View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: EVLink WallBox
Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain remote control of the charging station.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
EVLink WallBox: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability exists, which could cause arbitrary file writes when an unauthenticated user on the web server manipulates the file path.
CVE-2025-5740 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-5740. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability exists, which could cause arbitrary file reads from the charging station. Exploitation of this vulnerability requires an authenticated session of the web server.
CVE-2025-5741 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-5741. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability exists when an authenticated user modifies the configuration parameters on the web server.
CVE-2025-5742 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-5742. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).
3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability exists, which could cause remote control of the charging station when an authenticated user modifies configuration parameters on the web server.
CVE-2025-5743 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-5743. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Dutch Institute for Vulnerability Disclosure (DIVD) reported these vulnerabilities to Schneider Electric.
4. MITIGATIONS
According to Schneider Electric, EVLink WallBox product has reached its end of life and is no longer supported. Users should also consider upgrading to the replacement product offering EVLink Pro AC to resolve these issues. Users should immediately apply the following mitigations to reduce the risk of exploit:
Firewall Configuration and Logs:

Set up network segmentation and implement a firewall to block all unauthorized access to HTTP ports.
Periodically check the access log.
Password:

Choose a strong password.
Do not share your password.
Change your password periodically .
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-161-03 EVLink WallBox - SEVD-2025-161-03 PDF Version, EVLink WallBox - SEVD-2025-161-03 CSAF Version.
Schneider Electric strongly recommends the following industry cybersecurity best practices.
Passwords should include upper case, lower case, number and special characters, a length of 20 characters is ideal.
A default Admin password must be changed immediately when first received and after a factory reset.
Device should only be used in a personal home network.
Device should not have a publicly accessible IP address.
Do NOT use port forwarding to access a device from the public internet.
A device should be on its own network segment. If your router supports a guest network or VLAN, it is preferable to locate the device there.
Use the strongest Wi-Fi encryption available, such as WPA3 or WPA2/3 with protected management frames.
Schedule regular reboots of your routing device, smartphones, and computers.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
June 24, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-161-03

Schneider Electric EVLink WallBox

Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

In a press release last week, the owner of the Barbie brand signed a “strategic collaboration” with the AI company, which owns ChatGPT. “By using OpenAI’s technology, Mattel will bring the magic of AI to age-appropriate play experiences with an emphasis on innovation, privacy, and safety,” it said.

Details on what might emerge were scarce, but Mattel said that it only integrates new technologies into its products in “a safe, thoughtful, and responsible way”.

Advocacy groups were quick to denounce the move. Robert Weissman, co-president of public rights advocacy group Public Citizen, commented:

> “Mattel should announce immediately that it will not incorporate AI technology into children’s toys. Children do not have the cognitive capacity to distinguish fully between reality and play.
> 
> Endowing toys with human-seeming voices that are able to engage in human-like conversations risks inflicting real damage on children. It may undermine social development, interfere with children’s ability to form peer relationships, pull children away from playtime with peers, and possibly inflict long-term harm.”

**The kids aren’t alright**

Some are concerned about the effect of AI on young developing minds. Researchers from universities including Harvard and Carnegie Mellon have warned about negative social effects, along with a tendency for children to attribute human-like properties to AI.

One such child, 14 year-old Sewell Seltzer III, took his own life after repeatedly talking to chatbots from Character.AI, which allows users to create their own AI characters.

In a lawsuit against the company, his mother Megan Garcia described how he began losing sleep and growing more depressed after using the service, to the point where he fell asleep in class. A therapist diagnosed him with anxiety and disruptive mood disorder. It emerged that he had become obsessed with an AI representing an adult character from Game of Thrones that purported to be in a real romantic relationship with him.

**Past mistakes**

We’re not suggesting Mattel would condone such activities. It cites “more than 80 years of earned trust from parents and families”, but that statement glosses over previous missteps.

These include Hello Barbie. Mattel launched this Wi-Fi connected doll in 2015 and encouraged kids to talk with it. It asked personal questions about children and their families, sending that audio to a third-party company that used AI to generate a response. Non-profit group Fairplay, which advocates for protecting children from inappropriate technology and brand marketing, launched a campaign protesting child surveillance. Subsequently, investigators found vulnerabilities that would allow intruders to eavesdrop on that audio. Mattel pulled the toy from shelves in 2017.

Fairplay executive Josh Golin slammed the OpenAI partnership announcement.

> “Apparently, Mattel learned nothing from the failure of its creepy surveillance doll Hello Barbie a decade ago and is now escalating its threats to children’s privacy, safety and well-being.
> 
> Children’s creativity thrives when their toys and play are powered by their own imagination, not AI. And given how often AI ‘hallucinates’ or gives harmful advice, there is no reason to believe Mattel and OpenAI’s ‘guardrails’ will actually keep kids safe.”

Another incident where Mattel lost parents’ trust was back in November 2024 when a packaging mistake sent owners of its ‘Wicked’ doll to an adult movie website (Wicked Pictures) instead of a promotional landing page for the Wicked movie.

Incidents like these show that even with the best intentions in the world, companies can make mistakes.

Ultimately, it’s up to parents to make decisions about whether they’ll expose their children to AI-powered toys. It’s perhaps inevitable that AI will reach every corner of our lives, but is it ready and polished enough to be used on our children?

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Mattel&#8217;s going to make AI-powered toys, kids’ rights advocates are worried 

Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information.

For years, the Iranian regime has been building the technology and infrastructure needed for it to control, censor, and shut down internet access for more than 80 million Iranians. In 2019, the country shut off internet access as police sought to silence protesters, while in 2022 WhatsApp and Instagram connections were severed following protests after the death of 22-year-old Mahsa Amini in police custody. Each shutdown deprives people of information and has huge economic costs. Now as the conflict between Israel and Iran approaches the end of its first week, internet connections within Iran have been restricted again, limiting people’s access to information and stopping them connecting with loved ones who may be in peril.

Hours after Israel’s Air Force bombed targets in Iran on June 13, escalating the shadow conflict between the two countries, the first reports of self-imposed internet disruptions inside Iran emerged. Iran’s Ministry of Communication, according to semi-official state news agency Tasnim, said “temporary restrictions” had been imposed due to the “special conditions” the country was facing. Since then, Israel and Iran have traded fire, continually raising the stakes in the conflict. US president Donald Trump has indicated, but not confirmed, that the United States could support further Israeli efforts to destroy Iranian nuclear facilities.

Internet connectivity in Iran saw a 54 percent drop on June 13, says Doug Madory, director of internet analysis at monitoring firm Kentik. Then, days later on June 17, there was an additional 49 percent drop from the already lower level of connectivity. After internet connections were briefly restored back to where they were earlier on Tuesday, it dropped again on Wednesday by another 90 percent, Madory says. “Numerous Iranian service providers \[are\] now offline in second national Internet blackout in as many days,” Madory posted on BlueSky on Wednesday. Multiple internet companies in Iran have been impacted by the restrictions, including cell providers.

“Things went to overdrive since yesterday,” says a researcher with internet freedom effort Project Ainita, who asked not to be named for safety reasons. “For a second day in a row, they have cut international connectivity, and this time it's even more severe than yesterday, affecting all domestic news sites as well.” Other internet monitoring efforts such as Cloudflare Radar and Netblocks have also observed the multiple internet shutdowns in recent days, with Netblocks calling the most recent a “near-total” blackout. Iranian news agency Khabar posted on its Telegram channel that international internet access in the country had been “temporarily restricted to prevent enemy abuse,” citing the Ministry of Communications.

Iran has reportedly also told officials to stop using internet-connected devices and claimed citizens should delete WhatsApp, which has previously introduced ways to circumvent censorship. Government officials have also said the shutdowns are to try to prevent potential cyberattacks. However, the widespread measures to control and restrict connectivity have left people in Iran struggling to communicate and find out vital information about the state of the conflict. The shutdowns come at a time when Trump has said the almost 10 million people living in the Iranian capital, Tehran, should “immediately evacuate” the area.

“This extensive censorship and internet disruption primarily serve the regime’s goal of maintaining control, especially over information,” says Mahsa Alimardani, a digital rights analyst of Iranian origin and the associate director of technology, threats, and opportunities at international human rights nonprofit Witness. “These internet blocks are jeopardizing people’s safety mainly in Tehran.”

Alimardani says that it appears mobile data services are patchy, and for many people virtual private networks, which can be used to avoid censorship, have stopped working. This means it has been difficult to reach people in the country and potentially for information to get out, Alimardani says. “Some family that left Tehran today were offline and disconnected from the internet and finally found some connectivity when they were 200 kilometers outside of Tehran in another province,” Alimardani explains. “My connections are primarily with people using home broadband Wi-Fi, but even that has been unstable.”

Over the last decade, countries have increasingly taken the draconian step of fully or partially shutting down internet connectivity for citizens in times of perceived crisis. There were 296 shutdowns last year, according to Access Now, an internet rights nonprofit that tracks the actions—the highest number of any on record. Shutdowns are often linked to repressive governments trying to restrict protests that could damage them, to limit people’s ability to gather and communicate freely, as part of conflicts, and even to try and stop cheating in exams.

“The internet is a lifeline, we have seen this in many places under conflict,” says Hanna Kreitem, director of internet technology and development at the Internet Society, which has been tracking the blackouts in Iran. Kreitem says that when the connectivity in Iran first started to drop on June 13, he heard from people with relatives in Iran that their services had significantly slowed down. “People under fire use it to get news, request help, learn of safer areas, and communicate with loved ones. And for people outside to learn about what is going on and know about their loved ones.”

To limit connectivity, countries use multiple different technical approaches. Iran has been developing its own internet alternative, an intranet system called the National Information Network, known as the NIN, for years. The NIN, according to analysis by Freedom House, allows “tiers” of internet access and lets the government censor content and push people towards home-grown Iran apps, such as alternatives messaging apps, that may have “weak privacy and security features.” (Freedom House rates Iran as “not free” in its most recent measures of internet freedom, highlighting persistent shutdowns, increasing costs, and efforts to push people to the domestic internet.)

Amir Rashidi, the director of digital rights and security at the Iran-focused human rights organization Miaan Group, says that amid the recent shutdowns, there have been increased efforts to push people towards Iranian apps. “In a climate of fear, where people are simply trying to stay connected with loved ones, many are turning to these insecure platforms out of desperation,” he posted online, telling WIRED that a messaging app called Bale appears to be getting attention. “Since they are hosted on NIN, they will work even during shutdown,” he says.

Iran is not the first country to restrict people’s access to the internet—and uncensored information—with the potential justification of protecting cybersecurity or security more broadly, says Lukasz Olejnik, an independent consultant and visiting senior research fellow at the Kings’ College London’s Department of War Studies. As global internet shutdowns have soared over the last decade, Olejnik says, officials in Myanmar, India, Russia, and Belarus have all cited security reasons for implementing blackouts.

“Internet shutdowns are largely ineffective against real-world state-level cyberattacks,” Olejnik says. He explains that military and critical infrastructure systems, like energy networks or transport systems, will typically operate on separate networks and not be accessible from the open internet. “Professional cyber operations could use other means of access, albeit it could indeed make it difficult to command and control some of the deployed malware (if this was the case),” Olejnik says. “What it would block primarily would be access to information for the society.”

Witness’ Alimardani says the technical details supporting any claims that the internet restrictions are meant to protect cybersecurity are “unclear,” and ultimately, the goal of these efforts may be to control people within Iran. “The official narrative from state news channels portrays a strong war against Israel and a path to victory,” Alimardani says. “Free and open access to media would undermine this narrative, and at worst, could incite Iranians to revolt, further eroding the regime's power.”

Iran’s Internet Blackout Adds New Dangers for Civilians Amid Israeli Bombings

Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.

Wednesday, June 18, 2025 06:09

Late one Tuesday night, Elena’s phone buzzed with an alert from her company’s SIEM. Her team had set up a rule to flag when certain system tools — whoami, nltest and nslookup—were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m.

Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors to steal credentials) had been used on the same Finance machine. The other reported a PsExec download (a command line tool used to execute processes) on a domain controller.

Elena and her team began isolating systems and tracing the activity, determined to stop it before it spread any further. What first looked like routine system commands now clearly pointed to something more serious.

This story is a compartmentalized version of something we’re seeing more and more often in Cisco Talos Incident Response engagements: Rather than inventing their own tools, attackers are making use of familiar, legitimate software — just with a very different purpose. 

**What exactly are LOLBins?**

A big part of this trend revolves around “living off the land binaries,” or LOLBins. LOLBins are tools built into an operating system that attackers can use to carry out malicious actions without having to download or install any new software or utilities.

They’re especially concerning because they’re already installed, trusted, and frequently used for normal IT tasks, making them difficult to detect or block without disrupting operations.

Defenders can reference the “Living Off The Land Binaries, Scripts and Libraries” or LOLBAS project, which maintains a list of known LOLBins on GitHub.

**But it’s not just LOLBins…**

LOLBins were used often across Talos IR engagements in 2024, but we actually saw a wider variety of commercial and open-source tools used as well. Threat actors likely gravitate towards these because they can choose which tools best suit their needs best (or which commercial tools will blend into the victim environment). 

Take DonPAPI, for example. This is an open-source tool observed in several recent Talos IR engagements that automates credential dumping remotely on multiple Windows computers. It locates and retrieves Windows Data Protection API (DPAPI) protected credentials, a process also known as “DPAPI dumping.” DonPAPI searches for certain files, including Wi-Fi keys, RDP passwords and credentials saved in web browsers, to help authenticate and move laterally to identify other assets in the environment.

From an identity perspective, open-source tools like DonPAPI pose a significant risk to organizations based on their wide availability on code repositories like GitHub and their ease of installation. 

Here’s how this plays out in the field, using the top three examples of most used tools as observed in Cisco Talos’ 2024 Year in Review:

These tools weren’t built for attackers, but they’ve become some of the most common ingredients in ransomware and advanced persistent threat (APT) campaigns.

In a recent episode of The Talos Threat Perspective, one of our senior Talos IR consultants spoke about tools that were created for legitimate purposes (e.g., HRSword, REMCOS RAT and Cobalt Strike), but played a large part in the ransomware engagements investigated by Talos IR in 2025.

Lately, Talos has seen an increase in the use of remote monitoring and management (RMM) tools during attacks — the same kind of software IT teams and managed service providers rely on to access systems remotely. These tools are designed for legitimate use, but in the wrong hands, they become a stealthy way to maintain persistence on compromised systems without raising alarms.

One colleague shared a story that stuck with me: In some incidents, the attackers showed up with an entire toolkit of RMM software, testing each one to see which would slip through unnoticed (or not get blocked). Often, they’d use exactly the same tools already trusted by the target or their service provider, such as ScreenConnect or AnyDesk.

It’s like they arrived at the front door with a ring full of keys, trying each one until something clicked. And when the tool they use is something the environment already knows — already trusts — the question becomes: how do you spot the intruder when they’re using your own keys?

**How do you detect something that looks normal?**

Let’s go back to Elena. Her team stopped the attack not just because of the alert, but because they knew what should be running on that workstation. They had clear asset inventories and network behavior baselines, and they conducted continuous anomaly monitoring.

That’s really the heart of what works best when it comes to detecting these types of attacks:

*   Asset management: Know what’s installed and where. Know who owns what assets and what high-privileged accounts are for.
*   Behavioral baselining: Understand what “normal” looks like.
*   Continuous monitoring: Configure detections to catch known TTPs and subtle deviations from baselines.
*   Threat intel alignment: Use current trends like the DonPAPI surge to inform what you log and watch for. Talos’ blog and IR reports are great resources to keep up with industry trends.

**Bottom line**

Whether it’s PsExec, DonPAPI or TeamViewer, attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations.

Detecting malicious use of legitimate tools isn’t just about recognizing what’s running. It’s about asking why it’s running.

Sometimes, the only difference between a routine operation and a breach is the analyst who stopped to ask: “Why was that tool running at 2:13 a.m.?”

When legitimate tools go rogue

Law enforcement has more tools than ever to track your movements and access your communications. Here’s how to protect your privacy if you plan to protest.

A major groundswell of nationwide protests against the second Trump administration has arrived.

If you're going to join any protests, as is your right under the First Amendment, you need to think beyond your physical well-being to your digital security, too. The same surveillance apparatus that’s enabling the Trump administration’s raids of undocumented people and targeting of left-leaning activists will no doubt be out in full force on the streets.

Two key elements of digital surveillance should be top of mind for protestors. One is the data that authorities could potentially obtain from your phone if you are detained, arrested, or they confiscate your device. The other is surveillance of all the identifying and revealing information that you produce when you attend a protest, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and face recognition. You should be mindful of both.

After all, police have already demonstrated their willingness to arrest and attack entirely peaceful protesters as well as journalists observing demonstrations. In that light, you should assume that any digital evidence that you were at or near a protest could be used against you.

“The Trump administration is weaponizing essentially every lever of government to shut down, suppress, and curtail criticism of the administration and of the US government generally, and there have never been more surveillance toys available to law enforcement and to US government agencies,” says Evan Greer, the deputy director of the activist organization Fight for the Future, who also wrote a helpful X (then-Twitter) thread laying out digital security advice during the Black Lives Matter protests in the summer of 2020. “That said, there are a number of very simple, concrete things that you can do that make it exponentially more difficult for someone to intercept your communications, for a bad actor to ascertain your real-time location, or for the government to gain access to your private information.”

_This story was originally published on May 31, 2020 and updated on June 12, 2025._

**Your Phone**

The most important decision to make before leaving home for a protest is whether to bring your phone—or what phone to bring. A smartphone broadcasts all sorts of identifying information; law enforcement can force your mobile carrier to cough up data about what cell towers your phone connects to and when. Police in the US have also been documented using so-called stingray devices, or IMSI catchers, that impersonate cell towers and trick all the phones in a certain area into connecting to them. This can give cops the individual mobile subscriber identity number of everyone at a protest at a given time, undermining the anonymity of entire crowds en masse.

“The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of digital security at the Freedom of the Press Foundation, a nonprofit press advocacy group. (Disclosure: WIRED’s global editorial director, Katie Drummond, serves on Freedom of the Press Foundation’s board.)

For that reason, Holmes suggests that protesters who want anonymity leave their primary phone at home altogether. If you do need a phone for coordination or as a way to call friends or a lawyer in case of an emergency, keep it off as much as possible to reduce the chances that it connects to a rogue cell tower or Wi-Fi hot spot being used by law enforcement for surveillance. Sort out logistics with friends in advance so you only need to turn your phone on if something goes awry. Or to be even more certain that your phone won’t be tracked, keep it in a Faraday bag that blocks all of its radio communications. Open the bag only when necessary. Holmes herself uses and recommends the Mission Darkness Faraday bag.

If you do need a mobile device, consider bringing only a secondary phone you don’t use often, or a burner. Your main smartphone likely has the majority of your digital accounts and data on it, all of which law enforcement could conceivably access if they confiscate your phone. But don’t assume that any backup phone you buy will grant you anonymity. If you give a prepaid carrier your identifying details, after all, your “burner” phone could be no more anonymous than your primary device. “Don’t expect because you got it from Duane Reade that you’re automatically a character from _The Wire_,” Holmes cautions.

Instead of a burner phone, Holmes argues that it may be far more practical to simply own a secondary phone that you’ve set up to be less sensitive—leaving off accounts and apps that offer your most private information to anyone who seizes it, such as social media, email, and messaging apps. “Choosing a secondary device that limits the amount of personal data that you have on you at all times is probably your best protection,” Holmes says.

Regardless of what phone you’re using, consider that traditional calls and text messages are vulnerable to surveillance. That means you need to use end-to-end encryption. Ideally, you and those you communicate with should use disappearing messages set to self-delete after a few hours or days. The encrypted messaging and calling app Signal has perhaps the best and longest track record. Just make sure you and the people you’re communicating with are using the same app, since they’re not interoperable.

Aside from protecting your phone’s communications from surveillance, be prepared in the event police seize your device and try to unlock it in search of incriminating evidence. The first order of business is to make sure your smartphone’s contents are encrypted. iOS devices have full disk encryption on by default if you enable an access lock. For Android phones, go to **Settings**, then **Security** to make sure the **Encrypt Disk** option is turned on. (These steps may differ depending on your specific device.)

Regardless of your operating system, always protect devices with a long, strong passcode rather than a fingerprint or face unlock. As convenient as biometric unlocking methods are, it may be more difficult to resist an officer forcing your thumb onto your phone’s sensor, for instance, than to refuse to tell them a passcode. So if you use biometrics day-to-day for convenience, disable them before heading into a protest.

If you insist on using biometric unlocking methods to have faster access to your devices, keep in mind that some phones have an emergency function to disable these types of locks. Hold the wake button and one of the volume buttons simultaneously on an iPhone, for instance, and it will lock itself and require a passcode to unlock rather than FaceID or TouchID, even if they’re enabled. Most devices also let you take photos or record video without unlocking them first, a good way to keep your phone locked as much as possible.

**Your Face**

Face recognition has become one of the most powerful tools to identify your presence at a protest. Consider wearing a face mask and sunglasses to make it far more difficult for you to be identified by face recognition in surveillance footage or social media photos or videos of the protest. Fight for the Future’s Greer cautions, however, that the accuracy of the most effective face recognition tools available to law enforcement remains something of an unknown, and a simple surgical mask or KN95 may no longer be enough to defeat well-honed face-tracking tech.

If you’re serious about not being identified, she says, a full-face mask may be far safer—or even a Halloween-style one. “I've seen people wear funny cosplay-style cartoon masks or mascot suits or silly costumes,” says Greer, offering as an example Donald Trump and Elon Musk masks that she’s seen protesters wear at Tesla Takedown protests against Musk and the so-called Department of Government Efficiency (DOGE). “That's a great way to defy facial recognition and also make the protest more fun.”

You should also consider the clothes you’re wearing before you head out. Colorful clothing or prominent logos makes you more recognizable to law enforcement and easier to track. If you have tattoos that make you identifiable, consider covering them.

Greer cautions, though, that preventing determined surveillance-empowered agencies from learning the mere fact that you attended a protest at all is increasingly difficult. For those of you in the most sensitive positions—such as undocumented immigrants at risk of deportation—she suggests that you consider staying home rather than depend on any obfuscation technique to mask their presence at an event.

If you’re driving a car to a protest—your own or someone else’s—consider that automatic license plate readers can easily identify the vehicle’s movements. And, in addition to license plates, be aware that these same sensors can also detect other words and phrases, including those on bumper stickers, signs, and even T-shirts.

More broadly, everyone who attends a protest needs to consider—perhaps more than ever before—what their tolerance for risk might be, from mere identification to the possibility of arrest or detention. “I think it's important to say that protesting in the US now comes with higher risks than it used to—it comes with a real possibility of physical violence and mass arrest,” says Danacea Vo, the founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Even just compared to protests that happened last month, people were able to just show up barefaced and march. Now things have changed.”

**Your Online Footprint**

Though most privacy and security considerations for attending an in-person protest naturally relate to your body, any devices you bring with you, and your physical surroundings, there are a set of other factors to think about online. It’s important to understand how posts on social media and other platforms before, during, or after a protest could be collected and used by authorities to identify and track you or others. Simply saying on an online platform that you are attending or attended a protest puts the information out there. And if you take photos or videos during a protest, that content could be used to expand law enforcement’s view of who attended a protest and what they did while there, including any strangers who appear in your images or footage.

Authorities can come to your online presence by looking for information about you in particular, but can also arrive there using bulk data analysis tools like Dataminr that offer law enforcement and other customers real-time monitoring connecting people to their online activity. Such tools can also surface past posts, and if you’ve ever made violent comments online or alluded to committing crimes—even as a joke—law enforcement could discover the activity and use it against you if you are questioned or arrested during a protest. This is a particular concern for people living in the US on visas or those whose immigration status is tenuous. The US State Department has said explicitly that it is monitoring immigrants’ and travelers’ social media activity.

In addition to written posts, keep in mind that files you upload to social media might contain metadata like time stamps and location information that could help authorities track protest crowds and movement. Make sure you have permission to photograph or videotape any fellow protesters who would be potentially identifiable in your content. Also think carefully before livestreaming. It’s important to document what’s going on but difficult to be sure that everyone who could show up in your stream is comfortable being included.

Even if you take photos and videos that you don’t plan to post on social media or otherwise share, remember that this media could fall into law enforcement’s hands if they demand access to your device.

With federal crackdowns on protests ramping up around the country, Cyberlixir’s Vo says that people must assess each situation and weigh the benefits of maintaining personal privacy versus chronicling the reality of what’s happening at protests.

“Social media monitoring and online profiling is the factor that lots of people forget. Those who publish footage on social media should avoid sharing photos or videos that reveal people's faces,” she says. “But I also believe that documenting what’s going on is essential, especially in high-risk conditions, because when the state escalates we need proof for legal defense, for public record, for future organizing, and also to keep ourselves physically safe in real time.”

As protests continue—with the real possibility of even further escalated response from the Trump administration—be prepared for the emergence of forms of digital surveillance that have never been used in the US before to counter civil disobedience or to retaliate against protesters after the fact. Protesters will need to stay vigilant, and Fight for the Future’s Greer emphasizes that everyone has different potential vulnerabilities and tolerance for risk. For people of every category of risk, however, a few thoughtful privacy protections can go a long way towards empowering them to hit the streets.

“Part of the goal of governments extending and implementing mass surveillance programs is to scare people and make people think twice before they speak up,” Greer says. “I think that we should be very careful in this moment not to fall into that trap.”

How to Protest Safely in the Age of Surveillance

Popular Chrome extensions exposed user data by sending it over unencrypted HTTP, raising privacy concerns. Symantec urges caution for users.

A recent investigation has revealed that several widely used Google Chrome extensions are transmitting sensitive user data over unencrypted HTTP connections, exposing millions of users to serious privacy and security risks.

The findings, published by cybersecurity researchers and detailed in a blog post by Symantec, reveal how extensions such as:

PI Rank (ID: ccgdboldgdlngcgfdolahmiilojmfndl)

Browsec VPN (ID: omghfjlpggmjjaagoclmmobgdodcjboh)

MSN New Tab (ID: lklfbkdigihjaaeamncibechhgalldgl)

SEMRush Rank (ID: idbhoeaiokcojcgappfigpifhpkjgmab)

DualSafe Password Manager & Digital Vault (ID: lgbjhdkjmpgjgcbcdlhkokkckpjmedgc)

There are other extensions as well that are handling user data in ways that open the door to eavesdropping, profiling, and other attacks.

****Extensions That Promise Privacy Are Doing the Opposite****

Although these extensions are legitimate and meant to help users monitor web rankings, manage passwords, or improve their browsing experience, behind the scenes, they are making network requests without encryption, allowing anyone on the same network to see exactly what’s being sent.

In some cases, this includes details like the domains a user visits, operating system information, unique machine IDs, and telemetry data. More troubling, several extensions were also found to have hardcoded API keys, secrets, and tokens inside their source code which is a piece of valuable information that attackers can easily exploit.

****Real Risk on Public Networks****

When extensions transmit data using HTTP rather than HTTPS, the information travels across the network in plaintext. On a public Wi-Fi network, for example, a malicious actor can intercept that data with little effort. Worse still, they can modify it mid-transit.

This opens the door to attacks that go far beyond spying. According to Symantec’s blog post, in the case of Browsec VPN, a popular privacy-focused extension with over six million users, the use of an HTTP endpoint during the uninstall process sends user identifiers and usage stats without encryption. The extension’s configuration allows it to connect to insecure websites, further widening the attack surface.

****Data Leaks Across the Board****

Other extensions are guilty of similar issues. SEMRush Rank and PI Rank, both designed to show website popularity, were found to send full URLs of visited sites over HTTP to third-party servers. This makes it easy for a network observer to build detailed logs of a user’s browsing habits.

MSN New Tab and MSN Homepage, with hundreds of thousands of users, transmit machine IDs and other device details. These identifiers remain stable over time, allowing adversaries to link multiple sessions and build profiles that persist across browsing activity.

Even DualSafe Password Manager, which handles sensitive information by nature, was caught sending telemetry data over HTTP. While no passwords were leaked, the fact that any part of the extension uses unencrypted traffic raises concerns about its overall design.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security commented on this, stating, _“_This incident highlights a critical gap in extension security – even popular Chrome extensions can put users at risk if developers cut corners. Transmitting data over unencrypted HTTP and hard-coding secrets exposes users to profiling, phishing and adversary-in-the-middle attacks – especially on unsecured networks._“_

He warned of consequences for unsuspecting users and advised that _“_Organizations should take immediate action by enforcing strict controls around browser extension usage, managing secrets securely and monitoring for suspicious behaviour across endpoints._“_

****Privacy and Data Security Threat****

Although none of the extensions were found to leak passwords or financial data directly, the exposure of machine identifiers, browsing habits, and telemetry is far from harmless. Attackers can use this data to track users across websites, deliver targeted phishing campaigns, or impersonate device telemetry for malicious purposes.

While theoretical, NordVPN’s latest findings spotted more than 94 billion browser cookies on the dark web. When combined with the data leaks highlighted by Symantec, the potential for damage is significant.

Developers who include hardcoded API keys or secrets inside their extensions add another layer of risk. If an attacker gets hold of these credentials, they can misuse them to impersonate the extension, send forged data, or even inflate service usage leading to financial costs or account bans for the developers.

****What Users Can Do****

Symantec has contacted the developers involved, and only DualSafe Password Manager has fixed the issue. Yet, users who have installed any of the affected extensions are advised to remove them until the developers fix the issues. Even popular and well-reviewed extensions can make unsafe design choices that go unnoticed for years.

Hackread.com recommends checking the permissions an extension asks for, avoiding unknown publishers, and using a trusted security solution. Above all, any tool that promises privacy or security should be examined carefully for how it handles your data.

Popular Chrome Extensions Found Leaking Data via Unencrypted Connections

The easy access that scammers have to sophisticated AI tools means everything from emails to video calls can’t be trusted.

Imagine you meet someone new. Be it on a dating app or social media, you chance across each other online and get to talking. They’re genuine and relatable, so you quickly take it out of the DMs to a platform like Telegram or WhatsApp. You exchange photos and even video call each over. You start to get comfortable. Then, suddenly, they bring up money.

They need you to cover the cost of their Wi-Fi access, maybe. Or they’re trying out this new cryptocurrency. You should really get in on it early! And then, only after it’s too late, you realize that the person you were talking to was in fact not real at all.

They were a real-time AI-generated deepfake hiding the face of someone running a scam.

This scenario might sound too dystopian or science-fictional to be true, but it has happened to countless people already. With the spike in the capabilities of generative AI over the past few years, scammers can now create realistic fake faces and voices to mask their own in real time. And experts warn that those deepfakes can supercharge a dizzying variety of online scams, from romance to employment to tax fraud.

David Maimon, the head of fraud insights at identity verification firm SentiLink and a professor of criminology at Georgia State University, has been tracking the evolution of AI romance scams and other kinds of AI fraud for the past six years. “We’re seeing a dramatic increase in the volume of deepfakes, especially in comparison to 2023 and 2024,” Maimon says.

“It wasn’t a whole lot. We’re talking about maybe four or five a month,” he says. “Now, we’re seeing hundreds of these on a monthly basis across the board, which is mind-boggling.”

Deepfakes are already being used in a variety of online scams. One finance worker in Hong Kong, for example, paid $25 million to a scammer posing as the company’s chief financial officer in a deepfaked video call. Some deepfake scammers have even posted instructional videos on YouTube, which have a disclaimer as being for “pranks and educational purposes only.” Those videos usually open with a romance scam call, where an AI-generated handsome young man is talking to an older woman.

More traditional deepfakes—such as a pre-rendered video of a celebrity or politician, rather than a live fake—have also become more prevalent. Last year, a retiree in New Zealand lost around $133,000 to a cryptocurrency investment scam after seeing a Facebook advertisement featuring a deepfake of the country’s prime minister encouraging people to buy in.

Maimon says SentiLink has started to see deepfakes used to create bank accounts in order to lease an apartment or engage in tax refund fraud. He says an increasing number of companies have also seen deepfakes in video job interviews.

“ Anything that requires folks to be online and which supports the opportunity of swapping faces with someone—that will be available and open for fraud to take advantage of,” Maimon says.

Part of the reason for this increase is that the barriers for creating deepfakes are getting lower. There are a lot of easily accessible AI tools that can generate realistic faces and a lot of tools that can animate those faces or create full-length videos out of them. Scammers often use images and videos of real people, deepfaked to slightly change their faces or alter what they’re saying, to target their loved ones or hijack their public influence.

Matt Groh, a professor of management at Northwestern University who researches people’s ability to detect deepfakes, says that point-and-click generative AI tools make it much easier to make small, believable changes to already-existing media.

“If there’s an image of you on the internet, that would be enough to manipulate a face to look like it’s saying something that you haven’t said before or doing something you haven’t done before,” Groh says.

It’s not just fake video that you need to be worried about. With a few clips of audio, it’s also possible to make a believable copy of somebody’s voice. One study in 2023 found that humans failed to detect deepfake audio over a quarter of the time.

“ Just a single image and five seconds of audio online mean that it’s definitely possible for a scammer to make some kind of realistic deepfake of you,” Groh says.

Deepfakes are becoming more pervasive in contexts other than outright scams. Social media has been flooded over the past year with AI-generated “influencers” stealing content from adult creators by deepfaking new faces onto their bodies and monetizing the resulting videos. Deepfakes have even bled over into geopolitics, like when the mayors of multiple European capital cities held video calls with a fake version of the mayor of Kyiv, Ukraine. People have started using deepfakes for personal reasons, like bringing back a dead relative or creating an avatar of a victim to testify in court.

So, if deepfakes are everywhere, how do you spot one? The answer is not technology. A number of technology companies, including OpenAI, have launched deepfake detection tools. Researchers have also proposed mechanisms to detect deepfakes based on things like light reflected in a person’s eyes or inconsistent facial movements, and have started investigating how to implement them in real time.

But those models often cannot reliably detect different kinds of AI fakes. OpenAI’s model, for example, is specifically designed only to report content generated with the company’s own Dall-E 3 tool but not other image generation models.

There’s also the risk that scammers can abuse AI detectors by repeatedly tweaking their content until it fools the software.

“ The major thing we have to understand is that the technology we have right now is not good enough to detect those deepfakes,” Maimon says. “ We’re still very much behind.”

For now, as video deepfakes get more popular, the best way to detect one relies on humans. Studies on deepfake detection show that people are best at distinguishing whether videos are real or fake, as opposed to just audio or text content, and are in some cases even better than leading detection models.

Groh’s team conducted one study which found that taking more time to determine whether an image was real or fake led to a significant increase in accuracy, by up to eight percentage points for just 10 seconds of viewing time.

“ This sounds almost so simple,” Groh says. “But if you spend just a couple extra seconds, that leads to way higher rates of being able to distinguish an image as real or fake. One of the ways for any regular person to just be a little bit less susceptible to a scam is to ask, ‘Does this look actually real?’ And if you just do that for a few extra seconds, we’re all going to be a little bit better off.”

Deepfakes’ popularity could be a double-edged sword for scammers, Groh says. The more widespread they are, the more people will be familiar with them and know what to look for.

That familiarity has paid off in some cases. Last summer, a Ferrari executive received a call from someone claiming to be the CEO of the company. The person convincingly emulated the CEO’s voice but abruptly hung up the call when the executive tried to verify their identity by asking what book the CEO had recommended just days earlier. The CEO of WPP, the world’s biggest advertising agency, was also unsuccessfully targeted by a similar deepfake scam.

“I think there’s a balancing act going on,” Groh says. “ We definitely have technology today that is generally hard for people to identify. But at the same time, once you know that there’s a point-and-click tool that allows you to transform one element into something else, everyone becomes a lot more skeptical.”

Deepfake Scams Are Distorting Reality Itself

Everyone knows what it’s like to lose cell service. A burgeoning open source project called Meshtastic is filling the gap for when you’re in the middle of nowhere—or when disaster strikes.

Hypothetical: You wake up tomorrow morning to find a superstorm that developed overnight thanks to climate change has sparked a chain of events that abruptly ushers in a new ice age and alters human society as we know it. (Yes, this is the plot of _The Day After Tomorrow_. Stick with us.) All the communication networks you relied on are down. Your phone is basically worthless. The internet has functionally ceased to exist. But you need to connect with people you trust to get help and survive. What do you do? More importantly, how did you prepare?

Less Hollywood-esque versions of having no cell service or Wi-Fi happen all the time, of course; maybe you’re hiking in a secluded area, white-knuckling through a major natural disaster, or living under a repressive regime that cuts internet access to quash public protests. Fortunately, for all these scenarios, there’s a low-budget solution: Meshtastic.

Meshtastic is a program that enables devices to send text messages over long distances without needing Wi-Fi or cell service. Long range radio (LoRa) nodes help pass messages along, forming a network of devices that can talk to each other even in remote areas. Messages hop from device to device, with each node relaying messages it hasn't seen before—extending the network’s reach across miles using minimal power. That is to say, Meshtastic is designed specifically for sending text messages over free-to-use radio frequencies to both groups and individuals, even when cell service and internet connections are nowhere to be found.

“The cool thing about Meshtastic is that it’s like a radio infrastructure without the infrastructure. It’s ad hoc,” says Eric Kristoff, a volunteer member of the Chicago chapter of the Mars Society, a nonprofit that advocates for the human exploration and colonization of Mars.

Kristoff says the group has been testing the use of Meshtastic as a way to give Mars Society “analog astronauts” the ability to communicate and keep track of each others’ locations without the use of earthly infrastructure.

“We have a set of Meshtastic T-Echo radios, about the size of a deck of cards, and they are worn on the person of the analog astronaut,” he says.

The radios that use Meshtastic cost roughly $30 (though you can spend two, three, or four times that if you want to). And because they operate over unlicensed radio frequencies on a network created by personal devices, they’re essentially free to use. Each message is end-to-end encrypted, ensuring privacy while it’s relayed through the network. And Meshtastic’s optional location-tracking capabilities give people a way to monitor their communities and keep tabs on their kids—or fellow analog astronauts—without using invasive, data-hungry apps.

Kristoff says that Mars Society members will take weeks-long excursions in remote areas with little cellular or Wi-Fi connectivity, which creates additional risks.

“There is heat stroke. We are two hours from the nearest hospital. If you go too far from the campus, it can get dangerous,” Kristoff says of the experience. “So anytime there’s a risk, the risk is made worse if people don’t know where you are.”

Most Meshtatic devices currently on the market need to pair with a phone over Bluetooth to function as a texting alternative. Some devices are just a radio, antenna, and battery, with the expectation that you’ll make the housing yourself. The radio does all the device-to-device communication, while the iOS and Android apps or the web client let you read and compose messages that are received or sent over the network—no service plan needed.

The apps also allow you to see the approximate location of nearby nodes and a map of the Meshtastic network. But fancier stand-alone devices are already available, like a line of Meshtastic-enabled gadgets from maker-friendly tech firm LilyGo that, in addition to the T-Echo model used by Mars Society members, includes Blackberry-like handhelds with their own keyboards, a smartphone-like device with an e-paper screen, and even a Meshtastic-enabled smartwatch.

Meshtastic was created by technologist Kevin Hester in early 2020 as a way to communicate while doing “any hobby where you don’t have reliable internet access,” and it remains a grassroots endeavor, with established local communities spanning from Argentina to China that are ripe with a DIY ethos. The software itself is open source, meaning anyone can theoretically contribute, and hundreds have. Still, as with many open source projects, a core group of volunteer developers help maintain the Meshtastic firmware, mobile apps, and more.

Jonathan Bennett, a self-described “Linux guy” who upgraded Meshtastic to stronger end-to-end encryption for direct messaging and keeps the software working on Linux, says he first got involved in the project after a listener of one his podcasts wanted a way to communicate with friends while attending a festival where the cell network could get overloaded.

“I put my open source enthusiast hat on and I went looking, and I came across Meshtastic,” he says. “And it immediately tickled my interest.”

Bennett says he ultimately connected with Garth Vander Houwen, a C# developer who wrote Meshtastic’s iOS app, and Ben Meadors, another C# developer who took on maintaining the Android app, web client, firmware, and other parts of the Meshtastic ecosystem after Hester needed to step back due to health issues.

Like Bennett, Vander Houwen and Meadors got involved with Meshtastic while looking for solutions to real-life problems. Vander Houwen, an iPhone user, says he found Meshtastic while on the hunt for a way to communicate as he hiked on remote trails in the Seattle area, just to find that it only had an Android app. He decided to write the iOS app himself. “So the fact that there was not an iOS app for Meshtastic was kind of how I got started,” he says, “and it's been a lot of fun.”

Meadors says he came to Meshtastic after a dangerous tornado hit his home state of Arkansas, causing major damage. “My kind of initial use case was honestly a backup communication for storm-related outages,” Meadors says. After taking part in the cleanup effort around Little Rock, he realized the value of a decentralized, off-grid communication network like Meshtastic. “It's just really handy to have anywhere where you’ve got a limited connection to the grid.”

None of which is to say you should throw your cell phone in the sea and go all-in on Meshtastic. At least not yet. First, getting into the world of LoRa remains a little bit technical, so if the idea of “flashing” your device with new firmware makes you instinctively pick up your phone to scroll TikTok, it might not be the hobby for you. Even if you are tech savvy, the system has some notable limitations.

Using the decentralized mesh network requires having your Meshtastic device in range of at least one other radio; obstructions like buildings, trees, and hills or mountains can prevent the line-of-sight communication needed to join the mesh network. This means it may only be reliable when there’s a variety of other Meshtastic nodes in the area.

Next is what Meadors calls the “narrowness” of the network’s technical capabilities. “One of the most frequent things that we get is, ‘Can I replace the internet with this?’ No, no you cannot,” he says. “You can send text messages.” Mercifully, that does include emoji.

Photograph: Michael Tessier

This may be obvious, but you also need to have a network set up before disaster hits, Meadors says. So, set up anyone who you might need to communicate with during a cell and internet blackout before it actually happens. And, due to relatively frequent firmware updates, you can’t just toss your device in a bug-out bag and forget about it. But “if it's something that you actually use, like if you pull it out and use it once a month, you'll be good to go,” Bennett says.

Then there’s the issue of raw bandwidth. This limitation can cause issues when a lot of people are trying to use the network at the same time. At a ham radio convention in Dayton, Ohio, last year (yes, it’s called Hamvention), the Meshtastic network crashed after someone ran a program that flooded the network with additional traffic, pushing the Meshtastic network to its limits.

“Because literally one person turned on this MQTT bridge, which then joined the rest of us into this mesh in a metal building in Dayton, it crashed the whole mesh immediately,” Vander Houwen says.

After this incident, Vander Houwen, Bennett, and Meadors went to work to prepare for the upcoming Defcon hacker convention in Las Vegas, ultimately releasing a special firmware for the much larger event that Vander Houwen estimates allows “somewhere between 2,000 and 2,500 nodes” to operate on the network simultaneously. A similar firmware released ahead of the 2025 Hamvention in May drew praise from the community.

Despite Meshtastic’s limitations, its promise as a backup communication system—and the sheer fun you can have with it—continues to pull in new enthusiasts. The Android app alone has drawn thousands of reviews, and the Meshtastic subreddit has grown to nearly 50,000 members. Some municipalities are even hoping to launch Meshtastic networks to help protect their communities in the event of natural disasters.

For Bennett, Meadors, and Vander Houwen, they’re excited to not just see the number of Meshtastic nodes increase, but to see the technology develop into something anyone can use without having to become an enthusiast or “analog astronaut” at all.

“I think the biggest thing for me too is that it’s not just accessible from the aspect of the hardware being available to more people. I want to make the software more accessible,” Meadors says. “I want to make the experience such that I can hand this device to anybody and have them download the app and start messaging. We've come a long way. I think there's still some room to grow there.”

_Updated at 10:25 am ET, June 4, 2025: Corrected a misspelling of Ben Meadors' surname._

The Texting Network for the End of the World

This spring has seen another spate of stories about juice jacking, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Remember juice jacking? It’s a term that crops up every couple of years to worry travelers. This spring has seen another spate of stories, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Juice jacking is where an attacker uses a malicious public USB charger to install malware on, or steal information from, your phone. In theory, the victim plugs their phone into a USB charging port like those found in airports, restaurants or public transportation to top up their battery. The attacker has programmed the charger to start a data connection with the phone, allowing them to perhaps view files or control apps.

Both Apple and Android operating system developer Google coded rudimentary protections against juice jacking into their operating systems years ago. They updated their software so that users would have to approve any request to control the phone via a USB port.

However, as Ars Technica reported last week, researchers have found a way past these mechanisms in a new variation on the theme called ChoiceJacking.

Ars offers a detailed technical analysis of the exploit, invented by researchers at Austria’s Graz University of Technology. In short, though, it gives itself permission to control the phone by spoofing the user’s button-pressing for them.

Government agencies continue to warn about the risks of juice jacking. The TSA was the most recent, posting a warning about the issue on Facebook back in March:

> “Hackers can install malware at USB ports (we’ve been told that’s called ‘juice/port jacking’). So, when you’re at an airport do not plug your phone directly into a USB port. Bring your TSA-compliant power brick or battery pack and plug in there.”

The TSA is well-intentioned, but behind the times. The FBI’s Denver office tweeted about this threat back in 2023, and the LA County District Attorney’s office posted about it in 2019.

Researchers have highlighted the threat since at least 2011, when the Defcon conference installed public charging stations that would flash a warning message on peoples’ phones. Since then, others have presented on the possible risks, and enterprising tinkerers have released malicious cables that take control of devices when plugged into them.

**Have any juicers actually been jacked?**

The FCC, which has had an advice page about this issue since 2019, said two years ago that it hadn’t found any real-world attacks, and Malwarebytes hasn’t found any since.

However, the lack of publicly documented attacks doesn’t mean that juice jacking isn’t a risk. It’s theoretically feasible. So how can you prevent against it?

Both Apple and Google have updated their operating systems to require more robust authentication than simply pressing a button when a connected USB device asks to take over your phone. However, not all iPhone users will necessarily update their devices. Android-based smartphone vendors get to implement their own versions of the operating system on their own schedule, and many take a long time to roll out new protections if they do so at all.

One way to be sure that your phone won’t get hijacked by a malicious charging station is to use a USB cable that has the data communication pins disconnected, meaning that a malicious charging port can’t talk to your phone. However, the Ars article warns that this might also interfere with the charging process on some phones.

One alternative is to power down your phone before plugging it in. Or take your own portable charging battery with you and skip the ports altogether.

**Oh, and don’t use public Wi-Fi, says TSA**

On another note, the TSA Facebook post also offered another piece of advice: “Don’t use free public WiFi, especially if you’re planning to make any online purchases,” it warned. “Do not ever enter any sensitive info while using unsecure WiFi \[sic\].”

This advice has merit. Attackers can snoop on public Wi-Fi connections, although the advancement of HTTPS on websites mean this is less of a risk nowadays for everyday browsing. However, if you’re doing anything of a sensitive nature, such as online banking, you can use a VPN to encrypt your traffic.

A simple alternative is to simply use cellular data instead, tethering your phone if you’re using a tablet or PC.

Which of these anti-juice-hacking and Wi-Fi snooping protections should you choose? As with all cybersecurity decisions, this is a question of how much risk you’re prepared to tolerate. Personally, I err on the side of caution. A little inconvenience now could save you significant trouble later.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Juice jacking warnings are back, with a new twist 

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

Tag

#wifi