Day: September 1, 2019

The week may have started relatively quiet, but it ended with a shock: Google security researchers revealed Thursday night that it had observed a hacking campaign that hit thousands of iPhones, completely upending conventional wisdom about iOS security. Apple patched the problem in February, but it had persisted for at least two years prior. So, yikes!

In another concerning development, security researchers at Belgian university KU Leuven discovered that they could crack the encryption of a Tesla Model S key fob, letting them clone it within seconds. That’s bad enough as it is, but made a little worse by this being the second year in a row the KU Leuven team pulled off this particular trick. The key fobs Tesla made available last year to help fix the problem held up only slightly better to a similar attack. This time, though, Tesla’s pushing out an over-the-air fix that should shore up both the car’s locking mechanism and the fob itself. Until next year, at least.

Meanwhile, Donald Trump has at this point repeatedly denied a report in Axios that he earnestly proposed dropping a nuclear bomb into the eye of a hurricane. But if he did happen to float the idea, he wouldn’t have been anywhere near the first. WIRED contributor Garrett Graff traced the long-standing tradition, dating back to the Atomic Age, of scientists suggesting nuclear strikes against everything from polar ice caps to the Sahara desert.

In less oddball news, the Justice Department this week announced the indictment of eight men in connection with running popular piracy streaming sites Jetflicks and iStreamItAll. The services charged a monthly subscription fee to users, in exchange letting them stream and sometimes download popular televisions shows from every network and popular streaming service. The DoJ also served up another indictment against alleged Capital One hacker Paige Thompson, which added fresh details about the case—including a claim that Thompson used her access to mine cryptocurrency.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Here’s a heartwarming tale of teamwork making the dream work. Several months ago, antivirus company Avast began looking under the hood of malware called Retadup, which had infected around 850,000 Windows computers. When it found a flaw in Retadup’s command and control server communications protocol, it alerted the French National Gendarmerie, who in turn seized the servers. But they didn’t stop there! They used those C2 servers to send instructions to infected machines to delete the malware, ultimately relieving nearly a million devices of the cryptomining intruder.

The New York Times reported this week that a US cyberattack on June 20 was even more effective than planned, knocking key Iranian systems offline and disrupting the country’s ability to “choose which tankers to target and where.” The strike also appears to have created controversy within the administration and intelligence community, with some officials concerned that it gave up strategic capabilities, potentially cutting off a reliable source of information once Iran patches the underlying vulnerability. At least, though, Iran appears not to have stepped up its retaliatory cyberattacks in response.

Facebook, Google, and a Chinese telecom have invested heavily in the Pacific Light Cable Network, an 8,000-mile stretch of cable that, when completed, will connect China to Los Angeles. But with tensions between the US and China continuing to escalate, The Wall Street Journal reported this week that the effort might not survive a national security review. The FCC will ultimately make the call, but strong opposition from a group known as Team Telecom has apparently cast the project in some doubt. However it plays out, it’s a reminder that Huawei’s not the only one feeling the squeeze.

Web hosting platform Hostinger disclosed a data breach this week that affected up to 14 million of the company’s 29 million customers. A hacker apparently used an access token, found on Hostinger’s servers, to access an API database that included usernames, email addresses, and weakly hashed passwords. In response, Hostinger automatically reset customer passwords and upgraded its safeguards.

More Great WIRED Stories

A recent study by Northwestern University and the University of Massachusetts at Amherst found that every major carrier in the United States has artificially slowed down videos from places like Netflix, Hulu, and YouTube.

If you’re curious whether or not your carrier is throttling your mobile video data, CNET pointed out an app this week that can help.

Rather than show the speed of your data connection in general, Wehe will show you the specific speed of different apps on your phone. Created by the researchers, the app lets you run tests on the speed you get through apps like Netflix, Hulu, Twitch, Prime Video, and Spotify.

To use it you just download the app, select which apps you want it to run a test on (or select them all) and then press “Run Tests” at the bottom of the page.

I have a grandfathered unlimited plan from AT&T that I received with the first iPhone, which means that technically AT&T shouldn’t be allowed to throttle my data at all.

Apparently that plan isn’t enough to make it stop; however, It looks like my phone has a pretty significant amount of throttling happening on the Netflix front, as well as several other apps. Although it’s leaving Hulu, Skype, and Twitch alone.

The average American purportedly has more trust in Amazon than their own government, which makes recent reports on thousands of potentially unsafe products making their way onto the company’s online marketplace particularly terrifying.

More than 4,100 products available on the site—everything from motorcycle helmets to children’s toys—were “declared unsafe by federal agencies, are deceptively labeled or are banned by federal regulators” according to an investigation by the Wall Street Journal last week. On Friday, Wired similarly reported that several of the top-selling listings for signal boosters on Amazon lacked federal certification, which is kind of important for a device that has the potential to seriously mess with nearby cell towers. Gizmodo reached out to Amazon and will update this article with the company’s response.

Just to give you a snapshot of how pervasive Amazon’s issue is, in a roughly four-month period, the Journal found:

• 157 listings for products Amazon previously said it banned from the platform
• More than 100 listings falsely claiming to be “FDA-approved”, when some of the products themselves (like toys) aren’t approved by the agency to begin with
• 80 infant sleeping mats with eerily similar descriptions to one that Amazon purportedly banned after the FDA warned it could cause suffocation
• Over 2,000 toys lacking proper warning labels
• 44 listings for motorcycle helmets that the Wall Street Journal later discovered had failed to pass federal safety tests in 2018

Wired also found several cell phone signal boosters being sold for $100 less than their FCC-certified counterparts on Amazon. Some even featured an “Amazon’s Choice” badge, a company recommendation for “highly rated, well-priced products” according to Amazon’s site. The FCC put regulations in place in 2014 to minimize how certified signal boosters interfere with wireless networks, but illegal ones like those sold on Amazon and other online marketplaces ignore all that red tape. Without these safeguards, these models can cause a lot of dropped calls, cell network interference, and some serious headaches for network providers.

The majority of the Amazon listings detailed in these reports came from the many thousands of third-party vendors on Amazon. Despite being responsible for most of the sales on the site, these types of sellers have been a constant headache for Amazon when it comes to keeping crappy bootleg products off its marketplace.

Counterfeit products have littered the platform for years now, everything from knock-off Snuggies to off-brand cables that could fry your electronics. Amazon took one of its first major steps toward combatting this practice in 2016, when the company announced plans to make an international brand registry so that only vendors with the right permissions could sell their Amazon-registered products on the site.

But Amazon still retained the sole right to remove allegedly counterfeit listings. So in 2019, it debuted “Project Zero,” a project aimed at allowing registered brands to identify and remove these fake items themselves with the help of machine learning. Though Amazon hasn’t really explained yet how it plans to keep these companies from potentially abusing this authority or pushing legitimate competition out of the running.

The e-commerce giant seems to have as much trouble with regulating potentially harmed listings as it does with these counterfeits. After the Journal noted the problematic products its investigation found, Amazon purportedly removed or reworded 57 percent of these listings.

“We invest significant resources to protect our customers and have built robust programs designed to ensure products offered for sale in our store are safe and compliant,” the company wrote in a blog post addressing the investigation on Friday.

However, within two weeks Journal investigators reportedly came across “at least 130 items with the same policy violations reappeared, some sold by the same vendors previously identified by the Journal under different listings” in addition to more than 2,000 new listings for balloons that lacked proper choking hazard warnings.

So while Amazon definitely seems more on the alert for these potentially harmful products given all the recent press coverage, it’s already looking like the same game of Whack-a-Mole the company plays with trying to block knock-offs.

Volocopter is one of the first flying taxi companies to integrate into air traffic control systems, but others aren’t too far behind. As Engadget‘s Andrew Tarantola wrote, more than 70 companies are currently developing their own personal flying vehicles. Uber, in particular, has invested heavily. And the demonstration at Helsinki Airport isn’t just good news for Volocopter. It also speaks to the fact that multiple air traffic systems are ready to safely manage air taxis and their interactions with traditional aircraft.

Earlier this month, Volocopter revealed the designs for its first commercial autonomous flying taxi. The company previously said it hopes to have air taxis in the sky by 2023, but it will have to build take-off and landing infrastructure and integrate with air traffic management systems. Thursday’s successful test flights demonstrated that Volocopter is at least ready to do the latter.