Security News This Week: Facebook's Voice Transcripts Were More Invasive Than Amazon's

The Capital One hacker, a Bluetooth vulnerability, and more of the week's top security news.

The tail end of the Defcon hacking conference this week saw a remote car-start dongle and app that could have been hacked to steal cars, along with a drone hacking a smart TV. Oh, also, researchers have found a way to decrypt ubiquitous GSM calls. And common devices all around us can have their speakers manipulated to become acoustic cyber weapons. You know, the usual.

Meanwhile, Microsoft announced this week that it has found and patched a set of new Remote Desktop Protocol vulnerabilities, including two that could be used to spread worms worldwide, similar to the recently patched BlueKeep vulnerability. The classic massively multiplayer online game Second Life is riddled with security vulnerabilities, according to a new lawsuit. And Facebook is sharing more about an internal tool it built to hunt for bugs quickly in its 100 million–line codebase.

Oh, and one more warning. Do not reserve a "NULL" vanity plate thinking you're being clever. You could end up with thousands of dollars of glitch-induced tickets.

And, of course, there’s more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Facebook has been using contractors to transcribe audio clips users send each other through its Messenger communication platform. Bloomberg reported Tuesday that the third-party transcribers working on the project didn't know where the audio came from or what it was being used for. Facebook said it has paused human review of the audio, which was being used to check AI analysis of the audio messages.

For months now, revelations have emerged that every major smart-assistant developer (Amazon, Apple, Google, Microsoft) uses or has used contractors to transcribe snippets of user audio for quality control and to improve the accuracy of their products. But the news about Facebook has an additional element, since the audio doesn't come from users giving commands to a smart assistant, but from actual human-to-human communications. On Wednesday, Facebook's main European Union regulator—the Irish Data Protection Commission—opened a probe to evaluate the legality of the practice.

The alleged Capital One hacker, Paige A. Thompson, may have also pilfered data from more than 30 victim companies, as was previously rumored based on Thompson's publicly available online activity. "The servers seized from Thompson’s bedroom during the search of Thompson’s residence, include not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities," prosecutors wrote in court documents. "That data varies significantly in both type and amount." Most of the other stolen data doesn't seem to specifically contain people's personally identifying information. Prosecutors said that they intend to add charges based on this evidence, and that Thompson has a history of threats to harm herself and others.

The popular dating apps Grindr, Romeo, Recon, and 3fun have vulnerabilities that would allow an attacker to determine a user's exact location. Researchers from the security firm Pen Test Partners published findings this week that an attacker would just need a person's username to track them. The researchers created a service that feeds made-up latitude and longitude data to the apps' public application programming interfaces, which can then be induced to return distance data about how far a user is from that random point. By triangulating these distance returns, the system can determine where the user is. Some of the services made changes in response to the Pen Test Partners findings, but some, like Grindr, did not respond to the firm. The researchers also found other data exposures in some of the apps, like photo and personal data leaks.

A new vulnerability and corresponding exploit of Bluetooth could allow an attacker to determine the encryption keys used during device pairing and let themselves in on the party. Dubbed "Key Negotiation of Bluetooth attack" or "KNOB," the hack would put attackers in a position to surveil or manipulate data moving between paired devices. The issue was announced through a coordinated disclosure by a large consortium of tech companies and industry groups. The Bluetooth and Bluetooth Low Energy standards have been criticized for introducing potential security issues as a result of their complexity.

