Lily Hay Newman
The tail end of the Defcon hacking conference this week saw a remote car-start dongle and app that could have been hacked to steal cars, along with a drone hacking a smart TV. Oh, also, researchers have found a way to decrypt ubiquitous GSM calls. And common devices all around us can have their speakers manipulated to become acoustic cyber-weapons. You know, the usual.
Meanwhile, Microsoft announced this week that it has found and patched a set of new Remote Desktop Protocol vulnerabilities, including two that could be used to spread worms worldwide, similar to the recently patched BlueKeep vulnerability. The classic massively multiplayer online game Second Life is riddled with security vulnerabilities, according to a new lawsuit. And Facebook is sharing more about an internal tool it built to hunt for bugs quickly in its 100 million line codebase.
Oh, and one more warning. Do not reserve a “NULL” vanity plate thinking you’re being clever. You could end up with thousands of dollars of glitch-induced tickets.
And, of course, there’s more. Every Saturday, we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Facebook Contractors Transcribed Audio From Messenger Chats
Facebook has been using contractors to transcribe audio clips users send each other through its Messenger communication platform. Bloomberg reported Tuesday that the third-party transcribers working on the project didn’t know where the audio came from or what it was being used for. Facebook said it has paused human review of the audio, which was being used to check AI analysis of the audio messages.
For months now, revelations have emerged that every major smart assistant developer (Amazon, Apple, Google, Microsoft) uses or has used contractors to transcribe snippets of user audio for quality control and to improve the accuracy of their products. But the news about Facebook has an additional element, since the audio doesn’t come from users giving commands to a smart assistant, but from actual human to human communications. On Wednesday, Facebook’s main European Union regulator—the Irish Data Protection Commission—opened a probe to evaluate the legality of the practice.
Court Documents Allege Capital One Hacker Stole Data From More Than 30 Institutions
The alleged Capital One hacker, Paige A. Thompson, may have also pilfered data from more than 30 victim companies, as was previously rumored based on Thompson’s publicly available online activity. “The servers seized from Thompson’s bedroom during the search of Thompson’s residence, include not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities,” prosecutors wrote in court documents. “That data varies significantly in both type and amount.” Most of the other stolen data doesn’t seem to specifically contain people’s personally identifying information. Prosecutors said that they intend to add charges based on this evidence, and that Thompson has a history of threats to harm herself and others.
Dating Apps Can Be Manipulated to Provide Users’ Locations
The popular dating apps Grindr, Romeo, Recon, and 3fun have vulnerabilities that would allow an attacker to determine a user’s exact location. Researchers from the security firm Pen Test Partners published findings this week that an attacker would just need a person’s username to track them. The researchers created a service that feeds made-up latitude and longitude data to the apps’ public application programming interfaces, which can then be induced to return distance data about how far a user is from that random point. By triangulating these distance returns, the system can determine where the user is. Some of the services made changes in response to the Pen Test Partners findings, but some, like Grindr, did not respond to the firm. The researchers also found other data exposures in some of the apps, like photo and personal data leaks.
New Bluetooth Attack Undermines Encryption During Pairing
A new vulnerability and corresponding exploit of Bluetooth could allow an attacker to determine the encryption keys used during device pairing and let themselves in on the party. Dubbed “Key Negotiation of Bluetooth attack” or “KNOB,” the hack would put attackers in a position to surveil or manipulate data moving between paired devices. The issue was announced through a coordinated disclosure by a large consortium of tech companies and industry groups. The Bluetooth and Bluetooth Low Energy standards have been criticized for introducing potential security issues as a result of their complexity.
More Great WIRED Stories