Ant-Media-Server v2.8.2 is affected by Improper Output Neutralization for Logs. The vulnerability stems from insufficient input sanitization in the logging mechanism. Without proper filtering or validation, user-controllable data, such as identifiers or other sensitive information, can be included in log entries without restrictions.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2gx6-qrpp-c4p3: Ant-Media-Server vulnerable to Improper Output Neutralization for Logs

A deserialization vulnerability exists in the Stub class of the VarDumper module in Symfony. The vulnerability stems from deficiencies in the original implementation when handling properties with null or uninitialized values. An attacker could construct specific serialized data and use this vulnerability to execute unauthorized code.

GHSA-cg28-v4wq-whv5: Symfony's VarDumper vulnerable to unsafe deserialization

In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.

GHSA-7q22-x757-cmgc: Symfony http-security has authentication bypass

moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.

GHSA-2mj3-vfvx-fc43: Moby Race Condition vulnerability

moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.

GHSA-gh5c-3h97-2f3q: Moby Race Condition vulnerability

Whether it's detecting fraudulent activity, preventing phishing, or protecting sensitive data, AI is transforming cybersecurity in ridesharing.

Source: Askar Karimullin via Alamy Stock Photo

COMMENTARY

Picture yourself standing on a busy street corner, smartphone in hand. With just a few taps, you summon a car that will arrive in minutes. This seemingly simple action has now become a daily routine for millions of Americans across the country. But as ridesharing apps offer unparalleled convenience, they also face growing concerns about security and data protection. As a result, these platforms are increasingly turning to artificial intelligence (AI) to fortify their defenses and ensure the safety of both riders and drivers.

Beneath the surface of this seamless user experience lies a complex ecosystem of AI algorithms working tirelessly to keep every journey safe and secure. Whether it's detecting fraudulent activity, preventing phishing attempts, or protecting sensitive data, AI is fundamentally transforming the cybersecurity landscape in ridesharing.

**AI-Driven Identity Verification**

Security starts at the very first step of the ridesharing journey — identity verification. Both riders and drivers must be authenticated to ensure a secure experience. However, verifying millions of users poses a substantial challenge. That's where AI steps in as a powerful tool for combating identity fraud.

Driver Authentication: AI-powered facial recognition systems use computer vision to compare selfies taken by drivers with their government-issued IDs. This process ensures that the person behind the wheel matches the registered account. To enhance security, these platforms implement periodic re-verification through biometric checks, preventing fraudulent actors from using stolen accounts to access the platform.

Rider Authentication: Currently, riders are authenticated through basic checks such as validating email addresses, phone numbers, and payment methods. However, the potential for AI in rider verification extends far beyond these initial steps. In the future, AI systems could incorporate more sophisticated predictive modeling to detect anomalies in user activity — for example, unusual patterns in booking history or device usage could flag compromised accounts, enabling platforms to intervene before any security breach occurs.

**Detecting Fraud and Phishing Attacks**

One of the most pervasive threats in digital platforms today is phishing. With the rise of sophisticated phishing schemes aimed at ridesharing users — whether to steal credentials or payment information — ridesharing apps have embraced AI-driven systems to detect and block malicious attempts in real time.

Fraud and Phishing Detection: Fraudsters often exploit vulnerabilities like stolen payment information or fake driver profiles to manipulate the system for unauthorized gains. Meanwhile, phishing campaigns attempt to trick users — both drivers and riders — into revealing sensitive details. AI tackles these threats by:

*   Identifying Suspicious Behavior: AI models flag irregularities, such as unusual login locations, sudden changes in ride patterns, or attempts to manipulate driver or payment profiles.
    
*   Blocking Phishing Attempts: Sophisticated algorithms analyze signals like abnormal contact rates, high cancellation frequencies, and sequential anomalies to detect and prevent phishing schemes.
    
*   Responding Swiftly to Threats: When anomalies are detected, AI systems react in real time by locking compromised accounts, intercepting fraudulent actions, and mitigating risks before they escalate.
    
*   Payment Security: AI also plays a critical role in securing payment transactions. Using machine learning, ridesharing platforms can detect anomalies in payment processing, such as transaction tampering or repeated failed payments, that could indicate fraudulent activity. Payment gateways are closely monitored for suspicious transactions, and any deviations from typical user behavior are flagged for further review.
    

**Real-Time Threat Monitoring**

While preemptive security measures like identity verification and encryption are essential, ridesharing platforms must also continuously monitor for real-time threats during rides. Here, AI-driven systems act as vigilant guardians, ensuring safety throughout the journey.

*   Monitoring for Suspicious Behavior: AI systems monitor ongoing trips, flagging erratic behavior such as deviations from planned routes or excessive speed. By using GPS data, machine learning models can identify unsafe driving patterns and alert both the rider and driver to potential issues. This real-time monitoring not only ensures physical safety but also acts as a safeguard against hijacking or driver impersonation.
    
*   Emergency Response Systems: Ridesharing platforms have integrated AI-enhanced emergency features into their apps, allowing users to access help instantly. One-tap emergency buttons are backed by AI-driven systems that can instantly share real-time ride data, including location and driver information, with authorities or emergency contacts. In addition, AI models can analyze data from encrypted dashcams and provide insights into incidents that require rapid intervention, ensuring that support arrives as quickly as possible.
    

**AI, the Guardian of Ridesharing Security**

Looking ahead, AI will play a pivotal role in enhancing the security and privacy of ridesharing platforms. As the amount of personally identifiable information (PII) grows, AI systems will continue to evolve, strengthening encryption, anomaly detection, and proactive threat monitoring. Machine learning models will not only monitor for emerging cyber threats, such as phishing and fraud, but also predict and flag high-risk behaviors like frequent ride cancellations or erratic driving. By deprioritizing these risky matches, AI ensures a safer experience for both riders and drivers.

With the integration of real-time cyber threat intelligence, AI will adapt to new attack methods, staying one step ahead of cybercriminals. Predictive analytics will help identify potential risks before they escalate, allowing ridesharing platforms to take action early. AI's ability to monitor and mitigate threats in real time, coupled with its capacity for proactive threat prediction, will provide a resilient, adaptive security framework.

As ridesharing services continue to transform urban mobility, the role of AI in ensuring security and privacy will only grow. AI will enable platforms to address increasingly sophisticated cybersecurity challenges, providing a robust foundation for privacy, safety, and trust in a rapidly evolving digital world. Through its continuous innovation, AI will not only make rides more convenient but will also create a safer, more secure environment for users worldwide.

**About the Author**

Machine Learning Engineer, Lyft

Rachita Naik is a Machine Learning Engineer at Lyft in New York with a Master's in Computer Science from Columbia University. Passionate about leveraging machine learning to solve real-world problems, she has developed a diverse skill set through academic projects and professional experience. At Lyft, she works on algorithms to optimally match riders with drivers, enhancing marketplace efficiency and profit. Rachita thrives in fast-paced environments and is always eager to learn new technologies to improve her work.

How AI Is Enhancing Security in Ridesharing

Group-IB has discovered that cybercriminals are using fake betting apps and ads with AI-generated voices to steal personal information and money. Discover the tactics used by scammers and how to avoid falling victim to these fraudulent schemes.

**SUMMARY**

*   **Scammers Use Fake Ads**: Cybercriminals are creating fake betting app ads to lure users and steal money and personal information.

*   **AI-Generated Voices**: Scammers use AI-generated voices in multiple languages to make their schemes seem more credible.

*   **Massive Reach**: Over 500 fake ads and 1,377 malicious sites have been identified, targeting users in regions like Egypt, the Middle East, Europe, and Asia.

*   **Serious Losses**: Victims have reported losing significant amounts, with some losing over $10,000 to these scams.

*   **Stay Safe**: Avoid downloading apps from unofficial sources, be wary of too-good-to-be-true offers, and always use strong security measures.

Cybersecurity firm Group-IB has observed a surge in **fake betting** game advertisements across various social media platforms. In its detailed investigation, shared with Hackread.com, Group-IB’s CERT team discovered deceptive ads designed to lure unsuspecting users by promising easy money, ultimately leading to financial loss and personal data compromise. The ads typically target users in regions like Egypt, the Middle East, Europe, and Asia.

One of the fake apps used in the scam (Source: Group-IB)

Researchers, reportedly, discovered over 500 deceptive ads and 1,377 malicious websites targeting users to download fraudulent applications. Further probing revealed that cybercriminals are employing advanced techniques to make these fraudulent ads appear legitimate.

This, according to Group-IB’s **blog post**, includes using AI-generated voices in multiple languages to create a sense of authenticity, even when the scam originates from a different country. Victims have suffered significant financial losses, with some reporting losses exceeding US$10,000.

As soon as a user clicks on a deceptive ad, they are directed to download a fraudulent app. These apps are typically distributed through third-party websites or APK files and are capable of bypassing security measures on official app stores. Upon installation, the app requests various personal and financial information, which is then harvested by the scammers.

> _“Group-IB CERT discovered these scams across multiple regions, with more than 200 ads targeting Egypt, 160 ads in the GCC, and another 140 in Europe and Asia. The momentum of such scams has rapidly increased, with scammers continually expanding into new markets.”_
> 
> Group-IB

Fake reviews and testimonials are a key facilitating factor in these scams, as these enhance the legitimacy of the fake apps. These reviews feature detailed narratives, screenshots, and photos of “successful” players, creating the illusion of a highly profitable and trustworthy game, and generating attraction for the scam.

Fake reviews on one of the fraud apps (Source: Group-IB)

Fake betting apps can lead to severe consequences for users, such as financial loss through “bait and switch” tactics, identity theft due to the collection of personal information, and device compromise. Malicious apps can compromise device security, allowing attackers to access sensitive data and install additional malware, posing a significant risk to users’ personal information.

We have been witnessing a gradual rise in fake gaming apps compromising users’ devices. Recently, Hackread **reported** Fortinet’s FortiGuard Labs discovery of a new malicious campaign targeting Microsoft Windows users using game-related applications to deliver Winos4.0, an advanced malware framework similar to Cobalt Strike and Sliver. Earlier this week, Indian authorities **busted** an international gang of cybercriminals who used fake gaming apps to mint over 190cr from unsuspecting users.

Hence, it is essential to be cautious of quick money offers to avoid falling victim to such scams. Always download apps from official stores, avoid suspicious links, use strong security measures like passwords and two-factor authentication, and stay updated on the latest online scams and **phishing techniques** to stay safe.

1.  **Crooks Exploit Satellite Live Feed Delay for Betting Advantage**
2.  **Fake GlobalProtect VPN Downloads Spread WikiLoader Malware**
3.  **Chinese Scammers Exploit Cloned Sites in Vast Gambling Network**
4.  **Facebook Malvertising Campaign Drops Malware via Fake Bitwarden**
5.  **Dude Finds Flaw in World’s Biggest Gambling Site, Steals $1M in BTC**

Fake Betting Apps Using AI-Generated Voices to Sensitive Data

Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware.

Source: TippaPatt via Shutterstock

Businesses are not the only organizations looking for skilled cybersecurity professionals; cybercriminals are also advertising for individuals capable of creating dark AI models and penetration-testing products — that is, ransomware — to reduce the chance of defenders finding ways to circumvent the scheme.

In advertisements on Telegram chats and forums — such as the Russian Anonymous Marketplace, or RAMP — ransomware affiliate groups and initial access providers are seeking cybersecurity professionals to help find and close holes in their malware and other attack tools, security firm Cato Networks stated in its "Q3 SASE Threat Report." In the past, the firm's threat researchers have noted advertisements seeking developers capable of creating a malicious version of ChatGPT.

The search for more technical talent highlights the recent success of law enforcement and private companies in taking down botnets and helping defenders recover their data, says Etay Maor, chief security strategist at Cato Networks.

"They definitely want to make sure that all the effort they're putting into their software is not going to be turned over when somebody finds a vulnerability," he says. "They're really stepping up their game in terms of approaching software development, making it closer to what an enterprise would do than what is typically seen today from other development groups."

The search for better software security is the latest sign of technical evolution among cybercriminal groups. In Southeast Asia, cybercriminal syndicates have grown from illegal gambling and drug cartels into enterprises that rake in more than $27 billion a year, fueling improvements in money laundering, technical development, and forced labor.

**Penetration Testing Just the Latest**

As cybercriminal groups grow, specialization is a necessity. In fact, as cybercriminal gangs grow, their business structures increasingly resemble a corporation, with full-time staff, software development groups, and finance teams. By creating more structure around roles, cybercriminals can boost economies of scale and increase profits.

Currently, the top ransomware groups are LockBit, RansomHub, PLAY, Hunters International, and Akira — all likely using more structured roles and cybercriminal services to operate efficiently, according to a 2024 review of the top ransomware groups by threat intelligence firm Recorded Future, now part of Mastercard International.

"These emerging groups and platforms bring new and interesting ways to attack so organizations need to be on their toes and adjust their cybersecurity accordingly," the company stated in a blog post. "As they evolve, understanding their modus operandi and targets will be key to mitigating the impact."

New cybercriminals groups are always appearing, and that also means new opportunities for skilled cybercriminals. The first half of 2024 saw 21 new ransomware groups appear in underground forums, although many of those new groups are likely rebranded versions of previous groups that had splintered. Overall, 68 groups posted more than 2,600 claimed breaches to leak sites in the first six months of the year, a 23% increase over the same period in 2023, according to cybersecurity firm Rapid7.

Most malware and tools created by the groups use C or C++ — the programming language used in 58 samples — but the use of more modern, memory-safe languages is growing, with Rust used in 10 samples and Go used in six samples, according to a report released by Rapid7, which noted "the complexity of the ransomware business model, with groups coming and going, extortion tactics intensifying, builders and code 'leaking' — and all the while, the overall scope of the threat only expanding."

**More Aggressive Defense**

Finally, some groups required specialization in roles based on geographical need — one of the earliest forms of contract work for cybercriminals is for those who can physically move cash, a way to break the paper trail. "Of course, there's recruitment for roles across the entire attack life cycle," Maor says. "When you're talking about financial fraud, mule recruitment ... has always been a key part of the business, and of course, development of the software, of malware, and end of services."

Cybercriminals' concerns over software security boil down to self-preservation. In the first half of 2024, law enforcement agencies in the US, Australia, and the UK — among other nations — arrested prominent members of several groups, including the ALPHV/BlackCat ransomware group and seized control of BreachForums. The FBI was able to offer a decryption tool for victims of the BlackCat group — another reason why ransomware groups want to shore up their security.

Current geopolitical disruptions, which can lead to highly skilled people unemployed, are making it more likely that cybercriminals groups will be able to convince legitimate cybersecurity professionals to take a risk and do illegal work, Cato Networks' Maor says.

"There's people ... losing jobs in Eastern Europe because of the current war situation, so unfortunately you see that in the underground forums, where you have smart people there, who — at the end of the day — need to put food on the table," he says. "If that means they have to resort to jobs that are not necessarily super legal, if that's what they need to do to pay the bills, then they'll pop up on these forums and be like, 'Hey, I worked for this company. I have this knowledge ... and I can offer access.'"

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Gangs Seek Pen Testers to Boost Quality

When looking to create a business, one of the most important things to consider is how you will…

When looking to create a business, one of the most important things to consider is how you will get it off the ground. Having an idea is great, but you need to go way beyond this to ensure your success. You need to think of everything including how much you have to invest in your business, how you’re going to get your website up and what this will mean for you going forward. In this article, we take a look at how to get your startup off the ground and into a profitable business in no time. Keep reading to get inspired. 

****Ensure your brand is strong****

Your branding is essentially the foundation of your business and is something everyone will see and focus on as you grow and scale up. With this in mind, you want to ensure it’s strong and designed to last. Consider your brand colours and how well these correlate with what you offer. Think about your font – do you want something fun and playful? Or perhaps something more professional and business-like? Consider the message you want to put across when it comes to this and what you want to convey. 

****Place emphasis on your website****

Your website is the storefront for your business online and is the place where your customers, clients and others will come for information or to buy your products and services. Because of this, you need to make sure it’s functional, practical, looks good and does the job. Web hosting from a professional company is vital as they can help your website run smoothly and provide support when you need it. This can ensure a top experience not only for you in the back end but for your customers also. Think about how many pages you want your website to be and things like if you want a blog or other elements to it.

**Protection Against Brand Impersonation**

Brand impersonation is a growing cybersecurity threat that startups must take seriously. Cybercriminals often mimic established brands or even newly launched startups to deceive customers, partners, or employees into sharing sensitive information or making unauthorized transactions. This type of attack not only risks financial security but can also ruin a company’s reputation before it fully establishes itself in the market.

Startups should invest in cybersecurity measures like domain protection, email authentication protocols (such as **DMARC**), and regular monitoring of online mentions of their brand. Educating employees and customers about identifying phishing attempts and fake profiles is equally important to protect against these malicious tactics.

X (formerly Twitter) has become a hub for brand impersonation, with scammers frequently posing as major crypto and blockchain firms to defraud users of their funds. The issue has worsened since Elon Musk introduced the option to purchase blue checkmarks, which has significantly increased the prevalence of such scams.

> A large network of bot accounts impersonating users like myself on X/Twitter has resulted in $305k+ stolen over the past few days.
> 
> They even tricked Dexerto into accidentally making an article/post promoting the scam.
> 
> The scam worked by having impersonators post about a fake… pic.twitter.com/lde4CXHjK5
> 
> — ZachXBT (@zachxbt) November 15, 2023

****Focus on your budget allocation****

Let’s face it, starting a business isn’t cheap, but by having a budget in mind, you can avoid going too heavy over what you can afford and risking it being stressful. Allocate budget for things such as your web hosting and building, marketing, office premises if this is something you will need, warehouse and any stock, as well as a work phone and contract, your internet and travel costs that might need to be paid for. Organisation is key and can help ensure you’re a success. 

These are just a few things you can do to help get your startup off the ground and on the path to success. There are so many attributing factors to making sure your company does well, but a solid foundation is arguably the most important of them all. By starting out well with your business you can help it scale up effectively and know it will continue to grow and do well as time goes on. What are some top tips you have for getting a startup off the ground? Let us know in the comments.

How To Get Your Startup Off The Ground Amid Cybersecurity Threats

Following decades of failed attempts and dashed dreams, the US Army is once again trying out powered exoskeletons to help soldiers haul munitions and equipment in the field.

After decades of research and development, the United States Army is taking yet another run at developing a powered exoskeleton to help soldiers carry heavy loads on the battlefield—but don’t expect a futuristic suit of combat armor straight out of _Starship Troopers_ or _Iron Man_ anytime soon.

Soldiers assigned to the Army’s 1-78 Field Artillery Battalion training unit at Fort Sill, Oklahoma, recently completed a three-day “proof of concept” evaluation of several off-the-shelf “exoskeleton suits” in late September and early October, officials confirmed to WIRED. The evaluation was overseen by the service’s Combat Capabilities Development Command (DEVCOM), the organization responsible for developing new technology for soldiers.

Official photos from the evaluation published to social media showed Advanced Individual Training students hauling artillery shells to and from a M109 Paladin self-propelled howitzer and M777-towed howitzer with telltale black exoskeleton harnesses contrasted against their camouflage uniforms, part of a field exercise undertaken “to assess the potential of human augmentation, improve soldier performance, and determine if these exoskeletons meet the demands of our warfighters,” as the service put it.

While a DEVCOM spokesperson declined to identify which commercially produced systems were evaluated by soldiers, the Army announced its intent in August to award a contract to exoskeleton maker SUITX to “give users experience of advanced soldier augmentation technologies,” according to a government notice. “This exoskeleton will serve as a critical tool for evaluating the potential benefits of robotic assistance in increasing soldier endurance, strength, and overall operational effectiveness.”

Increased strength and endurance are an alluring duo for an American fighting force used to hauling close to 140 pounds into combat, and the prospect of a sophisticated combat suit that delivers both to soldiers even more so. But DEVCOM officials strongly emphasized that, despite this recent testing, the US military has yet to even determine how to actually apply a powered exoskeleton in a military context, let alone outfit soldiers in an “Iron Man suit” the likes of which the Army has bragged about in years past. Indeed, service officials tell WIRED that an official requirement document—a formal outline of a potential program’s technical and logical preconditions—for the adoption and fielding of exoskeletons does not currently exist, despite the fact that officials previously stated back in 2020 that Army Futures Command, DEVCOM’s superior organization, was closing in on one.

“As of today, the Army has not determined what the primary purpose of a ‘military exoskeleton’ is,” says David Accetta, a DEVCOM spokesperson.

That the Army is taking another crack at a powered exoskeleton should come as no surprise. The US military has been pursuing such technology for potential tactical applications for decades, since around the same time that science fiction author Robert Heinlein introduced the world to his vision of a “mobile infantry” flitting across future battlefields clad in advanced robotic armor in his beloved 1959 military science fiction classic _Starship Troopers_. Where Heinlein imagined future soldiers operating a mechanized battlesuit reminiscent of “a big steel gorilla, armed with gorilla-sized weapons,” the ostensible advantage of powered armor wasn’t just its added strength and durability, but the fact that “you don’t have to control the suit; you just wear it, like your clothes, like skin.” No fancy control interface, no complicated training: Soldiers would ostensibly step into a notional apparatus and be ready to “fight tonight,” as US military planners are fond of saying.

With an eye to future conflicts on an atomic battlefield, the Cold War-era US Defense Department clearly drew at least some inspiration from _Starship Troopers._ One year after Heinlein’s novel published, the Army went on the hunt for a “power-operated mechanical suit or skeleton that would transform the ordinary GI into a Superman,” according to a 1960 issue of the service’s _Army Research & Development_ magazine, with future “servo-soldiers” hauling munitions and other heavy equipment “beyond the strength of a dozen men.” The servo-soldier “will wear a special suit which will have its own engine, enabling him to run faster, stop quicker, and lift bigger loads than ordinary mortals,” as _Armor_ magazine put it in 1961 when the Pentagon officially solicited the defense industry for potential exoskeleton solutions. “What is more, he will be immune to germ warfare, poison gas, and the heat and radiation from nuclear blasts.”

In the following decades, the Pentagon took several stabs at making the servo-soldier a reality. In the 1960s, Cornell University engineer Neil Mizen’s “Man Amplifier,” funded by an Office of Naval Research grant, offered service members a patchwork of robotic components intended “to help sailors manhandle torpedoes, bombs, and machinery in the cramped quarters aboard ships and submarines,” as _Popular Science_ described it in a November 1965 issue. In the later part of the decade, General Electric debuted its “Hardiman” exoskeleton, developed under a dual Army-Navy effort, a colossal, bulky apparatus that more closely resembled the P-5000 Powered Work Loader from the 1986 movie _Aliens_ than a sleek battlesuit like Iron Man’s armor. In the 1980s, Los Alamos National Laboratory Advanced Weapons Technology Group engineer Jeffery Moore offered the Pentagon its most futuristic vision of a powered exoskeleton yet with his proposed “Pitman” combat suit, a vision of robot armor so advanced it remained a mere concept without ever producing a prototype. Every decade, the Pentagon appears to stand up and quickly wind down an exoskeleton project without ever producing a feasible prototype.

While the Defense Advanced Research Projects Agency (Darpa) oversaw incremental advances in US military exoskeleton research in the early 2000s, the most recent concerted attempt at a suit of powered armor came in the last decade in the form of US Special Operations Command’s Tactical Assault Light Operator Suit (TALOS). Inspired by the death of a Navy SEAL during a hostage rescue effort in Afghanistan, TALOS sought to cloak elite US special operations forces in additional layers of ballistic armor, sensors, and an exoskeleton to boost their survivability and situational awareness to near-superhuman levels. But while the TALOS program did yield several novel technologies (a lower body exoskeleton among them), the effort was canceled in 2019 after just five years of research and development, felled by “complex subsystem interdependencies” between its various elements that failed to coalesce into a unified and intuitive suit that operators could “just wear,” as Heinlein envisioned decades earlier. (SOCOM would pivot to its “hyper enabled operator” concept, which focuses on “cognitive overmatch” rather than physical augmentation to give American commandos an edge on the battlefield.)

Wary of the technological complexity required to develop mechanized armor for infantry troops, the Pentagon has spent the better part of the last two decades, with the exception of SOCOM’s TALOS effort, scaling back its exoskeleton ambitions to better match the original duties of the servo-soldier: hauling munitions and other heavy equipment. The Army’s Robotics and Autonomous Systems strategy released in March 2017, for example, stated that the service would pursue exoskeleton research primarily “to lighten the soldier load in the future” as a near-term priority as the Pentagon began its pivot from counter-insurgency operations in the Middle East to “great power competition” with technologically-advanced “near-peer” adversaries like Russia and China. The following October, in a letter to senior officials laying out the Army’s core modernization priorities for the coming decades, General Mark Milley, then the Army chief of staff and later chairman of the Joint Chiefs of Staff, declared that the service would eventually field “load-bearing exoskeletons” as part of a renewed emphasis on “soldier lethality” (the next year, Milley directed DEVCOM to undertake “a detailed engineering analysis of existing and emerging exoskeleton products” for their potential military applications).

This newfound push appears to have yielded several fresh experiments with exoskeleton technology in recent years. In 2018, Lockheed Martin was awarded a $6.9 million contract to “enhance” its ONYX exosuit for future Army demonstrations (Accetta, the DEVCOM spokesman, tells WIRED that initiative was ended due to a “number of technical issues” and lack of funding). Similarly, the service has been testing the Dephy ExoBoot for at least the last several years. In August 2022, the Army unveiled an (unpowered) exoskeleton dubbed the Soldier Assistive Bionic Exosuit for Resupply (SABER) to reduce lower back pain and physical stress among service members in the field; according to a 2023 study, 90 percent of soldiers who used the exosuit during field artillery training exercises reported an increased ability to perform their assigned tasks. And the Army isn’t the only branch exploring exoskeletons: Later in 2022, the Air Force announced that the service was testing its own pneumatically powered exosuit developed by ROAM Robotics to help aerial porters load up cargo aircraft like the C-17 Globemaster III.

The Fort Sill exoskeleton trial isn’t just the latest installment in a seven-decade push to meld man and machine; it’s also representative of the service’s cautious, restrained approach to the technology. Although US military planners may have long aspired to build an army of those so-called servo soldiers to dominate the future battlefield, current exoskeleton research efforts appear laser focused on more modest and potentially attainable applications like logistics and resupply rather than combat engagements. Slowly but surely, the Pentagon is carefully examining whether a robotic assist will help service members carry more for longer downrange.

But the Pentagon doesn’t appear to have totally given up on its dream of a powered exoskeleton as the basis for an armored battlesuit just yet. The 2017 Army RAS strategy, despite its emphasis on lightening soldier loads, also posited the long-term goal of building a “warrior suit” with “integrated displays that aggregates a common operating picture, provides intelligence updates, and integrates indirect and direct fire weapons systems”—capabilities not unlike those imagined with a notional _Starship Troopers_ mobile infantry or Iron Man suit-clad operator and explored with the TALOS initiative. As of a few years ago, at least one Army official was still talking about such a suit as a long-term effort that could potentially become a reality sometime in the 2040s.

Today, however, that idea appears to be in hibernation, if not fully dead. When asked about the “warrior suit” effort, DEVCOM officials threw cold water on the entire concept as “the professional vision of one person” and “not to be considered (even at the time) as an official Army position,” despite its explicit mention in the 2017 RAS document.

“The ‘warrior suit’ never existed as such, it was never considered a ‘warrior suit’—at least not by the Army—but a proof of concept, meaning, ‘Would something like this help manage load while on the move?’’ Accetta says. “The number of technical, integration, design, power, ergonomic, and so on concerns were not trivial.”

“The project is not abandoned, it’s simply inactive,” he adds. “And if it ever were to become active, we doubt highly it would be called a ‘warrior suit.’”

Tag

#auth