from a user-experience perspective, there’s a simple way to make things more manageable. Apple should let incoming calls show up as a banner notification, not a full screen alert.

What was magical in 2007 has become a major annoyance

It’s absolutely bonkers that millions of smartphone users get their full screen taken over by robocallers on a daily basis. Tapping Decline is not a great option because it actually tells the robocaller that you’re with your phone and are annoyed by the call, information I’d rather not give.

The jailbreak community for iOS saw this need years ago, and an app called CallReply tweaked the phone UI to let incoming calls appear as banner notifications.

When will Apple follow suit?

One commenter on Hacker News pointed out: “This annoyance is three-fold when a call from your iPhone also takes over your iPad screen and rings on your MacBook.”[1] Fair point!

Another exclaims that there’s a lack of call-filtering options available in iOS. I completely agree, as blocking individual numbers is totally ineffective in blocking robocall spam. “I would love to be able to block all numbers coming from my area code and the first 3 digits of my number.. all my robo calls come from a number that looks just like mine.” [2]
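The rule that commenter asks for, next to the per-number blocklist it would replace, as an added example (not code from the original post, from iOS or from any carrier). The function names, the contact allowlist and the 555-01xx sample numbers are assumptions made for illustration.

```python
import re

def nanp_digits(number):
    """Normalize a US/Canada number to 10 digits; None if it does not parse."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]                      # drop the +1 country code
    return digits if len(digits) == 10 else None

def classify_call(caller_id, own_number, contacts=(), blocked=(), prefix_rule=True):
    """Hypothetical filter: 'allow', 'block-exact', 'block-prefix' or 'unknown'."""
    caller = nanp_digits(caller_id)
    own = nanp_digits(own_number)
    if caller is None:
        return "unknown"                         # withheld or malformed caller ID
    # The allowlist wins. Caller ID is unauthenticated, so a call that
    # presents a contact's number still passes this check.
    if caller in {nanp_digits(c) for c in contacts}:
        return "allow"
    if caller in {nanp_digits(b) for b in blocked}:
        return "block-exact"
    # "Neighbor" rule: same area code plus the same next three digits as mine.
    if prefix_rule and own and caller[:6] == own[:6]:
        return "block-prefix"
    return "allow"

if __name__ == "__main__":
    own = "+1 (512) 555-0142"                    # constructed sample numbers
    yesterday = ["512-555-0177"]                 # number blocked by hand earlier
    for cid in ["512-555-0177", "512-555-0199", "206-555-0123"]:
        print(cid,
              classify_call(cid, own, blocked=yesterday, prefix_rule=False),
              classify_call(cid, own, blocked=yesterday))
```

With only the per-number list, the second call (a fresh number in the same prefix) is allowed; the prefix rule is what catches it.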

Another points out that the carriers could be taking some steps to limit robocalls, but may be dragging their feet because it’s (arguably) in their commercial interests to let it flourish. While I agree there’s a lot more the carriers could be doing to flag “inauthentic” behavior of network participants, the root cause of SS7’s lack of authentication and encryption will remain. But yes, carriers are definitely on the hook for making things better too. [3]

Yet another commenter remarks about how Google has dealt with this issue: “Fwiw, Android actually does do this. When the phone is unlocked, calls show up as a banner. In addition, they added that new call screening option, I’ve been using it and so far it has worked fairly well. Also, there is some built-in call filtering and third party apps as well, though I have mostly been able to rely on the built-in filtering. Does iOS really not have any options for filtering? I swear last time I had an iPhone (running iOS9) there was Something… but then again, I was jailbroken. It’s a bit funny that we got full web browsers on phones before proper call filtering. (Disclaimer: I work for Google but not on phones.)” [4]

Could you disable your admin password? A stressful opsec story from an Apple Store

Tl;dr: Apparently Apple Geniuses ask customers who are dropping off their Mac for repair (where the device can’t be repaired in-store) to turn off their admin password under some circumstances (even when better options exist). 😲 Be ready, because I wasn’t.

Millions of people walk through Apple Stores, and I think Geniuses asking people to turn off their Mac admin password is an unnecessary degradation of customers’ security.

About two weeks ago, I found out about an Apple screen recall program that covered my (otherwise out-of-warranty) MacBook Pro.

I was ecstatic! I’d previously looked into paying out of pocket for a screen replacement, and the total would have been $$$ and out of my price range, but this would be free! I made a Genius Bar appointment immediately and headed straight to the closest Apple Store.

Apple visit #1:

After a quick inspection my Genius rep said my MacBook Pro was covered under the program. Then he proceeded to ask some questions: Had I backed up my computer? And, most notably for this story, he asked:

Genius: Do you have FileVault turned on?

FileVault is a disk encryption program in Mac OS X 10.3 and later. It performs on-the-fly encryption with volumes on Mac computers.

Yes, I said. It was reassuring to me that he even asked this question. I told him I’d need to wait until the following week to turn over the Mac because it was needed for work.

He said I could drop it off any day before Tuesday, and then it would be shipped to a repair facility in Houston. The turn-around time would be a few days.  … Great!

Apple visit #2

Fast forward to Tuesday…

Off from work and with a few other errands to make that evening, I called the Apple Store and asked when the repair pickup from the store would be made (where the devices are taken off to the repair center), so my device could be checked in before the next outgoing batch. The rep said that the delivery people hadn’t made their pickup yet, but they would probably be by very soon. I prioritized making it straight over there.

After checking my photo ID and looking at my computer’s lock screen, the first thing the Genius asks me is:

Could you disable the computer’s administrator password?

Me: Huh? What do you mean?

Genius: Could you turn off the password on the device?

Me: Are there other options?

Genius: Well, if they need to access your computer and the password is enabled, they’ll re-image your hard drive and reinstall the OS. Did you make a backup?

Turning off your computer’s password (disabling the lock screen) before handing it over is an insane proposition: you are essentially giving any handler of that device carte blanche access to its data. Bad things have happened to unattended devices in the repair industry; computer access should be as limited as possible.

Flustered, and not excited about the prospects of having to restore my computer’s state from a single spinning external drive, I slowly made my way to System Preferences > Users. I stalled as some questions raced through my head:

–   Why had the Genius from my last visit asked if I used FileVault, if I was now being asked to remove my password?

–   Wasn’t Apple all about privacy? This didn’t seem in line with that.

–   Was this even necessary for a screen replacement? Could this not be handled by some BIOS interface that didn’t need an admin password?

[Update: via feedback on Twitter: screen replacements don’t require an admin password, so this ask was completely uncalled for].

–   Why had the Genius on my last visit not notified me about this “needing to unlock the computer” thing? My preparations for the visit would have been entirely different, instead he asked about disk encryption…

The Genius seemed as rushed as I was (still trying to get my computer in the store’s outbox before the delivery people showed up).

Then, this happened:

Genius: What’s your administrator password?

I was shocked.

Why had he not started with this question?

Many normal customers would have, by this point in the story, already disabled their Mac’s administrator password.

Giving Apple your password (while still a reason for concern), where it’s stored in their customer-management platform, is a MUCH BETTER OPTION THAN REMOVING IT — and should completely NEGATE the “need” to disable the computer’s password under all circumstances.

See, if you remove your Mac’s password, anyone that handles your machine can do whatever they want with it, including the delivery people, anyone in the room with the device at the Apple Store, unrelated or miscellaneous workers at the repair center, etc. And when they mess with the device, there would be no trail of them having done so. That’s very scary.

However, if you give a Genius the password, only a handful of people who have access to Apple’s backend can have their way with your machine, and there will (presumably) be a log of them accessing your password. This is also somewhat scary but a bit more reasonable.

And again, the reason this is a big deal is because many normal customers would have, at this point in the story, already disabled their Mac’s admin password.  This is not OK, because it represents a completely unnecessary degradation of customers’ security.

My guess is that Apple’s retail operation has seen that asking for a customer’s password is met with more resistance than asking to merely disable it. But that doesn’t matter; turning it off outright is clearly the worse option.

There’s a history of bad things happening to unprotected/unattended devices in the repair industry; see https://www.techmeme.com/search/query?q=geek+squad&wm=false. This is a point in a computer’s lifecycle, more so than any other perhaps, where device security and auditable handling are necessary.

Stressed and still wanting to turn my computer over before the pickup, I gave the Genius my password and then furiously began logging out of apps, like OneNote, Chrome, etc. I thought about unlinking Dropbox, but what was the point? The data would have still been there. Resigned, I gave it to the Genius.

When I got the device back several days later, I couldn’t have been happier from a hardware perspective — the MBPro looked brand new.

But I was dismayed (though not surprised) to learn that, despite logging out of Chrome, the browser did not clear its “Managed Passwords” from its on-device storage. Whatever, it didn’t really matter: if an Apple repair tech wanted to be nefarious with my password, it was hopeless anyway, as Keychain Access would have been his/hers too.

I guess the main takeaways from the experience are the following:

Geniuses and Apple Support Advisors should…

1 – … warn customers ahead of time that handing over their passwords is something that may happen.

2 – … stop telling people to disable administrator passwords altogether (because a better option exists).

3 – … know if the admin password is truly necessary for a given repair.

[Update: via feedback on Twitter: screen replacements don’t require an admin password, so this ask was completely uncalled for, which makes #3 even more pressing. Don’t ask your customers to downgrade security unnecessarily].

Further reflections:

When I called before my 2nd visit to the Apple Store, the rep volunteered (unsolicited) the name of the firm that was to take the devices from the store to the repair center. That implies the devices were not in Apple’s custody the entire time, another reason disabling the password is a ridiculous ask.

More thoughts following reader feedback:

In comments on this article and on Twitter, I’ve received pretty thoughtful suggestions on how I should have prepared my Mac. Thanks, and this could have definitely been (somewhat) mitigated if I’d had more foresight. One of the main thrusts of the article, though, was that on my first visit, the Genius asked if I had FileVault turned on, which led me to believe that my disk could remain encrypted while being repaired. That is partly why I was blindsided by the second visit (I’m also just stupid, as one redditor pointed out 😛 ).

My second observation is the sheer variety of requests from Apple Geniuses: from people with screen repairs saying they weren’t asked for passwords, to two accounts of keyboard repair (one where the customer was asked to disable FileVault (?), another where the customer was asked for “an admin” password, which he didn’t give and which proved to not be necessary for the repair), to my experience, where the opening question was to disable the admin (lock screen) password. There just seems to be inconsistency across the board.