The US Congress is trying to tame the rapid rise of artificial intelligence. But senators’ failure to tackle privacy reform is making the task a nightmare.

The recent burst of generative artificial intelligence is forcing the US Senate into a debate lawmakers have put off for years: privacy reform.

While Americans’ personal data is a commodity sold, traded, mined, and even “recycled,” passing from second party to third party to digital banana stand, some senators believe your personal data is siloed off from the earth-altering AI work those companies, like OpenAI and Google, are testing, tweaking, and deploying daily.

“They want to predict the future for purposes of marketing and selling products, and that’s already there,” says Florida Republican Marco Rubio, the vice-chair of the Senate Intelligence Committee, dismissing the need for an overhaul of federal privacy laws.

Rubio is far from an outlier. Ted Cruz of Texas, the top Republican on the Senate Commerce Committee, agrees. “I think if the Democrats push through restrictions on innovation and AI, it would be disastrous for America,” Cruz says. If the United States doesn’t lead, goes the GOP’s stock argument, an adversarial nation (read: China) will.

Still, there’s fear about AI’s potential to dramatically alter the world, which has kept senators mostly united over the need to do _something_. But with lawmakers beginning to write AI-related legislation, old and unresolved privacy debates are proving a major impediment—and there’s little room for error on the tightrope of bipartisanship in today’s Washington.

In our rapidly evolving world, Congress must debate the past, even as AI is statistically generating our future.

Lesson Not Learned

Before Congress left Washington for a month-long August recess, senators held their third and final all-senators AI briefing. Although not all 100 senators attended, the bipartisan, closed-door AI briefings were intended to provide a baseline framework for understanding artificial intelligence. If nothing else, the briefings surely got senators talking about AI. Almost instantly, the AI chatter resurrected data privacy debates that had died in each recent congressional session.

Rubio’s gut reaction is that he’s fine with American tech companies running unregulated through the frontiers of AI as they create even newer frontiers. Commerce, he says, is commerce. “They’ll take the data to try to predict what you’re going to buy tomorrow or where you want to travel to tomorrow or what you want to look at. It already does,” Rubio says. “We still have laws that govern things like privacy and property rights and all kinds of \[areas\]. Certainly, those things would still be prohibited whether it’s a human or a machine that’s violating it.”

Senators like Rubio and Cruz appear to forget what happened the last time Congress decided to just let the tech industry run wild. Google swallowed our ability to find information while collecting every bit of personal data it could. Facebook and Twitter created dossiers on everyone who touched them before dictating who and what can be said on social media. And Amazon consumed nearly 40 percent of the retail world (along with our data) while expanding into cloud storage, entertainment, satellite internet, and a bazillion other markets.

In short, the tentacles of US tech firms are everywhere—vaccines, food, cancer research, psilocybin centers, criminal justice reform, homelessness—the list could reach the moon. (Speaking of the moon, how could we forget commercial spaceflight?) And the AI boom is likely to further expand tech firms’ power and riches. Yet on Capitol Hill, some powerful Republicans are focused on one goal: ensuring American AI dominance.

On this front, Rubio generally sees any new regulation as a needless-to-harmful constraint on US technology giants and their AI experiments. One near-universal takeaway from the briefings is that America can’t afford to be number two.

“You’re dealing with a technology that knows no national borders, so even if we write laws that say a company can’t do that in America, it doesn’t mean some company in some other part of the world or some government in other parts of the world won’t innovate that, and use it, and deploy it against the US,” Rubio says.

Senator Mike Rounds, a South Dakota Republican and one of four senators who spearheaded the all-senators briefings, echoes this sentiment. “AI is gonna advance regardless of whether it happens here in the United States or elsewhere. We have to be advancing faster than our adversaries,” he says. “We have to advance it, but we also want to put in appropriate safeguards.”

Specifics remain impossible to pin down in most corners of the Capitol. Lawmakers are still taking in the potential of new language learning models, like ChatGPT and Google’s Bard, even as AI laps us all. Rounds maintains an openness to nebulous new parameters, on the one hand, but in a critical, fatherly way, he also faults Americans for signing over our data privacy.

“Here’s the deal, we voluntarily give it away,” Rounds says. “People don’t seem to realize that when they sign these agreements, they’re giving up a lot of their personal information.”

Recklessly handing over our data might be fine if it’s American tech companies that are grabbing it. But Rounds, like most lawmakers, decries the idea of giving our private data to Chinese-owned TikTok. It’s the one privacy matter everyone can agree on—excluding, perhaps, the 150 million US-based users the company claims to have.

“There doesn’t seem to be a whole lot of concern about it by a significant amount of the American public, which is unfortunate because that’s helping to create the databases that eventually may be used against us,” Rounds says.

While Senate Majority Leader Chuck Schumer and the others tried to steer the conversation around artificial intelligence clear of politics, AI now seems lodged in the age-old partisan debate that pits laissez-faire capitalism against Big Brother, which New Mexico Democrat Martin Heinrich says is regrettably shortsighted.

“We failed to regulate the internet when it was regulatable, and Republicans and Democrats today—for the most part—are going, ‘Holy cow, we subjected our entire teenage population to this experiment, and it’s not serving us well.’ So I just don't think it’s helpful to get hardened,” Heinrich says.

It’s not just Democrats who are voicing concern. There are some outspoken privacy hawks in the GOP, chief among them Senator Josh Hawley, a Missouri Republican. When asked about Cruz and Rubio’s positions—that encroaching on the Silicon Valley data mining model could imperil America’s AI future—Hawley laughs.

“Ha. I don’t know that we’re gonna be able to hermetically seal it like that,” Hawleys says, before laughing uproariously. “This idea that we can just trust Google and Meta to be good actors, you know—not gonna happen.”

While his colleagues are almost solely focused on America’s adversaries, Hawley—who may be China’s biggest critic in the Senate—is unsettled by the thought of American tech companies plugging your private data into their AI language learning models right now.

“We need to just ban that. That’s the way to do it. Yeah, we just say no—in federal law,” Hawley says. “They wouldn’t let you sue if they didn’t. That’s the way to fix that, in my view.”

That’s Hawley’s number one priority. He’s the top Republican on the Senate Judiciary Subcommittee on Privacy, Technology, and the Law and teamed up with its chair, Senator Richard Blumenthal of Connecticut, in introducing the No Section 230 Immunity for AI Act.

The bipartisan pair say the legislation is essential because it explicitly tacks an AI clause onto Section 230 of the 1996 Communications Decency Act, which shields online companies from liability for anything their users post on their platforms. While both senators have spent years trying to overhaul Section 230, they say there’s no time to waste in updating it to protect consumers from generative AI-powered deepfakes.

Point of No Return

This summer’s AI briefings also instilled the need for speed, and senators are finally moving—if at senatorially turtle-like speeds.

Before lawmakers left town for the summer, they passed their first generative AI amendments, tacking them onto the annual, must-pass National Defense Authorization Act (NDAA). One such measure requires the Department of Defense to set up a “bug bounty program” so Pentagon officials can test American-made AI for security flaws.

Senators, led by Schumer, also tucked a nondefense AI amendment into their version of the defense bill, which still must be reconciled with the House version. It mandates that any AI “gap in knowledge” from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, National Credit Union Administration, or Bureau of Consumer Financial Protection must be reported to Congress.

Many Democrats agree with the GOP on the need to lead the AI race, though the details are devilish. On the left, the prescription is one of those much-decried government ones.

“We cannot put ourselves at a disadvantage compared to China or other adversaries or competitors. But just like in atomic energy, there needs to be some kind of international structure,” Blumenthal says.

He says that means international agreements, multilateral trust, and “one central agency or office that is responsible for AI and can conduct negotiations with other countries.”

Behind closed doors, senators were warned about an AI fiscal cliff on the horizon, and many seem acutely on edge over how easy replicating AI is now and will be tomorrow. “One of the things that was discussed—I don’t think it’s classified in any way—is, like in almost all technology, the price is going to come down dramatically,” says Senator John Hickenlooper, a Colorado Democrat. “Look at how many billionaires we have, they can create their own large language models.”

Senators are now engaged in many side debates, with a few focused on the technology’s impact on democracy.

“Frankly, I personally haven’t quite figured out what we ought to do,” says Senator Mazie Hirono, a Hawaii Democrat. “But you can see the damage that can be done in the political arena, and I think that there should be some disclosure requirements in the political arena.”

Others are looking at potential disclosure requirements, especially when it comes to AI making decisions on loans, insurance applications, and other consequential matters.

“If a decision is made about you based on AI making the decision, whether it’s an insurance company or your own government, you have a right to be able to know what’s the data set that’s behind that, whether it’s a valid data set,” says Senator James Lankford, an Oklahoma Republican. “And so that’s a bigger challenge.”

Some newer, younger senators left the private AI briefings more unsettled than when they entered. “The lack of specific detail in some of these briefings makes me a little bit worried about what both the Senate and maybe the Department of Defense know about where we are on AI relative to other countries,” says Republican JD Vance, the freshman senator from Ohio. “It’s not clear if they’re so substance-less because they think that you’re stupid or because they’re hiding something.”

While the Senate is now demanding an AI health checkup from an array of federal agencies, lawmakers are also getting in the weeds on their specific committees and hashing out targeted AI proposals.

There’s broad agreement that there’s no going back. “One thing I’m certain of is I know of no technological advance in human history that we’ve been able to roll back. It’s going to happen,” Rubio says. “The question is, how do we build guardrails and practices around it so that we can maximize its benefits and diminish its harms?”

The Senate, meanwhile, can’t go forward without first taking steps back—to the debate Congress never had. For Senators Hawley and Blumenthal, AI safeguards start with overhauling Section 230. “You’ve got to put that there, and then you can build around that,” Hawley says. “If people don’t have the right, you can tell them, ‘don’t use your data stores for generative AI,’ but then if they do it anyway, it’s like what, the FTC fines them $1 million? No, you have to let people sue and do class actions. Then they pay attention.”

The Senate’s AI Future Is Haunted by the Ghost of Privacy Past

Flaws in the Points.com platform, which is used to manage dozens of major travel rewards programs, exposed user data—and could have let an attacker snag some extra perks.

Travel rewards programs like those offered by airlines and hotels tout the specific perks of joining their club over others. Under the hood, though, the digital infrastructure for many of these programs—including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy—is built on the same platform. The backend comes from the loyalty commerce company Points and its suite of services, including an expansive application programming interface (API). 

But new findings, published today by a group of security researchers, show that vulnerabilities in the Points.com API could have been exploited to expose customer data, steal customers' “loyalty currency” (like miles), or even compromise Points global administration accounts to gain control of entire loyalty programs.

The researchers—Ian Carroll, Shubham Shah, and Sam Curry—reported a series of vulnerabilities to Points between March and May, and all the bugs have since been fixed.

“The surprise for me was related to the fact that there is a central entity for loyalty and points systems, which almost every big brand in the world uses,” Shah says. “From this point, it was clear to me that finding flaws in this system would have a cascading effect to every company utilizing their loyalty backend. I believe that once other hackers realized that targeting Points meant that they could potentially have unlimited points on loyalty systems, they would have also been successful in targeting Points.com eventually.”

One bug involved a manipulation that allowed the researchers to traverse from one part of the Points API infrastructure to another internal portion and then query it for reward program customer orders. The system included 22 million order records, which contain data like customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. Points.com had limits in place on how many responses the system could return at a time, meaning an attacker couldn't simply dump the whole data trove at once. But the researchers note that it would have been possible to look up specific individuals of interest or slowly siphon data from the system over time.

Another bug the researchers found was an API configuration issue that could have allowed an attacker to generate an account authorization token for any user with just their last name and rewards number. These two pieces of data could potentially be found through past breaches or could be taken by exploiting the first vulnerability. With this token, attackers could take over customer accounts and transfer miles or other rewards points to themselves, draining the victim's accounts.

The researchers found two vulnerabilities similar to the other pair of bugs, one of which only impacted Virgin Red while the other affected just United MileagePlus. Points.com fixed both of these vulnerabilities as well.

Most significantly, the researchers found a vulnerability in the Points.com global administration website in which an encrypted cookie assigned to each user had been encrypted with an easily guessable secret—the word “secret” itself. By guessing this, the researchers could decrypt their cookie, reassign themselves global administrator privileges for the site, reencrypt the cookie, and essentially assume god-mode-like capabilities to access any Points reward system and even grant accounts unlimited miles or other benefits.

Free Airline Miles, Hotel Points, and User Data Put at Risk by Flaws in Points Platform

Generative AI won't just flood the internet with more lies—it may also create convincing disinformation that's targeted at groups or even individuals.

It’s now well understood that generative AI will increase the spread of disinformation on the internet. From deepfakes to fake news articles to bots, AI will generate not only more disinformation, but more convincing disinformation. But what people are only starting to understand is how disinformation will become more targeted and better able to engage with people and sway their opinions.

When Russia tried to influence the 2016 US presidential election via the now disbanded Internet Research Agency, the operation was run by humans who often had little cultural fluency or even fluency in the English language and so were not always able to relate to the groups they were targeting. With generative AI tools, those waging disinformation campaigns will be able to finely tune their approach by profiling individuals and groups. These operatives can produce content that seems legitimate and relatable to the people on the other end and even target individuals with personalized disinformation based on data they’ve collected. Generative AI will also make it much easier to produce disinformation and will thus increase the amount of disinformation that’s freely flowing on the internet, experts say.

“Generate AI lowers the financial barrier for creating content that’s tailored to certain audiences,” says Kate Starbird, an associate professor in the Department of Human Centered Design & Engineering at the University of Washington. “You can tailor it to audiences and make sure the narrative hits on the values and beliefs of those audiences, as well as the strategic part of the narrative.”

Rather than producing just a handful of articles a day,  Starbird adds, “You can actually write one article and tailor it to 12 different audiences. It takes five minutes for each one of them.”

Considering how much content people post to social media and other platforms, it’s very easy to collect data to build a disinformation campaign. Once operatives are able to profile different groups of people throughout a country, they can teach the generative AI system they’re using to create content that manipulates those targets in highly sophisticated ways.

“You’re going to see that capacity to fine-tune. You’re going to see that precision increase. You’re going to see the relevancy increase,” says Renee Diresta, the technical research manager at Stanford Internet Observatory.

Hany Farid, a professor of computer science at the University of California, Berkeley, says this kind of customized disinformation is going to be “everywhere.” Though bad actors will probably target people by groups when waging a large-scale disinformation campaign, they could also use generative AI to target individuals.

“You could say something like, ‘Here’s a bunch of tweets from this user. Please write me something that will be engaging to them.’ That’ll get automated. I think that’s probably coming,” Farid says.

Purveyors of disinformation will try all sorts of tactics until they find what works best, Farid says, and much of what’s happening with these disinformation campaigns likely won’t be fully understood until after they’ve been in operation for some time. Plus, they only need to be somewhat effective to achieve their aims.

“If I want to launch a disinformation campaign, I can fail 99 percent of the time. You fail all the time, but it doesn’t matter,” Farid says. “Every once in a while, the QAnon gets through. Most of your campaigns can fail, but the ones that don’t can wreak havoc.”

Farid says we saw during the 2016 election cycle how the recommendation algorithms on platforms like Facebook radicalized people and helped spread disinformation and conspiracy theories. In the lead-up to the 2024 US election, Facebook’s algorithm—itself a form of AI—will likely be recommending some AI-generated posts instead of only pushing content created entirely by human actors. We’ve reached the point where AI will be used to create disinformation that another AI then recommends to you.

“We’ve been pretty well tricked by very low-quality content. We are entering a period where we’re going to get higher-quality disinformation and propaganda,” Starbird says. “It’s going to be much easier to produce content that’s tailored for specific audiences than it ever was before. I think we’re just going to have to be aware that that’s here now.”

What can be done about this problem? Unfortunately, only so much. Diresta says people need to be made aware of these potential threats and be more careful about what content they engage with. She says you’ll want to check whether your source is a website or social media profile that was created very recently, for example. Farid says AI companies also need to be pressured to implement safeguards so there’s less disinformation being created overall.

The Biden administration recently struck a deal with some of the largest AI companies—ChatGPT maker OpenAI, Google, Amazon, Microsoft, and Meta—that encourages them to create specific guardrails for their AI tools, including external testing of AI tools and watermarking of content created by AI. These AI companies have also created a group focused on developing safety standards for AI tools, and Congress is debating how to regulate AI.

Despite such efforts, AI is accelerating faster than it’s being reined in, and Silicon Valley often fails to keep promises to only release safe, tested products. And even if some companies behave responsibly, that doesn’t mean all of the players in this space will act accordingly.

“This is the classic story of the last 20 years: Unleash technology, invade everybody’s privacy, wreak havoc, become trillion-dollar-valuation companies, and then say, ‘Well, yeah, some bad stuff happened,’” Farid says. “We’re sort of repeating the same mistakes, but now it’s supercharged because we’re releasing this stuff on the back of mobile devices, social media, and a mess that already exists.”

How AI May Be Used to Create Custom Disinformation Ahead of 2024

Researchers found a simple way to make ChatGPT, Bard, and other chatbots misbehave, proving that AI is hard to tame.

“Making models more resistant to prompt injection and other adversarial ‘jailbreaking’ measures is an area of active research,” says Michael Sellitto, interim head of policy and societal impacts at Anthropic. “We are experimenting with ways to strengthen base model guardrails to make them more ‘harmless,’ while also investigating additional layers of defense.”

ChatGPT and its brethren are built atop large language models, enormously large neural network algorithms geared toward using language that has been fed vast amounts of human text, and which predict the characters that should follow a given input string.

These algorithms are very good at making such predictions, which makes them adept at generating output that seems to tap into real intelligence and knowledge. But these language models are also prone to fabricating information, repeating social biases, and producing strange responses as answers prove more difficult to predict.

Adversarial attacks exploit the way that machine learning picks up on patterns in data to produce aberrant behaviors. Imperceptible changes to images can, for instance, cause image classifiers to misidentify an object, or make speech recognition systems respond to inaudible messages.

Developing such an attack typically involves looking at how a model responds to a given input and then tweaking it until a problematic prompt is discovered. In one well-known experiment, from 2018, researchers added stickers to stop signs to bamboozle a computer vision system similar to the ones used in many vehicle safety systems. There are ways to protect machine learning algorithms from such attacks, by giving the models additional training, but these methods do not eliminate the possibility of further attacks.

Armando Solar-Lezama, a professor in MIT’s college of computing, says it makes sense that adversarial attacks exist in language models, given that they affect many other machine learning models. But he says it is “extremely surprising” that an attack developed on a generic open source model should work so well on several different proprietary systems.

Solar-Lezama says the issue may be that all large language models are trained on similar corpora of text data, much of it downloaded from the same websites. “I think a lot of it has to do with the fact that there's only so much data out there in the world,” he says. He adds that the main method used to fine-tune models to get them to behave, which involves having human testers provide feedback, may not, in fact, adjust their behavior that much.

Solar-Lezama adds that the CMU study highlights the importance of open source models to open study of AI systems and their weaknesses. In May, a powerful language model developed by Meta was leaked, and the model has since been put to many uses by outside researchers.

The outputs produced by the CMU researchers are fairly generic and do not seem harmful. But companies are rushing to use large models and chatbots in many ways. Matt Fredrikson, another associate professor at CMU involved with the study, says that a bot capable of taking actions on the web, like booking a flight or communicating with a contact, could perhaps be goaded into doing something harmful in the future with an adversarial attack.

To some AI researchers, the attack primarily points to the importance of accepting that language models and chatbots will be misused. “Keeping AI capabilities out of the hands of bad actors is a horse that's already fled the barn,” says Arvind Narayanan, a computer science professor at Princeton University.

Narayanan says he hopes that the CMU work will nudge those who work on AI safety to focus less on trying to “align” models themselves and more on trying to protect systems that are likely to come under attack, such as social networks that are likely to experience a rise in AI-generative disinformation.

Solar-Lezama of MIT says the work is also a reminder to those who are giddy with the potential of ChatGPT and similar AI programs. “Any decision that is important should not be made by a \[language\] model on its own,” he says. “In a way, it’s just common sense.”

A New Attack Impacts ChatGPT—and No One Knows How to Stop It

Plus: Mozilla fixes two high-severity bugs in Firefox, Citrix fixes a flaw that was used to attack a US-based critical infrastructure organization, and Oracle patches over 500 vulnerabilities.

CVE-2023-26083 is an issue in Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips, rated as having a moderate impact. The vulnerability was used to deliver spyware to Samsung devices in December 2022.

CVE-2021-29256 is a high-severity flaw that also impacts Bifrost and Midgard Arm Mali GPU kernel drivers.

The Android updates have already reached Google’s Pixel devices and some of Samsung’s Galaxy range. Given the severity of this month’s bugs, it’s a good idea to check whether the update is available and install it now.

Google Chrome 115

Google has issued the Chrome 115 update for its popular browser, fixing 20 security vulnerabilities, four of which are rated as having a high impact. CVE-2023-3727 and CVE-2023-3728 are use-after-free bugs in WebRTC. The third flaw rated as having a high severity is CVE-2023-3730, a use-after-free vulnerability in Tab Groups, while CVE-2023-3732 is an out-of-bounds memory access bug in Mojo.

Six of the flaws are listed as having a medium severity, and none of the vulnerabilities are known to have been used in real-life attacks. Even so, Chrome is a highly targeted platform, so check your system for updates.

Firefox 115

Hot on the heels of Chrome 115, rival browser Mozilla has released Firefox 115, fixing several flaws it rates as having high severity. Among these are two use-after-free bugs tracked as CVE-2023-37201 and CVE-2023-37202.

The privacy-conscious browser maker also fixed two memory safety bugs tracked as CVE-2023-37212 and CVE-2023-37211. The memory safety flaws are present in Firefox 114, Firefox ESR 102.12, and Thunderbird 102.12, Mozilla said in an advisory, adding: “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

Citrix

Enterprise software giant Citrix has issued an update warning after fixing multiple flaws in its NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) tools, one of which has already been used in attacks.

Tracked as CVE-2023-3519, the already exploited flaw is an unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway that’s so severe it’s been given a CVSS score of 9.8. “Exploits of CVE-2023-3519 on unmitigated appliances have been observed,” Citrix said. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The flaw was also the subject of an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), which warned that the bug was used in attacks on a critical infrastructure organization in June.

SAP

SAP, another enterprise software firm, has issued its July Security Patch Day, including 16 security fixes. The most severe flaw is CVE-2023-36922, an OS command injection vulnerability with a CVSS score of 9.1.

The bug allows an authenticated attacker to “inject an arbitrary operating system command into a vulnerable transaction and program,” security firm Onapsis said. “Patching is strongly recommended, since a successful exploit of this vulnerability has a high impact on confidentiality, integrity, and availability of the affected SAP system,” it warned.

Meanwhile, CVE-2023-33989 is a directory traversal vulnerability in SAP NetWeaver with a CVSS score of 8.7, and CVE-2023-33987 is a request smuggling and request concatenation vulnerability in SAP Web Dispatcher with a CVSS score of 8.6.

Oracle

Software company Oracle has released its July Critical Patch Update Advisory, fixing 508 vulnerabilities in its products. Among the fixes are 77 new security patches for Oracle Communications. Oracle warned that 57 of these vulnerabilities could be remotely exploited over a network without user credentials. One of the worst flaws is CVE-2023-20862, which has been given a CVSS score of 9.8.

Meanwhile, 147 of the Oracle patches were for Financial Services, and Fusion Middleware received 60 fixes.

Oracle said it continues to receive reports of attempts to exploit vulnerabilities it has already patched. In some cases, attackers were successful because targeted customers had failed to apply available Oracle patches, it said. “Oracle, therefore, strongly recommends that customers remain on actively supported versions and apply Critical Patch Update security patches without delay.”

Apple iOS, Google Android Patch Zero-Days in July Security Updates

Plus: Russia tightens social media censorship, new cyberattack reporting rules for US companies, and Google Street View returns to Germany.

Code used to encrypt sensitive radio communications around the world for years had major flaws that could be exploited by attackers, according to new research. Among the flaws: a secret backdoor.

A group of researchers from the Netherlands discovered multiple vulnerabilities in encryption algorithms used in the European radio standard TETRA, which is used in radio communications by police, critical infrastructure workers, mass transit and freight trains, and major government bodies. While the TETRA standard is public, the ciphers used to encrypt the communications were kept secret. One of the algorithms, known as TEA1, had a feature that reduces its 80-bit encryption down to just 32 bits—a backdoor, the researchers say, that made it vulnerable to eavesdropping and potentially other attacks.

The body that develops and maintains TETRA—the European Telecommunications Standards Institute—rejects the “backdoor” label, saying that the weakened encryption was implemented to abide by encryption export controls in place when it was released in the 1990s. Regardless of what you call it, ETSI has released a replacement for the TEA1 algorithm and fixed another major flaw that made communications vulnerable to interception.

In the world of AI-fueled chatbots, security researchers warn that third-party plug-ins for ChatGPT’s paid version could add a layer of risk to users’ data and potentially be abused by attackers. OpenAI, the creator of ChatGPT, says it maintains high security standards for the plug-ins listed on its website. But ultimately, the choice to use a plug-in largely depends on whether you trust the developer who made it.

Even if you trust someone online, however, there’s no guarantee that they are who you think they are. This week, we detailed the saga of a Twitter user who thought he was buying a Macbook from someone he knew but ended up sending $1,000 to a scammer who used a hacked Twitter account to pull off the swindle. Threat researchers got involved and ultimately traced the scammers’ real-life identities, then handed over what they found to police.

Finally, in Washington, DC, the National Security Agency has been quietly pushing members of the US Congress to abandon an amendment to the “must-pass” National Defense Authorization Act (NDAA) that would prevent military intelligence agencies like the NSA for buying commercially available data on US citizens. Even if the NSA’s lobbying is successful, it may be forced to keep up the fight as separate legislation is making its way through Congress that would ban the purchase of sensitive data far more broadly than the NDAA amendment.

But that’s not all. Each week, we round up security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Despite being released in 2009, the classic title _Call of Duty: Modern Warfare 2_ is still popular with a dedicated group of fans. Hundreds are still playing the game online. But on July 26, Activision, the game's creator, announced it had taken the game on Steam offline while it was investigating “reports of an issue.” No further details were provided about the problem or why the game was pulled.

A report from TechCrunch sheds some possible light on the “issue.” _Call of Duty_ players on the old game are being hit with malware that automatically spreads through multiplayer lobbies, according to the publication. Gamers appear to have posted about the malware, finding links to it on online code repositories, and claim it spreads through lobbies from one infected player to another. One anonymous source from the gaming industry said the malware appeared to be a worm.

According to TechCrunch it is unclear why the malware is spreading or what exactly the impact is on gamers. Valve, the owner of Steam, did not comment on the issue, according to the news website.

Public companies in the United States will soon have to report data breaches and hacking incidents four days after they deem an incident to have a “material” impact on their business. On Wednesday, the US Securities and Exchange Commission voted to introduce the regulations that require firms to disclose cyberattacks once they have determined it will disrupt its operations or finances. The disclosures must detail the "nature, scope, and timing" of the attack, as well as the potential impact it will have on the firm.

Former SEC rules required companies to disclose cyber incidents but did not impose any strict timeline on doing so. This can lead to firms waiting weeks or months to notify customers and lawmakers about data breaches and cyberattacks. A separate part of the new SEC rules also requires companies to detail their processes for "assessing, identifying, and managing material risks," heaping extra public accountability on firms to make sure they're taking security issues seriously. The rules will go into effect by no later than December.

Since Vladimir Putin started his full-scale invasion of Ukraine in February 2022, Russia's internet censorship has become even more expansive. A new report this week from researchers at Citizen Lab, a research facility at the University of Toronto, shows how the country's censors have clamped down on the social network VK, which is similar to Facebook. Russia's government has been ordering VK to remove posts, videos, and accounts almost every day since the start of the war, the researchers found after reviewing court orders issued by the government.

There's been a thirtyfold increase in censorship since the start of the war, Citizen Lab researchers found. In total, 94,942 videos, 1,569 community accounts, and 787 personal accounts are blocked in Russia, which has clamped down on independent media and blocked social media such as Facebook and YouTube as it looks to control the information people read and access within its borders.

At the end of May, Progress Software, the owner of the file transfer service MOVEit, released a patch for a vulnerability being exploited by the Russia-based ransomware gang Clop. The vulnerability allowed the cybercriminals to access MOVEit and steal data—with the attack impacting both direct users of the sharing service and some companies’ suppliers and vendors.

Analysis of state breach notification, SEC filings, Clop's website, and public disclosures by cybersecurity firm Emisoft shows that, as of July 27, there are 518 reported victims. This includes more than 100 schools. And around 30 million individuals have had their data impacted, Emisoft says. Each day, the list of victims coming forward increases. Some of the most recent include Flutter, the owner of Poker Stars; Deloitte; Chuck E. Cheese; and US government service provider Maximus. More disclosures are expected.

More than a decade ago, Google faced a privacy backlash in Germany over its Google Street View cars taking pictures of people's homes and illegally collecting data from people's unsecured Wi-Fi networks. After 250,000 Germans told Google to blur pictures of their homes, and legal challenges, the company in 2011 stopped updating pictures of 20 major cities. That changed this week when Google announced that cars had been back in German cities since June and it is updating its images once again. “Times have changed,” Lena Heuermann, a Google spokesperson said, citing its own survey that 91 percent of respondents said they wanted Street View back in Germany. Hamburg's data protection regulator said that Google publishing pictures it takes in public is legal and that people can request their homes be blurred.

‘Call of Duty: Modern Warfare 2’ Players Hit With Worm Malware

The National Security Agency has urged top lawmakers to resist demands that it obtain warrants for sensitive data sold by data brokers.

An effort by United States lawmakers to prevent government agencies from domestically tracking citizens without a search warrant is facing opposition internally from one of its largest intelligence services.

Republican and Democratic aides familiar with ongoing defense-spending negotiations in Congress say officials at the National Security Agency (NSA) have approached lawmakers charged with its oversight about opposing an amendment that would prevent it from paying companies for location data instead of obtaining a warrant in court.

Introduced by US representatives Warren Davidson and Sara Jacobs, the amendment, first reported by WIRED, would prohibit US military agencies from “purchasing data that would otherwise require a warrant, court order, or subpoena” to obtain. The ban would cover more than half of the US intelligence community, including the NSA, the Defense Intelligence Agency, and the newly formed National Space Intelligence Center, among others.

The House approved the amendment in a floor vote over a week ago during its annual consideration of the National Defense Authorization Act, a “must-pass” bill outlining how the Pentagon will spend next year’s $886 billion budget. Negotiations over which policies will be included in the Senate’s version of the bill are ongoing.

In a separate but related push last week, members of the House Judiciary Committee voted unanimously to advance legislation that would extend similar restrictions against the purchase of Americans’ data across all sectors of government, including state and local law enforcement. Known as the “Fourth Amendment Is Not For Sale Act,” the bill will soon be reintroduced in the Senate as well by one of its original 2021 authors, Ron Wyden, the senator’s office confirmed.

“Americans of all political stripes know their Constitutional rights shouldn’t disappear in the digital age," Wyden says, adding that there is a “deep well of support” for enshrining protections against commercial data grabs by the government “into black-letter law.” 

The extent to which the NSA in particular uses data brokers to obtain location and web-browsing data is unclear, though the agency has previously acknowledged using data from “commercial” sources in connection with cyber defense. Regardless, the NSA’s lawyers have authored extensive guidelines for acquiring commercially available data, particularly when it belongs to US companies or individuals. Some of the rules prescribed by the agency’s lawyers remain classified.

The NSA did not respond to multiple requests for comment.

A government report declassified by the Office of the Director of National Intelligence last month revealed that US intelligence agencies were avoiding judicial review by purchasing a “large amount” of “sensitive and intimate information” about Americans, including data that can be used to trace people’s whereabouts over extended periods of time. The sensitivity of the data is such that “in the wrong hands,” the report says, it could be used to “facilitate blackmail,” among other undesirable outcomes. The report also acknowledges that some of the data being procured is protected under the US Constitution’s Fourth Amendment, meaning the courts have ruled that government should be required to convince a judge the data is linked to an actual crime.

The US Supreme Court has previously ordered the government to obtain search warrants before seeking information that may “chronicle a person’s past movements through the record of his cell phone signals.” In the landmark _Carpenter v. United States_ decision, the court found that advancements in wireless technology had effectively outpaced people’s ability to reasonably appreciate the extent to which their private lives are exposed.

A prior ruling had held that Americans could not reasonably expect privacy in all cases while also voluntarily providing companies with stores of information about themselves. But in 2018 the court refused to extend that thinking to what it called a “new phenomenon”: wireless data that may be “effortlessly compiled” and the emergence of technologies capable of granting the government what it called “near perfect surveillance.” Because this historical data can effectively be used to “travel back in time to retrace a person’s whereabouts,” the court said, it raises “even greater privacy concerns” than devices that can merely pinpoint a person’s location in real time.

Crucially, the court also held that merely agreeing to let data be used “for commercial purposes” does not automatically abrogate people’s “anticipation of privacy” for their physical location. Rather than apply this view to location data universally, however, the government has allowed defense and intelligence agencies to assume a contradictory view, as their activities were not a factor in _Carpenter_’s law enforcement-focused ruling.

A growing number of American lawmakers have argued in recent weeks that the US intelligence community is itself more or less facilitating the erosion of that privacy expectation—that location data is protected from unreasonable government intrusion—mainly by ensuring it isn’t.

Andy Biggs, who chairs a subcommittee on federal government surveillance in the House of Representatives, says the federal government has “inappropriately collected and used Americans’ private information” for years. A whole range of agencies, including the Federal Bureau of Investigation and the Drug Enforcement Agency, have been exploiting “legal loopholes,” he says, to avoid oversight while amassing “endless amounts of data.”

A senior advisory group to the director of national intelligence, Avril Haines, the government’s top spy, stated in the report declassified last month that intelligence agencies were continuing to consider information “nonsensitive” merely because it had been commercially obtained. This outlook ignores “profound changes in the scope and sensitivity” of such information, the advisors warned, saying technological advancements had “undermined the historical policy rationale” for arguing that information that is bought may be freely used “without significantly affecting the privacy and civil liberties of US persons.”

Haines’ office did not respond to multiple requests for comment. In a statement last month, the director said she was working to implement key recommendations from her advisors and believed that Americans should be given “some sense” of the policies affecting the collection of their personal data. Much of the framework for dealing with commercial purchases by the intelligence community would be disclosed publicly when it is eventually finalized, she said.

The practice of paying businesses to spy on US citizens is one of several concerns lawmakers say they’ll be exploring this fall during what’s slated to be a long and heated debate over one of the government’s most powerful surveillance tools: Section 702 of the Foreign Intelligence Surveillance Act.

The Mozilla Foundation joined the chorus of civil society groups calling for reforms of the 702 program today, saying FISA’s current process is “overbroad” and “restricted only by weak legislation and executive orders that, experience has shown, do not create real accountability.”

The NSA Is Lobbying Congress to Save a Phone Surveillance 'Loophole'

After scammers duped a friend with a hacked Twitter account and a “deal” on a MacBook, I enlisted the help of a fellow threat researcher to trace the criminals’ offline identities.

Embarrassed, angry, victimized. That's just a few of the words my friend uses to describe his recent run-in with a cybercriminal that used a hacked Twitter account to scam people out of hundreds of dollars. Twitter, meanwhile, ignored his pleas for help. That’s when I got involved.

After Tim Utzig lost $1,000 to a fraudster who tricked him using a hacked Twitter account, I asked an expert in social engineering and hunting scammers to help. Ultimately, we tracked down the suspected culprits and identified a network of apparent scammers and money mules expertly swindling people out of their savings. This scamming saga shows how fraudsters use social media, build a network of people to operate different payment accounts, and apply effective techniques to bilk their victims.

It also shows the additional challenges that blind users like Utzig face on the internet and how they are at higher risk of exploitation by indiscriminate online criminals.

Inaccessible and Unacceptable

On May 23, Utzig realized he’d been scammed. He was gearing up for a journalism master’s program at the City University of London and happened to be in the market for a new laptop. By coincidence, someone using the Twitter account of longtime Baltimore sports reporter Roch Kubatko tweeted that they had a new Apple laptop for sale. Utzig trusted Kubatko, whom he’d previously met, and the tweet seemed innocent—and arrived at the perfect moment. So Utzig responded to the tweet with a DM.

Utzig uses a screen reader to navigate the internet and social media apps, including Twitter. A sighted person may have observed oddities in the initial tweet and profile, but the screen reader did nothing to alert Utzig about a key fact: Kubatko’s Twitter account had been hacked, and the person he was talking to wasn’t Kubatko.

“I feel like people with disabilities as a whole are more susceptible to online fraud—screen readers are just one of the methods used by a population who are visually impaired or blind to assist in using technology,” Utzig says. “You’re going to miss certain visual cues that might signify fraud, such as someone changing their profile picture to something different, and the screen reader won’t pick up on it.”

Screen readers also often don’t vocalize misspellings, inaudible grammatical errors, or typography such as fully capitalized words that a sighted person may see as suspicious. And the alternative text on image descriptions, which are manually applied by the individual sharing the content, is the only way a screen reader can describe an image.

Then there’s Twitter itself. Check marks are now effectively useless, especially if you’re blind. Since Twitter changed its verification system under Elon Musk’s ownership, the blue tick that used to be a reliable sign of identity can now be obtained by pretty much anyone. A screen reader will call the Twitter Blue check mark “verified” as before, but the blind user can no longer rely on it as much as they once did.

Recent moves by Twitter concern accessibility advocates. Last year, Twitter laid off its accessibility team, which was responsible for ensuring the platform was usable for people with disabilities, and restrictions on Twitter’s API broke some tools and resources used by blind people. These changes prompted the National Federation of the Blind to move away from Twitter and create a Mastodon server, which the group says is more friendly and accessible for blind users.

“You have people with disabilities scammed, and yet you laid off your whole accessibility team,” Utzig says. “It takes a team to maintain a safe and accessible platform for people with disabilities to use it.”

Then, to top it all off, Twitter is now rebranding as X, with the goal of creating an “everything app” that will apparently also process payments and serve as a “bank.” This, despite the fact that just two months before the X rebranding, the very same platform was being used to swindle people out of their hard-earned cash.

A $1,000 Loss

Courtesy of “Steve”

After a short conversation with not-Kubatko, the person controlling the account asked him for his phone number to send a payment request via Apple Pay. When Utzig followed up after making a payment, he realized the phone number had blocked his number.

Utzig quickly realized he had just paid $1,000 to a criminal. He then reported the account to Twitter. The company did not respond to his requests for help, and the account remained active for days after it was reported as hacked.

Utzig turned to the media for help and reached out to a local reporter. When a local Maryland news station contacted Twitter for comment, the company responded with the poop emoji, the response that press requests have been receiving since March 2023. Utzig says that response made the situation feel so much worse—not only had he lost a lot of money, but the platform he used and loved didn’t care at all about the serious personal and financial impact on its users who were victims of crime.

In the eight months since Musk bought Twitter in October 2022, the platform has increasingly been home to fraudulent accounts. Users across the site have reported a massive uptick in spammers and scammers tweeting, replying to users, and messaging them directly. There have also been multiple reported instances of hacked, high-profile accounts distributing fraudulent content.

Utzig says his DMs are filled with sketchy accounts either sending spam directly or trying to engage in conversation. The social engineering expert I contacted, who asked to use a pseudonym because they carried out this investigation outside their normal work duties, operates several Twitter accounts both for research and personal use. He—let’s call him Steve—says that in the past few months, the number of malicious accounts he observes on the platform has skyrocketed, especially accounts likely associated with pig butchering. This social engineering threat, which is used to drain people’s bank accounts through bogus investment advice, typically originates on social networks and messaging apps and was recently identified by the US Federal Bureau of Investigation as the most costly online threat, with users reporting billions of dollars in losses in 2022.

Social media fraud is part of an ecosystem of online crime that relies on social engineering and trust between users. There are many different kinds of fraud originating on social media, including pig butchering and other financial or cryptocurrency scams, romance scams, and consumer fraud like the kind Utzig experienced.

The attack that hit Kubatko appears similar to a series of related hacks that took over accounts of high-profile Twitter users, and which has been ongoing since at least January of this year. The scammers all used similar language and photos about offering laptops for sale. It is not clear whether the hacked accounts and related scams are all operated by the same people. A search of the language used in the tweet suggests the scammers are still active on the platform. Kubatko, who did not respond to WIRED's request for comment, eventually got his Twitter account back and apologized to Utzig when he learned of the financial loss.

Different scams require different levels of sophistication; for example, hacking Twitter accounts of high-profile users, many of whom may use multi-factor authentication, is typically more difficult than using said accounts to scam users. It is possible the individuals who swindled Utzig are not the ones who initially hacked Kubatko’s account, but they may have purchased access from the original hacker to use as their scamming platform.

Trap and Trace

Steve was enraged that Utzig had been swindled, and offered to help. But all we had was a phone number. So he contacted the number and told the person on the other end that he was interested in buying laptops. Immediately, he received a text from a _different_ number: “Are you looking for laptops?”

Throughout the conversation, Steve said he was willing to pay via Bitcoin, Cash App, or Zelle. Bitcoin wallet information is useful because all transactions are stored on the blockchain, and you can use it to “follow the money” and identify how much money accounts have made. It’s also possible to cross-reference blockchain accounts with other data sets such as open-source reporting or private threat data to identify related fraudulent activity. Cash App and PayPal are also useful data points because users must provide a lot of personal information including phone numbers, email addresses, usernames, and possibly bank accounts. And Zelle is tied to a bank account, making the information very useful to fraud investigators.

Typically, Steve is able to get at least one of these accounts from the threat actors he interacts with—in this case, we got three.

By claiming he didn’t have enough money in one of his accounts, and that another was not working, Steve got the scammers to send him links to multiple payment accounts. The accounts all had different usernames, suggesting they belonged to different people. In fact, Steve was able to link the usernames and phone numbers from the payment apps to three different people and their suspected real names. He found LinkedIn profiles; Twitter, Facebook, TikTok, Snap, and Instagram accounts; Poshmark accounts; dating profiles; a Soundcloud; and personal websites. By pivoting on this data and information provided on their various social and public profiles, Steve was then able to link the individuals to physical addresses in the eastern US.

Steve also sent the scammers Grabify links to see whether we could collect more data on the users. Grabify is used to identify technical characteristics belonging to a user, such as IP addresses, location data, and “user agents” that indicate what type of device they’re clicking from. In this case, one recipient clicked, and we could see they were using an iPhone on the AT&T network and were apparently located in Ohio, providing a possible estimate of where the user was when they clicked the link.

Based on the conversations with the people associated with the various phone numbers and payment accounts, Steve identified at least four individuals involved in this scam ring.

At least one person—Utzig’s original scammer—is the suspected organizer of the fraud, with at least one person who appears to work directly with him, according to Steve’s findings. After Steve received a message from the new, unknown number, he asked the original scammer who this person was. That phone number claimed it was a “business partner.” It had initially been possible there was one person using two different phone numbers involved in the scam. But based on subsequent investigations and conversations with both, Steve identified two likely separate individuals belonging to those numbers.

The “business partner” sent Steve a Cash App screenshot asking for payment that contained a username, which Steve found associated with multiple social media accounts that included photos. One appeared to have a real name attached.

When Steve said he didn’t have enough money in his Cash account, the business partner sent a link to a PayPal account, which used the apparent first and last name of a different real person. The real name and username were linked to multiple social media accounts that all used photos of what appeared to be the same person. Finally, Steve told the business partner his PayPal was not working, and received a name and phone number allegedly belonging to someone’s Zelle account. The business partner claimed this was an “assistant.” By using the details provided, Steve identified yet another individual and their apparent real name who appeared to reside in the same area as our scammers.

It is unclear whether the individuals belonging to the Zelle and PayPal accounts knew about the laptop scam or whether they were just “money mules.” These are accounts that receive money from victims and then funnel it to other accounts belonging to the original scammers. Sometimes money mules are unaware they are moving stolen money and may be unwitting participants in the fraud. Indeed, sometimes money mules are recruited by scammers under the guise of legitimate employment.

Our investigation resulted in us identifying three payment accounts that were at least associated with the laptop scam, dozens of social media profiles potentially belonging to people involved, and three phone numbers with two different area codes belonging to the same state. While this data could end up being useful to a law enforcement fraud investigation, Steve’s open source intelligence gathering serves as a stark reminder of how easily our digital footprints can be traced back to our real-life existence.

A Drop in the Bucket

Local police and the FBI all encourage users to report when they have been victims of online fraud, but victims rarely get the support they need. Utzig filed a police report with the Washington, DC, Metropolitan Police Department, and we reported it to the FBI via the bureau’s Internet Crime Complaint Center. He also contacted his bank and Apple. Unfortunately, using payment apps is the same as sending someone cash. At this point, there is really nothing more Utzig can do—and it’s likely his complaint will just become a drop in a sea of hundreds of thousands of internet crimes reported each year, many of which don’t get any follow-up.

We provided the police with details of our own investigation and reported high-confidence malicious payment accounts to the payment platforms to remove them for fraud. As private citizens, we’ve done all we can, but we hope our investigations can help prevent further exploitation by these threat actors.

While fraud takes place on pretty much every social media platform, Twitter appears to be hosting more hostile accounts now than it had been prior to the sale last year. And not just from scammers. The company fired much of its Trust and Safety staff in December 2022, and in June, Twitter’s recently appointed head of Trust and Safety exited the company. Without the personnel operating the technical guardrails to prevent widespread harassment, exploitation, and cybercrime, such tactics will likely be allowed to proliferate, making the platform less safe. All this as Musk wants Twitter (sorry, I’m not calling it X) to effectively become a financial institution, which requires more user trust than it has ever enjoyed.

Users should be aware of the hallmarks of fraudulent behavior on social media, like receiving messages from strangers, receiving offers to purchase goods and services, and being asked to switch platforms in the middle of a conversation. However, in Utzig’s case, the social platforms themselves could learn a thing or two. Without improvements in screen reading technology and accessibility in general, platforms are enabling exploitation of their more vulnerable users.

Working with my friend to help him report this crime also reminded me that security practitioners often forget there are real human beings on the receiving end of cybercrime, and the emotional and mental toll of being a victim can be huge.

“Billions of dollars in losses” sounds bad. Your friend losing a lot of their savings and feeling violated and betrayed by platforms and people he trusted feels a lot worse.

Twitter Scammers Stole $1,000 From My Friend—So I Hunted Them Down

Third-party plugins boost ChatGPT’s capabilities. But security researchers say they add an extra layer of risk.

Over the past eight months, ChatGPT has impressed millions of people with its ability to generate realistic-looking text, writing everything from stories to code. But the chatbot, developed by OpenAI, is still relatively limited in what it can do.

The large language model (LLM) takes "prompts" from users that it uses to generate ostensibly related text. These responses are created partly from data scraped from the internet in September 2021, and it doesn't pull in new data from the web. Enter plugins, which add functionality but are available only to people who pay for access to GPT-4, the updated version of OpenAI's model.

Since OpenAI launched plugins for ChatGPT in March, developers have raced to create and publish plugins that allow the chatbot to do a lot more. Existing plugins let you search for flights and plan trips, and make it so ChatGPT can access and analyze text on websites, in documents, and on videos. Other plugins are more niche, promising you the ability to chat with the Tesla owner’s manual or search through British political speeches. There are currently more than 100 pages of plugins listed on ChatGPT’s plugin store.

But amid the explosion of these extensions, security researchers say there are some problems with the way that plugins operate, which can put people’s data at risk or potentially be abused by malicious hackers.

Johann Rehberger, a red team director at Electronic Arts and security researcher, has been documenting issues with ChatGPT’s plugins in his spare time. The researcher has documented how ChatGPT plugins could be used to steal someone’s chat history, obtain personal information, and allow code to be remotely executed on someone’s machine. He has mostly been focusing on plugins that use OAuth, a web standard that allows you to share data across online accounts. Rehberger says he has been in touch privately with around a half-dozen plugin developers to raise issues, and has contacted OpenAI a handful of times.

“ChatGPT cannot trust the plugin,” Rehberger says. “It fundamentally cannot trust what comes back from the plugin because it could be anything.” A malicious website or document could, through the use of a plugin, attempt to run a prompt injection attack against the large language model (LLM). Or it could insert malicious payloads, Rehberger says.

Data could also potentially be stolen through cross plugin request forgery, the researcher says. A website could include a prompt injection that makes ChatGPT open another plugin and perform extra actions, which he has shown through a proof of concept. Researchers call this “chaining,” where one plugin calls another one to operate. “There are no real security boundaries” within ChatGPT plugins, Rehberger says. “It is not very well defined, what the security and trust, what the actual responsibilities \[are\] of each stakeholder.”

Since they launched in March, ChatGPT’s plugins have been in beta—essentially an early experimental version. When using plugins on ChatGPT, the system warns that people should trust a plugin before they use it, and that for the plugin to work ChatGPT may need to send your conversation and other data to the plugin.

Niko Felix, a spokesperson for OpenAI, says the company is working to improve ChatGPT against “exploits” that can lead to its system being abused. It currently reviews plugins before they are included in its store. In a blog post in June, the company said it has seen research showing how “untrusted data from a tool’s output can instruct the model to perform unintended actions.” And that it encourages developers to make people click confirmation buttons before actions with “real-world impact,” such as sending an email, are done by ChatGPT.

ChatGPT Plugins Pose Security Risks

A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty.

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or re-route trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission-critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

The technology is not widely used in the US, where other radio standards are more commonly deployed. But Caleb Mathis, a consultant with Ampere Industrial Security, conducted open source research for WIRED and uncovered contracts, press releases, and other documentation showing TETRA-based radios are used in at least two dozen critical infrastructures in the US. Because TETRA is embedded in radios supplied through resellers and system integrators like PowerTrunk, it’s difficult to identify who might be using them and for what. But Mathis helped WIRED identify several electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system on the East Coast, three international airports that use them for communications among security and ground crew personnel, and a US Army training base.

Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Midnight Blue in the Netherlands discovered the TETRA vulnerabilities–which they’re calling TETRA:Burst–in 2021 but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations. Not all of the issues can be fixed with a patch, however, and it’s not clear which manufacturers have prepared them for customers. Motorola—one of the largest radio vendors—didn’t respond to repeated inquiries from WIRED.

The Dutch National Cyber Security Centre assumed the responsibility of notifying radio vendors and computer emergency response teams around the world about the problems, and of coordinating a timeframe for when the researchers should publicly disclose the issues.

In a brief email, NCSC spokesperson Miral Scheffer called TETRA “a crucial foundation for mission-critical communication in the Netherlands and around the world” and emphasized the need for such communications to always be reliable and secure, “especially during crisis situations.” She confirmed the vulnerabilities would let an attacker in the vicinity of impacted radios “intercept, manipulate or disturb” communications and said the NCSC had informed various organizations and governments, including Germany, Denmark, Belgium, and England, advising them how to proceed. A spokesperson for DHS’s Cybersecurity and Infrastructure Security Agency said they are aware of the vulnerabilities but wouldn’t comment further.

The researchers say anyone using radio technologies should check with their manufacturer to determine if their devices are using TETRA and what fixes or mitigations are available.

The researchers plan to present their findings next month at the BlackHat security conference in Las Vegas, when they will release detailed technical analysis as well as the secret TETRA encryption algorithms that have been unavailable to the public until now. They hope others with more expertise will dig into the algorithms to see if they can find other issues.

TETRA was developed in the ’90s by the European Telecommunications Standards Institute, or ETSI. The standard includes four encryption algorithms—TEA1, TEA2, TEA3, and TEA4—that can be used by radio manufacturers in different products, depending on their intended use and customer. TEA1 is for commercial uses; for radios used in critical infrastructure in Europe and the rest of the world, though, it is also designed for use by public safety agencies and military, according to an ETSI document, and the researchers found police agencies that use it.

TEA2 is restricted for use in Europe by police, emergency services, military, and intelligence agencies. TEA3 is available for police and emergency services outside Europe—in countries deemed “friendly” to the EU, such as Mexico and India; those not considered friendly—such as Iran—only had the option to use TEA1. TEA4, another commercial algorithm, is hardly used, the researchers say.

The vast majority of police forces around the world, aside from the US, use TETRA-based radio technology, the researchers found, after conducting open source research. TETRA is used by police forces in Belgium and the Scandinavian countries, East European countries like Serbia, Moldova, Bulgaria, and Macedonia, as well as in the Middle East in Iran, Iraq, Lebanon, and Syria.

Additionally, the Ministries of Defense in Bulgaria, Kazakhstan, and Syria use it. The Polish military counterintelligence agency uses it, as does the Finnish defense forces, and Lebanon and Saudi Arabia’s intelligence service, to name just a few.

Critical infrastructure in the US and other countries use TETRA for machine-to-machine communication in SCADA and other industrial control system settings—especially in widely distributed pipelines, railways, and electric grids, where wired and cellular communications may not be available.

Although the standard itself is publicly available for review, the encryption algorithms are only available with a signed NDA to trusted parties, such as radio manufacturers. The vendors have to include protections in their products to make it difficult for anyone to extract the algorithms and analyze them.

To obtain the algorithms, the researchers purchased an off-the-shelf Motorola MTM5400 radio and spent four months locating and extracting the algorithms from the secure enclave in the radio’s firmware. They had to use a number of zero-day exploits to defeat Motorola protections, which they reported to Motorola to fix. Once they reverse-engineered the algorithms, the first vulnerability they found was the backdoor in TEA1.

All four TETRA encryption algorithms use 80-bit keys, which, even more than two decades after their release, still provides sufficient security to prevent someone from cracking them, the researchers say. But TEA1 has a feature that reduces its key to just 32 bits—less than half the key’s length. The researchers were able to crack it in less than a minute using a standard laptop and just four ciphertexts.

Brian Murgatroyd, chair of the technical body at ETSI responsible for the TETRA standard, objects to calling this a backdoor. He says when they developed the standard, they needed an algorithm for commercial use that could meet export requirements to be used outside Europe, and that in 1995 a 32-bit key still provided security, though he acknowledges that with today’s computing power that’s not the case.

Matthew Green, a Johns Hopkins University cryptographer and professor, calls the weakened key a “disaster.”

"I wouldn’t say it’s equivalent to using no encryption, but it’s really, really bad,” he says.

Gregor Leander, a professor of computer science and cryptographer with a security research team known as CASA at Ruhr University Bochum in Germany, says it would be “stupid” for critical infrastructure to use TEA1, especially without adding end-to-end encryption on top of it. “Nobody should rely on this,” he says.

Murgatroyd insists the most anyone can do with the backdoor is decrypt and eavesdrop on data and conversations. TETRA has strong authentication, he says, that would prevent anyone from injecting false communication.

“That’s not true,” says Wetzels. TETRA only requires that devices authenticate themselves to the network, but data and voice communications between radios are not digitally signed or otherwise authenticated. The radios and base stations trust that any device that has the proper encryption key is authenticated, so someone who can crack the key as the researchers did can encrypt their own messages with it and send them to base stations and other radios.

While the TEA1 weakness has been withheld from the public, it’s apparently widely known in the industry and governments. In a 2006 US State Department cable leaked to Wikileaks, the US embassy in Rome describes an Italian radio manufacturer asking about exporting TETRA radio systems to municipal police forces in Iran. The US pushed back on the plan, so the company representative reminded the US that encryption in the TETRA-based radio system they planned to sell to Iran is “less than 40-bits,” implying that the US shouldn’t object to the sale because the system isn’t using a strong key.

The second major vulnerability the researchers found isn’t in one of the secret algorithms, but it affects all of them. The issue lies in the standard itself and how TETRA handles time syncing and keystream generation.

When a TETRA radio contacts a base station, they initiate communication with a time sync. The network broadcasts the time, and the radio establishes that it’s in sync. Then they both generate the same keystream, which is tied to that timestamp, to encrypt the subsequent communication.

“The problem is that the network broadcasts the time in packets that are unauthenticated and unencrypted,” says Wetzels.

As a result, an attacker can use a simple device to intercept and collect encrypted communication passing between a radio and base station, while noting the timestamp that initiated the communication. Then he can use a rogue base station to contact the same radio or a different one in the same network and broadcast the time that matches the time associated with the intercepted communication. The radio is dumb and believes the correct time is whatever a base station says it is. So it will generate the keystream that was used at that time to encrypt the communication the attacker collected. The attacker recovers that keystream and can use it to decrypt the communication collected earlier.

To inject false messages, he would use his base station to tell a radio that the time is tomorrow noon and ask the radio to generate the keystream associated with that future time. Once the attacker has it, he can use the keystream to encrypt his rogue messages, and the next day at noon send them to a target radio using the correct keystream for that time.

Wetzels imagines Mexican drug cartels could use this to intercept police communications to eavesdrop on investigations and operations or deceive police with false messages sent to radios. The attacker needs to be near a target radio, but the proximity is only dependent on the strength of the rogue base station’s signal and the terrain.

“You can do this within a distance of tens of meters,” he says. The rogue base station would cost $5,000 or less to build.

ETSI’s Murgatroyd downplays the attack saying TETRA’s strong authentication requirements would prevent a non-authenticated base station from injecting messages. Wetzel disagrees, saying TETRA only requires devices to authenticate to the network, not to each other.

The researchers didn’t find any weaknesses in the TEA2 algorithm used by police, military, and emergency services in Europe, but they did initially think they found another backdoor in TEA3. Given that TEA3 is the exportable version of TEA2, there was good reason to believe it might also have a backdoor to meet export requirements.

They thought they found something suspicious in a substitution box, or S-box, used in the algorithm, which contains a bad property they say would “never appear in serious cryptography.” The researchers didn’t have sufficient skill to examine it to determine if it was exploitable. But Leander’s team did examine it and he says it’s not.

“In many ciphers if you used such a box it would break the cipher very badly,“ he says. “But the way it’s used in TEA3, we couldn’t see that this is exploitable.” This doesn’t mean someone else might not find something in it he says, but he’d “be very surprised if it leads to an attack that’s practical.”

With regard to fixes for the other problems the researchers found, Murgatroyd says ETSI fixed the keystream/timestamp issue in a revised TETRA standard published last October, and they created three additional algorithms for vendors to use, including one that replaces TEA1. Vendors have created firmware updates that fix the keystream/timestamp issue. But the problem with TEA1 cannot be fixed with an update. The only solution for that is to use another algorithm—not an easy thing to switch—or to add end-to-end encryption on top of TETRA, something Wetzels says is impractical. It’s very expensive since the encryption has to be applied to every device, it requires some downtime to do the upgrade—something not always feasible for critical infrastructure—and can create incompatibility issues with other components.

As for asking their vendor to switch out TEA1 for one of the new algorithms meant to replace it, Wetzels says this is problematic as well, since ETSI plans to keep those algorithms secret, like the others, asking users to trust again that the algorithms have no critical weakness.

“There’s a very high chance that \[the replacement algorithm for TEA1\] will be weakened” as well, he says.

The researchers don’t know if the vulnerabilities they found are being actively exploited. But they did find evidence in the Edward Snowden leaks that indicate the US National Security Agency (NSA) and UK’s GCHQ intelligence agency targeted TETRA for eavesdropping in the past. One document discusses an NSA and Australian Signals Directorate project to collect Malaysian police communications during a climate change conference in Bali in 2007 and mentions that they obtained some TETRA collections on Indonesian security forces' communications.

Another Snowden leak describes GCHQ, possibly with NSA assistance, collecting TETRA communications in Argentina in 2010 when tensions rose between it and the UK over oil exploration rights in a deep-sea oil field off the coast of the Falkland Islands. It describes an operation to collect high-priority military and leadership communications of Argentina and reveals that the project resulted in successful TETRA collections.

“This doesn’t indicate they exploited these vulnerabilities that we found,” Wetzels says. “But it does show … that state-sponsored actors are actively looking at and collecting these TETRA networks, even in the early 2000s.”

Source

Wired