The 2024 US presidential election is approaching its climax, and with it, state-backed hackers are emerging to influence the process in their own way. Among them is Iran’s APT42, associated with Iran’s Islamic Revolutionary Guard Corps. According to Google’s Threat Analysis Group, this group has targeted individuals linked to the campaigns of Donald Trump, Joe Biden, and now Kamala Harris.
The saga of the data breach at data broker and background-check firm National Public Data is just unfolding. The breach occurred several months ago, but the company only made it public recently when an individual posted what they claimed included “2.9 billion records” of individuals from the US, UK, and Canada, encompassing names, physical addresses, and Social Security numbers. Further scrutiny of the data reveals much deeper complications and increased risks.
Bicycle shifters and gym lockers are the latest additions to the list of hackable items. This week, security experts exposed vulnerabilities in Shimano’s Di2 wireless bicycle shifters that leave them open to radio-based attacks, potentially allowing an attacker to trigger unauthorized gear changes or block gear changes at critical moments in a race. Additionally, vulnerabilities were discovered that could allow extraction of administrator keys for electronic gym and office lockers globally, giving criminals access to every locker at a facility.
If you are a user of Google Pixel phones, you should keep your device close at all times. A hidden Android app called Showcase.apk has an unpatched vulnerability that could allow deep access to your phone. Although exploiting this bug requires physical access to the device, researchers from iVerify suggest that it might also be exploited by chaining it with other vulnerabilities. Google has promised a fix soon, yet this response has not satisfied Palantir, a data analytics firm and US military contractor, which has decided to discontinue using Android devices.
But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
A US federal appeals court ruled last week that so-called geofence warrants violate the Fourth Amendment’s protections against unreasonable searches and seizures. Geofence warrants allow police to demand that companies such as Google turn over a list of every device that appeared at a certain location at a certain time. The US Fifth Circuit Court of Appeals ruled on August 9 that geofence warrants are “categorically prohibited by the Fourth Amendment” because “they never include a specific user to be identified, only a temporal and geographic location where any given user may turn up post-search.” In other words, they’re the unconstitutional fishing expedition that privacy and civil liberties advocates have long asserted they are.
Google, which collects the location histories of tens of millions of US residents and is the most frequent target of geofence warrants, vowed late last year that it was changing how it stores location data in such a way that geofence warrants may no longer return the data they once did. Legally, however, the issue is far from settled: The Fifth Circuit decision applies only to law enforcement activity in Louisiana, Mississippi, and Texas. Plus, because of weak US privacy laws, police can simply purchase the data and skip the pesky warrant process altogether. As for the appellants in the case heard by the Fifth Circuit, well, they’re no better off: The court found that the police used the geofence warrant in “good faith” when it was issued in 2018, so they can still use the evidence they obtained.
The Committee on Foreign Investment in the US (CFIUS) fined German-owned T-Mobile a record $60 million this week for its mishandling of data during its integration with US-based Sprint following the companies’ merger in 2020. According to CFIUS, “T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data,” in violation of a National Security Agreement the company signed with the committee, which assesses the national security implications of foreign business deals with US companies. T-Mobile said in a statement that technical issues impacted “information shared from a small number of law enforcement information requests.” While the company claims to have acted “quickly” and “in a timely manner,” CFIUS claims T-Mobile “failed to report some incidents of unauthorized access promptly to CFIUS, delaying the Committee’s efforts to investigate and mitigate any potential harm.”
The lengthy legal battle involving Kim Dotcom progressed slightly this week as the New Zealand justice minister approved the US’s request for his extradition. Dotcom, the founder of the file-sharing site Megaupload, faces accusations from US authorities of facilitating massive copyright infringement. In 2012, Megaupload was shut down and Dotcom was indicted on several charges including racketeering and money laundering. Although Dotcom has consistently denied any wrongdoing, he lost an attempt to block the extradition in 2017 and he continues to resist the US’s legal efforts. Following the recent decision by the justice minister, Dotcom declared in a post on X his intent to stay in New Zealand, where he has been a legal resident since 2010, asserting his love for the country and his determination not to leave.
The issue of deepfake pornography, where images are digitally manipulated to create explicit content without consent, has encountered a significant legal challenge. Yvonne Meré, San Francisco’s chief deputy city attorney, has initiated a lawsuit against the top 16 ‘nudification’ websites. These platforms, widely used for creating sexualized deepfakes, have been particularly exploited to generate sexual abuse material of underage girls by their peers. Several US states have already made it illegal to produce and distribute AI-generated sexual abuse material involving minors, and this lawsuit aims to completely dismantle these websites.