Quantum sensors can be used in medical technologies, navigation systems, and more, but they’re too expensive for most people. That's where the Uncut Gem open source project comes in.

Quantum computing is either a distant dream or an imminent reality depending on whom you ask. And while much of this year's Quantum Village at the Defcon security conference in Las Vegas is focused on emerging research and threat analysis, Village cofounders Victoria Kumaran and Mark Carney are also working to make a currently available quantum technology more accessible to hackers and anyone else.

In a main-stage Defcon talk on Saturday, the pair will present an open source and affordable quantum sensor that can serve a variety of uses, from medical technologies to GPS alternatives. And it's all powered by a special yet affordable diamond with particular atomic properties. The first generation design could be assembled for about $120 to $160 depending on suppliers and shipping times. The second version that Kumaran and Carney are presenting this weekend can be built for even less, and the pair says they will release a third version this fall based on community testing and input that they hope will cost just $50 to build.

Quantum sensors detect extremely slight variations in magnetic and electrical fields, enabling ultra-precise measurements. Atomic clocks that keep nearly perfect time, for example, are quantum sensors that have been in use for decades. For researchers and enthusiasts interested in learning more about quantum sensing, though, the barrier to entry has been quite high. So the Quantum Village's relatively affordable, open source “Uncut Gem” project creates a real opportunity for more people to build their own quantum sensors and explore the technology.

“You can do things you wouldn't have been able to do before, like using quantum sensors to start building portable MRI-style devices that can be used in all different countries,” Kumaran told WIRED ahead of the presentation. “These are diamonds with defects, synthetic diamonds that are the cheapest off-cuts you can get. I think there’s something a bit poetic that synthetic diamonds have this utility.”

Most of the components needed for the quantum sensor are simple off-the-shelf computing parts, but the diamond needs to be what's known as a “nitrogen-vacancy diamond.” Its special molecular properties are thanks to the presence of nitrogen atoms that replace some carbon atoms in the diamond's atomic structure.

In addition to potential medical applications, quantum sensors can be used in alternative navigation technologies that track electromagnetic wave interference. Such tools could be used as local alternatives to GPS in the case of global system failures or targeted jamming. The US Space Force is currently testing what a release called the “highest-performing quantum inertial sensor ever tested in space.”

For the vast majority of people who don't have access to the world's highest performing quantum sensors, though, the Uncut Gem project represents an opportunity to democratize and expand quantum sensing technology. The project joins others in different fields of hacking that have been geared toward low-cost, accessible designs and components.

Independent researcher Davide Gessa has been testing the Uncut Gem schematics and code.

“I'm in the final phase of casting the diamond with the electronics—I hope to finish the device in about two weeks,” Gessa told WIRED. “I'm following the instructions from the official project, but I made some customizations too. My hope is to exploit this device to do some quantum computing experiments and also use it for random number generation. All my edits will be open source, so everyone can replicate and improve it.”

Uncut Gem prototype sensors have already been able to detect magnetic wave fluctuations in a chaotic conference hall as well as a heartbeat from a few feet away from a subject. Software is vital in quantum sensing, because even the most refined and high-quality hardware still picks up noise in the environment that needs to be reconciled and filtered to focus the sensor's output on the intended detection.

“The reason we’re calling it the first fully open source is because, to the best I’ve found, other papers give you some schematics—and we’ve referenced those—but there’s no one other place that you could go that has the PCB \[printed circuit board\], the source of diamonds, the designs, the schematics, the firmware, and also a repository of knowledge about how it works so you can get started,” Carney, of the Quantum Village, told WIRED.

While quantum sensors, and certainly the Uncut Gem sensor, still have a long way to go before delivering the accuracy and ease-of-use of a _Star Trek_ tricorder, Carney and Kumaran emphasize that the purpose of the project is simply to get actual quantum technology out to the world as quickly as possible.

“Open sourcing this is really important to us,” Carney says. “Is it a good sensor? Excuse me, but fuck no. There are much better sensors. Could it be a better sensor? Absolutely, and that will happen if we can get people to take part in open source and iterate it.”

A Special Diamond Is the Key to a Fully Open Source Quantum Sensor

Plus: Instagram sparks a privacy backlash over its new map feature, hackers steal data from Google's customer support system, and the true scope of the Columbia University hack comes into focus.

This is the week of Black Hat and Defcon, which means a flood of news coming out of the Las Vegas security conferences. As you might expect, artificial intelligence was one popular topic—specifically, using AI chatbots to cause mischief.

One team of researchers, from Tel Aviv University, created a clever attack that allowed them to take over a target’s smart home devices using a “poisoned” Google Calendar invite. It’s the first known attack method that used AI to impact physical devices.

Another researcher used a poisoned document that included a malicious prompt to trick ChatGPT into leaking a user’s private information when it’s connected to a Google Drive.

In non-AI news, an end-to-end encryption algorithm recommended for radio communications used by police and military around the world can be easily cracked, according to new research. The researchers warn that weak implementations of the encryption algorithm could allow eavesdroppers to listen in—or even transmit their own messages.

Speaking of weaknesses, a security researcher found that misconfigured APIs in some streaming platforms used for company meetings and sports livestreams can allow someone to watch the streams without logging in. And a teen hacker discovered that an internet-connected smoke and vape detector in his high school’s bathroom contained microphones—and can be exploited for secret spying.

A leaked trove of data has exposed how teams of suspected North Korean IT scam workers operate, from their meticulous record keeping to the after-work activities—and their near-constant surveillance by people running the schemes.

Finally, in the last of our Black Hat- and Defcon-related news (so far), a pair of security researchers discovered a backdoor in an electronic lock used in at least eight brands of safes, and created a way to open the locks in seconds. They also found another vulnerability that allows them to figure out a safe’s unlock code.

We also took a deep dive into the US military’s slot machine program, spoke with experts who say it’s inevitable that AI will become part of nuclear weapons systems, and revealed a string of break-ins of National Guard armories in Tennessee that experts say is part of a disturbing trend.

And that’s not all. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Hack of US Court System Exposed Sealed Records, FBI Says**

A previously unreported cyberattack breached the federal judiciary’s electronic case filing system, potentially exposing the identities of confidential informants and compromising sealed court records across multiple US states, Politico reports. The breach was discovered around July 4 and affects the CM/ECF—or “case management/electronic case files”—system used by courts to manage sensitive documents.

Sources told Politico the hack may have impacted criminal dockets, arrest warrants, and sealed indictments, raising concerns that cooperating witnesses could be at risk. The actor behind the intrusion has not been exposed. The Administrative Office of the US Courts and FBI declined to provide Politico with a comment.

In response to recent cyberattacks, the federal judiciary said its been in the process of implementing new safeguards to address the judiciary’s ongoing exposure to “constant and sophisticated” cyber threats.

The incident highlights longstanding warnings that the judiciary’s systems are outdated and vulnerable. A top federal judge told Congress in June that CM/ECF and PACER face “unrelenting security threats” and need urgent replacement.

**Instagram’s New Map Feature Triggers Privacy Backlash**

Instagram’s latest feature—a searchable map showing user-posted content tagged to specific locations—has sparked a wave of privacy concerns, CNBC reports. Rolled out this week, the feature lets users explore photos and videos by browsing a visual map interface.

But users quickly raised alarms about the potential for stalking, harassment, and data misuse, especially for influencers and others posting real-time content from identifiable locations. “Instagram randomly updating their app to include a maps feature without actually alerting people is so incredibly dangerous to anyone who has a restraining order and actively making sure their abuser can’t stalk their location online,” one viral post warned.

Instagram said the feature only shows content from public accounts and reiterated that users can turn off location tagging. Still, the backlash echoes broader concerns about how tech platforms rapidly aggregate and expose personal data in ways that outpace users’ expectations and consent.

**Hackers Breached Google’s Salesforce Database, Stole Customer Data**

Hackers stole data from Google’s customer support system in a breach linked to a compromised Salesforce account, TechCrunch reports. The intrusion, disclosed Wednesday, affected an undisclosed number of Google customers and involved unauthorized access to data such as contact details and “related notes for small and medium-sized businesses.”

The attackers reportedly targeted the data through Salesforce cloud systems. Google’s Threat Intelligence Group pinned the attack on ShinyHunters, a hacking group known for targeting large companies’ cloud-based databases, including Salesforce systems.

The breach affecting Google follows similar attacks on Cisco, Qantas, and Pandora, where attackers used voice phishing to trick employees into granting access. Google says the group may be preparing a leak site to extort victims and is linked to other cybercriminal collectives like The Com, which has a history of hacking and extortion.

**Columbia University Hack Exposed Data of 870,000 People**

A cyberattack on Columbia University compromised the personal information of nearly 870,000 individuals, including students, applicants, and possibly staff, Bloomberg reports. The stolen data includes contact information, academic records, financial aid details, and some health and insurance information, according to draft letters, intended for victims, obtained by the news outlet.

The breach, which dates back to mid-May, was only publicly acknowledged after Columbia filed reports with state attorneys general in California and Maine. A university official previously claimed the perpetrator was politically motivated. The school claims it has implemented new safeguards and continues to notify affected individuals.

The incident preceded a campus-wide IT outage in June. The school reportedly suspected a potential cyberattack at the time.

The US Court Records System Has Been Hacked

At the Defcon security conference in Las Vegas on Friday, Nakasone tried to thread the needle in a politically fraught moment while hinting at major changes for the tech community around the corner.

The Trump administration's radical changes to United States fiscal policy, foreign relations, and global strategy—combined with mass firings across the federal government—have created uncertainty around US cybersecurity priorities that was on display this week at two of the country's most prominent digital security conferences in Las Vegas. “We are not retreating, we're advancing in a new direction,” Cybersecurity and Infrastructure Security Agency chief information officer Robert Costello said on Thursday during a critical infrastructure defense panel at Black Hat.

As in other parts of the federal government, the Trump administration has been combing intelligence and cybersecurity agencies to remove officials seen as disloyal to its agenda. Alongside these shifts, the White House has also been hostile to former US cybersecurity officials. In April, for example, Trump specifically directed all departments and agencies to revoke the security clearance of former CISA director Chris Krebs. And last week, following criticism from far-right activist Laura Loomer, the secretary of the Army rescinded an academic appointment that former CISA director Jen Easterly had been scheduled to fill at West Point. Amid all of this, former US National Security Agency and Cyber Command chief Paul Nakasone spoke with Defcon founder Jeff Moss in an onstage discussion on Friday, focusing on AI, cybercrime, and the importance of partnerships in digital defense.

“I think we've entered a space now in the world where technology has become political and basically every one of us is conflicted,” Moss said at the beginning of the discussion. Nakasone, who is on the board of OpenAI, agreed, citing Trump's January launch of the “Stargate” AI infrastructure initiative flanked by Oracle's Larry Ellison, SoftBank's Masayoshi Son, and OpenAI's Sam Altman. “And then two days later, just by chance, \[the Chinese generative AI platform\] DeepSeek came out,” Nakasone deadpanned. “Amazing.”

Nakasone also reflected on demographic differences between the US federal government and the tech sector.

“When I was the director of NSA and commander of US Cyber Command, every single quarter I would go to the Bay or I'd go to Texas or Boston or other places to see technology,” he said. “And every place that I went to, I was twice the age of the people that talked to me. And then when I came back to DC and I sat at the table, I was one of the younger people there. OK, that's a problem. That's a problem for our nation.”

Throughout the discussion, Nakasone largely geared his remarks toward efforts to counter traditional US rivals and adversaries, including China, Iran, North Korea, and Russia, as well as specific digital threats.

“Why aren't we thinking differently about ransomware, which I think right now is among the great scourges that we have in our country,” he said. “We are not making progress against ransomware.”

At times, though, Moss attempted to steer the conversation toward geopolitical changes and conflicts around the world that are fueling uncertainty and fear.

“How do you be neutral in this environment? Can you be neutral? Or is the world's environment since last year, Ukraine, Israel, Russia, Iran, just take your pick, America—how does anybody remain neutral?" Moss asked at the beginning of the conversation. Later he added, “I think because I'm so stressed out by the chaos of the situation, I'm trying to feel how do I get control?”

Referencing these remarks and comments Moss had made about turning to open source software platforms as a community-building alternative to multinational tech companies, Nakasone hinted at Moss' notion that the world and its entering a precarious state of flux.

“This is going to be an interesting storyline that we play out through ‘25 and ’26. When we come back \[to Defcon\] next year to have this discussion, will we still be able to have this sense of, oh, we're truly neutral? I sense not. I think it's going to be very, very difficult.”

Ex-NSA Chief Paul Nakasone Has a Warning for the Tech World

Security researchers found two techniques to crack at least eight brands of electronic safes—used to secure everything from guns to narcotics—that are sold with Securam Prologic locks.

About two years ago, security researchers James Rowley and Mark Omo got curious about a scandal in the world of electronic safes: Liberty Safe, which markets itself as “America’s #1 heavy-duty home and gun safe manufacturer,” had apparently given the FBI a code that allowed agents to open a criminal suspect's safe in response to a warrant related to the January 6, 2021, invasion of the US Capitol building.

Politics aside, Rowley and Omo were taken aback to read that it was so easy for law enforcement to penetrate a locked metal box—not even an internet-connected device—that no one but the owner ought to have the code to open. “How is it possible that there's this physical security product, and somebody else has the keys to the kingdom?” Omo asks.

So they decided to try to figure out how that backdoor worked. In the process, they'd find something far bigger: another form of backdoor intended to let authorized locksmiths open not just Liberty Safe devices, but the high-security Securam Prologic locks used in many of Liberty’s safes and those of at least seven other brands. More alarmingly, they discovered a way for a hacker to exploit that backdoor—intended to be accessible only with the manufacturer's help—to open a safe on their own in seconds. In the midst of their research, they also found _another_ security vulnerability in many newer versions of Securam's locks that would allow a digital safecracker to insert a tool into a hidden port in the lock and instantly obtain a safe’s unlock code.

Security researchers James Rowley and Mark Omo.Photograph: Ronda Churchill

At the Defcon hacker conference in Las Vegas today, Omo and Rowley made their findings public for the first time, demonstrating onstage their two distinct methods for opening electronic safes sold with Securam ProLogic locks, which are used to protect everything from personal firearms to cash in retail stores to narcotics in pharmacies.

While both their techniques represent glaring security vulnerabilities, Omo says it's the one that exploits a feature intended as a legitimate unlock method for locksmiths that's the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing,” Omo says. “All of a sudden, based on our testing, it seems like people can get into almost any Securam Prologic lock in the world.”

Omo and Rowley demonstrate both their safecracking methods in the two videos below, which show them performing the techniques on their own custom-made safe with a standard, unaltered Securam ProLogic lock:

**Security Update? No, Buy a New Lock**

Omo and Rowley say they informed Securam about both their safe-opening techniques in spring of last year, but have until now kept their existence secret because of legal threats from the company. “We will refer this matter to our counsel for trade libel if you choose the route of public announcement or disclosure,” a Securam representative wrote to the two researchers ahead of last year's Defcon, where they first planned to present their research.

Only after obtaining pro bono legal representation from the Electronic Frontier Foundation's Coders’ Rights Project did the pair decide to follow through with their plan to speak about Securam's vulnerabilities at Defcon. Omo and Rowley say they're even now being careful not to disclose enough technical detail to help others replicate their techniques, while still trying to offer a warning to safe owners about two different vulnerabilities that exist in many of their devices.

When WIRED reached out to Securam for comment, the company’s CEO, Chunlei Zhou, responded in a statement. “The specific ‘vulnerabilities’ alleged by Omo and Rowley are already well known to industry professionals and in fact, also affect other safe lock providers that use similar chips,” Zhou writes. “Delivering any attack based on these vulnerabilities does require specialized knowledge, skills, and equipment, and we have no record of any customer that has ever had even a single safe lock defeated through a use of this attack.”

Zhou’s statement goes on to point to other ways safes’ locks can be opened from drilling and cutting to the use of a locksmith device called a Little Black Box that exploits vulnerabilities in some brands of electronic safe locks.

Omo and Rowley respond that the vulnerabilities they found were not previously known to the public; one of the two does not require _any_ special equipment, despite Zhou’s claim; and none of the other techniques Zhou mentions represents as serious a security flaw as their findings about the Securam ProLogic locks. The brute-force safecracking methods Zhou points to, like cutting and drilling are far slower and less stealthy—or, like the Little Black Box, are available only to locksmiths and haven’t been publicly shown to be exploitable by unauthorized hackers.

Zhou added in his statement that Securam will be fixing the vulnerabilities Omo and Rowley found in future models of the ProLogic lock. “Customer security is our priority and we have begun the process of creating next-generation products to thwart these potential attacks,” he writes. “We expect to have new locks on the market by the end of the year.”

Photograph: Ronda Churchill

In a followup call, Securam director of sales Jeremy Brookes confirmed that Securam has no plan to fix the vulnerability in locks already in use on customers’ safes, but suggests safe owners who are concerned buy a new lock and replace the one on their safe. “We’re not going to be offering a firmware package that upgrades it,” Brookes says. “We’re going to offer them a new product.”

Brookes adds that he believes Omo and Rowley are “singling out” Securam with the intention of “discrediting” the company.

Omo responds that’s not at all their intent. “We’re trying to make the public aware of the vulnerabilities in one of the most popular safe locks on the market,” he says.

**A Senator’s Warning**

Beyond Liberty Safe, Securam ProLogic locks are used by a wide variety of safe manufacturers including Fort Knox, High Noble, FireKing, Tracker, ProSteel, Rhino Metals, Sun Welding, Corporate Safe Specialists, and pharmacy safe companies Cennox and NarcSafe, according to Omo and Rowley’s research. The locks can also be found on safes used by CVS for storing narcotics and by multiple US restaurant chains for storing cash.

Rowley and Omo aren't the first to raise concerns about the security of Securam locks. In March of last year, US senator Ron Wyden wrote an open letter to Michael Casey, then director of the National Counterintelligence and Security Center, urging Casey to make clear to American businesses that safe locks made by Securam, which is owned by a Chinese parent company, have a manufacturer reset capability. That capability, Wyden wrote, could be used as a backdoor—a risk that had already led to Securam locks being prohibited for US government use like all other locks with a manufacturer reset, even as they're widely used by private US companies.

In response to learning about Rowley and Omo’s research, Wyden wrote in a statement to WIRED that the researchers’ findings represent exactly the risk of a backdoor—whether in safes or in encryption software—that he’s tried to call attention to.

“Experts have warned for years that backdoors will be exploited by our adversaries, yet instead of acting on my warnings and those of security experts, the government has left the American public vulnerable,” Wyden writes. “This is exactly why Congress must reject calls for new backdoors in encryption technology and fight all efforts by other governments, such as the UK, to force US companies to weaken their encryption to facilitate government surveillance.”

**ResetHeist**

Rowley and Omo’s research began with that same concern, that a largely undisclosed unlocking method in safes might represent a broader security risk. They initially went searching for the mechanism behind the Liberty Safe backdoor that had caused a backlash against the company in 2023, and found a relatively straightforward answer: Liberty Safe keeps a reset code for every safe and, in some cases, makes it available to US law enforcement.

Liberty Safe has since written on its website that it now requires a subpoena, a court order, or other compulsory legal process to hand over that master code, and will also delete its copy of the code at a safe owner’s request.

Rowley and Omo planned to reveal the existence of Securam’s vulnerabilities more than a year ago, but held off until now due to the company’s legal threats.Photograph: Ronda Churchill

Rowley and Omo didn't find any security flaw that would allow them to abuse that particular law-enforcement-friendly backdoor. When they started examining the Securam ProLogic lock, however, their research on the higher-end version of the two kinds of Securam lock used on Liberty Safe products revealed something more intriguing. The locks have a reset method documented in their manual, intended in theory for use by locksmiths helping safe owners who have forgotten their unlock code.

Enter a “recovery code” into the lock—set to “999999” by default—and it uses that value, another number stored in the lock called an encryption code, and a third, random variable to compute a code that's displayed on the screen. An authorized locksmith can then read that code to a Securam representative over the phone, who then uses that value and a secret algorithm to compute a reset code the locksmith can enter into the keypad to set a new unlock combination.

Omo and Rowley found that by analyzing the Securam ProLogic's firmware, however, they could find everything they needed to compute that reset code themselves. “There's no hardware security to speak of,” says Rowley. “So we could reverse engineer the whole secret algorithm just by reading the firmware that's in the lock.” The resulting safecracking method requires little more than punching a few numbers into a Python script they wrote. They call the technique ResetHeist.

The researchers note that safe owners can prevent this ResetHeist technique by changing their lock's recovery code or its encryption code. But Securam doesn't recommend that safeguard in any user documentation the researchers could find online, only in a manual for some manufacturers and locksmiths. In another Securam webinar Omo and Rowley found, Securam notes that you can change the codes, but that it’s not necessary, and that the codes are “usually never” changed. In every lock the researchers tested, including about a handful they bought used from eBay, the codes hadn't been changed. “We have not bought a lock on which the recovery method didn't work,” Omo says.

**CodeSnatch**

The second technique the researchers developed, which they call CodeSnatch, is more straightforward. By removing the battery from a Securam ProLogic lock and inserting a small handheld tool they made with a Raspberry Pi minicomputer into an exposed debug port inside, they can extract a “super code” combination from the lock that's displayed on their tool's screen and can be used to immediately open the lock.

The researchers found that CodeSnatch trick by reverse engineering the Renesas chip that serves as the lock's main processor. That task was made far easier by the work of a group called fail0verflow, which had published their analysis of the same Renesas chip as part of their efforts to crack the PlayStation 4, which also uses that processor. Omo and Rowley built their tool to reprogram the chip's firmware to dump all of its information via the debug port—including the encrypted “super code” and the key, also stored on the chip, that decrypts it. “It's really not that challenging,” says Rowley. “Our little tool does that, and then it tells you what the super code is.”

Gaining access to the lock's code via its debug port does require inputting a password. But Omo and Rowley say that password was absurdly simple, and they successfully guessed it. They found that in one newer Securam ProLogic lock manufactured in March of this year, Securam had changed the password, but they were able to learn it again by using a “voltage glitching” technique: By soldering a switch to the voltage regulator on the chip, they could mess with its electrical voltage at the exact moment it performed the password check to bypass that check and then dump the chip's contents—including the new password.

Photograph: Ronda Churchill

In addition to Securam, WIRED reached out to 10 safe manufacturers that appear to use Securam ProLogic locks on their safes, as well as CVS. Most didn’t respond, but a spokesperson for High Noble Safe Company wrote in a statement that WIRED’s inquiry was the first it was learning of Securam’s vulnerabilities, and that it’s now reviewing the security of the locks used by its product line and preparing guidance for customers including “additional physical security measures or potential replacement options.”

A Liberty Safe representative similarly noted the company wasn’t previously aware of Securam’s vulnerabilities. “We are currently investigating this issue with SecuRam and will do whatever it takes to protect our customers,” a statement from the spokesperson reads, “including validating other potential lock suppliers and developing a new proprietary lock system.”

A CVS spokesperson declined to comment on “specific security protocols or devices,” but wrote that “the safety of our employees and patients is a top priority and we are committed to maintaining the highest physical security standards.”

**“Safes That Aren’t Safe”**

Rowley and Omo say that patching Securam Locks' security flaws is possible—their own CodeSnatch tool, in fact, could itself be used to update the locks' firmware. But any such fix would have to be implemented manually, lock by lock, a slow and expensive process.

Although Omo and Rowley aren't releasing the full technical details or any proof-of-concept code for their techniques, they warn that others with less benevolent intentions could still figure out how to replicate their safecracking tricks. “If you have the hardware and you're skilled in the art, this would be roughly a one-week thing,” Omo says.

He and Rowley decided to go public with their research despite that risk to make safe owners aware that their locked metal boxes may not be as secure as they think. More broadly, Omo says that they wanted to call attention to the wide gaps in US cybersecurity standards for consumer products. Securam locks are certified by Underwriters Laboratory, he points out—yet suffered from critical security flaws that will be tough to fix. (Underwriters Laboratory did not immediately respond to WIRED’s request for comment.)

In the meantime, they say, safe owners should at least know about their safes' flaws—and not rely on a false sense of security.

“We want Securam to fix this, but more importantly we want people to know how bad this can be,” Omo says. “Electronic locks have electronics inside. And electronics are hard to secure.”

Hackers Went Looking for a Backdoor in High-Security Safes—and Now Can Open Them in Seconds

A security researcher discovered that flawed API configurations are plaguing corporate livestreaming platforms, potentially exposing internal company meetings—and he's releasing a tool to find them.

Top streaming services like Netflix and Disney+ have made sustained investments over the years to lock their content down. Whenever they can, they prevent users from accessing videos without a subscription or watching region-blocked content. New findings presented today at the Defcon security conference in Las Vegas, though, indicate that streaming platforms used for things like internal corporate broadcasts and sports livestreams can contain basic design flaws that allow anyone to access a vast swath of content without logging in.

Independent researcher Farzan Karimi first realized years ago that misconfigurations in application programming interfaces, or APIs, exposed streaming content to unauthorized access. In 2020 he disclosed a set of such flaws to Vimeo that could have allowed him to access close to 2,000 internal company meetings along with other types of livestreams. The company quickly fixed the issue at the time, but the finding left Karimi with concerns that similar problems could be lurking in other platforms.

Years later, he realized that by refining a technique for mapping how APIs retrieve data and interact, he could look for other vulnerable platforms. At Defcon, Karimi is presenting findings about current exposures in one mainstream sports streaming platform—he is not naming the site because the issues are not yet resolved—and releasing a tool to help others identify the problem in additional sites.

“For a company all hands or other sensitive meeting, there might be key internal information being shared—CEOs or other executives talking about layoffs or sensitive intellectual property,” Karimi told WIRED ahead of his conference talk. “You can see a bad pattern emerge in how easily you can circumvent authentication to access streams, but this class of issue was previously dismissed as requiring deep knowledge of a given business to identify.”

APIs are services that fetch and return data to whoever requests it. Karimi gives the example that you can search for the movie _Fight Club_ on a streaming platform, and the stream for the movie may come back with information about the length of the movie, trailers, actors in the movie, and other metadata. Multiple APIs work together to assemble all of this information with each fetching certain types of data. Similarly, if you search for Brad Pitt, a set of APIs will interact to deliver _Fight Club_ along with other movies he's starred in like _Troy_ and _Seven_. Some of these APIs are designed to require proof of authentication before they will return results, but if a system hasn't been scrutinized deeply, it is common for other APIs to blindly return data without requiring proof of authorization on the assumption that only an authenticated requestor will be in a position to send queries.

“Often there are basically four, five, some number of APIs that have all this metadata, and if you know how to trace through them, you can unlock paywalled content for free,” Karimi says. “It's a ‘security through obscurity’ model where they would never think that someone would be able to manually connect the dots between these APIs. The automation I’m introducing, though, helps find these authorization flaws quickly at scale.”

Karimi emphasizes that top streaming services are largely locked down and either corrected such API misconfigurations long ago or avoided them from the start. But he emphasizes that more utilitarian platforms for corporate streaming and other live events—including always-on cameras in sports arenas and other venues that are meant to only be accessible at certain times—are likely vulnerable and exposing video that is thought to be protected.

A Misconfiguration That Haunts Corporate Streaming Platforms Could Expose Sensitive Data

A pair of hackers found that a vape detector often found in high school bathrooms contained microphones—and security weaknesses that could allow someone to turn it into a secret listening device.

A pair of hackers found that a vape detector often found in high school bathrooms contained microphones—and security weaknesses that could allow someone to turn it into a secret listening device.

Photograph: Ronda Churchill

A couple of years ago, a curious, then-16-year-old hacker named Reynaldo Vasquez-Garcia was on his laptop at his Portland-area high school, seeing what computer systems he could connect to via the Wi-Fi—“using the school network as a lab,” as he puts it—when he spotted a handful of mysterious devices with the identifier “IPVideo Corporation.”

After a closer look and some googling, Garcia figured out that a company by that name was a subsidiary of Motorola, and the devices he’d found in his school seemed to be something called the Halo 3C, a “smart” smoke and vape detection gadget. “They look just like smoke detectors, but they have a whole bunch of features like sensors and stuff,” Garcia says.

As he read more, he was intrigued to learn that the Halo 3C goes beyond detecting smoke and vaping—including a distinct feature for discerning THC vaping in particular. It also has a microphone for listening out for “aggression,” gunshots, and keywords such as someone calling for help, a feature that to Vasquez-Garcia immediately raised concerns of more intrusive surveillance.

Now, after months of reverse engineering and security testing, Vasquez-Garcia and a fellow hacker he’s partnered with who goes by the pseudonym “Nyx,” have shown that it’s possible to hack one of those Halo 3C gadgets—which they’ve taken to calling by the nickname “snitch puck”—and take full control of it.

Reynaldo Vasquez-Garcia and Nyx in Las Vegas, NV on August 8, 2025.Photograph: Ronda Churchill

At the Defcon hacker conference today, they plan to show that by exploiting just a few relatively simple security vulnerabilities, any hacker on the same network could have hijacked a Halo 3C to turn it into a real-time audio eavesdropping bug, disabled its detection capabilities, created fake alerts for vaping or gunshots, or even played whatever sound or audio they chose out of the device’s speaker. Motorola said it has since developed a firmware update to address those security flaws that will automatically push to cloud-connected devices by Friday.

Many of the hackers’ tricks are on display in a video demo below, which the Vasquez-Garcia and Nyx made ahead of their Defcon presentation:

The Halo 3C’s vulnerabilities would have potentially allowed a teen hacker on a school network to take control of a Halo 3C for epic mischief or abuse. The sensor’s capabilities also ignite fears that school administrators or even police could have done the same to eavesdrop on unsuspecting students in a school bathroom. Schools are increasingly subject to all sorts of surveillance technology, from AI-powered weapons detectors, to “face analytics” cameras, to keystroke loggers on student computers.

One concern of the researchers is that technology like the Halo 3C could be turned against a student speaking about seeking an abortion, for instance. In marketing material, Motorola says the Halo 3C sensor “is ideal for observing health and safety in privacy-concern areas, such as restrooms and changing facilities, where video and audio recording is not permitted.” (Motorola said that the sensor is programmed with wake words, such as “Help, 911,” and does not record or stream audio.)

“To the credit of the company, the microphones sound great,” says Nyx. “From up on the ceiling, you could totally listen to what somebody was saying, and we’ve made this happen.”

Photograph: Ronda Churchill

Motorola told the hackers in an email that it has worked on a new firmware update that should fix the vulnerabilities. But the hackers argue that doesn’t, and can’t, address the underlying concern: that a gadget loaded with hidden microphones is installed in schools around the country. Motorola also advertises its Halo sensors for use in public housing—including inside residents’ homes—according to marketing material.

“The unfortunate reality is there's a microphone connected to a computer that's connected to the network,” says Nyx. “And there's no software patching that will make that not possible to use as a listening device.”

Motorola pitches the Halo 3C as an “all-in-one intelligent security device” in its marketing material. Its notifications “enable security teams at schools, hospitals, retail stores and more to respond to potentially critical events faster, helping to establish a safer environment,” it says.

A disassembled Halo 3C smoke and vape detector found to include microphones.

Courtesy of Reynaldo Vasquez-Garcia and Nyx

After Vasquez-Garcia got curious about the Halo 3C two years ago, he and Nyx—an older hacker he met at his local hackerspace—bought one on eBay and took it apart. Their physical teardown revealed the Halo 3C is essentially a Raspberry Pi micro computer with a bunch of sensors attached, including one for temperature or humidity, an accelerometer, and others for air quality that detect different gases. One feature jumped out: a couple of microphones.

“Seeing this device is getting put into buildings and having microphones in it,” says Nyx, “it’s kind of a huge red flag.”

To hack the Halo 3C, they found that if they could connect to one over the network it was installed on, they could brute-force guess its password with virtually no rate limitations due to a flaw in how it tried to throttle those guesses. “It’s trivially possible to guess passwords as quickly as the thing can respond to you,” says Nyx. That meant they could guess roughly 3,000 passwords a minute, and crack any insufficiently complex password relatively quickly.

Once they had administrator access to a Halo 3C, they found they could update its firmware to whatever they chose: Despite its security measures that attempted to require those firmware updates to be encrypted with a certain cryptographic key, that key was in fact included in firmware updates available on the Halo’s website. “They're handing you a locked box where the key is taped to the underside,” Nyx says. “As long as you know to look down there, you can open it up.”

Photograph: Ronda Churchill

A Motorola Solutions spokesperson said in a statement: “Motorola Solutions designs, develops and deploys our products to prioritize data security and protect the confidentiality, integrity and availability of data. A firmware update is available, and we are working with our customers and channel partners to deploy the update together with our additional recommendations and industry best practices for security.”

Marketing material available online says the Halo 3C uses a “Dynamic Vape Detection algorithm” which can sense nicotine, THC, and when someone is trying to mask their vaping with aerosols. Halo can also “alert security teams to motion after hours” and includes a “spoken keyword feature.”

Photograph: Ronda Churchill

“The HALO Smart Sensor can detect specific spoken keywords that immediately alert security to a potential issue. Pre-defined keywords like ‘help’ are particularly valuable in environments such as schools, where bullying is a concern, or for teachers in need of assistance, as well as nurses and hospital patients,” the marketing material adds. Another section says the sensors can be used to detect “bullying or aggression” in schools.

The marketing material also says Halo sensors have been used in public housing units in New York. “The sensors helped SSHA \[the Saratoga Springs Housing Authority\] reduce risks, enforce nonsmoking rules, and protect vulnerable residents, with plans for further installations across the housing authority,” it says.

Nyx argues that the notion of requiring public housing residents to keep a hackable device that can become an audio eavesdropping tool in their apartment may represent the most disturbing application of the Halo 3C. “That kind of took it up a notch as far as how egregious this entire product line is,” Nyx says. “Most people have an expectation that their home isn’t bugged, right?”

As sensors like the Halo 3C proliferate across schools and even homes, Vasquez-Garcia says the biggest takeaway from his and Nyx’s findings ought to be that putting microphones and internet connections into every device in our lives as simple as a smoke detector is a decision that carries real risk. “If people remember one thing from this, it should be: Don’t blindly trust every internet of things device just because it claims to be for safety,” Vasquez-Garcia says. “The real issue is trust. The more we accept devices that say 'not recording' at face value, the more we normalize surveillance without really knowing what's inside or bothering to question it.”

Andy Greenberg is a senior writer for WIRED covering hacking, cybersecurity, and surveillance. He’s the author of the books _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_ and _Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers_. His books ... Read More

Joseph Cox is an award-winning investigative journalist focused on generating impact. His work has triggered hundreds of millions of dollars worth of fines, shut down tech companies, and much more. ... Read More

It Looks Like a School Bathroom Smoke Detector. A Teen Hacker Showed It Could Be an Audio Bug

Spreadsheets, Slack messages, and files linked to an alleged group of North Korean IT workers expose their meticulous job-planning and targeting—and the constant surveillance they're under.

Job hunting is a fresh kind of hell. Hours are wasted sifting through open roles, tweaking cover letters, dealing with obtuse recruiters—and that’s all before you get started with potential interviews. Arguably, some of the world’s most prolific job applicants—or at least most persistent—are those of North Korea’s sprawling IT worker schemes. For years, Kim Jong Un’s repressive regime has successfully sent skilled coders abroad where they’re tasked with finding remote work and sending money back to the heavily sanctioned and isolated nation. Each year, thousands of IT workers bring in somewhere between $250 million and $600 million, according to United Nations estimates.

Now an apparent huge new trove of data, obtained by a cybersecurity researcher, sheds new light on how one group of alleged North Korean IT workers has been running its operations and the meticulous planning involved in the money-making schemes. Money made by scam IT workers contributes to North Korea’s weapons of mass destruction development efforts and ballistic missile programs, the US government has said. Emails, spreadsheets, documents, and chat messages from Google, Github, and Slack accounts allegedly linked to the alleged North Korean scammers show how they track potential jobs, log their ongoing applications, and record earnings with a painstaking attention to detail.

The cache of data, which represents a glimpse into the workaday life of some of North Korea’s IT workers, also purportedly includes fake IDs that may be used for job applications, as well as example cover letters, details of laptop farms, and manuals used to create online accounts. It reinforces how reliant upon US-based tech services, such as Google, Slack, and GitHub, the DPRK workers are.

“I think this is the first time to see their internal \[operations\], how they are working,” says the security researcher, who uses the handle SttyK and asked not to be named due to privacy and security concerns. SttyK, who is presenting their findings at the Black Hat security conference in Las Vegas today, says an unnamed confidential source provided them with the data from the online accounts. “There are several dozen gigabytes worth of data. There are thousands of emails,” says SttyK, who showed WIRED their presentation ahead of the conference.

North Korea’s IT workers have, in recent years, infiltrated huge Fortune 500 companies, a host of tech and crypto firms, and countless small businesses. While not all IT worker teams use the same approaches, they often use fake or stolen identities to get work and also use facilitators who help cover their digital tracks. The IT workers are often based in Russia or China and are given more freedom and liberties—they’ve been seen enjoying pool parties and dining out on expensive steak dinners—than millions of North Koreans who are not afforded basic human rights. One North Korean defector who operated as an IT worker recently told the BBC that 85 percent of their ill-gained earnings were sent to North Korea. “It’s still much better than when we were in North Korea,” they said.

Multiple screenshots of spreadsheets in the data obtained by SttyK show a cluster of IT workers that appear to be split into 12 groups—each with around a dozen members—and an overall “master boss.” The spreadsheets are methodologically put together to track jobs and budgets: They have summary and analysis tabs that drill down into the data for each group. Rows and columns are neatly filled out; they appear to be updated and maintained regularly.

The tables show the potential target jobs for IT workers. One sheet, which seemingly includes daily updates, lists job descriptions (“need a new react and web3 developer”), the companies advertising them, and their locations. It also links to the vacancies on freelance websites or contact details for those conducting the hiring. One “status” column says whether they are “waiting” or if there has been “contact.”

Screenshots of one spreadsheet seen by WIRED appears to list the potential real-world names of the IT workers themselves. Alongside each name is a register of the make and model of computer they allegedly have, as well as monitors, hard drives, and serial numbers for each device. The “master boss,” who does not have a name listed, is apparently using a 34-inch monitor and two 500GB hard drives.

One “analysis” page in the data seen by SttyK, the security researcher, shows a list of types of work the group of fraudsters are involved in: AI, blockchain, web scraping, bot development, mobile app and web development, trading, CMS development, desktop app development, and “others.” Each category has a potential budget listed and a “total paid” field. A dozen graphs in one spreadsheet claim to track how much they have been paid, the most lucrative regions to make money from, and whether getting paid weekly, monthly, or as a fixed sum is the most successful.

“It’s professionally run,” says Michael “Barni” Barnhart, a leading North Korean hacking and threat researcher who works for insider threat security firm DTEX. “Everyone has to make their quotas. Everything needs to be jotted down. Everything needs to be noted,” he says. The researcher adds that he has seen similar levels of record keeping with North Korea’s sophisticated hacking groups, which have stolen billions in cryptocurrency in recent years, and are largely separate to IT worker schemes. Barnhart has viewed the data obtained by SttyK and says it overlaps with what he and other researchers were tracking.

“I do think this data is very real,” says Evan Gordenker, a consulting senior manager at the Unit 42 threat intelligence team of cybersecurity company Palo Alto Networks, who has also seen the data SttyK obtained. Gordenker says the firm had been tracking multiple accounts in the data and that one of the prominent GitHub accounts was previously exposing the IT workers’ files publicly. None of the DPRK-linked email addresses responded to WIRED’s requests for comment.

GitHub removed three developer accounts after WIRED got in touch, with Raj Laud, the company’s head of cybersecurity and online safety, saying they have been suspended in line with its “spam and inauthentic activity” rules. “The prevalence of such nation-state threat activity is an industry-wide challenge and a complex issue that we take seriously,” Laud says.

Google declined to comment on specific accounts WIRED provided, citing policies around account privacy and security. “We have processes and policies in place to detect these operations and report them to law enforcement,” says Mike Sinno, director of detection and response at Google. “These processes include taking action against fraudulent activity, proactively notifying targeted organizations, and working with public and private partnerships to share threat intelligence that strengthens defenses against these campaigns.”

“We have strict policies in place that prohibit the use of Slack by sanctioned individuals or entities, and we take swift action when we identify activity that violates these rules,” says Allen Tsai, senior director of corporate communications at Slack’s parent company Salesforce. “We cooperate with law enforcement and relevant authorities as required by law and do not comment on specific accounts or ongoing investigations.”

Another spreadsheet also lists members as being part of a “unit” called “KUT,” a potential abbreviation of North Korea’s Kim Chaek University of Technology, which has been cited in US government warnings about DPRK-linked IT workers. One column in the spreadsheet also lists “ownership” as “Ryonbong,” likely referring to defense company Korea Ryonbong General Corporation, which has been sanctioned by the US since 2005 and UN since 2009. “The vast majority of them \[IT workers\] are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors,” the US Treasury Department said in a May 2022 report.

Across the myriad of IT worker-linked GitHub and LinkedIn accounts, CVs, and portfolio websites that researchers have identified in recent years, there are often distinct patterns. Email addresses and accounts use the same names; CVs can look identical. “Reusing resume content is also something that we’ve seen frequently across their profiles,” says Benjamin Racenberg, a senior researcher who has tracked North Korean IT worker personas at cybersecurity firm Nisos. Racenberg says the scammers are increasingly adopting AI for image manipulation, video calls, and as part of scripts they use. “For portfolio websites, we’ve seen them use templates and use the same template over and over again,” Racenberg says.

That all points to some day-to-day drudgery for the IT workers tasked with running the criminal schemes for the Kim regime. “It’s a lot of copy and paste,” Unit 42’s Gordenker says. One suspected IT worker Gordenker has tracked was spotted using 119 identities. “He Googles Japanese name generators—spelled wrong of course—and then over the course of about four hours, just fills out spreadsheets just full of names and potential places \[to target\].”

The detailed documentation also serves another purpose, though: tracking the IT workers and their actions. “There’s a lot of moving parts once the money gets into the actual hands of leadership, so they're going to need accurate numbers,” DTEX’s Barnhart says. Employee monitoring software has been seen on the scammers’ machines in some instances and researchers claim North Koreans in job interviews won’t answer questions about Kim.

SttyK says they saw dozens of screen recordings in Slack channels showing the workers daily activity. In screenshots of a Slack instance, the “Boss” account sends a message: “@channel: Everyone should try to work more than at least 14 hrs a day.” The next message they sent says: “This time track includes idling time, as you know.”

“Interestingly, their communication has been all English, not Korean,” SttyK says. The researcher, along with others, speculates this may be for a couple of reasons: first, to blend into legitimate activity; and secondly, to help improve their English skills for applications and interviews. Google account data, SttyK says, shows they were frequently using online translation to process messages.

Beyond a glimpse at the ways in which the IT workers track their performance, the data SttyK obtained gives some limited clues about the day-to-day lives of the individual scammers themselves. One spreadsheet lists a volleyball tournament the IT workers apparently had planned; in Slack channels, they celebrated birthdays and shared inspirational memes from a popular Instagram account. In some screen recordings, SttyK says, they can be seen playing _Counter-Strike_. “I felt there was a strong unity among the members,” SttyK says.

Leak Reveals the Workaday Lives of North Korean IT Scammers

A string of US armory break-ins, kept quiet by authorities for months, points to a growing security crisis—and signs of an inside job.

A string of previously undisclosed break-ins at Tennessee National Guard armories last fall marks the latest in a growing series of security breaches at military facilities across the United States, raising fresh concerns about the vulnerability of US armories to theft and intrusion.

A confidential memo from the Tennessee Fusion Center reviewed by WIRED details four break-ins at Tennessee National Guard armories over a seven-week span. In one incident, thieves made off with night vision goggles, laser target locators, and thermal weapons sights, among other equipment. At others, intruders breached fences, tripped alarms, and gained access to supply rooms discovered in the aftermath to have been unlocked.

At least some of the break-ins seem to point to potential insider help. In Covington, Tennessee, for example, evidence suggests intruders may have known in advance the location of a secure key control box. At other sites, attempts were made to bypass alarms and entry points.

The memo, which was intended solely for law enforcement use, does not indicate that any weapons were stolen; however, a government anti-terrorism coordinator is quoted as saying: “These events are concerning not only due to the stolen items being sensitive in nature but also because of the indicators for some insider knowledge being needed for successful breach and theft.”

The document, first obtained by the nonprofit watchdog group Property of the People, was shared exclusively with WIRED.

The break-ins remain under active investigation and have drawn the attention of the Pentagon’s Office of the Provost Marshal General—the US Army’s leading law enforcement authority. A senior police source informed WIRED on Tuesday that the Federal Bureau of Investigation is leading the investigation. The FBI declined to confirm.

“FBI policy prohibits confirming or denying an investigation unless in rare circumstances when publicity would help the investigation, such as in seeking a missing child or trying to identify a bank robber,” Elizabeth Clement-Webb, an FBI public affairs officer, says. “The matter you’re inquiring about does not meet that exception, so it would not be appropriate to comment.”

The Pentagon referred questions to the National Guard. The Guard did not respond to a request for comment.

Initially regarded as isolated incidents, the memo cites years’ worth of FBI and Defense Department reporting on what agents call “domestic violent extremists,” or DVEs, discussing plans to raid armories for weapons and gear, leading analysts to suspect organized activity. Domestic intelligence has consistently flagged violent militia members and racially motivated extremists eyeing armories as soft targets.

“Although DVEs previously have stolen some lower-level military gear, the FBI has not identified any instances in which a DVE successfully raided an armory to steal heavy military equipment,” the memo reads. “To circumvent such a raid, FBI and DoD are enhancing liaison with local armories and military facilities to address gaps in reporting about current plots to exploit armory vulnerabilities and increase opportunities to detect and prevent DVE theft of military equipment.”

Between 2020 and 2024, the memo says, at least four FBI subjects discussed raiding military facilities for heavy weapons, including .50-caliber firearms and machine guns. Three had confirmed military backgrounds. One—a former Guard member—identified specific armories that he had served in, while describing how best to exploit their security. It’s unclear whether any charges were brought.

Extremist chatter cited by the document echos these ambitions. In early 2024, a militia-linked Telegram user proposed assessing armory vulnerabilities with help from sympathetic firefighters and sought military or law enforcement recruits for inside information. In another case, an active-duty tank commander claimed he could sway an armorer to hand over weapons, while a former Air Force contractor talked about raiding a Guard facility to seize mortars and secure land.

Together, these incidents point to a persistent and ideologically varied interest in exploiting armory weaknesses. The Tennessee break-ins, meanwhile, preceded several other armory breaches around the country, underscoring a broader trend in security threats.

"Especially when coupled with more recent events, the document makes clear that violent neo-Nazis and far-right militia groups continue to pose a serious and ongoing threat—and that state governments are failing in their duty to secure dangerous military hardware,” says Ryan Shapiro, executive director of Property of the People.

This year alone, thieves stole three Humvees and other military gear from an Army Reserve center in Tustin, California; raided storage containers at a Colorado National Guard facility; and allegedly attempted to steal body armor and communications gear from a US Army Ranger site in Washington. In the latter case, law enforcement claim the suspects used their status as veterans to gain entry to the base, highlighting ongoing concerns about insider access.

Similarly, a break-in at a Massachusetts Army Reserve center in 2015—during which numerous rifles and pistols were stolen—was carried out by a former service member, later sentenced to 11 years in prison. Their familiarity with the facility’s security systems and physical layout reportedly enabled the robbery.

For decades, US military stockpiles have been prime targets for high-stakes theft. In the 1970s, arms traffickers raided facilities in California, escaping with caches of powerful weapons. A 1976 heist at a Massachusetts armory turned up a shoulder-fired missile launcher. And in 1995, a former soldier commandeered a tank in San Diego, leading police of a destructive, city-wide chase.

Despite repeated policy changes and years of heightened scrutiny, the nation's thousands of armories remain vulnerable to both external intruders and those with insider access. Modern security improvements have done little to deter interest in breaching them. In Tennessee alone, the fusion center memo notes that state officials have received at least 25 suspicious activity reports over the past decade, detailing attempted surveillance and theft.

Luke Baumgartner, a former Army officer and extremism researcher at George Washington University, says the Tennessee armory break-ins do appear to bear the hallmarks of an inside job—assuming suspicions about the intruders knowing the locations of secure keys are accurate.

“It’s not an uncommon occurrence,” he says, pointing to the recent thefts at Washington’s Joint Base Lewis-McChord. In June, the FBI arrested two former service members for their alleged involvement in the thefts and the hammer assault of a soldier on base. The FBI recovered a stockpile of weapons found in the suspects’ home, amid an assortment of Nazi iconography and white supremacist literature.

Extremist ties to the military can run in both directions, Baumgartner explains: Some groups actively recruit veterans, contractors, and even active-duty troops to exploit their skills and access. Others will join the military explicitly to gain tactical training, weapons experience, and insider knowledge they can later pass on.

Weapons, meanwhile, aren’t the only concern. “There’s sensitive equipment in there,” he says. “There’s secure radios. There’s equipment that contains classified information. You have to have a certain level of clearance to access some of that.”

Such heists could also carry symbolic weight for anti-government extremists, Baumgartner says, by casting the federal government as weaker than it appears. “To the casual observer, what it signals is that even institutions we think of as being shielded from this sort of action are not actually immune.”

Mysterious Crime Spree Targeted National Guard Equipment Stashes

Researchers found that an encryption algorithm likely used by law enforcement and special forces can have weaknesses that could allow an attacker to listen in.

Two years ago, researchers in the Netherlands discovered an intentional backdoor in an encryption algorithm baked into radios used by critical infrastructure–as well as police, intelligence agencies, and military forces around the world–that made any communication secured with the algorithm vulnerable to eavesdropping.

When the researchers publicly disclosed the issue in 2023, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, advised anyone using it for sensitive communication to deploy an end-to-end encryption solution on top of the flawed algorithm to bolster the security of their communications.

But now the same researchers have found that at least one implementation of the end-to-end encryption solution endorsed by ETSI has a similar issue that makes it equally vulnerable to eavesdropping. The encryption algorithm used for the device they examined starts with a 128-bit key, but this gets compressed to 56 bits before it encrypts traffic, making it easier to crack. It’s not clear who is using this implementation of the end-to-end encryption algorithm, nor if anyone using devices with the end-to-end encryption is aware of the security vulnerability in them.

The end-to-end encryption the researchers examined, which is expensive to deploy, is most commonly used in radios for law enforcement agencies, special forces, and covert military and intelligence teams that are involved in national security work and therefore need an extra layer of security. But ETSI’s endorsement of the algorithm two years ago to mitigate flaws found in its lower-level encryption algorithm suggests it may be used more widely now than at the time.

In 2023, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of security firm Midnight Blue, based in the Netherlands, discovered vulnerabilities in encryption algorithms that are part of a European radio standard created by ETSI called TETRA (Terrestrial Trunked Radio), which has been baked into radio systems made by Motorola, Damm, Sepura, and others since the ’90s. The flaws remained unknown publicly until their disclosure, because ETSI refused for decades to let anyone examine the proprietary algorithms. The end-to-end encryption the researchers examined recently is designed to run on top of TETRA encryption algorithms.

The researchers found the issue with the end-to-end encryption (E2EE) only after extracting and reverse-engineering the E2EE algorithm used in a radio made by Sepura. The researchers plan to present their findings today at the BlackHat security conference in Las Vegas.

ETSI, when contacted about the issue, noted that the end-to-end encryption used with TETRA-based radios is not part of the ETSI standard, nor was it created by the organization. Instead it was produced by The Critical Communications Association’s (TCCA) security and fraud prevention group (SFPG). But ETSI and TCCA work closely with one another, and the two organizations include many of the same people. Brian Murgatroyd, former chair of the technical body at ETSI responsible for the TETRA standard as well as the TCCA group that developed the E2EE solution, wrote in an email on behalf of ETSI and the TCCA that end-to-end encryption was not included in the ETSI standard “because at the time it was considered that E2EE would only be used by government groups where national security concerns were involved, and these groups often have special security needs.

For this reason, Murgatroyd noted that purchasers of TETRA-based radios are free to deploy other solutions for end-to-end encryption on their radios, but he acknowledges that the one produced by the TCCA and endorsed by ETSI “is widely used as far as we can tell.”

Although TETRA-based radio devices are not used by police and military in the US, the majority of police forces around the world do use them. These include police forces in Belgium and Scandinavian countries, as well as East European countries like Serbia, Moldova, Bulgaria, and Macedonia, and in the Middle East in Iran, Iraq, Lebanon, and Syria. The Ministries of Defense in Bulgaria, Kazakhstan, and Syria also use them, as do the Polish military counterintelligence agency, the Finnish defense forces, and Lebanon and Saudi Arabia’s intelligence services. It’s not clear, however, how many of these also deploy end-to-end decryption with their radios.

The TETRA standard includes four encryption algorithms—TEA1, TEA2, TEA3 and TEA4—that can be used by radio manufacturers in different products, depending on the intended customer and usage. The algorithms have different levels of security based on whether the radios will be sold in or outside Europe. TEA2, for example, is restricted for use in radios used by police, emergency services, military, and intelligence agencies in Europe. TEA3 is available for police and emergency services radios used outside Europe but only in countries deemed “friendly” to the EU. Only TEA1 is available for radios used by public safety agencies, police agencies, and militaries in countries deemed not friendly to Europe, such as Iran. But it’s also used in critical infrastructure in the US and other countries for machine-to-machine communication in industrial control settings such as pipelines, railways, and electric grids.

All four TETRA encryption algorithms use 80-bit keys to secure communication. But the Dutch researchers revealed in 2023 that TEA1 has a feature that causes its key to get reduced to just 32 bits, which allowed the researchers to crack it in less than a minute.

In the case of the E2EE, the researchers found that the implementation they examined starts with a key that is more secure than ones used in the TETRA algorithms, but it gets reduced to 56 bits, which would potentially let someone decrypt voice and data communications. They also found a second vulnerability that would let someone send fraudulent messages or replay legitimate ones to spread misinformation or confusion to personnel using the radios.

The ability to inject voice traffic and replay messages affects all users of the TCCA end-to-end encryption scheme, according to the researchers. They say this is the result of flaws in the TCCA E2EE protocol design rather than a particular implementation. They also say that “law enforcement end users” have confirmed to them that this flaw is in radios produced by vendors other than Sepura.

But the researchers say only a subset of end-to-end encryption users are likely affected by the reduced-key vulnerability because it depends how the encryption was implemented in radios sold to various countries.

ETSI’s Murgatroyd said in 2023 that the TEA1 key was reduced to meet export controls for encryption sold to customers outside Europe. He said when the algorithm was created, a key with 32 bits of entropy was considered secure for most uses. Advances in computing power make it less secure now, so when the Dutch researchers exposed the reduced key two years ago, ETSI recommended that customers using TEA1 deploy TCCA's end-to-end encryption solution on top of it.

But Murgatroyd said the end-to-end encryption algorithm designed by TCCA is different. It doesn’t specify the key length the radios should use because governments using the end-to-end encryption have their own “specific and often proprietary security rules” for the devices they use. Therefore they are able to customize the TCCA encryption algorithm in their devices by working with their radio supplier to select the “encryption algorithm, key management and so on” that is right for them—but only to a degree.

“The choice of encryption algorithm and key is made between supplier and customer organisation, and ETSI has no input to this selection—nor knowledge of which algorithms and key lengths are in use in any system,” he said. But he added that radio manufacturers and customers “will always have to abide by export control regulations.”

The researchers say they cannot verify that the TCCA E2EE doesn’t specify a key length because the TCCA documentation describing the solution is protected by nondisclosure agreement and provided only to radio vendors. But they note that the E2EE system calls out an “algorithm identifier" number, which means it calls out the specific algorithm it’s using for the end-to-end encryption. These identifiers are not vendor specific, the researchers say, which suggests the identifiers refer to different key variants produced by TCCA—meaning TCCA provides specifications for algorithms that use a 126 bit key or 56 bit key, and radio vendors can configure their devices to use either of these variants, depending on the export controls in place for the purchasing country.

Whether users know their radios could have this vulnerability is unclear. The researchers found a confidential 2006 Sepura product bulletin that someone leaked online, which mentions that “the length of the traffic key … is subject to export control regulations and hence the \[encryption system in the device\] will be factory configured to support 128, 64, or 56 bit key lengths.” But it’s not clear what Sepura customers receive or if other manufacturers whose radios use a reduced key disclose to customers if their radios use a reduced-key algorithm.

“Some manufacturers have this in brochures; others only mention this in internal communications, and others don’t mention it at all,” says Wetzels. He says they did extensive open-source research to examine vendor documentation and “ found no clear sign of weakening being communicated to end users. So while … there are ‘some’ mentions of the algorithm being weakened, it is not fully transparent at all.”

Sepura did not respond to an inquiry from WIRED.

But Murgatroyd says that because government customers who have opted to use TCCA’s E2EE solution need to know the security of their devices, they are likely to be aware if their systems are using a reduced key.

“As end-to-end encryption is primarily used for government communications, we would expect that the relevant government National Security agencies are fully aware of the capabilities of their end-to-end encryption systems and can advise their users appropriately,” Murgatroyd wrote in his email.

Wetzels is skeptical of this, however. “We consider it highly unlikely non-Western governments are willing to spend literally millions of dollars if they know they're only getting 56 bits of security,” he says.

Encryption Made for Police and Military Radios May Be Easily Cracked

Security researchers found a weakness in OpenAI’s Connectors, which let you hook up ChatGPT to other services, that allowed them to extract data from a Google Drive without any user interaction.

The latest generative AI models are not just stand-alone text-generating chatbots—instead, they can easily be hooked up to your data to give personalized answers to your questions. OpenAI’s ChatGPT can be linked to your Gmail inbox, allowed to inspect your GitHub code, or find appointments in your Microsoft calendar. But these connections have the potential to be abused—and researchers have shown it can take just a single “poisoned” document to do so.

New findings from security researchers Michael Bargury and Tamir Ishay Sharbat, revealed at the Black Hat hacker conference in Las Vegas today, show how a weakness in OpenAI’s Connectors allowed sensitive information to be extracted from a Google Drive account using an indirect prompt injection attack. In a demonstration of the attack, dubbed AgentFlayer, Bargury shows how it was possible to extract developer secrets, in the form of API keys, that were stored in a demonstration Drive account.

The vulnerability highlights how connecting AI models to external systems and sharing more data across them increases the potential attack surface for malicious hackers and potentially multiplies the ways where vulnerabilities may be introduced.

“There is nothing the user needs to do to be compromised, and there is nothing the user needs to do for the data to go out,” Bargury, the CTO at security firm Zenity, tells WIRED. “We’ve shown this is completely zero-click; we just need your email, we share the document with you, and that’s it. So yes, this is very, very bad,” Bargury says.

OpenAI did not immediately respond to WIRED’s request for comment about the vulnerability in Connectors. The company introduced Connectors for ChatGPT as a beta feature earlier this year, and its website lists at least 17 different services that can be linked up with its accounts. It says the system allows you to “bring your tools and data into ChatGPT” and “search files, pull live data, and reference content right in the chat.”

Bargury says he reported the findings to OpenAI earlier this year and that the company quickly introduced mitigations to prevent the technique he used to extract data via Connectors. The way the attack works means only a limited amount of data could be extracted at once—full documents could not be removed as part of the attack.

“While this issue isn’t specific to Google, it illustrates why developing robust protections against prompt injection attacks is important,” says Andy Wen, senior director of security product management at Google Workspace, pointing to the company’s recently enhanced AI security measures.

Bargury’s attack starts with a poisoned document, which is shared to a potential victim’s Google Drive. (Bargury says a victim could have also uploaded a compromised file to their own account.) Inside the document, which for the demonstration is a fictitious set of notes from a nonexistent meeting with OpenAI CEO Sam Altman, Bargury hid a 300-word malicious prompt that contains instructions for ChatGPT. The prompt is written in white text in a size-one font, something that a human is unlikely to see but a machine will still read.

In a proof of concept video of the attack, Bargury shows the victim asking ChatGPT to “summarize my last meeting with Sam,” although he says any user query related to a meeting summary will do. Instead, the hidden prompt tells the LLM that there was a “mistake” and the document doesn’t actually need to be summarized. The prompt says the person is actually a “developer racing against a deadline” and they need the AI to search Google Drive for API keys and attach them to the end of a URL that is provided in the prompt.

That URL is actually a command in the Markdown language to connect to an external server and pull in the image that is stored there. But as per the prompt’s instructions, the URL now also contains the API keys the AI has found in the Google Drive account.

Using Markdown to extract data from ChatGPT is not new. Independent security researcher Johann Rehberger has shown how data could be extracted this way, and described how OpenAI previously introduced a feature called “url\_safe” to detect if URLs were malicious and stop image rendering if they are dangerous. To get around this, Sharbat, an AI researcher at Zenity, writes in a blog post detailing the work, that the researchers used URLs from Microsoft’s Azure Blob cloud storage. “Our image has been successfully rendered, and we also get a very nice request log in our Azure Log Analytics which contains the victim’s API keys,” the researcher writes.

The attack is the latest demonstration of how indirect prompt injections can impact generative AI systems. Indirect prompt injections involve attackers feeding an LLM poisoned data that can tell the system to complete malicious actions. This week, a group of researchers showed how indirect prompt injections could be used to hijack a smart home system, activating a smart home’s lights and boiler remotely.

While indirect prompt injections have been around almost as long as ChatGPT has, security researchers worry that as more and more systems are connected to LLMs, there is an increased risk of attackers inserting “untrusted” data into them. Getting access to sensitive data could also allow malicious hackers a way into an organization's other systems. Bargury says that hooking up LLMs to external data sources means they will be more capable and increase their utility, but that comes with challenges. “It’s incredibly powerful, but as usual with AI, more power comes with more risk,” Bargury says.

Source

Wired