
Geofence warrants have been declared unconstitutional, but it doesn’t stop there

The 2024 U.S. presidential election is entering its final phase, which means state-backed hackers are emerging from the shadows to meddle in their own ways. That includes Iran’s APT42, a hacking group affiliated with Iran’s Islamic Revolutionary Guard Corps, which has targeted nearly a dozen people associated with the Donald Trump and Joe Biden (now Kamala Harris) campaigns, according to Google’s Threat Analysis Group.

The ongoing disaster that is the breach of data broker and background-checking company National Public Data is just getting started. While the company’s breach occurred months ago, the company only publicly acknowledged it on Monday after someone posted what they said were “2.9 billion records” of people in the U.S., U.K. and Canada, including names, physical addresses and Social Security numbers. Ongoing analysis of the data, however, shows that the story is much more complicated, and so are the risks.

Now you can add bike shifters and gym lockers to the list of things that can be hacked. Security researchers revealed this week that Shimano’s Di2 wireless shifters may be vulnerable to various radio-based attacks, which could allow someone to remotely shift a rider’s gear or prevent them from shifting at a crucial moment in a race. Meanwhile, other researchers have discovered that administrator keys can be extracted from electronic lockers used in gyms and offices around the world, potentially giving a criminal access to every locker in a single location.

If you have a Google Pixel phone, keep an eye on this: An unpatched vulnerability in a hidden Android app called Showcase.apk could give an attacker deep access to your device. Exploiting the vulnerability could require physical access to a targeted device, but researchers at iVerify who discovered the flaw say it could be possible through other vulnerabilities as well. Google says it plans to release a fix “in the coming weeks,” but that’s not enough for data analytics firm and U.S. military contractor Palantir, which is stopping its use of all Android devices due to what it says was an insufficient response from Google.

But that’s not all. Each week, we round up security and privacy news that we haven’t covered in depth. Click the headlines to read the full stories. And stay safe out there.

A U.S. federal appeals court ruled last week that so-called geofence warrants violate Fourth Amendment protections against unreasonable searches and seizures. Geofence warrants allow police to demand that companies like Google turn over a list of all devices that appeared in a particular location at a particular time. The U.S. Court of Appeals for the Fifth Circuit ruled on August 9 that geofence warrants are “categorically prohibited by the Fourth Amendment” because “they never include a specific user to be identified, only a time and geographic location where a given user may show up after the search.” In other words, they are the unconstitutional fishing expedition that privacy and civil liberties advocates have long claimed they are.

Google, which collects the location histories of tens of millions of U.S. residents and is the most frequent target of geofence warrants, vowed late last year to change the way it stores location data so that geofence warrants can no longer return the data they once did. Legally, however, the issue is far from settled: The Fifth Circuit’s decision only applies to law enforcement in Louisiana, Mississippi, and Texas. And because of America’s weak privacy laws, police can simply buy the data and skip the troublesome warrant process altogether. As for the appellants in the Fifth Circuit case, well, they’re no better off: The court found that the police used the geofence warrant in “good faith” when it was issued in 2018, so they can still use the evidence they obtained.

The Committee on Foreign Investment in the US (CFIUS) fined Germany’s T-Mobile a record $60 million this week for data mishandling during its integration with US-based Sprint following the companies’ 2020 merger. According to CFIUS, “T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” in violation of a National Security Agreement the company signed with the committee, which assesses the national security implications of foreign trade deals with US companies. T-Mobile said in a statement that the technical issues impacted “information shared by a small number of law enforcement requests for information.” While the company says it acted “expeditiously” and “in a timely manner,” CFIUS says T-Mobile “failed to timely report certain incidents of unauthorized access to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.”

The 12-year saga that is the Kim Dotcom prosecution continued this week with New Zealand’s justice minister approving a US request to extradite the controversial entrepreneur. Dotcom created the file-sharing service Megaupload, which US authorities say was used for widespread copyright infringement. The US seized Megaupload in 2012 and indicted Dotcom on racketeering, copyright infringement and money laundering charges. Dotcom has denied any wrongdoing but lost a bid to block the extradition in 2017 and has fought against it ever since. Despite the justice minister’s decision, Dotcom vowed in a post on X to stay in the country where he has been a legal resident since 2010. “I love New Zealand,” he wrote. “I’m not leaving.”

The growing plague of deepfake pornography, or explicit images that digitally “undress” people without their consent, may have finally hit a major legal hurdle. San Francisco City Deputy Chief Prosecutor Yvonne Meré, and by extension the city of San Francisco, has filed a lawsuit targeting 16 of the most popular “nudification” websites. These sites and apps allow people to create explicit deepfake images of virtually anyone, but they have increasingly been used by boys to create sexual abuse material of their underage classmates. While several states have criminalized the creation and distribution of AI-generated child sexual abuse material, Meré’s lawsuit effectively seeks to shut down the sites entirely.

Written by Anika Begay
