
It's LTE only, not 5G but this might be what you're looking for

https://store.ui.com/us/en/category/internet-solutions/colle...


The watch needs to be unlocked either with a PIN code or can be set to unlock on close proximity to iPhone which unlocks via Face ID (or Touch ID, or a passcode). Once it is in an authenticated state it remains unlocked while it is attached to a wrist. I’m not totally clear how it detects when it separates from a wrist (probably a light sensor, heart rate sensor or some heuristic derived from both - but it’s pretty instantaneous and reliable). “Privileged” actions like payments or escalation prompts still require a double click of the watch’s physical button to confirm, but in this authenticated state it is possible to use the watch to unlock Mac or iPhone based on proximity alone.

It has no concept of “who” you are, only that it got positively authenticated while on a wrist by proximity to your iPhone unlock or a manual correct PIN entry and hasn’t separated from that wrist since.


No, a VPN would only change the source IP of your request which the author specifically states isn't how this system works: the browser uses its host OS' Location Services to self report its location based on GPS or Wi-Fi AP locations.

That said, I hope the service doesn't implicitly trust data sent by untrusted clients like web browsers, otherwise someone could just use something like this to send it a false location: https://chromewebstore.google.com/detail/spoof-geolocation/i...


Even if the browser was super locked down you could trivially spoof a few SSIDs broadcast from the desired area in theory.


The SSID (name, like the article mentions) is different than the BSSID (MAC address of the access point), so I don't think it would be that easy to spoof.


Minor but important correction: The BSSID is almost never the AP MAC address.

The BSSID is unique per SSID, per AP. The BSSID is usually derived (usually by incrementing the last octet) from the AP MAC address, however.

So an AP MAC might be 77:99:44:EE:C4:11.

It has a wireless network called "Bob's SSID". It will have a BSSID of something like 77:99:44:EE:C4:12.

Then, the AP may be broadcasting another called "Mary's SSID", and it will have a BSSID of something like 77:99:44:EE:C4:13.

Edit: More not-well-written info on BSSIDs: https://en.wikipedia.org/wiki/Service_set_(802.11_network)

Looks like the BSSID is derived from the AP serial number by some vendors. Never seen that myself.
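An added example, not part of the comment above or of any vendor's code: when inventorying a site's wireless networks, the numbering pattern described in that comment lets you estimate how many physical radios are behind a list of observed SSIDs by grouping BSSIDs whose values are consecutive. The function names, the `max_gap` parameter and the scan list are assumptions made for illustration, and the grouping is a heuristic, since the comment says the pattern is usual rather than universal.

```python
import re

BSSID_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Constructed scan results (SSID, BSSID); not captured from a real network.
SAMPLE_SCAN = [
    ("Bob's SSID", "77:99:44:EE:C4:12"),
    ("Mary's SSID", "77:99:44:EE:C4:13"),
    ("Cafe Guest", "02:AB:10:00:5F:A0"),
    ("Cafe Staff", "02:AB:10:00:5F:A1"),
    ("Lone AP", "77:99:44:EE:D0:12"),
]


def parse_bssid(text):
    """Return a colon-separated BSSID as a 48-bit integer."""
    text = text.strip()
    if not BSSID_RE.fullmatch(text):
        raise ValueError(f"not a BSSID: {text!r}")
    return int(text.replace(":", ""), 16)


def group_by_radio(scan, max_gap=1):
    """Group (ssid, bssid) pairs whose BSSIDs are numerically adjacent.

    Heuristic: BSSIDs that differ by at most max_gap from their neighbour
    are assumed to come from one radio. Comparing whole 48-bit values also
    covers a carry out of the last octet (..:00:FF followed by ..:01:00).
    """
    entries = sorted((parse_bssid(b), s, b.upper()) for s, b in scan)
    groups = []
    prev = None
    for value, ssid, bssid in entries:
        if prev is not None and value - prev <= max_gap:
            groups[-1].append((ssid, bssid))   # same radio as the previous one
        else:
            groups.append([(ssid, bssid)])     # start a new radio group
        prev = value
    return groups


if __name__ == "__main__":
    for number, group in enumerate(group_by_radio(SAMPLE_SCAN), start=1):
        names = ", ".join(f"{ssid} ({bssid})" for ssid, bssid in group)
        print(f"radio {number}: {names}")
```

Two unrelated access points with adjacent addresses would be merged by this heuristic, so treat the result as an estimate to confirm against the site's own AP inventory.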


I see, thanks. I've definitely seen instances where an AP is broadcasting multiple SSIDs with different BSSIDs. I suppose I just thought nothing of it... but that makes sense.


That would be a fun project. Capture some WiFi geolocation data and rebroadcast it later with an ESP32 that switches its BSSID/SSID/frequency/transmit power to match an existing fingerprint.

And then see if you can be magically transported somewhere else.



Shouldn't be any harder than the name.


Do most consumer APs/routers allow you to just change the MAC address on the fly? I don't think the ones I've owned have ever allowed that. But that would certainly be interesting to try (if you were somewhere without any other address interference that would tip it off)


Pretty sure the laptop I had from like 2012 until 2018 could do that. Haven't tried anymore since (haven't played around with deauths) but I thought this was common functionality

Consumer router firmware UIs, typically owned by ISPs, I'd not expect that yeah. Some don't even let you pick a WiFi band anymore and require other changes to be submitted through an ISP portal on the web somewhere (thinking of Belgium here, not sure which ISP it was)


Some will let you change it but it's almost always static since changing AP MAC Address will cause network disruptions for all connected clients.

Sure, some hacker somewhere will screw with these databases by rotating their AP MAC Address regularly but 99.9% are not going to touch it and 99.9% is good enough for location databases.


Ohh. Yeah I suppose that's what I meant. I thought a VPN also spoofed the location


Isn't this roughly what mDL (and broader future W3C Digital Credentials spec) offers albeit with the issuing agency of the ID (e.g. state DMV) acting as the credential issuer rather than a bank? A relying party makes a claim for a coarse age limit 'is user over N years old'? With the user's consent, the application receives an attestation back from their wallet, with a chain of trust back to the issuer (without the issuer's intervention or knowledge).

The user's credential is bound to the device and protected by their biometrics (Face ID/Touch ID), and the consent screen feels very similar to using a Passkey (gaining in mainstream popularity) or Apple Pay (pretty mainstream at this point).

- https://www.w3.org/TR/digital-credentials/

- Apple's implementation - https://developer.apple.com/wallet/get-started-with-verify-w... (and moving to the browser in iOS 26 https://support.apple.com/en-gb/guide/apple-business-connect...)

The challenge here is adoption and availability of digital credentials. It appears the State Department is allowing iOS 26 to issue digital credential representations of US passports also. Japan are also providing their national ID card in this way. Given some US states' online age verification laws (and whatever it is the UK are trying to do at the moment), seems like a great incentive for those governments to provide robust digital ID infrastructure.


https://www.foodandwine.com/news/uk-pubs-reopen-register-dri...

UK pubs will reopen on Saturday but government issued guidance recommends that venues require customers to leave contact details in case of a localised Corona outbreak. We designed a simple service to collect the bare minimum data to comply with both the registration guidance and GDPR.

Customers just send a four digit SMS locator to a number (or an email to a special mailbox) and we log either the sender's phone number or email address against the venue and the time of entry. We reply to the message with a confirmation that can be shown to security/service staff. All data is encrypted on the back end and retention periods are enforced. Data export is controlled (and similarly encrypted) in the event that a venue is required to provide by the public health authority.

This approach means data is accurate (non-trivial to forge sender headers) and low friction for the customers. Not asking for personal details to be input makes for a less invasive check in experience for the customer, whilst maintaining compliance for the venue.


It is not clear to me that contact details will be required, the government message last weekend was that "pubs should keep a list ...", not that "pubs must keep a list ...", and there is nothing that I have found that states that this is a legal requirement. Perhaps you have more up-to-date information?


The guidance does state ‘should’ rather than ‘must’ - I have amended my comment to make it clear that it’s a recommendation (alongside lots of other recommendations in the same guidance document)

Enforcement and policing of this is presently unclear (and will likely be delegated to local environmental health and licensing authorities, from what I’ve read - so may be inconsistent across the country).

I suppose if an outbreak is linked to a venue that hasn’t implemented the recommendations it will (at best) reflect badly, and at worst attract attention from the local authority in the same way as if other recommended public health measures were not implemented.


Thanks, they really are leaving it a bit late for definitive rules on this. There is no way that I'll be giving my name and address to Cummings, Serco and co., so I'm anticipating spending Saturday looking for somewhere taking a liberal interpretation on this (fortunately there are quite a few to try).


Totally agree with you here, not to mention the venues looking at this as an opportunity to boost their direct marketing lists. It's our view that all that is required to contact me is a phone number - so that's all we collect!

