Security
Headlines
HeadlinesLatestCVEs

Headline

A TikTok ‘Car Theft’ Challenge Is Costing Hyundai $200 Million

Plus: The FBI gets busted abusing a spy tool, an ex-Apple engineer is charged with corporate espionage, and collection of airborne DNA raises new privacy risks.

Wired
#web#ios#android#apple#google#amazon#intel#perl#auth

OpenAI’s new ChatGPT app for iOS couldn’t have arrived soon enough. Its absence left open a void in Google Play and Apple’s App Store, which have been quietly filling with scam apps that sucker users into paying for weekly or monthly subscriptions, according to research from security firm Sophos. The official ChatGPT app, meanwhile, is free, and an Android version is arriving soon.

But just because something is free doesn’t make it good. Telly TV is offering 55-inch televisions for $0 to the first 500,000 people who join its reservation list. Of course, “free” comes with a catch: The company reserves the right to collect heaps of data about your viewing habits, and the TV includes a built-in camera that can track your movements. Oh, and it has a second screen primarily for bombarding you with ads. But hey, nothing beats free, right?

Elsewhere in the world of tech that has people freaked out, Montana this week became the first state in the US to ban TikTok. The ban, which goes into effect in 2024, is already facing legal challenges on the grounds that it violates TikTok users’ First Amendment rights. Even if the ban remains, getting around it is trivial—just use a VPN.

The families of four people killed in a racism-fueled mass shooting at a grocery store in Buffalo, New York, are suing a slew of companies the plaintiffs say bear some responsibility for the massacre. The companies include Meta, Alphabet, Amazon, Snap, Reddit, and 4chan. Also on the list of defendants is Good Smile, a Japanese toy company that in 2015 purchased a 30 percent stake in 4chan, where the gunman sought advice on how to carry out his attack.

The United States Postal Service doesn’t just deliver mail—it also carries out warrantless mass surveillance. A bipartisan group of US senators this week launched an effort to curb the use of so-called mail covers, which USPS investigators use to gather the information on the outside of letters and packages. The senators say the practice, which does not require a court order, “threatens both our privacy and First Amendment rights.”

In the UK, the government is working to expand a controversial surveillance program that collects web histories and other “internet connection records” on millions of people. The program began after the 2016 passage of the Investigatory Powers Act, often called the Snooper’s Charter by privacy advocates and other critics. Records show that the program appears to be moving out of its trial phase and may be rolled out nationally.

Meanwhile, researchers at security firm Kaspersky released new details about a mysterious hacker group that has carried out operations in Ukraine for far longer than people realized. Dubbed Red Stinger by researchers at Malwarebytes, the group has targeted both pro-Ukraine and pro-Russian figures as part of apparent espionage operations. Initially linked to hacks dating back to 2020, researchers now believe Red Stinger has been active for at least 15 years.

But wait, there’s more. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Most TikTok challenges you hear about are fake. This one, however, is deadly serious. Automaker Huyandai this week agreed to pay around $200 million to customers whose vehicles were stolen following a viral TikTok challenge that exposed a major security flaw in some Hyundai and Kia vehicles.

The challenge began after the user “Kia Boys” posted a video to TikTok showing that it was possible to hot-wire the vulnerable vehicles using a USB cable. According to Engadget, at least 14 crashes and eight deaths have been linked to the challenge. Hyundai will pay affected customers up to $6,125 for stolen vehicles and up to $3,375 to cover the cost of damage caused by those who took advantage of the flaw. The company also has an “anti-theft update” available for affected vehicles. Check to see if your vehicle is impacted here.

The US Foreign Intelligence Surveillance Court yesterday unsealed an April 2022 opinion that exposes rampant FBI misuse of the so-called Section 702 database, a vast trove of electronic communication records used by the bureau and the National Security Agency. The court found that the FBI improperly queried the database, established under Section 702 of the Foreign Intelligence Surveillance Act, more than 287,000 times in 2020 and 2021. Targets of the FBI’s searches include January 6 demonstrators, people arrested while protesting the police murder of George Floyd in Minneapolis, and some 19,000 American political donors to an unidentified US congressional campaign.

Section 702 gives the US government the authority to collect communications of targets overseas. Communications of Americans can get swept into the database when they communicate with someone outside the US. An audit released by the Office of the Director of National Intelligence late last year found several similar instances of the FBI misusing the Section 702 database to perform searches on American citizens, including US congressman Darin LaHood. Following both the ODNI audit and this week’s release of the court’s opinion, the FBI says the abuse was the result of a “misunderstanding” and vowed that it has fixed the problem. Regardless, Section 702 will expire at the end of the year without reauthorization from Congress, which the FBI’s repeated and widespread misuse could jeopardize.

The US Department of Justice on Tuesday announced charges against a former Apple engineer accused of stealing the company’s source code related to its self-driving-car technology. Weibao Wang allegedly stole the “sensitive” documents in the final days of his employment at Apple in April 2018. Wang left Apple five months after he signed an agreement to work for a US-based subsidiary of a company headquartered in China, according to the Justice Department. After US law enforcement searched his Mountain View, California, home in June 2018, 35-year-old Wang fled to China, the Justice Department says. If convicted, Wang faces up to 10 years in prison plus fines.

Everyone knows how much data can be collected about you anytime you’re online. But a bigger concern may be what someone can collect about you anytime you’re anywhere. That’s the warning in a new research paper, which found that it’s possible to collect “environmental DNA”—traces of genetic material floating in the air or liquids, also called eDNA—that can be linked to a person’s medical or ancestral details. Legal experts who spoke to the The New York Times warn that if police or other government authorities begin collecting eDNA, as scientists studying animals have done for a decade, it could create widespread privacy and civil liberties abuses.

Wired: Latest News

More Spyware, Fewer Rules: What Trump’s Return Means for US Cybersecurity