Headline
Apple's Encryption Is Under Attack by a Mysterious Group
Plus: Sony confirms a breach of its networks, US federal agents get caught illegally using phone location data, and more.
Does the public have a right to see gruesome photos of animal test subjects taken by a public university?
That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.
Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.
Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.
If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.
Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.
That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.
According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.
After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.
Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.
Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.
The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”
“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”