As the 2024 US presidential election enters its final stages, state-sponsored hackers are emerging from the shadows to interfere in their own ways, including the Iranian Revolutionary Guard-affiliated hacker group APT42, which Google’s Threat Analysis Group says has targeted nearly a dozen people connected to the campaigns of Donald Trump and Joe Biden (now Kamala Harris).
The breach of data broker and background check company National Public Data is just the beginning of a string of disasters. The breach happened several months ago, but the company only publicly acknowledged it on Monday after someone posted what it called “2.9 billion records” containing names, addresses and Social Security numbers of people from the U.S., the U.K. and Canada. But an ongoing analysis of the data reveals that the situation is far more complicated, and the risks far more complex.
Bike shifters and gym lockers are now joining the list of targets to be hacked. This week, security researchers revealed that Shimano’s Di2 wireless shifters could be vulnerable to a variety of radio-based attacks that could allow someone to remotely change a rider’s gears or prevent them from changing gear at a critical moment in a race. Meanwhile, other researchers have found that it’s possible to extract administrator keys to electronic lockers used in gyms and offices around the world, potentially giving criminals access to all the lockers in one place.
If you have a Google Pixel phone, keep an eye out. An unpatched vulnerability in a hidden Android app called Showcase.apk could allow attackers deep access to the device. Exploiting the vulnerability may require physical access to the affected device, but researchers at iVerify, who discovered the flaw, say it may also be possible through other vulnerabilities. Google says it plans to release a fix in the “coming weeks,” but that’s not enough for Palantir, a data analytics company and U.S. military contractor. The company plans to suspend use of all Android devices after finding the response from Google insufficient.
But that’s not all. Every week we round up the security and privacy news we didn’t cover in depth. Click the headline to read the full story. And stay safe.
A U.S. federal appeals court ruled last week that so-called geofencing warrants violate the Fourth Amendment’s protection against unreasonable searches and seizures. Geofencing warrants allow police to demand that companies like Google turn over a list of all devices that appear in a particular place at a particular time. The U.S. Fifth Circuit Court of Appeals ruled on August 9 that geofencing warrants are “clearly prohibited by the Fourth Amendment.” They never identify a particular user, only a time and a geographic location where users may be found, which amounts to a “search, then find” approach. In other words, they are the kind of search practice that privacy and civil rights advocates have long argued is unconstitutional.
Google, which collects location history for tens of millions of U.S. residents and is the most frequent target of geofencing warrants, pledged late last year to change how it stores location data so that geofencing warrants don’t return the same data as before. Legally, however, the issue is far from resolved. The Fifth Circuit’s decision only applies to law enforcement activities in Louisiana, Mississippi, and Texas. Moreover, U.S. privacy laws are weak, allowing police to simply purchase data and skip the cumbersome warrant process entirely. As for the appellants in the cases heard by the Fifth Circuit, they’re no better off, either. The court found that police used the geofencing warrants “in good faith” when they were issued in 2018, so police can still use the evidence they obtained.
The Committee on Foreign Investment in the United States (CFIUS) this week fined German company T-Mobile a record $60 million for improper handling of data during its integration with Sprint after the two companies merged in 2020. According to CFIUS, “T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” thus violating the national security agreement the company signed with the committee, which evaluates the national security impacts of foreign business transactions with U.S. companies. T-Mobile said in a statement that the technical issues affected “information shared from a small number of law enforcement information requests.” While the company claims to have responded “promptly and in a timely manner,” CFIUS alleges that T-Mobile “failed to promptly report some incidents of unauthorized access to CFIUS, delaying the committee’s efforts to investigate and mitigate potential harms.”
The 12-year saga of Kim Dotcom’s prosecution inched forward this week when New Zealand’s justice minister approved a U.S. extradition request for the controversial entrepreneur. Dotcom created the file-sharing service Megaupload, which U.S. authorities say was used for widespread copyright infringement. The U.S. seized Megaupload in 2012 and charged Dotcom with offenses related to organized crime, copyright infringement and money laundering. Dotcom denies any wrongdoing, but he lost an attempt to block his extradition in 2017 and has been fighting it ever since. Despite the justice minister’s decision, Dotcom vowed in a post on X to remain in the country where he has been a legal resident since 2010. “I love New Zealand,” he wrote. “I’m not leaving.”
The spread of deepfake pornography (explicit images in which people are digitally “stripped” without their consent) may have finally hit a major legal hurdle. San Francisco Chief Deputy District Attorney Yvonne Mele (and by extension the city of San Francisco) has filed a lawsuit against 16 of the most popular “nudification” websites. These sites and apps, which allow the creation of explicit deepfake images of virtually anyone, are increasingly being used by boys to create sexually abusive material depicting underage female classmates. While several states have made it a crime to create and distribute AI-generated sexual abuse material of minors, Mele’s lawsuit effectively aims to shut down these sites for good.