Geofence arrest warrants declared unconstitutional – but that’s not all

The 2024 U.S. presidential election is approaching its home stretch, which means state-backed hackers are emerging from the shadows to interfere in their own way. That includes Iran’s APT42, a hacking group linked to Iran’s Islamic Revolutionary Guard Corps that has targeted nearly a dozen people associated with the campaigns of Donald Trump and Joe Biden (now Kamala Harris), according to Google’s Threat Analysis Group.

The unfolding disaster that is the data breach at data broker and background check company National Public Data is just beginning. Although the breach happened months ago, the company only publicly acknowledged it on Monday after someone allegedly released “2.9 billion records” of people in the U.S., U.K. and Canada, including names, mailing addresses and social security numbers. But ongoing analysis of the data shows the story is far more complicated — as are the risks.

You can now add bike shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano’s wireless Di2 shifters can be vulnerable to various radio-based attacks that could allow someone to remotely change a rider’s gears or prevent them from changing gears at a crucial moment in a race. Meanwhile, other researchers have found that it’s possible to extract the administrator keys to electronic lockers used in gyms and offices around the world, potentially giving a criminal access to all the lockers in a single location.

If you use a Google Pixel phone, don’t take your eyes off it: An unpatched vulnerability in a hidden Android app called Showcase.apk could give an attacker the ability to gain deep access to your device. Exploiting the vulnerability may require physical access to a target device. But researchers at iVerify, who discovered the flaw, say it could be possible via other vulnerabilities as well. Google says it plans to release a fix “in the coming weeks,” but that’s not good enough for data analytics firm and U.S. military contractor Palantir, which will stop using all Android devices because it believes Google’s response was inadequate.

But that’s not all. Each week we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full articles. And stay safe out there.

A U.S. federal appeals court ruled last week that so-called geofence search warrants violate the Fourth Amendment’s protection against unreasonable searches and seizures. Geofence search warrants allow police to demand from companies like Google a list of all devices that appeared at a specific location at a specific time. The U.S. Fifth Circuit Court of Appeals ruled on August 9 that geofence search warrants are “categorically prohibited by the Fourth Amendment” because “they never identify a specific user, only a temporal and geographical location where a specific user may appear after the search.” In other words, this is an unconstitutional expedition, as advocates of privacy and civil liberties have long claimed.

Google, which collects the location histories of tens of millions of U.S. citizens and is the most common target of geofence search warrants, said late last year that it would change the way it stores location data so that geofence search warrants may no longer return the data they once provided. Legally, however, the matter is far from settled: The Fifth Circuit’s decision only applies to law enforcement activity in Louisiana, Mississippi, and Texas. Moreover, weak U.S. privacy laws mean that police can simply buy the data and skip the onerous search process altogether. As for the appellants in the case heard by the Fifth Circuit, they are no better off: The court found that police used the geofence search warrant in “good faith” when it was issued in 2018, so they can still use the evidence they obtained.

The Committee on Foreign Investment in the US (CFIUS) this week hit German conglomerate T-Mobile with a record $60 million fine for mishandling data during the integration of US company Sprint following the two companies’ merger in 2020. According to CFIUS, T-Mobile “failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” violating a National Security Agreement the company signed with the committee, which assesses the national security impact of foreign business deals with US companies. In a statement, T-Mobile said technical issues had affected “information shared in response to a small number of law enforcement requests for information.” While the company claims it acted “quickly” and “in a timely manner,” CFIUS alleges T-Mobile “failed to promptly report some incidents of unauthorized access to CFIUS, delaying the committee’s efforts to investigate and mitigate potential harm.”

The 12-year saga surrounding the prosecution of Kim Dotcom moved forward this week when New Zealand’s attorney general granted the U.S. request to extradite the controversial entrepreneur. Dotcom founded the file-sharing service Megaupload, which U.S. authorities say was used for widespread copyright infringement. The U.S. seized Megaupload in 2012 and charged Dotcom with organized crime, copyright infringement and money laundering. Dotcom denies any wrongdoing but lost an attempt to prevent extradition in 2017 and has been fighting it ever since. Despite the attorney general’s decision, Dotcom vowed in a post on X to stay in the country where he has lived legally since 2010. “I love New Zealand,” he wrote. “I’m not leaving.”

The growing plague of deepfake pornography — explicit images that digitally “undress” people without their consent — may have finally hit a major legal hurdle. San Francisco Deputy City Attorney Yvonne Meré — and by extension, the City of San Francisco — has filed suit against the 16 most popular “nudity” websites. These sites and apps allow people to create explicit deepfake images of virtually any person, but are increasingly being used by boys to create sexual abuse material of their underage female classmates. While several states have criminalized the creation and distribution of AI-generated sexual abuse material of minors, Meré’s lawsuit effectively aims to shut down the sites entirely.

By Bronte
