58 points by jjguy 4 days ago | 12 comments
  • dml2135 4 days ago
    Don’t you need to be signed in to the same iCloud account on both your laptop and phone to use this feature? That would mean that in order to encounter this issue you already need to be using a work account on a personal device, or vice versa.

    Since that's the case, I fail to see how this is a large vulnerability. The article doesn't seem to address this point (possibly I just missed it).

    • zippergz 4 days ago
      A shocking number of people log in to their personal Apple IDs (and email accounts and banks and etc. etc. etc.) on their work computer. I personally do not, but lots of people do.
      • elliotec 4 days ago
        I’d say generally for most people, at least anecdotally, their work laptop is their only laptop because they’re expensive and have good specs. Especially for Apple products (which is the majority of the share of hardware in this anecdote), it’s natural to want and expect the continuity between devices.

        Employers usually allow this or don’t explicitly forbid it, and most employees aren’t exactly security conscious or willing to sacrifice convenience. So it’s not that shocking to me, but it is weird that there isn’t more education or rules around it.

        • RDaneel0livaw 4 days ago
          This is true for me. I have a personal desktop, but for mobility (laptop) my work-issued MacBook M1 Pro is the only thing I have. There's no reason at all to purchase a personal laptop since my company is fully remote and they purchased the laptop from Apple and had it directly sent to me, and have never required me to install any kind of monitoring software or control software on it at all.
          • EricE 4 days ago
            Good luck when your laptop gets scooped up in discovery/litigation. After having been through lawsuits at work there is ZERO chance of me ever putting anything personal on work equipment.
            • oyashirochama 3 days ago
              Duplication and backups are a requirement of life IMO.
          • emptiestplace 4 days ago
            "Directly from Apple" does not preclude monitoring and control, but it would've notified you on first boot if it were MDM enrolled.
            • Onavo 3 days ago
              Most tech companies (except some really big ones or those with compliance requirements) are quite flexible around this issue.
              • emptiestplace 3 days ago
                I would qualify that as "tech companies that don't know what they're doing wrt IT". Apple does have some features to allow a bit of flexibility, but unless you do all of your work via VDI or similar, I'd consider non-MDM devices to be a huge red flag.
                • Onavo 3 days ago
                  It's called trusting your employees, especially if they are engineers. Maybe that's why "nobody wants to work anymore".
                  • emptiestplace 3 days ago
                    MDM does not imply surveillance. I wouldn't use it if it did. It does mean I can enforce full disk encryption and remotely wipe a machine if it is stolen, though.
      • SoftTalker 4 days ago
        I'll use my work computer to check personal email and do other personal stuff from time to time. I use a separate browser profile that clears its cache and cookies when I'm done. I don't recommend it necessarily, but I don't have any endpoint monitoring on my machine so I feel reasonably OK doing it.
      • izacus 4 days ago
        People got really angry at IT not allowing them personal Apple ID logins in several large companies I've been at :/
      • delfinom 4 days ago
        IT in companies using Apple devices must be an absolutely miserable position.
        • mrweasel 3 days ago
          Depends on what you mean by "IT". If you're thinking like fleet management for thousands of desktops, then it's probably not a bunch of people having a good time. On the other hand, trying to do fleet management for Windows desktops isn't much fun either.
        • Aaronstotle 4 days ago
          I've worked IT for Mac-only shops my entire career. I wouldn't say any of it has been miserable.
        • s1mon 4 days ago
          Why, because there’s not as much work to do debugging installers and malware as there is with Windows?
          • hu3 4 days ago
            As a consultant, I work with Linux, macOS and Windows. Depends on the client and the project.

            I can't remember the last time I even heard about malware on someone else's Windows machine, let alone my Windows machine. I don't know what you mean by debugging installers.

            Sounds like an outdated opinion. Just like those "lol PHP bad" regurgitations and linking outdated articles about it.

            • consteval 4 days ago
              The sysadmins at my job frequently find malware artifacts on our servers, because we exclusively use Windows server. And the expectation is you RDP in to get stuff done, which means there's a big potential for human failure.

              Also most Windows software is just taken off the web and installed with administrator privileges. Sure, there are package managers. In practice, they're rarely used on Windows.

              From a technical standpoint, Windows isn't "that bad" at allowing malware. From a culture standpoint, almost nothing has changed since the 90s. Linux and Mac have a different culture.

              • hu3 3 days ago
                macOS used to have a decent security story until some QoL started requiring disabling SIP.

                They gutted the OS so much that users start disabling security features.

                And don't get me started on the atrocious window manager of macOS. It took a decade to improve it slightly, and it's still far behind some Linux DEs and Windows. I don't enjoy having to buy apps to fix macOS. There are some open source tools for some things, but for others it's cost-effective to just buy.

    • bilekas 4 days ago
      From here: https://support.apple.com/en-us/120421

      > If your Mac asks whether to require Mac login to access your iPhone, choose Ask Every Time or Authenticate Automatically. You can change this later in iPhone Mirroring settings on your Mac.

      Seems it's an app setting to have this protected or not?

      • mastercheif 4 days ago
        - iPhone Mirroring system requirements

        -- Your iPhone and Mac are signed in to the same Apple Account using two-factor authentication.

      • lxgr 4 days ago
        This setting is to establish a new mirroring session, but presumably that iOS app install metadata is collected at the very first connection and then cached on macOS.
        • bilekas 3 days ago
          This is a nice feature of the Apple ecosystem, to be fair, but I do think the issue is with connecting work and personal accounts/devices.
    • thomastjeffery 4 days ago
      It goes both ways.

      You must be signed in to the same iCloud account on a personal device and a work device in order to use a feature? Operational security isn't worth the hassle: most people will just do whatever it takes to do the thing. And when they are finished, it's not as if they are likely to sign back out on either device.

  • sigio 4 days ago
    Duh, don't mix work and private devices / data.
    • dhosek 4 days ago
      I was just discussing this with a friend. The one place where I’m willing to fudge things (corporate policies permitting) is putting my personal calendar on a work machine, work calendar on my personal systems, mostly because it makes dealing with the interface between the two simpler (plus then I get meetings showing up on my watch).
      • quesera 4 days ago
        Depending on your calendaring system(s), you can subscribe to your work calendar on your personal account, and vice versa. Although you should be careful about the latter!

        My life is simple enough that I just dupe the occasional MTWTF personal events as "reserved blocks" onto my work calendar, and maintain my off-hours and SS personal calendar separately.

        • eastbound 4 days ago
          You can share the free/busy information only.
    • accrual 4 days ago
      Right. I don't even let my work laptop onto my home LAN. It's hardwired into its own /30 VLAN and can only see the gateway and internet.
      • GavinGruesome 4 days ago
        So it is on your home LAN, just on a different VLAN than your infra. (which makes sense)
        • accrual 4 days ago
          Right, shares the same PHY/layer 1, but logically separated at layer 2. :)
      • Havoc 3 days ago
        Unless you believe your employer to be malicious, I doubt this brings any real-world benefit.
  • mustyoshi 4 days ago
    The PSA should just be don't mix your personal and work devices.
    • swah 4 days ago
      Not that easy. I use my personal device for work - and if I didn't I would wish I did, when travelling...
      • hansvm 4 days ago
        I always take both devices when I need both. The M3 is annoyingly heavy, and I have to treat it better than I do my personal device, but it's not a major hassle.
  • Havoc 3 days ago
    Two phones all the way. For most knowledge workers the cost of a mid-tier iPhone is inconsequential anyway.
  • deckar01 4 days ago
    There also seems to be a bug in the VPN that requires sending all traffic when the VPN address is on a different subnet. It should be possible to manually specify subnet mask, but it seems to be ignored. I’m not sure if the VPN is advertising this incorrectly, but it worked fine before upgrading.
  • dcchambers 4 days ago
    I miss out on a lot of nice macOS features because I refuse to sign into my personal iCloud account on my work Mac, even though we are allowed to do so.

    Oh well. Gotta draw the line somewhere I guess.

  • likeabatterycar 4 days ago
    So the threshold of concern by a "security" company is "they might audit your apps and find out you're gay!"

    Yet not a single concern about tethering an iPhone (with an external connection) to a PC on the company's internal network, bypassing all firewalls, proxies, and other protections. That is grounds for immediate dismissal at some places.

    I expect security people to think more like network engineers and less like teenagers gossiping in the canteen.

    • lxgr 4 days ago
      What do you mean by "tethering an iPhone to a PC"? iPhone Mirroring does not grant the iPhone any privileges to data on the Mac, as far as I know.

      Also, there are two orthogonal concerns at play here: Companies generally don't want personal devices (at least those not covered by MDM) to hold company data, but companies also might not want to inadvertently hold personal data of their employees.

    • unsnap_biceps 4 days ago
      This isn't about tethering. It's about mirroring, which requires the iPhone and Mac to be on the same Wi-Fi. And you can't route data from the Mac through the phone via mirroring.
      • lxgr 4 days ago
        I don't think iPhone Mirroring requires both devices being on the same (or in fact any) Wi-Fi network. It does however require them to be signed in to the same iCloud account.
        • unsnap_biceps 4 days ago
          Pairing requires Bluetooth, streaming requires Wi-Fi.

          https://support.apple.com/en-us/120421

          Under "iPhone Mirroring system requirements":

          > Your iPhone and Mac are signed in to the same Apple Account using two-factor authentication.

          > Your iPhone and Mac have Bluetooth and Wi-Fi turned on.

          > Your iPhone is not sharing its cellular connection (Personal Hotspot is not in use).

          > Your Mac is not sharing its internet connection or using AirPlay or Sidecar.

          • lxgr 3 days ago
            Wi-Fi needs to be turned on, but the connected network is irrelevant, similar to AirDrop.
            • illiac786 3 days ago
              Interesting that it works no matter the WiFi. But it’s still not tethering.

              Lots of people who are entitled to a corporate smartphone also have a single phone with two sims for work/personal, because of the same reasons: cheaper, more convenient, large data plans on corporate device. These devices are MDM enrolled and the company will at least check what apps are installed.

        • dml2135 4 days ago
          I've noticed this as well, but I'm actually not sure how the feature works if not over the LAN. Is it Bluetooth? Or synced over iCloud?
  • lxgr 4 days ago
    Speaking of iPhone Mirroring: Doesn't this effectively downgrade two-factor authentication to a single factor for flows like "tap 'yes' on your phone to login"?

    I've been wondering if there is a way for iOS authenticator apps to opt out of mirroring, but haven't found anything so far.

    • anderiv 4 days ago
      Don't think so. Push notification flows like this fall into the "something you have" category (which you still do when using mirroring), and additionally, when done properly, they require biometric verification to respond to the "tap yes".
  • seneca 4 days ago
    It's incredible to me how many people log into personal accounts on work devices. People should really research the amount of data security tools harvest.
    • SketchySeaBeast 4 days ago
      I sometimes see my coworkers with banking tabs open when they screen share. The level of trust is astounding.
      • rjrdi38dbbdb 4 days ago
        It certainly sounds foolish at first, but what's the real risk? Is your employer really going to transfer themselves your balance or snoop on your utility bills?

        Now if you loaded a crypto wallet on your work device, that would be another story..

        • SketchySeaBeast 4 days ago
          I know there are bad actors trying to get into my company's network. They are a high visibility target and have fallen victim to ransomware attacks before. Even if I trusted my employer, I don't trust what else may be lurking there.
      • gnu8 4 days ago
        You will probably find that your corporate TLS MitM proxy excludes financial institutions so that employees can do their banking without any doubt that their own company would respect the confidentiality of their finances. If not, your cybersecurity team needs some help.
        • flumpcakes 4 days ago
          Yes, when I was in charge of security at previous places we did not MITM a whole category of websites including banking, health, etc.
    • crazygringo 4 days ago
      If your employer isn't requiring you to log in with a personal account on a work device (and they're not), and your personal data doesn't have anything you'd mind your employer seeing, then why not?

      Because then there's no slippery slope and you're making a conscious choice. A lot of people lead really boring lives and just want the convenience of using their personal e-mail on the work device. Their employer knowing that the kids need to be picked up from soccer at 6 is a non-issue.

      Obviously, if you do have things it's important that your employer/police/government/etc. not know, then don't, a million times.

      But if you don't care, then let people make that choice.

      • quesera 4 days ago
        > Their employer knowing that the kids need to be picked up from soccer at 6 is a non-issue.

        That's great and fine, until anything non-trivial in your life happens. Illness, relationship drama, recruiter conversation, off-hand low-context remarks to/from friends...

        The corporate suckware hoovers up the data, and a) exposes you professionally to the company's whims of self-protection, and b) exposes the company legally to your personal imperfections.

        Don't cross the streams. It would be bad.

      • threetonesun 4 days ago
        Don't forget you don't own your work device and could lose access to it with zero notice. It's a personal pet peeve of mine that macOS has no way to install with a "forget everything about iCloud" option. I love it for my personal devices, but on a work device you quickly notice how it's got its little hooks all over the OS.
        • izacus 4 days ago
          There is an MDM option to disable iCloud, but I'm not sure if it's possible to toggle without enrolling macOS into a managed system.
      • dml2135 4 days ago
        One reason is that if your employer is sued your personal data/devices can get tied up in the discovery process.
        • barbazoo 4 days ago
          How often does that really happen, though? I've heard this argument so many times, but not really the real impact it has from a real incident.
      • hypeatei 4 days ago
        I worked with someone who uploaded private git repositories to his email before quitting. People are not very smart.

        It's best to completely remove that avenue / temptation anyway, IMO. You can handle personal stuff on your phone. Logging in on your work PC is asking for trouble.

      • tiahura 4 days ago
        HN readers seem to be very concerned about spies and perverts that might get caught because they naively used X tech.
    • dghlsakjg 4 days ago
      Where is a good place to start this research?

      We have CrowdStrike Falcon at work, and I would love to know what they are monitoring.

      • Etheryte 4 days ago
        It's been quite a few years since I did anything in this space, but back in the day you could get quite a lot of information simply by wrapping things in sandbox-exec [0] and progressively adding allow rules as the application inevitably blew up. It's a fair bit of manual effort, and I wouldn't be surprised if someone has written a wrapper around it that automatically figures it out, but last I checked this was the most reliable way to explicitly see what a rogue application does.

        [0] https://www.karltarvas.com/macos-app-sandboxing-via-sandbox-...

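The "progressively add allow rules until the app stops blowing up" loop Etheryte describes can be partly automated. The script below is an added example, not from the thread or from the linked article: it turns macOS Sandbox denial lines (format assumed from what Console.app shows, "Sandbox: proc(pid) deny(1) <operation> <target>") into SBPL allow rules and wraps them in a deny-default profile for sandbox-exec. The sample denials and the app path are constructed.

```shell
#!/bin/sh
# Added example: generate a sandbox-exec (SBPL) profile from observed denials.
# Assumed log line format: "Sandbox: agent(4242) deny(1) file-read-data /some/path"

# Constructed sample denials (not real captured output); note the duplicate.
SAMPLE_DENIALS='Sandbox: agent(4242) deny(1) file-read-data /Users/me/Library/Application Support/Foo
Sandbox: agent(4242) deny(1) file-write-create /private/tmp/foo.lock
Sandbox: agent(4242) deny(1) network-outbound /private/var/run/mDNSResponder
Sandbox: agent(4242) deny(1) mach-lookup com.apple.system.logger
Sandbox: agent(4242) deny(1) file-read-data /Users/me/Library/Application Support/Foo'

# denials_to_rules: read denial lines on stdin, emit one SBPL allow rule per
# distinct (operation, target) pair. File operations get an exact-path rule,
# mach-lookup a global-name rule; anything else is allowed broadly and flagged
# with an SBPL comment (;) so the reviewer narrows it by hand.
denials_to_rules() {
  awk '
    /deny\([0-9]+\)/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^deny\([0-9]+\)$/) break
      op = $(i + 1)
      target = ""
      for (j = i + 2; j <= NF; j++) target = target (j > i + 2 ? " " : "") $j
      key = op SUBSEP target
      if (key in seen) next
      seen[key] = 1
      if (op ~ /^file-/)
        printf "(allow %s (literal \"%s\"))\n", op, target
      else if (op == "mach-lookup")
        printf "(allow mach-lookup (global-name \"%s\"))\n", target
      else
        printf "(allow %s) ; narrow manually, denied target was: %s\n", op, target
    }'
}

# build_profile <app-path>: deny everything by default, allow executing the
# binary itself, then append the rules derived from stdin.
build_profile() {
  printf '(version 1)\n(deny default)\n(allow process-exec (literal "%s"))\n' "$1"
  denials_to_rules
}

# rule_count: number of distinct rules derived from the sample (expected: 4).
rule_count() {
  printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules | wc -l | tr -d ' '
}

# On a Mac the loop is: run under the current profile, capture new denials
# (for example: log stream --predicate 'eventMessage CONTAINS "deny("'),
# rebuild, repeat until the app runs cleanly. Hypothetical paths below.
#   build_profile /Applications/Foo.app/Contents/MacOS/Foo < denials.log > foo.sb
#   sandbox-exec -f foo.sb /Applications/Foo.app/Contents/MacOS/Foo
```

The profile that comes out of the first iterations is deliberately minimal; what it ends up needing (which files, which Mach services, which network endpoints) is exactly the inventory of what the application touches.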
    • EricE 4 days ago
      It's not just data security tools - let your company get involved in litigation and now all your personal stuff is exposed to discovery too.

      Just dumb to mix personal and work - computers are no longer exotic.

    • swah 4 days ago
      In my case I "lend" my personal device for work (Git, Slack, Figma, Miro... use one Chrome for work and Chrome Beta for personal). So I suppose there's no software running behind the scenes. Should I still worry in this case?
  • ein0p 3 days ago
    Anyone who uses their personal iPhone and/or iCloud account for work is a moron.