A pair of flaws in Microsoft's Entra ID identity and access management system could have allowed an attacker to gain access to virtually all Azure customer accounts.

As businesses around the world have shifted their digital infrastructure over the last decade from self-hosted servers to the cloud, they’ve benefitted from the standardized, built-in security features of major cloud providers like Microsoft. But with so much riding on these systems, there can be potentially disastrous consequences at a massive scale if something goes wrong. Case in point: Security researcher Dirk-jan Mollema recently stumbled upon a pair of vulnerabilities in Microsoft Azure’s identity and access management platform that could have been exploited for a potentially cataclysmic takeover of all Azure customer accounts.

Known as Entra ID, the system stores each Azure cloud customer’s user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges—essentially god mode—and compromise every Entra ID directory, or what is known as a “tenant.” Mollema says that this would have exposed nearly every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.

“I was just staring at my screen. I was like, ‘No, this shouldn’'t really happen,’” says Mollema, who runs the Dutch cybersecurity company Outsider Security and specializes in cloud security. “It was quite bad. As bad as it gets, I would say.”

“From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema adds. “That means you could modify other people's configuration, create new and admin users in that tenant, and do anything you would like.”

Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft started investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the issue was fixed by July 23 and implemented extra measures in August. Microsoft issued a CVE for the vulnerability on September 4.

“We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative,” Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”

Gallagher says that Microsoft found “no evidence of abuse” of the vulnerability during its investigation.

Both vulnerabilities relate to legacy systems still functioning within Entra ID. The first involves a type of Azure authentication token Mollema discovered known as Actor Tokens that are issued by an obscure Azure mechanism called the “Access Control Service.” Actor Tokens have some special system properties that Mollema realized could be useful to an attacker when combined with another vulnerability. The other bug was a major flaw in a historic Azure Active Directory application programming interface known as “Graph” that was used to facilitate access to data stored in Microsoft 365. Microsoft is in the process of retiring Azure Active Directory Graph and transitioning users to its successor, Microsoft Graph, which is designed for Entra ID. The flaw was related to a failure by Azure AD Graph to properly validate which Azure tenant was making an access request, which could be manipulated so the API would accept an Actor Token from a different tenant that should have been rejected.

“Microsoft built security controls around identity like conditional access and logs, but this internal impression token mechanism bypasses them all,” says Michael Bargury, the CTO at security firm Zenity. “This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer.”

If the vulnerability had been discovered by, or fallen into the hands of, malicious hackers, the fallout could have been devastating.

“We don't need to guess what the impact may have been; we saw two years ago what happened when Storm-0558 compromised a signing key that allowed them to log in as any user on any tenant,” Bargury says.

While the specific technical details are different, Microsoft revealed in July 2023 that the Chinese cyber espionage group known as Storm-0558 had stolen a cryptographic key that allowed them to generate authentication tokens and access cloud-based Outlook email systems, including those belonging to US government departments.

Conducted over the course of several months, a Microsoft postmortem on the Storm-0558 attack revealed several errors that led to the Chinese group slipping past cloud defenses. The security incident was one of a string of Microsoft issues around that time. These motivated the company to launch its “Secure Future Initiative,” which expanded protections for cloud security systems and set more aggressive goals for responding to vulnerability disclosures and issuing patches.

Mollema says that Microsoft was extremely responsive about his findings and seemed to grasp their urgency. But he emphasizes that his findings could have allowed malicious hackers to go even farther than they did in the 2023 incident.

“With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access,” Mollema says. Any Microsoft service “that you use EntraID to sign into, whether that be Azure, whether that be SharePoint, whether that be Exchange—that could have been compromised with this.”

This Microsoft Entra ID Vulnerability Could Have Been Catastrophic

Scammers are now using “SMS blasters” to send out up to 100,000 texts per hour to phones that are tricked into thinking the devices are cell towers. Your wireless carrier is powerless to stop them.

Cybercriminals have a new way of sending millions of scam text messages to people. Typically when fraudsters send waves of phishing messages to phones—such as toll or delivery scams—they may use a huge list of phone numbers and automate the sending of messages. But as phone companies and telecom services have rolled out more tools to detect scams in texts, criminals have started driving around cities with fake cell phone towers that send messages directly to nearby phones.

Over the last year, there has been a marked uptick in the use of so-called “SMS blasters” by scammers, with cops in multiple countries detecting and arresting people using the equipment. SMS blasters are small devices, which have been found in the back of criminals’ cars and sometimes backpacks, that impersonate cell phone towers and force phones into using insecure connections. They then push the scam messages, which contain links to fraudulent websites, to the connected phones.

While not a new type of technology, the use of SMS blasters in scamming was originally detected in Southeast Asian countries and has increasingly spread to Europe and South America—just last week, Switzerland’s National Cybersecurity Centre issued a warning about SMS blasters. The devices are capable of sending huge volumes of scam texts indiscriminately. The Swiss agency said some blasters are able to send messages to all phones in a radius of 1,000 meters, while reports about an incident in Bangkok say a blaster was used to send around 100,000 SMS messages per hour.

“This is essentially the first time that we have seen large-scale use of mobile radio-transmitting devices by criminal groups,” says Cathal Mc Daid, VP of technology at telecommunication and cybersecurity firm Enea, who has been tracking the use of SMS blasters. “While some technical expertise would help in using these devices, those actually running the devices don’t need to be experts. This has been shown by reports of arrests of people who have been basically paid to drive around areas with SMS blasters in cars or vans.”

SMS blasters act as illegitimate phone masts, often known as cell-site simulators (CSS). The blasters are not dissimilar to so-called IMSI catchers, or “Stingrays,” which law enforcement officials have used to scoop up people’s phone data. But instead of being used for surveillance, they broadcast false signals to targeted devices.

Phones near a blaster can be forced to connect to its illegitimate 4G signals, before the blaster pushes devices to downgrade to the less secure 2G signal. “The 2G fake base station is then used to send (blast) malicious SMSes to the mobile phones initially captured by the 4G false base station,” Mc Daid says. “The whole process—4G capture, downgrade to 2G, sending of SMS and release—can take less than 10 seconds,” Mc Daid explains. It’s something people who receive the messages may not even notice.

The growth of SMS blasters comes at a time when scams are rampant. In recent years, technology firms and mobile network operators have increasingly rolled out greater protections against fraudulent text messages—from better filtering and detection of possible scam messages to blocking tens of millions of messages per month. This month, UK telecom Virgin Media O2 said it has blocked more than 600 million scam text messages during 2025, which is more than its combined totals for the last two years. Still, millions of scam messages get through, and cybercriminals are quick to try to evade detection systems.

Because blasters operate outside of traditional mobile networks, the messages they send are not subject to the security measures that have been put in place by mobile providers. “None of our security controls apply to the messages that phones receive from them,” says Anton Reynaldo Bonifacio, the chief information security officer and chief AI officer at Philippines communications firm Globe Telecom. “Once phones are connected to these fake cell sites, they can spoof any sender ID or number to send the scam message.”

Back in 2022, Globe Telecom made the decision to stop delivering SMS messages that contain URLs, and Bonifacio says he believes scammers use the blasters to “bypass” these measures. “The technology used to be more niche, but I think sales and assembly of these IMSI catcher devices have become more prevalent for criminal organizations,” he says. Researchers have found SMS blasters being sold openly online for thousands of dollars.

Samantha Kight, the head of industry security at the mobile operator industry group the GSMA, says the Asia-Pacific region has been most impacted by SMS blasters so far, but there are cases appearing in Western Europe and South America. “It might be a problem in one or two regions, but then we tend to see these things pop up in different regions,” Kight says. Reporting from Commsrisk and Risky Business, have highlighted reports of SMS blasters being used in Thailand, Vietnam, Japan, New Zealand, Qatar, Indonesia, Oman, Brazil, Hong Kong, and more in recent months. Law enforcement officials in London say they have so far seized seven SMS blasters, and in June, a student from China was sentenced to jail for more than a year after being caught using one of the devices.

Kight says that tackling SMS blasters involves telecom operators and government regulators being aware of the devices, law enforcement agencies taking actions, as well as people recognizing and reporting scam messages to the relevant authorities. “As the mobile industry, we want to be able to find these, we want people to trust what’s on their device, and we want to be able to protect them,” Kight says.

Yomna Nasser, a software engineer at Android, says people can stop their phones connecting to 2G networks in their settings. “Once enabled, your device will no longer scan for or connect to 2G cell towers,” Nasser says, adding the only exception is if an emergency call is being made and 3G, 4G and 5G are not available. Android’s Advanced Protection mode will also disable 2G automatically on some newer phones. Apple did not answer WIRED’s request for comment by the time of publication, although its Lockdown Mode will disable 2G connections.

Ultimately, you may not know if an SMS blaster is used to send you a scam. Ben Hurley, a detective sergeant with the City of London’s Dedicated Card and Payment Crime Unit, which is investigating cases locally, says that while the delivery is different, the actual scams themselves haven’t changed. Phishing messages are often designed to get you to click on a malicious link and hand over your personal information. “It’s a new way of doing the same thing,” Hurley says. “It’s changed how we have to investigate it, but actually it’s not changed the end result,” he says, adding that people should always be cautious of clicking links in unknown messages and take a moment before acting if the message feels suspicious.

As with all cybercrime, though, there is a chance that those operating the schemes and blasters could evolve their tactics. “The actual SMS blaster devices they use are relatively unsophisticated so far,” Mc Daid says, adding that the type of technology originally came from the world of governments, law enforcement, and militaries. If criminals are able to gain access to more sophisticated technology and expertise, he says, “this could be the beginning of a cat and mouse game.”

Cybercriminals Have a Weird New Way to Target You With Scam Texts

A misconfigured platform used by the Department of Homeland Security left national security information—including some related to the surveillance of Americans—accessible to thousands of people.

The Department of Homeland Security's mandate to carry out domestic surveillance has been a concern for privacy advocates since the organization was first created in the wake of the September 11 attacks. Now a data leak affecting the DHS's intelligence arm has shed light not just on how the department gathers and stores that sensitive information—including about its surveillance of Americans—but on how it once left that data exposed to thousands of government and private sector workers and even foreign nationals who were never authorized to see it.

An internal DHS memo obtained by a Freedom of Information Act (FOIA) request and shared with WIRED reveals that from March to May of 2023, a DHS online platform used by the DHS Office of Intelligence and Analysis (I&A) to share sensitive but unclassified intelligence information and investigative leads among the DHS, the FBI, the National Counterterrorism Center, local law enforcement, and intelligence fusion centers across the US was misconfigured, accidentally exposing restricted intelligence information to all users of the platform.

Access to the data, according to a DHS inquiry described in the memo, was meant to be limited to users of the Homeland Security Information Network's intelligence section, known as HSIN-Intel. Instead it was set to grant access to “everyone,” exposing the information to HSIN's tens of thousands of users. The unauthorized users who had access included US government workers focused on fields unrelated to intelligence or law enforcement such as disaster response, as well as private sector contractors and foreign government staff with access to HSIN.

“DHS advertises HSIN as secure and says the information it holds is sensitive, critical national security information,” says Spencer Reynolds, an attorney for the Brennan Center for Justice who obtained the memo via FOIA and shared it with WIRED. “But this incident raises questions about how seriously they take information security. Thousands and thousands of users gained access to information they were never supposed to have.”

HSIN-Intel's data includes everything from law enforcement leads and tips to reports on foreign hacking and disinformation campaigns, to analysis of domestic protest movements. The memo about the HSIN-Intel breach specifically mentions, for instance, a report discussing “protests relating to a police training facility in Atlanta”—likely the Stop Cop City protests opposing the creation of the Atlanta Public Safety Training Center—noting that it focused on “media praising actions like throwing stones, fireworks and Molotov cocktails at police.”

In total, according to the memo about the DHS internal inquiry, 439 I&A “products” on the HSIN-Intel portion of the platform were improperly accessed 1,525 times. Of those unauthorized access instances, the report found that 518 were private sector users and another 46 were non-US citizens. The instances of foreign user accesses were “almost entirely” focused on cybersecurity information, the report notes, and 39 percent of all the improperly accessed intelligence products involved cybersecurity, such as foreign state-sponsored hacker groups and foreign targeting of government IT systems. The memo also noted that some of the unauthorized US users who viewed the information would have been eligible to have accessed the restricted information if they’d asked to be considered for authorization.

“When this coding error was discovered, I&A immediately fixed the problem and investigated any potential harm,” a DHS spokesperson told WIRED in a statement. “Following an extensive review, multiple oversight bodies determined there was no impactful or serious security breach. DHS takes all security and privacy measures seriously and is committed to ensuring its intelligence is shared with federal, state, local, tribal, territorial, and private sector partners to protect our homeland from the numerous adversarial threats we face."

The Office of the Director of National Intelligence, which oversees US intelligence agencies, didn’t respond to a request for comment.

Although the exposure occurred under the Biden administration, the memo highlights the risks of surveillance data collected on Americans that persists under the current administration, argues Jeramie Scott, the director of the Surveillance Oversight Program at the Electronic Privacy Information Center, a digital rights nonprofit. In fact, he argues, the relative lack of transparency of the Trump administration and DHS's hostility to oversight measures suggests that if a similar data breach occurred now, the public might never know. As an example, he points to the effective shuttering of the 150-person DHS oversight arm known as the Office for Civil Rights and Civil Liberties. “If this was occurring then, is this type of thing going to be captured now?” Scott asks. "Everyone should be concerned about the fact that things like this happen, and oversight has only deteriorated since this incident occurred."

According to the memo about the DHS's inquiry into its intelligence exposure, the DHS Office of Privacy initially considered the breach to have had “minimal to low impact." But the author of the memo, whose name has been redacted in the form released under FOIA, determined that the Office of Privacy hadn't fully considered the personally identifiable information (PII) exposed in the breach, particularly that of Americans, contradicting that “low impact” assessment. The memo recommended as one finding of the inquiry that I&A retrain staff on the definitions of PII.

Two pieces of legislation currently before Congress seek to reform or restrict DHS's surveillance powers, one called the Strengthening Oversight of DHS Intelligence Act and another that would amend the Intelligence Authorization Act of 2026 to place new restrictions on funding for some DHS domestic surveillance programs. The Brennan Center's Reynolds notes, however, that the amendments have specific exceptions for DHS's sharing of intelligence with other government agencies or contractors, so likely wouldn't affect HSIN-Intel.

The memo about the DHS's inquiry into the HSIN-Intel data exposure, Reynolds also points out, doesn't assess the effects of the breach on all of the other organizations whose data was leaked in the incident, or even mention that other agencies' troves of sensitive data were impacted. “Given the volume of data, it's highly likely they would have been,” Reynolds says. “This should raise alarm bells for the agencies nationwide who trust the Office of Intelligence and Analysis with their information.”

More broadly, EPIC's Scott argues that the breach should concern not just the DHS or its partner agencies, but everyone who potentially falls under the DHS's surveillance remit—in other words, every American. “It affects everyone in the US because of the broadness of the surveillance and intelligence programs that they conduct," says Scott. “We're talking about an agency that's doing domestic intelligence. This implicates all of us.”

A DHS Data Hub Exposed Sensitive Intel to Thousands of Unauthorized Users

Obtaining and using a true burner phone is hard—but not impossible. Here are the steps you need to take to protect your mobile communications based on the risks you face.

Authorities around the world can use your cell phone to track your location and potentially access other sensitive private information about you. One possible protection from this data collection is a burner phone. As invasive state surveillance ramps up globally—including new initiatives in the United States to monitor travelers, protesters, and vulnerable populations—privacy tools that were formerly the domain of digital hermits and people involved in organized crime are now more and more appealing to everyone.

Burner phones, which are often “dumb” flip phones, can be loaded with prepaid minutes and offer anonymity when rotated frequently, purchased with cash, and siloed from any connections to you or your digital life. The idea is that cops, or other actors, are unlikely to be tracking a fresh burner phone in real time. But the crucial additional layer of protection that properly used burner phones offer is that even if they are—or they later tie communications from a burner phone to activity they are investigating—they can’t use digital ties to establish who was using it.

“Burner phones are used for a very specific, time-limited purpose and then discarded,” says Danacea Vo, founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “They’re mostly used to separate your identity from the identity of the device. Anonymity is the goal.”

Using a burner phone may seem like overkill, and it takes money, time, and some know-how to actually use them effectively. But once you understand the concepts, you can apply them to your specific situation to make more informed choices about how to best protect yourself and your privacy. This guide talks about burner phones that meet the strict definition, as well as “alternative” phones, or altphones, that apply many of the same concepts of burner phones but don’t offer the same degree of anonymity.

**Assessing Your Risks**

Whether you should be using a burner phone depends on your risk model—the factors and concerns that are specific to you. Every one of us is exposed to a different set of risks that can vary depending on your nationality, citizenship, political views, profession, and much more. For example, lawyers, activists, and journalists may be at higher risk of being targeted by authoritarian governments than, say, an electrician or a stay-at-home mom.

Your risk level and tolerance changes over time—possibly even from one day to the next—and this influences how you communicate with people and the devices you use to do so. When considering using a burner device, think about who you are trying to keep from getting your data or communications.

“Use cases for burners may include: crossing borders, traveling to a risky environment, or participating in or documenting a protest,” says Mohammed Al-Maskati, digital security helpline director at the rights group Access Now. “People should make these decisions based on their risk profile and the threats they feasibly face.”

Even if you conclude that using a true burner phone is right for you in certain situations, keep in mind that you can, and should, still use your regular devices for the vast majority of your digital activity. Unless you are actively hiding your existence or residence, you likely do not need to regularly use burner phones. And that’s a good thing, because taking the precautions required to establish the anonymity needed to maintain a device as a true burner phone—even for just one day—is challenging.

“Burner phones are almost impossible to keep anonymous,” says Rebecca Williams, a senior strategist for the American Civil Liberties Union’s privacy and data governance unit, who recently organized a community burner phone workshop in Brooklyn, New York. “No burner phone is perfect.”

**Setting Up a Burner Phone**

The hardest—and arguably the most critical—aspect of setting up a burner phone is purchasing the device and corresponding prepaid service in a way that preserves your anonymity. It’s not a burner phone, for example, if you purchased it with your credit card, your best friend’s credit card, or your neighbor’s credit card.

So purchase your burner with cash or consider using a prepaid debit card that you previously purchased with cash. Depending on where you’re shopping for your burner phone, these transactions may blend in a bit more than a cash purchase. Keep in mind, though, that for the latter to work you also have to take steps to shield your identity when purchasing the debit card.

Ideally, authorities or other actors will never discover the activity of your burner phone; but realistically, you need to be operating under the assumption that they eventually will. That is the point at which the separation between your identity and the burner phone is tested. But even if you can’t perfectly shield yourself, you can make it more difficult to establish a connection.

Every step in traveling to and from the purchase requires the same forethought as buying the phone itself. First, leave your personal phone or any other devices that connect to Wi-Fi or cell service at home. Wear a hat, mask, and generic, unmarked clothing to travel and purchase the device. Make sure to cover identifying features like tattoos. Also, remember not to use a car connected to you or anyone you know to get there since license plate readers and data collected by a vehicle could reveal your travels. Paying for public transit with a credit card or taking a rideshare ride through your personal account could also create a link, particularly if you are planning to buy your device in a low-traffic area, so plan your travel carefully.

You should buy the device in a location where you don’t normally shop or visit. Keep in mind, too, that almost all mainstream electronics retailers and big box stores implement extensive surveillance that includes security cameras, but also potentially things like facial recognition scanning. Your mask and neutral clothing can help, but if you can find an independently owned store that sells prepaid phones and may not be monetizing customer data as aggressively as a big company, there may be fewer surveillance records capturing the transaction.

If you’re contemplating having someone else buy the burner device for you, consider a couple of things. First, having them purchase the phone for you potentially involves them in whatever you’re planning to do with the phone, even if they are otherwise completely unconnected to the activity. Relatedly, you may think that no one knows that you’re pals with, say, certain customers you see regularly at your job or an acquaintance from your gym—but if someone is going to all the trouble of tracking your burner phone in a massive haystack of cell phone data, they can potentially figure out your connections to your decoy.

“A good thing about burner phones is they can serve a purpose without compromising a wider network, for example your family. Using one reduces risk not just for the individual, but for the group,” says Cyberlixir’s Vo. “They reduce the risk of association.”

In the United States you do not need to show identification or any other documentation to purchase a prepaid phone or SIM card, though some other countries record identity information alongside purchases. Many prepaid cell phones do require activation and a certain amount of setup that salespeople may offer to help you with on the spot. Wait to do the setup later, though.

In books, movies, and television, burner phones are often depicted as old-school flip phones, and this type of phone is a convenient choice because their feature set is so limited, leaving less room for mistakes that could potentially expose your identity. A prepaid smartphone package or Wi-Fi-only device newly purchased with cash can also be a burner phone—but you should only log into purpose-made burner accounts and only use the burner phone on highly trafficked public Wi-Fi. Never join your home Wi-Fi or any other Wi-Fi that could reveal your everyday habits or movements, because this would leave digital breadcrumbs tied to your identity that are routinely used in law enforcement investigations.

**Using a Burner Phone**

Do not turn on the burner phone at all until you are about to use it for its limited duration purpose. Remember that the first time you turn on a cell phone and it connects to the network, the mobile provider starts getting location data based on which cell tower the phone is connected to.

“Do not power the phone on near your home, work, or usual hangouts,” Cyberlixir’s Vo says. “Activate and test the phone somewhere far away, preferably in a crowded or busy area where you blend in.”

Keep the phone off and ideally in a faraday bag whenever you are going about your daily life, preventing it from inadvertently generating data about your movements. Only use it for short stints and ideally for one to seven days max. No matter how careful you are, using a burner phone long term will eventually erode its anonymity, because anyone who cares to look could start to see patterns in the cell data over time.

Another important detail: Using a “dumb phone” as a burner phone almost always means that you will not have access to end-to-end encrypted communications software on the device. In other words, part of the necessity of rotating the phones regularly is that authorities would be able to access call records and text messages. Access to end-to-end encrypted communication apps is one potential advantage of taking on a prepaid smartphone as a burner, but you have to weigh the pros and cons for your scenario.

In either case, you should use your burner phone in an extremely, obsessively limited way for its intended purpose and absolutely nothing else. Write down phone numbers that you will contact using the burner phone rather than sending them or saving them in your regular personal devices, and never send your burner phone number to anyone from one of your everyday devices.

When you are done with the burner phone, make sure that you get rid of it in a thoughtful way as well. “At the end of the intended use, consider steps to eliminate information, remove SIM cards and/or memory cards, making sure not to leave a potential vulnerability after you,” says Access Now’s Al-Maskati.

**Using an Alternative Phone**

Depending on your risk model, it may not be appropriate or even the most practical to use a true burner phone. Instead, you may want to consider using an altphone to separate elements of your digital life.

“There is a lot of confusion, because ‘burner phone’ is a generic term,” says Matt Mitchell, CEO of the risk mitigation firm Safety Sync Group. “I usually try to group tactics and advice based on goals. It begins with why a normal phone isn't good for privacy and then a dial on how private you’re trying to get. The privacy goals are the dial—from safer hygiene, to more secure operating systems, to straight-up locked-down phones.”

For many people, an altphone or “lighter” burner phone is likely to be a smartphone that allows a wide range of communications and access to privacy-enhancing tools such as encrypted messaging apps like Signal, VPNs, online tracker blockers, and more. This way you can tune your personal privacy dial to keep certain web browsing, software use, media consumption, or communication more private and anonymous than it would be on your normal devices.

“What are you trying to protect? If you're just trying to obscure your phone number from somebody, you can do that in a much lighter way” than using a heavily anonymized device, the ACLU’s Williams says. “But if you're really trying to go off grid, you have to do all this other stuff.

An altphone may be a smartphone that you separate as much as possible from your identity, perhaps a phone that you only use for attending protests. Or it could be an old phone you repurpose and use for things like traveling. How you set the privacy dial depends on the use case.

“A repurposed phone can be used for an extended period of time,” Cyberlixir’s Vo says. “A repurposed phone already has your traces, even with factory reset. There might be a sales receipt, CCTV log, or someone taking a picture of you talking on the phone. So they are useful for compartmentalizing activities. Work versus personal phone is the most obvious example. Or one for international travel.” Reused devices also retain certain identifiers such as IMEI numbers over time.

Using a smartphone as a second device does have its own considerations. When it comes to mainstream devices, “smartphones do a terrible job at protecting people’s privacy and securing their communications,” says Access Now’s Al-Maskati. “If people obtain a smartphone to use as a burner, it’s best to reset to factory settings, never connect any real accounts (AppleID, Google, social media), and do not sync any other information, as well as disabling unnecessary location and other services.”

You should only use your altphone for its intended purpose—if it’s a phone you want to take to protests, for example, it shouldn’t be used for texting friends or online shopping. As with a true burner phone, you should avoid using it in the same location that you use other devices—in other words, avoid connecting to the same Wi-Fi networks. Don’t turn your altphone on alongside your day-to-day devices and, relatedly, don’t carry them all together unless your altphone is in a Faraday bag. Only provide contact information for the altphone to those who need it.

Whether you’re using a burner phone or an altphone, though, the bottom line is that there are no guarantees or perfect solutions. And if there is absolutely no room for error, go analogue and don’t bring or involve a phone in whatever you’re doing.

How to Set Up and Use a Burner Phone

Every VPN says it’s the best, but only some of them are telling the truth.

*   **The Best VPN for Streaming**
    
    Screenshot courtesy of Scott Gilberson via NordVPN
    
    NordVPN has a long history, and it's one of the most prominent VPN services on the market. It comes with one of the largest VPN networks available, enough features to make Surfshark blush, and decent (though not the best) speeds. It's a little more expensive than I'd hoped for, but that's the price you pay for such an extensive network and feature set.
    
    Where NordVPN really excels is in media. Streaming providers like Netflix and HBO Max are privy to how VPNs circumvent geo-restrictions, and a small network means you're more likely to get blocked. The fact that NordVPN has such a large network gives it an edge in streaming and less sensitive online browsing. It really wins with its NordWhisper protocol. The company recommends using its WireGuard-based NordLynx protocol most of the time, but NordWhisper sacrifices a bit of speed to obfuscate VPN traffic further, getting around most blocks.
    
    NordWhisper isn't made for normal streaming environments, but it's great to have on restrictive networks. If you're traveling internationally and using hotel Wi-Fi, for instance, NordWhisper can help circumvent VPN blocks. The company saw a minor breach in 2018 and stirred up controversy in 2022 with a subtle change in wording regarding cooperation with law enforcement. In both cases, it responded quickly and maintained transparency, so contrary to what you may have read, NordVPN is safe to use.
    
    Specs
    
    **Number of devices:** 10
    
    **Number of servers:** 7,400+
    
    **Applications:** Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Edge, Google TV, Apple TV
    
    **Features:** Kill switch, split tunneling, double-hop, dark web monitoring, P2P servers
    

**Other VPNs We’ve Tested**

**Private Internet Access (PIA)** has a long history in the VPN space, and it's maintained a track record of defending user privacy—even in the face of actual criminal activity. In 2016, a criminal complaint was filed in Florida against Preston Alexander McWaters for threats made online. McWaters was eventually convicted and sentenced to 42 months in prison. Investigators traced the online threats back to PIA's servers and subpoenaed the company. As the complaint reads, “A subpoena was sent to \[Private Internet Access\] and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States.” McWaters engaged in several other identifying activities, according to the complaint, but PIA wasn't among them. Despite such a clear view of a VPN provider upholding its no-logging policy, PIA didn't impress me during my tests. It's slightly more expensive than a lot of our top picks, and it delivered the worst speeds out of any VPN I tested, with more than a 50 percent drop on the closest US server. (Windscribe, for context, only dropped 15.6 percent of my speed.)

**MysteriumVPN** is the go-to dVPN, or decentralized VPN, as far as I can tell. The concept of a decentralized VPN has existed for a while, but it's really gained traction over the last couple of years. The idea is to have a network of residential IP addresses that make up the network, routing your traffic through normal IP addresses to get around the increasingly common block lists for VPN servers. Mysterium accomplishes this network with MystNodes. It's a crypto node. People buy the node to earn crypto, and they're put into the Mysterium network. It's not inherently bad, but routing your traffic through a single residential IP is a little worrisome. Even without the decentralized kick, Mysterium was slow, and it doesn't maintain any sort of privacy materials, be it a third-party audit, warranty canary, or transparency report.

**PrivadoVPN** is one of the popular options to recommend as a free VPN. It offers a decent free service, with a handful of full-speed servers and 10 GB of data per month. You'll have to suffer through four—yes, four—redirects begging you to pay for a subscription before signing up, but the free plan works. The problem is how new PrivadoVPN is. There's no transparency report or audit available, and although the speeds are decent, they aren't as good as Proton, Windscribe, or Surfshark. PrivadoVPN isn't bad, but it's hard to recommend when Proton and Windscribe exist with free plans that are equally as good.

**How We Test VPNs**

Functionally, a VPN should do two things: keep your internet speed reasonably fast, and actually protect your browsing data. That's where I focused my testing. Extra features, a comfy UI, and customization settings are great, but they don't matter if the core service is broken.

Speed testing requires spot-checking, as the time of day, the network you're connected to, and the specific VPN server you're using can all influence speeds. Because of that, I always set a baseline speed on my unprotected connection directly before recording results, and I ran the test three times across both US and UK servers. With those baseline drops, I spot-checked at different times of the day over the course of a week to see if the speed decrease was similar.

Security is a bit more involved. For starters, I checked for DNS, WebRTC, and IP leaks every time I connected to a server using Browser Leaks. I also ran brief tests sniffing my connection with Wireshark to ensure all of the packets being sent were secured with the VPN protocol in use.

On the privacy front, the top-recommended services included on this list have been independently audited, and they all maintain some sort of transparency report. In most cases, there's a proper report, but in others, such as Windscribe, that transparency is exposed through legal proceedings.

5 Best VPN Services (2025), Tested and Reviewed

Russian military exercises near NATO borders follow the recent incursion of Russian drones into the airspace of Poland and Romania, further stoking tensions with the West.

On Sunday, Russia released images of its launch of a 3M22 Zircon hypersonic missile from a frigate in the Barents Sea, in the Arctic Ocean, near NATO borders. The launch comes against a backdrop of rising tensions with the West, just days after several Russian drones violated the airspace of North Atlantic Treaty Organization member countries Poland and Romania.

The Zircon test is part of the Zapad 2025 joint maneuvers with Belarus, a week of military exercises aimed at assessing defensive and coordination capabilities between the two allied countries. It also serves to show that Russia's military force has not lost its strength, despite heavy losses more than three years after the start of the invasion of Ukraine.

In the video originally shared on Telegram, the crew aboard the frigate Admiral Golovko fires the Zircon at a target in the Barents Sea, an area bounded to the west by the Norwegian Sea. According to the Russian Defense Ministry, the target was destroyed in a direct hit by its hypersonic missile, which can reach a distance of up to 1,000 kilometers and travel at Mach 9—nine times the speed of sound.

The images also show exercises with Sukoi Su-34 supersonic fighter-bombers, a two-seater fighter-bomber that can carry up to eight tons of armament and can fly up to 2,485 miles (4,000 kilometers) without refueling (or more than 4,350 miles, or 7,000 km, with external tanks).

There is evidence that Russia has employed hypersonic missiles against civilian targets in Ukraine, such as the Zircon or Kinzhal, which are virtually impossible to intercept. This is not only because of their speed, but also because of their maneuvering capabilities, allowing them to change course mid-flight to evade defense systems (albeit in a limited way).

Remnants of a Russian Zircon hypersonic missile, after it hit a five-story residential building in Kyiv during an aerial bombardment, November 17, 2024.

SERGEI SUPINSKY/AFP via Getty Images

**Deliberate Provocation or Accident?**

This week, NATO set off international alarms due to a series of Russian drone incursions into Polish and Romanian airspace, a violation that had not been recorded so far in the Russia-Ukraine war, at least not on this scale. On September 10, at least 19 drones from Russia invaded Polish airspace, being intercepted and shot down by NATO fighters with no major damage on the ground. The incident was described by the Polish government as an "unprecedented violation" and a “large-scale provocation,” expressions shared by Mark Rutte, NATO's secretary general.

Poland then invoked Article 4 of the NATO Charter, which establishes a mechanism for consultation between NATO members “to exchange views and information and discuss issues before reaching agreement and taking action.” Following this debate among member countries, they launched Operation Eastern Sentinel, a military initiative to strengthen the defensive posture on the alliance's eastern flank through the deployment of advanced fighters and defense systems, among other measures, to counter missile and drone threats.

The alerts were triggered again on September 13, when Romania detected a drone, allegedly from Russia, in its airspace. Russian drone incursions into NATO airspace generated widespread international condemnation. The United States expressed support for the affected countries. “We consider this an unacceptable, regrettable and dangerous event,” said Marco Rubio, the US secretary of state. “No doubt the drones were intentionally launched. The question is whether they were intended to enter Poland.” The Russian government claimed it was not targeting Poland, while Belarus suggested the drones deviated from their initial trajectory.

Notwithstanding the attempts to offer explanations, the joint Zapad 2025 military exercises between Russia and Belarus do little to reduce tensions in Eastern Europe. Although both nations insist that the exercises are defensive in nature, the proximity of the exercises to NATO borders, as well as tests of hypersonic missiles in the Arctic, raise new concerns among Atlantic Alliance member countries.

Russia Tests Hypersonic Missile at NATO’s Doorstep—and Shares the Video

Plus: ICE deploys secretive phone surveillance tech, officials warn of Chinese surveillance tools in US highway infrastructure, and more.

Right-wing internet personality and Turning Point USA cofounder Charlie Kirk was shot and killed on Wednesday during a speaking engagement at Utah Valley University in Orem, Utah. After a chaotic 24-hour manhunt, the FBI named 22-year-old Utah resident Tyler Robinson as a suspect in the murder.

As polarization and political violence continues to increase in the US, a new platform from the Public Service Alliance is offering tools like data-removal services and threat monitoring to public servants who increasingly need to defend themselves and their data. Meanwhile, new research this week warned that the number of US investors putting money into invasive commercial spyware rose significantly in 2024. According to the report, other countries are also increasingly emerging with new ties to spyware as well.

A massive data leak from the Chinese company Geedge Networks shows how the firm, which has ties to the “father” of China’s Great Firewall, is selling its censorship and surveillance products to at least four other countries in Asia and Africa.

On Wednesday, Poland shot down several Russian drones that entered its airspace and others crashed, the first time such an incident had occurred since the Kremlin’s 2022 invasion of Ukraine. The incident disrupted Polish air travel and stoked tensions in the region.

WIRED spoke with Cindy Cohn, the Electronic Frontier Foundation’s executive director who is stepping down after 25 years at the organization. She reflected on encryption and AI, and emphasized that even though she is leaving EFF, she is not ending her fight for digital rights. Meanwhile, alongside a slew of new products, Apple said this week that its new iPhones will ship with an integrated hardware and software feature known as Memory Integrity Enforcement that aims to eliminate the most frequently exploited type of iOS vulnerabilities.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**18,000 Epstein Emails Reveal Ghislaine Maxwell’s Role**

In a jaw-dropping new report, Bloomberg has obtained more than 18,000 emails from Jeffrey Epstein’s personal Yahoo account, offering a raw and unsettling window into the convicted sex offender and disgraced financier’s world—and that of his longtime associate Ghislaine Maxwell. The story reveals that Maxwell and Epstein remained deeply intertwined long after she claimed to have stepped away from his orbit. The correspondence details her role in managing his finances, property, and personal relationships, as well as efforts to discredit women who accused them of abuse. Among the revelations: Maxwell opened a foreign bank account using Epstein’s address, was listed as a director at one of his main companies, and even coordinated the distribution of luxury gifts to associates and victims alike.

The emails are a stark reminder of Maxwell’s complicity in Epstein’s crimes at a time when she is widely seen as courting favor with the Trump administration. Beyond advising Epstein on plea negotiations and scheming to discredit accusers, Maxwell appears to have remained the linchpin in his social network, connecting him to politicians, celebrities, and business titans, according to the emails reviewed by Bloomberg. The archive reveals her helping arrange gifts and payments—from a $71,000 Lexus for a lawyer to lingerie for teenage girls who later testified against them—while simultaneously navigating her own mounting exposure.

Against the background of Trump officials weighing whether to release the sealed “Epstein files” and speculation over a potential pardon, the correspondence positions Maxwell not only as Epstein’s fixer but someone who has long worked to secure her standing with those in power.

**ICE Deploys “Stingray” Tech, Renewing Surveillance Concerns**

In a newly unsealed warrant reviewed by Forbes, Immigration and Customs Enforcement was authorized to use a cell-site simulator—a controversial surveillance tool that tracks phones by mimicking real cell towers—in an effort to locate a Venezuelan national. Initial location data narrowed the man to a 30-block area, prompting ICE to request more precise tracking using the device. It’s unclear if he was ever caught.

The case highlights ICE’s reliance on surveillance tools long criticized by civil liberties groups for sweeping up swaths of data from bystanders alongside targets. In May, procurement records show ICE spent nearly $1 million on “cell site simulator vehicles,” building on a 2024 contract launched under the previous administration. ICE also reportedly maintains a $4.4 million deal with Harris Corporation, maker of the notorious “Stingray,” which has become an eponym for nearly all cell-site simulators used by law enforcement.

The devices work by tricking cell phones into believing they’re real cell towers, allowing police to identify a target device and track its movements far more precisely than the broad geolocation data available from phone companies. While a normal trace may only provide a rough radius or general direction, with a stingray—and a few attachments—police can shrink the search to a specific block, home, or apartment. The devices are controversial because in certain modes, they don’t just capture the target’s phone signal—they scoop up data from every device in range, sweeping up information about bystanders’ calls without their knowledge or consent.

**US Transportation Department Report Warns of Hidden Radios in Highway Infrastructure**

A security advisory from the US Department of Transportation’s Federal Highway Administration said last month that highway infrastructure including chargers, traffic cameras, and roadside weather stations should be checked for hidden equipment. The report said, according to Reuters, that investigators have found “undocumented cellular radios” in some power inverters and battery management systems used for solar power in US highway equipment. The warning comes as the US government has increasingly sounded the alarm in recent years about the risk of backdoors in Chinese-made equipment that could undermine US infrastructure.

**US Issues Sanctions Over Digital Scamming in Cambodia and Myanmar**

The US Treasury Department sanctioned almost 20 companies and individuals in Myanmar and Cambodia this week for their alleged roles in the multibillion-dollar global scam industry. The swindles target victims around the world with investment, romance, and other digital confidence scams using the forced labor of human trafficking victims. The US issued financial and diplomatic sanctions against nine entities in Myanmar’s Shwe Kokko city as well as 10 in Cambodia. In a release about the action, John K. Hurley, undersecretary of the treasury for terrorism and financial intelligence, said,“Southeast Asia’s cyber scam industry not only threatens the well-being and financial security of Americans, but also subjects thousands of people to modern slavery.”

Jeffrey Epstein’s Yahoo Inbox Revealed

Authorities have named Tyler Robinson as a suspect in the murder of right-wing influencer Charlie Kirk, citing Discord messages as evidence of his alleged role.

The manhunt for the shooter who killed conservative activist Charlie Kirk ended Friday with a suspect taken into custody, authorities said.

Utah’s Department of Public Safety and the FBI confirmed the arrest during a morning briefing, capping a two-day search that began after the 31-year-old podcaster and Turning Point USA cofounder was fatally shot at Utah Valley University in Orem, Utah, on Wednesday.

Authorities identified the suspect as 22-year-old Tyler Robinson of Washington, Utah, after receiving a tip from a friend of Robinson’s family. Officials said the tip came late Thursday night, prompting agents to move quickly to locate and arrest him. A $100,000 reward for information leading to the identification and arrest of the shooter was announced Thursday.

President Donald Trump first announced the arrest in a live interview on Fox News, claiming, “With a high degree of certainty, we have him.”

At a press briefing Friday, Utah governor Spencer Cox announced Robinson had been arrested in the early hours of September 12 after a family member reached out to a family friend, who contacted authorities. The friend told investigators that Robinson had hinted at his involvement in the shooting. The tip was relayed through local law enforcement to the FBI and Utah county investigators, who matched Robinson’s gray Dodge Challenger and clothing to campus surveillance footage from the day of the shooting. A family member also told investigators that Robinson spoke critically of Kirk.

Cox said Robinson’s roommate also cooperated, showing investigators Discord messages in which Robinson discussed retrieving and hiding a rifle, leaving it wrapped in a towel, monitoring the drop site, and engraving bullets.

Later on Friday, Discord told NBC News in a statement that the company “identified a Discord account associated with the suspect,” which Discord has now removed. However, the company said the discussion Cox cited did not involve that account.

“The messages referenced in recent reporting about planning details do not appear to be Discord messages,” a Discord spokesperson told NBC News. “These were communications between the suspect’s roommate and a friend after the shooting, where the roommate was recounting the contents of a note the suspect had left elsewhere.”

FBI director Kash Patel outlined the bureau’s role in the investigation, stressing the speed of the response and coordination with Utah authorities. He said agents arrived on scene within 16 minutes of the shooting, secured the area alongside local police, and quickly began moving evidence to FBI labs in Quantico for analysis. “The FBI and our partners are proud to stand here today together to bring justice to the family of Charlie Kirk and honor his memory,” he said.

Patel closed his remarks with a brief eulogy for Kirk, saying, “I’ll see you in Valhalla.”

Beyond the Discord account mentioned by Cox, Robinson appears to have had virtually no online footprint that could be immediately identified in public or private databases. Internet users produced images they claimed came from family photo albums posted online, but the accounts of his immediate family members were shut down quickly, and these images couldn't be verified; none pointed to any obvious motive or ideology.

In a statement, Utah State University confirmed that Robinson briefly attended the school for one semester in 2021.

Investigators recovered a Mauser .30-caliber hunting rifle near the scene of the shooting, allegedly abandoned by the gunman as he fled into a wooded area. A spent round was found in the chamber, with three live cartridges in the magazine. Cox said Friday that the casings bore engraved inscriptions. They reportedly include memes to crude jokes, such as “if you read this, you are gay. LMAO.”

Authorities say the shooter fired from a rooftop overlooking a courtyard where Kirk was hosting one of his trademark “prove me wrong” campus debates. Widely shared footage online shows Kirk addressing a question on mass shootings when a bullet suddenly strikes him in the neck.

Roughly 3,000 people are estimated to have been in attendance. Millions more were confronted by gruesome footage of the incident online, in some cases autoplaying across major platforms like TikTok, Instagram, and X, where researchers say efforts to combat the spread of violent content have broadly declined.

The investigation unfolded at a moment when the FBI was already under fire. In recent weeks, the bureau has endured sweeping dismissals of senior and mid-level agents, moves alleged in a lawsuit this week to be politically motivated purges. The shake-ups are said to have sapped institutional knowledge and morale, signaling to agents that defying political directives could cost them their careers.

The days after the shooting were marked by confusion. Within hours, state and federal officials issued conflicting accounts of whether anyone had been detained. The FBI’s Patel briefly announced that a “subject” was in custody, only to later announce that the person had been released. Scrapped press conferences and uneven briefings fueled further uncertainty, with rampant speculation on TV news and social media rushing to fill the gaps in credible information.

Far-right influencers and extremist groups took to posting the personal details of people they accused of celebrating Kirk’s death, triggering harassment campaigns and death threats. Within hours of the shooting, a website began compiling names, social media handles, and employers of accused offenders.

That atmosphere grew even darker on Thursday, when the Democratic National Committee’s headquarters in Washington, DC, was briefly locked down over a bomb threat, which Capitol Police later deemed not credible. More than a dozen historically Black colleges and universities received hoax threats that forced lockdowns and class cancellations across several campuses.

Patel defended the FBI’s investigation during Friday’s press conference, saying it took “less than 36 hours—33 hours, in fact” for authorities to arrest Robinson. “This is what happens when you let good cops be cops,” Patel said.

FBI communications reviewed by WIRED show that agents had previously flagged Kirk’s events as potential flash points. In an April 2021 email, first obtained by the nonprofit Property of the People via public records request, a member of a Seattle-based FBI intelligence group is shown alerting other agents to Kirk’s appearances in Washington state. The events are listed among others flagged for having the potential to “lead to political violence.”

_Updated 3 pm ET, September 12, 2025: Added comment from Discord regarding messages related to the shooting._

Charlie Kirk Shooting Suspect Identified as 22-Year-Old Utah Man

A series of corporate leaks show that Chinese technology companies function far more like their Western peers than one might imagine.

A trove of internal documents leaked from a little-known Chinese company has pulled back the curtain on how digital censorship tools are being marketed and exported globally. Geedge Networks sells what amounts to a commercialized “Great Firewall” to at least four countries, including Kazakhstan, Pakistan, Ethiopia, and Myanmar. The groundbreaking leak shows in granular detail the capabilities this company has to monitor, intercept, and hack internet traffic. Researchers who examined the files described it as “digital authoritarianism as a service.”

But I want to focus on another thing the documents demonstrate: While people often look at China’s Great Firewall as a single, all-powerful government system unique to China, the actual process of developing and maintaining it works the same way as surveillance technology in the West. Geedge collaborates with academic institutions on research and development, adapts its business strategy to fit different clients’ needs, and even repurposes leftover infrastructure from its competitors. In Pakistan, for example, Geedge landed a contract to work with and later replace gear made by the Canadian company Sandvine, the leaked files show.

Coincidentally, another leak from a different Chinese company published this week reinforces the same point. On Monday, researchers at Vanderbilt University made public a 399-page document from GoLaxy, a Chinese company that uses AI to analyze social media and generate propaganda materials. The leaked documents, which include internal pitch decks, business goals, and meeting notes, may have come from a disgruntled former employee—the last two pages accuse GoLaxy of mistreating workers by underpaying them and mandating long hours. The document had been sitting on the open internet for months before another researcher flagged it to Brett Goldstein, a research professor in the School of Engineering at Vanderbilt.

GoLaxy’s main business is different from Geedge’s: It collects open source information from social media, maps relationships among political figures and news organizations, and pushes targeted narratives online through synthetic social media profiles. In the leaked document, GoLaxy claims to be the “number one brand in intelligence big data analysis” in China, servicing three main customers: the Chinese Communist Party, the Chinese government, and the Chinese military. The included technology demos focus heavily on geopolitical issues like Taiwan, Hong Kong, and US elections. And unlike Geedge, GoLaxy seems to be targeting only domestic government entities as clients.

But there are also quite a few things that make the two companies comparable, particularly in terms of how their businesses function. Both Geedge and GoLaxy maintain close relationships with the Chinese Academy of Sciences (CAS), the top government-affiliated research institution in the world, according to the Nature Index. And they both market their services to Chinese provincial-level government agencies, who have localized issues they want to monitor and budgets to spend on surveillance and propaganda tools.

GoLaxy didn’t immediately respond to a request for comment from WIRED. In a previous response to The New York Times, the company denied collecting data targeting US officials and called the outlet’s reporting misinformation. Vanderbilt researchers say they witnessed the company remove pages from its website after the initial reporting.

****Closer Than They Seem****

In the West, when academic scholars see opportunities to commercialize their cutting-edge research, they often become startup founders or start side businesses. GoLaxy seems to be no exception. Many key researchers at the company, according to the leaked document, still occupy spots at CAS.

But there’s no guarantee that CAS researchers will get government grants—just like a public university professor in the US can’t bet on their startup winning federal contracts. Instead, they need to go after government agencies like any private company would go after clients. One document in the leak shows that GoLaxy assigned sales targets to five employees and was aiming to secure 42 million RMB (about $5.9 million) in contracts with Chinese government agencies in 2020. Another spreadsheet from around 2021 lists the company’s current clients, which include branches of the Chinese military, state security, and provincial police departments, as well as other potential customers it was targeting.

Together, these two leaks show how the surveillance and propaganda industry in China is driven as much by economic forces as political ideology. “This echoes what I saw in researching emotion recognition AI and other surveillance tech, whose sales often appeared to be more motivated by market logic than by a grand plan to make the world more authoritarian,” says Shazeda Ahmed, a DataX postdoctoral scholar at UCLA.

****A Striking Detail****

The parallels with the West are hard to miss. A number of American surveillance and propaganda firms also started as academic projects before they were spun out into startups and grew by chasing government contracts. The difference is that in China, these companies operate with far less transparency. Their work comes to light only when a trove of documents slips onto the internet.

One of the aha moments I had reading the GoLaxy leak was when it explained the importance of its work by comparing it to Cambridge Analytica, a political consulting firm that harvested Facebook data from millions of users to target ads and influence elections.

“Internationally, besides helping Donald Trump win the 2016 US presidential election, the British company Cambridge Analytica had actually participated in more than 40 American political campaigns, and played an important behind-the-scenes role in events such as Ukraine’s Orange Revolution and the Brexit movement in the UK,” the document boasted.

An Associated Press investigation this week reveals that US companies have also allegedly participated in China’s surveillance market themselves. Over the course of decades, American firms sold software and hardware to Chinese police entities, some with features explicitly marketed for monitoring minority populations.

It is tempting to think of the Great Firewall or Chinese propaganda as the outcome of a top-down master plan that only the Chinese Communist Party could pull off. But these leaks suggest a more complicated reality. Censorship and propaganda efforts must be marketed, financed, and maintained. They are shaped by the logic of corporate quarterly financial targets and competitive bids as much as by ideology—except the customers are governments, and the products can control or shape entire societies.

_This is an edition of_ _**Zeyi Yang**_ _and_ _**Louise Matsakis’**_ _**Made in China newsletter**_. _Read previous newsletters_ _**here.**_

How China’s Propaganda and Surveillance Systems Really Operate

Alongside new iPhones, Apple released a new security architecture on Tuesday: Memory Integrity Enforcement aims to eliminate the most frequently exploited class of iOS bugs.

Apple launched a slate of new iPhones on Tuesday loaded with the company's new A19 and A19 Pro chips. Along with an ultrathin iPhone Air and other redesigns, the new phones come with a less flashy upgrade that could turn out to be the true killer feature. A security improvement called Memory Integrity Enforcement combines always-on, chip-level protections with software defenses in an effort to harden iPhones against the most common—and commonly exploited—software vulnerabilities.

In recent years, a movement has been steadily growing across the global tech industry to address a ubiquitous and insidious type of bugs known as memory-safety vulnerabilities. A computer's memory is a shared resource among all programs, and memory safety issues crop up when software can pull data that should be off limits from a computer's memory or manipulate data in memory that shouldn't be accessible to the program. When developers—even experienced and security-conscious developers—write software in ubiquitous, historic programming languages, like C and C++, it's easy to make mistakes that lead to memory safety vulnerabilities. That's why proactive tools like special programming languages have been proliferating with the goal of making it structurally impossible for software to contain these vulnerabilities, rather than attempting to avoid introducing them or catch all of them.

“The importance of memory safety cannot be overstated,” the US National Security Agency and Cybersecurity and Infrastructure Security Agency wrote in a June report. “The consequences of memory safety vulnerabilities can be severe, ranging from data breaches to system crashes and operational disruptions.”

Apple's Swift programming language, released in 2014, is memory-safe. The company says it has been writing new code in Swift for years as well as attempting to strategically overhaul and rewrite existing code in the memory-safe language to make its systems more secure. This reflects the challenge of memory safety across the industry, because even if new code is written more securely, the world's software was all written in memory-unsafe languages for decades. And while, in general, Apple's locked down ecosystem has so far succeeded at preventing widespread malware attacks against iPhones, motivated attackers, particularly spyware makers, do still develop complex iOS exploit chains at high cost to target specific victims' iPhones.

Even with the work Apple has done to begin overhauling its code for memory safety, the company has found that these rarefied attack chains virtually always still include exploitation of memory bugs.

“Known mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful, and exist throughout the industry,” Apple wrote in its Memory Integrity Enforcement announcement on Wednesday.

Apple has increasingly invested in memory safety with Swift and secure memory allocators that manage which regions of memory are “allocated” and “deallocated” for which data—a major factor in, and source of, memory safety vulnerabilities. But Memory Integrity Enforcement itself was originally inspired by work at the hardware level to protect code integrity even when a system has suffered memory corruption.

With memory-unsafe programming languages underlying so much of the world's collective code base, Apple's Security Engineering and Architecture team felt that putting memory safety mechanisms at the heart of Apple's chips could be a deus ex machina for a seemingly intractable problem. The group built on a specification known as Memory Tagging Extension (MTE) released in 2019 by the chipmaker Arm. The idea was to essentially password protect every memory allocation in hardware so that future requests to access that region of memory are only granted by the system if the request includes the right secret.

Arm developed MTE as a tool to help developers find and fix memory corruption bugs. If the system receives a memory access request without passing the secret check, the app will crash and the system will log the sequence of events for developers to review. Apple's engineers wondered whether MTE could run all the time rather than just being used as a debugging tool, and the group worked with Arm to release a version of the specification for this purpose in 2022 called Enhanced Memory Tagging Extension.

To make all of this a constant, real-time defense against exploitation of memory safety vulnerabilities, Apple spent years architecting the protection deeply within its chips so the feature could be on all the time for users without sacrificing overall processor and memory performance. In other words, you can see how generating and attaching secrets to every memory allocation and then demanding that programs manage and produce these secrets for every memory request could dent performance. But Apple says that it has been able to thread the needle.

Memory Integrity Enforcement “is built right into Apple hardware and software in all models of iPhone 17 and iPhone Air and offers unparalleled, always-on memory safety protection for our key attack surfaces including the kernel, while maintaining the power and performance that users expect,” Apple wrote in the announcement.

The company also released a version of the Enhanced Memory Tagging Extension specification for all Apple developers in Xcode so app makers can start to incorporate the protection into their products. Researchers who participate in Apple's special device program will also be encouraged to test and attack Memory Integrity Enforcement in the new version of the devices that contain A19 series chips.

Apple has often been criticized for how restrictive its walled-garden ecosystem can be, including when lack of transparency prevents security researchers from fully vetting Apple's systems. But the approach has also proved effective in many ways. And initial reactions to the announcement about Memory Integrity Enforcement were largely positive given the security benefits it promises.

“The deep integration of Apple's ecosystem means that security enhancements like Memory Integrity Enforcement have an enormous impact on overall user security and privacy,” says Alex Zenla, chief technology officer of the sandbox cloud security firm Edera. “Security can be effectively built-in from the ground up when properly designed.”

Source

Wired