Plus: US regulators fine T-Mobile $60 million for mishap with sensitive data, New Zealand approves Kim Dotcom’s US extradition, and San Francisco takes on deepfake porn.

The 2024 US presidential election is entering its final stretch, which means state-backed hackers are slipping out of the shadows to meddle in their own special way. That includes Iran’s APT42, a hacker group affiliated with Iran’s Islamic Revolutionary Guard Corps, which Google’s Threat Analysis Group says targeted nearly a dozen people associated with Donald Trump’s and Joe Biden’s (now Kamala Harris’) campaigns.

The rolling disaster that is the breach of data broker and background-check company National Public Data is just beginning. While the breach of the company happened months ago, the company only acknowledged it publicly on Monday after someone posted what they claimed was “2.9 billion records” of people in the US, UK, and Canada, including names, physical addresses, and Social Security numbers. Ongoing analysis of the data, however, shows the story is far messier—as are the risks.

You can now add bicycle shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano’s Di2 wireless shifters can be vulnerable to various radio-based attacks, which could allow someone to change a rider’s gears remotely or prevent them from changing gears at a crucial moment in a race. Meanwhile, other researchers found that it’s possible to extract the administrator keys to electronic lockers used in gyms and offices around the world, potentially giving a criminal access to every locker at a single location.

If you use a Google Pixel phone, don’t let it out of your sight: An unpatched vulnerability in a hidden Android app called Showcase.apk could give an attacker the ability to gain deep access to your device. Exploiting the vulnerability may require physical access to a targeted device, but researchers at iVerify who discovered the flaw say it may also be possible through other vulnerabilities. Google says it plans to release a fix “in the coming weeks,” but that’s not good enough for data analytics firm and US military contractor Palantir, which will stop using all Android devices due to what it believes was an insufficient response from Google.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It**

A US federal appeals court ruled last week that so-called geofence warrants violate the Fourth Amendment’s protections against unreasonable searches and seizures. Geofence warrants allow police to demand that companies such as Google turn over a list of every device that appeared at a certain location at a certain time. The US Fifth Circuit Court of Appeals ruled on August 9 that geofence warrants are “categorically prohibited by the Fourth Amendment” because “they _never_ include a specific user to be identified, only a temporal and geographic location where any given user _may_ turn up post-search.” In other words, they’re the unconstitutional fishing expedition that privacy and civil liberties advocates have long asserted they are.

Google, which collects the location histories of tens of millions of US residents and is the most frequent target of geofence warrants, vowed late last year that it was changing how it stores location data in such a way that geofence warrants may no longer return the data they once did. Legally, however, the issue is far from settled: The Fifth Circuit decision applies only to law enforcement activity in Louisiana, Mississippi, and Texas. Plus, because of weak US privacy laws, police can simply purchase the data and skip the pesky warrant process altogether. As for the appellants in the case heard by the Fifth Circuit, well, they’re no better off: The court found that the police used the geofence warrant in “good faith” when it was issued in 2018, so they can still use the evidence they obtained.

**T-Mobile Hit With $60 Million Fine for “Sensitive Data” Mishap**

The Committee on Foreign Investment in the US (CFIUS) fined German-owned T-Mobile a record $60 million this week for its mishandling of data during its integration with US-based Sprint following the companies’ merger in 2020. According to CFIUS, “T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” in violation of a National Security Agreement the company signed with the committee, which assesses the national security implications of foreign business deals with US companies. T-Mobile said in a statement that technical issues impacted “information shared from a small number of law enforcement information requests.” While the company claims to have acted “quickly” and “in a timely manner,” CFIUS claims T-Mobile “failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.”

**New Zealand Approves US Extradition of Kim Dotcom**

The 12-year saga that is the prosecution of Kim Dotcom inched forward this week with the New Zealand justice minister approving the US’s request to extradite the controversial entrepreneur. Dotcom created the file-sharing service Megaupload, which US authorities say was used for widespread copyright infringement. The US seized Megaupload in 2012 and indicted Dotcom on charges related to racketeering, copyright infringement, and money laundering. Dotcom has denied any wrongdoing but lost an attempt to block the extradition in 2017 and has been fighting it ever since. Despite the justice minister’s decision, Dotcom vowed in a post on X to remain in the country where he’s been a legal resident since 2010. “I love New Zealand,” he wrote. “I’m not leaving.”

**San Francisco Takes On the Deepfake Porn Problem**

The growing scourge of deepfake pornography—explicit images that digitally “undress” people without their consent—may have finally hit a major legal roadblock. San Francisco’s chief deputy city attorney, Yvonne Meré—and the City of San Francisco by extension—has filed a lawsuit against the 16 most popular “nudification” websites. These sites and apps allow people to make explicit deepfake images of virtually anyone, but they have increasingly been used by boys to make sexual abuse material of their underage female classmates. While several states have criminalized the creation and distribution of AI-generated sexual abuse material of minors, Meré’s lawsuit effectively seeks to shut down the sites entirely.

Geofence Warrants Ruled Unconstitutional—but That’s Not the End of It

Social Security numbers, physical addresses, and more—all available online. After months of confusion, leaked information from a background-check firm underscores the long-term risks of data breaches.

Data breaches are a seemingly endless scourge with no simple answer, but the breach in recent months of the background-check service National Public Data illustrates just how dangerous and intractable they have become. And after four months of ambiguity, the situation is only now beginning to come into focus with National Public Data finally acknowledging the breach on Monday just as a trove of the stolen data leaked publicly online.

In April, a hacker known for selling stolen information, known as USDoD, began hawking a trove of data on cybercriminal forums for $3.5 million that they said included 2.9 billion records and impacted “the entire population of USA, CA and UK.” As the weeks went on, samples of the data started cropping up as other actors and legitimate researchers worked to understand its source and validate the information. By early June, it was clear that at least some of the data was legitimate and contained information like names, emails, and physical addresses in various combinations.

The data isn't always accurate, but it seems to involve two troves of information. One that includes more than 100 million legitimate email addresses along with other information and a second that includes Social Security numbers but no email addresses.

“There appears to have been a data security incident that may have involved some of your personal information,” National Public Data wrote on Monday. “The incident is believed to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024 … The information that was suspected of being breached contained name, email address, phone number, Social Security number, and mailing address(es).”

The company says it has been cooperating with “law enforcement and governmental investigators.” NPD is facing potential class action lawsuits over the breach.

“We have become desensitized to the never-ending leaks of personal data, but I would say there is a serious risk,” says security researcher Jeremiah Fowler, who has been following the situation with National Public Data. “It may not be immediate, and it could take years for one of the many criminal actors to successfully figure out how to use this information, but the bottom line is that a storm is coming.”

When information is stolen from a single source, like Target customer data being stolen from Target, it's relatively straightforward to establish that source. But when information is stolen from a data broker and the company doesn't come forward about the incident, it's much more complicated to determine whether the information is legitimate and where it came from. Typically, people whose data is compromised in a breach—the true victims—aren’t even aware that National Public Data held their information in the first place.

In a blog post on Wednesday about the contents and provenance of the National Public Data trove, security researcher Troy Hunt wrote, “The only parties that know the truth are the anonymous threat actors passing the data around and the data aggregator … We're left with 134M email addresses in public circulation and no clear origin or accountability.”

Even in a situation where a data broker has admitted to being breached—as is now the case with National Public Data—the stolen data may not be reliable and may have been combined with other datasets or processed in other ways. Hunt found, for example, that many email addresses in the dataset seemed to be paired with inaccurate personal information, and there were many duplicates and redundancies.

“There were no email addresses in the Social Security number files,” noted Hunt, who runs the website Have I Been Pwned (HIBP), which allows people to search their email addresses to see which, if any, data breaches they appear in. “If you find yourself in this data breach via HIBP, there's no evidence your SSN was leaked, and if you're in the same boat as me, the data next to your record may not even be correct.”

For people whose information was in the Social Security number dump, though, the risk of identity theft looms, forcing victims to freeze their credit, scour their credit reports, and set up financial monitoring services. Indeed, over the past few days, many people included in the data have begun receiving notifications about the breach from credit monitoring and threat intelligence services. And while the stolen data is imperfect, researchers warn that every trove of information that attackers can get their hands on ultimately fuels scamming, cybercrime, and espionage when combined and reconciled with the larger corpus of personal data that has been compiled by bad actors over the years.

“Each data breach is a puzzle piece, and we know that the bad guys and specific nations are also collecting this data," Fowler says. “When numerous breaches are combined in a systematic, organized, and searchable way they can provide a complete picture and data profile of individual citizens.”

The Slow-Burn Nightmare of the National Public Data Breach

A fix is coming, but data analytics giant Palantir says it’s ditching Android devices altogether because Google’s response to the vulnerability has been troubling.

Google's flagship Pixel smartphone line touts security as a centerpiece feature, offering guaranteed software updates for seven years and running stock Android that's meant to be free of third-party add-ons and bloatware. On Thursday, though, researchers from the mobile device security firm iVerify are publishing findings on an Android vulnerability that seems to have been present in every Android release for Pixel since September 2017 and could expose the devices to manipulation and takeover.

The issue relates to a software package called “Showcase.apk” that runs at the system level and lurks invisible to users. The application was developed by the enterprise software company Smith Micro for Verizon as a mechanism for putting phones into a retail store demo mode—it is not Google software. Yet for years, it has been in each Android release for Pixel and has deep system privileges, including remote code execution and remote software installation. Even riskier, the application is designed to download a configuration file over an unencrypted HTTP web connection that iVerify researchers say could be hijacked by an attacker to take control of the application and then the entire victim device.

iVerify disclosed its findings to Google at the beginning of May, and the tech giant has not yet released a fix for the issue. Google spokesperson Ed Fernandez tells WIRED in a statement that Showcase “is no longer being used” by Verizon, and Android will remove Showcase from all supported Pixel devices with a software update “in the coming weeks.” He added that Google has not seen evidence of active exploitation and that the app is not present in the new Pixel 9 series devices that Google announced this week.

In response to WIRED's inquiry about Showcase's vulnerability, Verizon spokesperson George Koroneos says, “The APK in question was used for retail demos and is no longer in use.” Smith Micro did not respond to WIRED's requests for comment ahead of publication.

“I’ve seen a lot of Android vulnerabilities, and this one is unique in a few ways and quite troubling,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “When Showcase.apk runs, it has the ability to take over the phone. But the code is, frankly, shoddy. It raises questions about why third-party software that runs with such high privileges so deep in the operating system was not tested more deeply. It seems to me that Google has been pushing bloatware to Pixel devices around the world.”

iVerify researchers discovered the application after the company's threat-detection scanner flagged an unusual Google Play Store app validation on a user's device. The customer, big data analytics company Palantir, worked with iVerify to investigate Showcase.apk and disclose the findings to Google. Palantir chief information security officer Dane Stuckey says that the discovery and what he describes as Google's slow, opaque response has prompted Palantir to phase out not just Pixel phones, but all Android devices across the company.

“Google embedding third-party software in Android's firmware and not disclosing this to vendors or users creates significant security vulnerability to anyone who relies on this ecosystem,” Stuckey tells WIRED. He added that his interactions with Google throughout the standard 90-day disclosure window “severely eroded our trust in the ecosystem. To protect our customers, we have had to make the difficult decision to move away from Android in our enterprise.”

iVerify vice president of research Matthias Frielingsdorf points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it. The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well.

“We only found a physical way of turning this on, but there might be different ways that a potential remote attacker or someone that is already on the phone with malware might turn this on and use it for privilege escalation,” Frielingsdorf says. “For our knowledge, physical access limits the danger. If I knew a clear remote way to do this, I would not want to do public disclosure because then millions of people’s devices would be in danger.” He adds that iVerify is limiting the technical details it releases about the issue until Google pushes its fix.

The iVerify researchers say that, in addition to Pixel phones, it is possible that Showcase is embedded in other Android devices as well. Google's Fernandez tells WIRED in the statement that “we are also notifying other Android OEMs,” meaning other original equipment manufacturers who make Android phones.

“We would have much preferred to have Google patch this before we talked about it publicly, but their inability to give a specific patch date left us no other choice,” iVerify's Cole says. “A well-resourced adversary like a nation state could exploit this—it has the potential to be a backdoor into basically any Pixel in the world.”

_Updated 1 pm ET, 8/15/2024: Added a statement from Verizon._

Nearly All Google Pixel Phones Exposed by Unpatched Flaw in Hidden Android App

APT42, which is believed to work for Iran’s Revolutionary Guard Corps, targeted about a dozen people associated with both Trump’s and Biden’s campaigns this spring, according to Google’s Threat Analysis Group.

When Donald Trump's presidential campaign publicly stated last week that it had been successfully targeted by Iranian hackers, the news may have initially seemed like a sign that the Middle Eastern country was particularly focused on the candidate whom it perceived to take the most hawkish approach to its regime. It's since become clearer that Iran has had the Democrats in the sights of its cyber operations, too. Now Google's cybersecurity analysts have confirmed that both campaigns were targeted not simply by Iran but by the same group of hackers working in service of Iran's Revolutionary Guard Corps.

Google's Threat Analysis Group on Wednesday published a new report on APT42, a group it says has aggressively sought to compromise both the Democratic and Republican campaigns for president, as well as Israeli military, government, and diplomatic organizations. In May and June, APT42, which is believed to be working in service of Iran's Revolutionary Guard Corps (IRGC), targeted about a dozen people associated with both Trump and Joe Biden, including current and former government officials and individuals associated with the two political campaigns. APT42 continues to target Republican and Democratic campaign officials alike, according to Google.

“In terms of collection, they're hitting all sides,” says John Hultquist, who leads threat intelligence at Google-owned cybersecurity firm Mandiant, which works closely with its Threat Analysis Group. Hultquist notes that equal-opportunity cyberspying doesn't come as a surprise, given that APT42 also targeted both the Biden and Trump campaigns in 2020 as well. APT42's targeting doesn't necessarily speak to its preference for a single candidate, he says, so much as the fact that both candidates, Trump and now Vice President Kamala Harris, are of enormous significance to the Iranian government. “They're interested in both candidates because these are the individuals who are charting the future of American policy in the Middle East," Hultquist says.

Only one campaign, however, appears to have had its sensitive files not only successfully breached by the Iranian hackers but also leaked to the press, in an apparent replay of Russia's 2016 hack-and-leak operation that targeted Hillary Clinton's campaign. Politico, The Washington Post, and The New York Times have all said they've been offered documents allegedly taken from the Trump campaign, in some cases by a source known as “Robert.”

Whether those files were in fact compromised by APT42 remains unconfirmed. Microsoft noted last week that APT42, which it calls Mint Sandstorm, had in June targeted a “high-ranking official on a presidential campaign” by exploiting a hacked email account of another “former senior adviser” to the campaign. Google in its new report also notes that APT42 “successfully gained access to the personal Gmail account of a high-profile political consultant.”

While neither company has offered any confirmation of which individual or individuals may have been successfully hacked by the Iranian group, Trump adviser Roger Stone has revealed that he was alerted by Microsoft and then by the FBI that both his Microsoft and Gmail accounts were compromised by hackers.

Google says it has blocked “numerous” ongoing attempts to log in to the accounts of officials on both campaigns, has sent warnings to the affected individuals, and has worked with law enforcement investigating the attempted breaches. The FBI launched its investigation into the phishing attacks in June, according to the Post.

APT42 has long been one of—or perhaps _the_—most active Iranian hacking group in the Middle East, Mandiant’s Hultquist says. But the group has been “pretty limited to espionage” in the past, Hultquist notes. He points out, however, that the IRGC as a whole has used its access to victim networks to go far beyond spying in past cases, launching data-destroying disruptive cyberattacks or hacking and leaking emails in so-called “influence operations,” as may have occurred in the case of the Trump campaign. “It's a reminder that any access obtained for espionage can be used for other means,” Hultquist says.

In its report, Google lays out APT42’s typical phishing operations, which have ranged from directing victims to a fake Google Meet page that tries to trick them into entering their username and password to luring them into a conversation on a messaging platform such as Telegram, WhatsApp, or Signal, where the hackers then send the victim a phishing toolkit designed to intercept their credentials, as well as two-factor authentication codes or account recovery codes. Beyond its presidential campaign targeting, Google says APT42 has also been actively targeting Israeli organizations with phishing websites that impersonate Israeli and Israel-related groups, such as the Washington Institute for Near East Policy, the Brookings Institution, the Jewish Agency, and Project Aladdin.

APT42’s bipartisan political targeting—and its murky connection to hack-and-leak campaigns—should serve as a reminder of how hacking for political influence in US elections has expanded since Russia’s notorious influence operation of 2016, Hultquist says, with effects that are still unfolding. “It’s not just a Russia problem anymore. It's broader than that,” Hultquist says. “There are multiple teams in play. And we have to keep an eye out for all of them.”

A Single Iranian Hacker Group Targeted Both Presidential Campaigns, Google Says

Security researchers say they’ve extracted digital management keys from select electronic lockers and revealed how they could be cloned.

Thousands of electronic lockers found in gyms, offices, and schools could be vulnerable to attacks by criminals using cheap hacking tools to access administrator keys, according to new research.

At the Defcon security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how digital management keys could be extracted from lockers, copied, and then used to open other lockers in the same location. The researchers focused on various models of electronic locks from two of the world’s biggest manufacturers, Digilock and Schulte-Schlagbaum.

Over the past few years, the researchers, who both have backgrounds in lock picking, have been examining various electronic locks that use numerical keypads, allowing people to set and open them with a PIN. The work comes on the back of various examples of hotel door locks being found to be hackable, vulnerabilities in high-security locks, and commercial safes being alleged to have backdoors.

For the research, Giese and braelynn purchased electronic locks on eBay, snapping up those sold after some gyms closed during the Covid-19 pandemic and from other failed projects. Giese focused on Digilock, while braelynn looked at Schulte-Schlagbaum. Over the course of the research, they looked at legacy models from Digilock dating from 2015 to 2022 and models from Schulte-Schlagbaum from 2015 to 2020. (They also purchased some physical management keys for Digilock systems.)

Showing how security flaws could be abused by a prepared hacker, the researchers say they can take the electronic lock apart, then extract the device’s firmware and stored data. This data, Giese says, can contain PINs that have been set, management keys, and programming keys. The manager key ID can be copied to a Flipper Zero or cheap Arduino circuit board and used to open other lockers, Giese says.

“If you access one lock, we can open all of them in whatever the unit is—the whole university, the whole company,” Giese says. “We can clone and emulate keys very easily, and the tools aren’t that complicated.” Whoever owns the lockers manages them, Giese says.

Ahead of developing this proof-of-concept attack, Giese says, it took some time and effort to understand how the locker systems function. They took the locks apart and used cheap debugging tools to access the devices’ erasable, programmable read-only memory, known as EEPROM. Often, in the locks they tested, this was not secured, allowing data to be pulled from the system.

“From the EEPROM, we can pull out the programming key ID, all manager key IDs, and the user PIN/ User RFID UID,” Giese says. “Newer locks erase the set user PIN when the locker is unlocked. But the PIN remains if the locker was opened with a manager key/programming key.”

The researchers say they reported the findings to both impacted companies, adding they had spoken to Digilock about the findings. Digilock tells WIRED it has issued a fix for vulnerabilities found. The researchers say Schulte-Schlagbaum did not respond to their reports; the company did not respond to WIRED's request for comment.

Your Gym Locker May Be Hackable

Please don’t, actually. But do update your Shimano Di2 shifters’ software to prevent a new radio-based form of cycling sabotage.

Professional cycling has, in its recent history, been prone to a shocking variety of cheating methods and dirty tricks. Performance-enhancing drugs. Tacks strewn on race courses. Even stealthy motors hidden inside of wheel hubs.

Now, for those who fail to download a software patch for their gear shifters—yes, bike components now get software updates—there may be hacker saboteurs to contend with, too.

At the Usenix Workshop on Offensive Technologies earlier this week, researchers from UC San Diego and Northeastern University revealed a technique that would allow anyone with a few hundred dollars of hardware to hack Shimano wireless gear-shifting systems of the kind used by many of the top cycling teams in the world, including in recent events like the Olympics and the Tour de France. Their relatively simple radio attack would allow cheaters or vandals to spoof signals from as far as 30 feet away that trigger a target bike to unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear.

The trick would, the researchers say, easily be enough to hamper a rival on a climb or, if timed to certain intense moments of a race, even cause dangerous instability. “The capability is full control of the gears. Imagine you're going uphill on a Tour de France stage: If someone shifts your bike from an easy gear to a hard one, you're going to lose time,” says Earlence Fernandes, an assistant professor at UCSD’s Computer Science and Engineering department. “Or if someone is sprinting in the big chain ring and you move it to the small one, you can totally crash a person's bike like that.”

Here's a video demonstration of the researchers’ hacking technique:

The researchers' technique exploits the increasingly electronic nature of modern high-end bicycles, which now have digital components like power meters, wireless control of fork suspensions, and wireless shifters. “Modern bicycles are cyber-physical systems,” the researchers note in their Usenix paper. Almost all professional cyclists now use electronic shifters, which respond to digital signals from shifter controls on the bike's handlebars to move a bicycle's chain from gear to gear, generally more reliably than mechanical shifting systems. In recent years, those wired electronic shifters have transitioned again to wireless versions that pair via a radio connection, such as the popular Di2 wireless shifters sold by the Japanese cycling component firm Shimano, which the researchers focused on.

To exploit those wireless components and sabotage a specific target bike, the researchers' technique does require that a hacker first intercept the target's gear-shift signals at some point before they carry out their attack. The hacker can then replay those signals—even months later—to cause the bike to shift at the hacker's command.

To carry out that eavesdrop-and-replay attack, the researchers used a $1500 USRP software-defined radio, an antenna, and a laptop. They say though that a $350 HackRF would work just as well, and point out that their hardware setup could be miniaturized to the degree that it could be hidden along the sidelines of a race, in a cycling team car, or even in the back pouch of a rider's jersey, such as by implementing it in a Raspberry Pi mini-computer.

Jamming wireless shifters with that toolkit would be considerably easier than even replay attacks, the researchers say. While a jamming attack could prevent a specific rider from shifting gears if a hacker were able to first pick up one of their wireless shifting signals, a saboteur could also simply broadcast a jamming signal at the frequency used by all Shimano shifters, potentially disrupting a large group of racers. The researchers even say that it would be possible to read the shifting signals from an entire peloton of cyclists and then jam everyone _except_ a chosen rider. “You can basically jam everyone except you,” says Northeastern professor Aanjhan Ranganathan, another author of the paper.

Shimano’s Di2 wireless shifting components and the researchers’ hacking toolkit. They say their hardware could easily be miniaturized, by using a Raspberry Pi mini-computer for instance, to make it small enough to be hidden along the sidelines of a race, in a cycling team car, or even in the back pouch of a rider’s jersey.Courtesy of UCSD and Northeastern University

The researchers first reached out to Shimano about their research in March, and the company's engineers worked with them closely to develop a patch. A Shimano spokesperson wrote in a statement to WIRED that the company “identified and created a new firmware update to enhance the security of the Di2 wireless communication systems.”

Shimano says it has provided that firmware update to the professional cycling teams that use its components. But it says its fix won't be more widely available until late August and declined to explain exactly how its update prevents the attacks the researchers identified. “We can share that this update is intended to improve wireless transmission across Shimano Di2 component platforms," the company writes. “We cannot share details on the exact fix at this moment, for obvious security reasons.”

Exactly how the patch will be deployed to customers isn't quite clear either. The company writes that “riders can perform a firmware update on the rear derailleur” using Shimano’s E-TUBE Cyclist smartphone app. But it fails to mention whether the fix will apply to the front derailleur. “More information about this process and steps riders can take to update their Di2 systems will be available shortly,” it concludes.

While Shimano's patching plan leaves a week or two-week gap between the researchers' public presentation of their bike-hacking technique at Usenix and the broad rollout of a fix for customers, UCSD professor Fernandes argues it's unlikely that average riders will be targeted with their technique—at least not immediately. “I find it hard to believe that someone will want to launch such an attack on me during my Saturday group ride,” Fernandes says.

Professional cyclists, however, should be sure to implement the early patch that Shimano has already provided, the researchers say. They note, too, that other brands of wireless shifters may be vulnerable to similar hacking techniques: They focused on Shimano only because it has the largest market share.

In the ruthless world of competitive cycling, which has been rocked to its foundations in recent decades by doping scandals, they argue that rivals hacking each others' shifters is not at all a far-fetched scenario. “This is, in our opinion, a different kind of doping,” says Fernandes. “It leaves no trace, and it allows you to cheat in the sport.”

More broadly, they argue that their radio-based bike hacking research is a cautionary tale about the temptation to add wireless electronic features to every technology, from garage doors to cars to bicycles, and the unintended consequences of that long-term trend—namely, that they've all become vulnerable to forms of replay and jamming attacks of the kind that Shimano is now scrambling to fix.

“This is a repeating pattern,” says Northeastern's Ranganathan, who has also developed solutions for replay attacks on cars’ keyless entry systems. “When manufacturers start putting in wireless features in their products, it has an impact on real-world control systems. And that can cause real physical harm.”

_Corrected at 8/14/2024 at 10:00 am ET to note the correct software-defined radio used in the researchers' experimental setup and remove an incorrect reference to Bluetooth._

Want to Win a Bike Race? Hack Your Rival’s Wireless Shifters

Security researcher Bill Demirkapi found more than 15,000 hardcoded secrets and 66,000 vulnerable websites—all by searching overlooked data sources.

If you know where to look, plenty of secrets can be found online. Since the fall of 2021, independent security researcher Bill Demirkapi has been building ways to tap into huge data sources, which are often overlooked by researchers, to find masses of security problems. This includes automatically finding developer secrets—such as passwords, API keys, and authentication tokens—that could give cybercriminals access to company systems and the ability to steal data.

Today, at the Defcon security conference in Las Vegas, Demirkapi is unveiling the results of this work, detailing a massive trove of leaked secrets and wider website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers.

A major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company are counted among the thousands of organizations that inadvertently exposed secrets. As part of his efforts to stem the tide, Demirkapi hacked together a way to automatically get the details revoked, making them useless to any hackers.

In a second strand to the research, Demirkapi also scanned data sources to find 66,000 websites with dangling subdomain issues, making them vulnerable to various attacks including hijacking. Some of the world’s biggest websites, including a development domain owned by The New York Times, had the weaknesses.

While the two security issues he looked into are well-known among researchers, Demirkapi says that turning to unconventional datasets, which are usually reserved for other purposes, allowed thousands of issues to be identified en masse and, if expanded, offers the potential to help protect the web at large. “The goal has been to find ways to discover trivial vulnerability classes at scale,” Demirkapi tells WIRED. “I think that there’s a gap for creative solutions.”

**Spilled Secrets; Vulnerable Websites**

It is relatively trivial for a developer to accidentally include their company’s secrets in software or code. Alon Schindel, the vice president of AI and threat research at the cloud security company Wiz, says there’s a huge variety of secrets that developers can inadvertently hard-code, or expose, throughout the software development pipeline. These can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.

“The most acute risk of leaving secrets hard-coded is that if digital authentication credentials and secrets are exposed, they can grant adversaries unauthorized access to a company’s code bases, databases, and other sensitive digital infrastructure,” Schindel says.

The risks are high: Exposed secrets can result in data breaches, hackers breaking into networks, and supply chain attacks, Schindel adds. Previous research in 2019 found thousands of secrets were being leaked on GitHub every day. And while various secret scanning tools exist, these largely are focused on specific targets and not the wider web, Demirkapi says.

During his research, Demirkapi, who first found prominence for his teenage school-hacking exploits five years ago, hunted for these secret keys at scale—as opposed to selecting a company and looking specifically for its secrets. To do this, he turned to VirusTotal, the Google-owned website, which allows developers to upload files—such as apps—and have them scanned for potential malware.

Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All

Allan “dwangoAC” has made it his mission to expose speedrunning phonies. At the Defcon hacker conference, he’ll challenge one record that's stood for 15 years.

Speedrunning video games, the competitive field of playing through digital games as quickly as possible, has in recent years been elevated into something between a virtuosic form of fingers-and-thumbs athletics and a highly technical science. The best speedruns reduce epic games meant to take dozens of hours to single-digit minutes through a combination of exploiting glitch-enabled shortcuts and inhuman skill.

A little too inhuman, in some cases. Speedrunning, it turns out, is plagued with fake records set by cheaters who splice together video clips to falsify evidence or use rule-breaking software to gain unfair advantages. One speedrunner and hacker named Allan Cecil has made it his personal mission to catch them.

In a talk at the Defcon hacker conference in Las Vegas today, the details of which WIRED reviewed in advance, Cecil plans to present what he alleges is evidence that a speedrunning record for the 1996 PC game _Diablo_, which has stood for more than 15 years and holds a spot in the _Guinness Book of World Records_, was in fact the result of rule-breaking techniques that should disqualify it. If Cecil and the team of investigators who have worked with him over recent months succeed at tearing down that seemingly untouchable benchmark, it will be the third such high-profile speedrun that he'll have helped to debunk, and the second in just the last year.

Cecil, who is better known in the gaming world by his handle dwangoAC, came into this strange role as a speedrun debunker from an equally niche hobby: He's known as an expert practitioner of so-called “tool-assisted speedruns,” using emulator software to run a game in a controlled environment to find the limits of what that game’s speedrun can be—an area of speedrunning that some purists once considered, itself, to be a kind of cheating. Cecil maintains instead that those tool-assisted speedruns, in which players meticulously rewind, replay, hone, and perfect their runs frame by frame, can be its own valid form of competition, or even art.

Cecil says he arrived at his fixation with catching cheaters in part out of a determination to protect this lesser-known field of speedrunning from those who would surreptitiously use the same tools in deceptive ways, essentially turning tool-assisted speedruns into a kind of speedrun doping, rather than an honest avocation. “Making a tool-assisted speedrun is a transformative work of art that humans laboriously spend months on, or even years,” says Cecil. “But you definitely do _not_ use tool-assisted speedrun techniques and then try to pretend that it was just human effort. And seeing people do that pisses me off.”

As a staff member at the tool-assisted speedrun website TASvideos.org and an organizer of many epic speedrunning feats—such as one that famously used coding glitches in the Zelda game _Ocarina of Time_ to rewrite the game's ending—Cecil has become a fixture of the speedrunning world. He's also the creator of TASBot, a robot that connects to the controller ports of video game consoles to reproduce controller inputs, so that recorded speedruns can be replayed and verified on original gaming hardware, a spectacle that gamers love so much that livestreams featuring the robot have raised $1.5 million in donations to charitable causes, according to Cecil’s count.

In recent years, however, Cecil has taken his obsession with tool-assisted speedrunning in a different direction: He's turned it into a means to catch the cheaters that threaten his pastime's legitimacy. If he can show that even a polished tool-assisted speedrun in a certain game isn't as fast as a purported human record—as he's done in all three records he's attempted to debunk—that demonstration can serve as the first step in suggesting that a record was likely falsified. He's found, too, that the process of creating that tool-assisted run often produces new revelations about what's possible—or impossible—in an unassisted human attempt.

TASbot wearing Cecil’s Defcon speaker badge.Photograph: Roger Kisby

Cecil's latest record-busting effort may be the most controversial one he's undertaken yet. At Defcon, he'll present evidence that he alleges should disqualify the record of Maciej “groobo” Maselewski, a Polish speedrunner who holds the Guinness record for not only the fastest _Diablo_ speedrun but also the fastest role-playing game speedrun of any kind. Maselewski's _Diablo_ run, 3 minutes and 12 seconds long, has withstood all challengers since 2009.

Cecil says his suspicions that Maselewski had broken speedrunning rules were first triggered when he and another speedrunner, Matthew “funkmastermp” Petroff, set out to make a tool-assisted speedrun for _Diablo_ in January. They quickly came to the conclusion they'd never match Maselewski's 3-minute, 12-second time, no matter how much they perfected their run or how lucky they got in the game's randomized dungeon layouts. That led them to assemble a team of investigators who ultimately found what they believe to be a long list of inconsistencies in software versions and items, missing frames, and other signs of potential tampering in the video of Maselewski's run, all of which they've assembled in a detailed document posted to Cecil's website. “No one could get anywhere close to that time. Now we know why,” Cecil says. “The answer seemed to be that groobo had cheated in many, many ways.”

Maselewski, when WIRED reached him for a response, immediately denied any such foul play. In an email, he pointed to the fact that his run was always understood to be “segmented"—essentially edited together, level by level, a commonly accepted category of speedrun. “It was never passed off as anything else,” Maselewski writes. “Hearing that there has been a team of researchers working on this is wild.” In a subsequent text exchange with Cecil and his collaborators that Cecil shared with WIRED, Maselewski described the attempt to debunk his record as a “witch hunt.”

Maselewski's simple explanation that the speedrun was segmented, however, isn't enough, Cecil argues. He claims that some dungeon layouts in Maselewski's run couldn't be generated even in a single segment of a run without altering the game's data, and in one case, a crucial item conveniently appears that defies the game's logic—Naj's Puzzler, a staff that allows the player to teleport across distances—and alleges a piece of performance-enhancing software known as a “trainer” must have been used, all of which could disqualify Maselewski's run. (Maselewski did not immediately respond to WIRED’s follow-up question specifically about Cecil’s allegation that he had used a trainer.)

The night before Cecil's Defcon talk, Maselewski wrote in a final email to WIRED that he believes those alleging that he cheated are using faulty tools with an incomplete picture of _Diablo_'s complexities. “Dwango is out to tell a story. Did I cheat? No,” Maselewski writes. “But what is true or not does not matter at this point, because the wonder of exploration has already overstayed its welcome for a small group of people, and the script has already been written.”

When WIRED reached out to the _Guinness Book of World Records_ to ask if it would take down Maselewski's record, a spokesperson responded noncommittally that “we value any feedback on our record titles and are committed to maintaining the highest standards of accuracy.” An administrator for Speed Demos Archive or SDA, another speedrun record-keeping website where Maselewski holds a similar _Diablo_ record, seemed to be more persuaded by Cecil's evidence. That administrator, who goes by the handle “ktwo” and asked that WIRED not include their real name, says that SDA hasn't officially reached a verdict and is still waiting to hear Maselewski's explanation.

Things are not looking good for groobo, however. “To be clear, we have made a preliminary decision, based on the available information,” ktwo writes “The staff agrees that the analysis raises questions about the validity of the run that need to be addressed, or else the run will be unpublished from SDA. The admin team is currently discussing these questions with the runner. Once that discussion has concluded, a final decision will be made.”

Cecil's involvement in investigating gaming records began in 2017, when the speedrunner Eric “Omnigamer” Koziel, who was writing a book about speedrunning, began re-examining a record set by Todd Rogers for the Atari 2600 racing game _Dragster_. Rogers' record time, 5.51 seconds, had persisted for a remarkable 35 years. But when Koziel reverse engineered Dragster's code to try to understand how Rogers had achieved that time, he found that tricks Rogers said he'd used—such as starting the game in second gear—wouldn't have provided the advantage Rogers claimed.

“The goal was never to point to someone and say, ‘Hey, they're cheating,’” says Koziel. “It was to try to find the truth.”

Cecil, who knew Koziel from the speedrun community, offered to help develop a tool-assisted speedrun they could replay via TASBot on a real Atari 2600 to show that, even on that original hardware, Rogers' record was impossible. They found that TASBot's theoretically perfect performance was 5.57 seconds, slower than Rogers' alleged time. Despite Rogers’ objections, his three-and-a-half-decade-old record was erased from the annals of the gaming records keeper Twin Galaxies—along with all his other records on the site—and Guinness stripped his world record for “longest-standing video game record.”

"Although I disagree with their decision, I must applaud them for their strong stance on the matter of cheating," Rogers wrote in a lengthy public Facebook post responding to the Twin Galaxies decision.

After a seven year hiatus in which he was mostly focused on TASBot projects, Cecil found himself involved in investigating another legendary speedrun earlier this year when a group of gamers made it their goal to beat every level of _Super Mario Maker_. That Wii U game, released in 2015, allowed users to upload their own levels of the game for others to play—if they could prove that the level was beatable by recording a video of themselves finishing it. Yet one such level, called “Trimming the Herbs,” appeared to be impossible. For years, no one but its creator had been able to complete it.

In an effort to help this group of _Super Mario Maker_\-obsessed gamers, Cecil offered to develop a tool-assisted speedrun for the level. He found that it was nearly impossible to clear it reliably, in part due to variances in the Bluetooth communications between the Wii U and its controllers. In that case, the level's creator came forward in the midst of the investigation and confessed he'd beaten the level by altering the internal hardware of his Wii U gamepad—a trick he intended as a kind of friendly prank but had never publicly explained.

In his new attempt to debunk Maselewski's _Diablo_ record, Cecil doesn't expect any such amicable agreement on the facts—or a confession. But he's confident that he and the researchers who've worked with him can remove Maselewski's record and make room for speedrunners to approach the game again. To Cecil’s surprise, they found just in recent days that they _could_, in fact, beat Maselewski's record with a tool-assisted speedrun—thanks to new _Diablo_ techniques they found in their investigation—finishing the game in 2 minutes and 45 seconds without using any of his alleged rule-breaking alterations. Meanwhile, Cecil says _Diablo_ speedrunner “xavier\_sb” has completed a run of the game in just over 4 minutes and 40 seconds, which would stand as the new record if Maselewski's is expunged.

Cecil says this shows, already, how the “chilling effect” of what he alleges to be an impossible record is lifting. “People had just stopped trying, because there wasn't any point,” Cecil says. Now the _Diablo_ speedrunning race is on, once again.

Cecil says he hopes that his work to keep speedrunners honest will not only help traditional speedrunning to thrive, but fuel the tool-assisted kind that he has helped pioneer, too. The key, he maintains, will be drawing a clear line between those who use software tools to play games with inhuman precision as an honest art form, and those who use them for deception. “Both the jerk and the jester bend the established rules. We despise the vileness of the jerk and delight in the shenanigans of the jester,” Cecil says. “But one thing has held true: No one likes a cheat.”

The Hacker Who Hunts Video Game Speedrunning Cheaters

On the hunt for corporate devices being sold secondhand, a researcher found a trove of Apple corporate data, a Mac Mini from the Foxconn assembly line, an iPhone 14 prototype, and more.

It's probably been a while since anyone thought about Apple's router and network storage combo called Time Capsule. Released in 2008 and discontinued in 2018, the product has mostly receded into the sands of gadget time. So when independent security researcher Matthew Bryant recently bought a Time Capsule from the United Kingdom on eBay for $38 (plus more than $40 to ship it to the United States), he thought he would just be getting one of the stalwart white monoliths at the end of its earthly journey. Instead he stumbled on something he didn't expect: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included service tickets, employee bank account data, internal company documentation, and emails.

“It had everything you can possibly imagine,” Bryant tells WIRED. “Files had been deleted off the drive, but when I did the forensics on it, it was definitely not empty.”

Bryant hadn't stumbled on the Time Capsule completely by accident. At the Defcon security conference in Las Vegas on Saturday, he's presenting findings from a months-long project in which he scraped secondhand electronics listings from sites like eBay, Facebook Marketplace, and China's Xianyu, and then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.

Bryant realized that the sellers hawking office devices, prototypes, and manufacturing equipment often weren't aware of their products' significance, so he couldn't comb tags or descriptions to find enterprise gems. Instead, he devised an optical character recognition processing cluster by chaining together a dozen dilapidated second-generation iPhone SEs and harnessing Apple's Live Text optical character-recognition feature to find possible inventory tags, barcodes, or other corporate labels in listing photos. The system monitored for new listings, and if it turned up a possible hit, Bryant would get an alert so he could assess the device photos himself.

In the case of the Time Capsule, the listing photos showed a label on the bottom of the device that said “Property of Apple Computer, Expensed Equipment.” After he evaluated the Time Capsule's contents, Bryant notified Apple about his findings, and the company's London security office eventually asked him to ship the Time Capsule back. Apple did not immediately return a request from WIRED for comment about Bryant's research.

“The main company in the talk for proofs of concept is Apple, because I view them as the most mature hardware company out there. They have all their hardware specially counted, and they really care about the security of their operations quite a bit,” Bryant says. “But with any Fortune 500 company, it’s basically a guarantee that their stuff will end up on sites like eBay and other secondhand markets eventually. I can’t think of any company where I haven’t seen at least some piece of equipment and got an alert on it from my system.”

Another alert from his search system led Bryant to purchase a prototype iPhone 14 intended for developer use internally at Apple. Such iPhones are coveted by both bad actors and security researchers because they often run special versions of iOS that are less locked down than the consumer product and include debugging functionality that's invaluable for gaining insight into the platform. Apple runs a program to give certain researchers access to similar devices, but the company only grants these special iPhones to a limited group, and researchers have told WIRED that they are typically outdated iPhone models. Bryant says he paid $165 for the developer-use iPhone 14.

Finally, Bryant says that manufacturing and assembly-line devices can be particularly revealing and can also be found on secondhand markets—especially platforms in China, since so many electronics are assembled in the country. Bryant was curious to see if he could find any equipment that had formerly been used in a Foxconn factory where iPhones are notoriously assembled. By analyzing Chinese listings with his computer vision system, Bryant says he was able to piece together how Foxconn’s asset management system works and how the company labels its devices—particularly those used on the factory floor. Eventually he found a Mac Mini that had a bunch of the Foxconn tags on it and had seemingly been used on a Foxconn quality-and-assurance testing line. But the computer was simply listed for parts, because the photos clearly showed that it had a large drill hole running through the device.

After examining schematics of various generations of Mac Minis, though, Bryant concluded that it was possible the drill had missed the magnetic tray where data would be stored on the hard drive. He took a chance and ordered the computer from China and assessed it himself. Bryant isn't a hardware expert, but once he received the device, it also seemed to him that the physical destruction had likely not achieved its goal. So he sent the Mac Mini to a forensics lab in Los Angeles, which was ultimately able to recover all the data from the drive.

“It had the internal software that Apple uses on their factory line to do testing, including special interfaces for communicating with prototypes and QA units,” Bryant says. “And the computer also contained credentials for Foxconn and logs.”

Bryant again reported his findings to Apple and returned the Mac Mini to them.

The project contains a warning for companies, both about the inevitability of having some device attrition and the importance of taking asset management and deprovisioning seriously. For hackers and eagle-eyed deal seekers alike, though, rogue corporate devices may be a new item for the shopping list.

Apple Prototypes and Corporate Secrets Are for Sale Online—If You Know Where to Look

The vulnerabilities, which have been patched, may have novel appeal to attackers as an avenue to compromising phones.

Demand for graphics processing units or GPUs has exploded in recent years as video rendering and artificial intelligence systems have expanded the need for processing power. And while most of the most visible shortages (and soaring stock prices) relate to top-tier PC and server chips, mobile graphics processors are the version that everyone with a smartphone is using everyday. So vulnerabilities in these chips or how they're implemented can have real-world consequences. That's exactly why Google's Android vulnerability hunting red team set its sights on open-source software from the chip giant Qualcomm that's widely used to implement mobile GPUs.

At the Defcon security conference in Las Vegas on Friday, three Google researchers presented more than nine vulnerabilities—now patched—that they discovered in Qualcomm's Adreno GPU, a suite of software used to coordinate between GPUs and an operating system like Android on Qualcomm-powered phones. Such “drivers” are crucial to how any computer is designed and have deep privileges in the kernel of an operating system to coordinate between hardware peripherals and software. Attackers could exploit the flaws the researchers found to take full control of a device.

For years, engineers and attackers alike have been most focused on potential vulnerabilities in a computer's central processing unit (CPU) and have optimized for efficiency on GPUs, leaning on them for raw processing power. But as GPUs become more central to everything a device does all the time, hackers on both ends of the spectrum are looking at how GPU infrastructure could be exploited.

“We are a small team compared to the big Android ecosystem—the scope is too big for us to cover everything, so we have to figure out what will have the most impact,” says Xuan Xing, manager of Google's Android Red Team. “So why did we focus on a GPU driver for this case? It's because there’s no permission required for untrusted apps to access GPU drivers. This is very important, and I think will attract lots of attackers’ attention.”

Xing is referring to the fact that applications on Android phones can talk to the Adreno GPU driver directly with “no sandboxing, no additional permission checks,” as he puts it. This doesn't in itself give applications the ability to go rogue, but it does make GPU drivers a bridge between the regular parts of the operating system (where data and access are carefully controlled), and the system kernel, which has full control over the entire device including its memory. “GPU drivers have all sorts of powerful functions,” Xing says. “That mapping in memory is a powerful primitive attackers want to have.”

The researchers say the vulnerabilities they uncovered are all flaws that come out of the intricacies and complicated interconnections that GPU drivers must navigate to coordinate everything. To exploit the flaws, attackers would need to first establish access to a target device, perhaps by tricking victims into side-loading malicious apps.

“There are a lot of moving parts and no access restrictions, so GPU drivers are readily accessible to pretty much every application,” says Eugene Rodionov, technical leader of the Android Red Team. “What really makes things problematic here is complexity of the implementation—that is one item which accounts for a number of vulnerabilities.”

Qualcomm released patches for the flaws to “original equipment manufacturers” (OEMs) that use Qualcomm chips and software in the Android phones they make. “Regarding the GPU issues disclosed by Android Security Red Team, patches were made available to OEMs in May 2024,” a Qualcomm Spokesperson tells WIRED. “We encourage end users to apply security updates from device makers as they become available.”

The Android ecosystem is complex, and patches must move from a vendor like Qualcomm to OEMs and then get packaged by each individual device maker and delivered to users' phones. This trickle-down process sometimes means that devices can be left exposed, but Google has spent years investing to improve these pipelines and streamline communication.

Still, the findings are yet another reminder that GPUs themselves and the software supporting them have the potential to become a critical battleground in computer security.

As Rodionov puts it, “combining high complexity of the implementation with wide accessibility makes it a very interesting target for attackers.”

Source

Wired