Plus: France blames Russia for a series of cyberattacks, the US is taking steps to crack down on a gray market allegedly used by scammers, and Microsoft pushes the password one step closer to death.

Researchers unveiled a cluster of vulnerabilities in Apple’s wireless media streaming platform AirPlay this week that leave millions of third-party devices like speakers and TVs vulnerable to takeover if an attacker is on the same Wi-Fi network as the victim gadget. These “AirBorne” vulnerabilities have all been patched—including some that potentially impacted Apple’s Mac computers—but, in practice, third-party devices may not all get fixes, and even if they do, patch adoption could be low.

Records reviewed by WIRED show that utilizing car subscription features can substantially raise your risk of being subjected to government surveillance, because such services generate troves of data that are valuable to law enforcement. WIRED also did a deep dive on North Korea’s yearslong campaign to place IT workers inside companies in North American, the United Kingdom, and Europe. The schemes are more effective than ever as scammers incorporate AI into their workflows.

WhatsApp designed a special cloud processing platform called Private Processing to allow new AI tools to work in the secure messenger without compromising its end-to-end encryption. Experts warn, though, that it could create enticing targets for hackers. And we have a guide for navigating the privacy risks of using ChatGPT’s new image generator to do seemingly fun and innocuous projects like making an action figure version of yourself.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Three British Retailers Hacked in Spate of Cyberattacks**

Three separate retailers in the UK—including the supermarket Co-op and thedepartment stores Marks & Spencer and Harrods—have all revealed they have recently been subject to cyberattacks, with the intrusions and widespread impact seemingly ongoing. Toward the end of April, Marks & Spencer revealed it had been the victim of a “cyber incident.” Over the following two weeks, it has been forced to pause online orders within its apps, some food has been missing from its shelves, and it has paused recruitment and other “normal processes.” Staff at Co-op have been told to keep webcams turned on during remote meetings and check who is attending calls, after shutting down parts of its IT systems in response to its own hack. Harrods, meanwhile, told customers to “not do anything differently at this point.”

At the time of writing, none of the retailers have detailed the specific nature of the cyberattacks or the full scale of the impacts. It is also unclear if the attacks are linked. Bloomberg has reported a ransomware cartel dubbed DragonForce has claimed it and its partners were behind the attacks. The so-called cartel provides “infrastructure and tools” to hackers but “doesn't require affiliates to deploy its ransomware,” according to research from security firm Secureworks. The hacked companies did not respond to Bloomberg about the claims.

Bleeping Computer originally reported that the threat actors known as Scattered Spider were allegedly behind the attack on Marks & Spencer. The publication reported that the company’s servers were encrypted by ransomware, with the intrusion beginning as early as February. The attribution to Scattered Spider has not been confirmed by Marks & Spencer.

Over the past two years, Scattered Spider has emerged as one of the most prolific and dangerous sets of hackers currently operating. The threat actors are not a well-defined group of hackers. Instead, they’re more a loose collective that uses social engineering—such as phishing and voice calls—to gain initial access into company networks. Scattered Spider members are often English-speaking, teenaged, and can be members of the heinous criminal group the Com. The hackers have been active since June 2022 and have targeted more than 100 companies—including the high-profile hacks on Caesar's Entertainment and MGM Resorts in 2023.

**France (Finally) Names Russian Hackers for the First Time**

French authorities have condemned Russia’s military intelligence agency, accusing it of orchestrating a series of high-profile cyberattacks—including the hacking of Emmanuel Macron’s 2017 presidential campaign, a brazen 2015 assault on the TV channel TV5 Monde, and recent intrusion attempts targeting organizations involved in preparing the 2024 Paris Olympic Games.

French authorities have also disclosed the name and location of a GRU unit tied to the notorious hacking group APT28—information that had never before been officially released. Unit 20728 is based in the southern Russian city of Rostov-on-Don and operates out of the "166th Information Research Center."

This marks the first time French officials have publicly assigned blame to a foreign intelligence service following an internal attribution process. The timing is significant, coming as Paris positions itself at the forefront of Europe’s support for Ukraine.

**US Moves to Crack Down on ‘Largest Illicit Marketplace’**

The Trump administration has taken the first step toward blacklisting a Cambodian financial conglomerate at the center of a global money laundering network. On Thursday, the Treasury Department designated Huione Group as a money-laundering operation, alleging that the company and its affiliates have laundered more than $4 billion for criminals, including North Korean hackers and online scammers.

These scammers—who defraud victims through bogus investments and other schemes—rely on Huione and its affiliates to move funds abroad to evade both law enforcement and anti-money-laundering systems. The proposed action represents the most significant effort yet to crack down on Huione, which is tied to what experts believe to be the “largest illicit marketplace”: Huione Guarantee. According to WIRED’s January report, the marketplace has likely facilitated over $24 billion in gray-market transactions. Experts believe the platform operates as a one-stop shop for scammers, offering everything from victim contact lists and deepfake tools to fake investment websites and other illicit services.

**New Microsoft Accounts Won’t Need Passwords Anymore**

Slowly but surely, the password is dying. Over the past two years, passkeys—a stronger method of authentication that doesn’t require you to remember or use a password—have become more common. The rollout of the technology has been piecemeal, but big tech companies have worked for years to create the alternative, which is more secure than passwords. This week, Microsoft announced that people setting up new accounts with the company won’t have to create passwords at all. “New Microsoft accounts will now be ‘passwordless by default,’” the company wrote in a blog post. Microsoft is also pushing people further away from passwords and will “detect” the best way for people to lo in to their accounts if they have set up alternatives to passwords.

Hacking Spree Hits UK Retail Giants

A photo taken this week showed Mike Waltz using an app that looks like—but is not—Signal to communicate with top officials. "I don't even know where to start with this," says one expert.

On ThursdaY, Reuters published a photo depicting then-United States national security adviser Mike Waltz checking his phone during a cabinet meeting held by President Trump in the White House. If you enlarge the portion of the image that captures Waltz’s screen, it seems to show him using the end-to-end encrypted messaging app Signal. But if you look more closely, a notification on the screen refers to the app as “TM SGNL.” During a White House cabinet meeting on Wednesday, then, Waltz was apparently using an Israeli-made app called TeleMessage Signal to message with people who appear to be top US officials, including JD Vance, Marco Rubio, and Tulsi Gabbard.

After senior Trump administration cabinet members used vanishing Signal messages to coordinate March military strikes in Yemen—and accidentally included the editor in chief of The Atlantic in the group chat—the “SignalGate” scandal highlighted concerning breaches of traditional government “operational security” protocol as well as compliance issues with federal records-retention laws. At the center of the debacle was Waltz, who was ousted by Trump as US national security adviser on Thursday. Waltz created the “Houthi PC Small Group” chat and was the member who added top Atlantic editor Jeffrey Goldberg. "I take full responsibility. I built the group," Waltz told Fox News in late March. "We've got the best technical minds looking at how this happened," he added at the time.

SignalGate had nothing to do with Signal. The app was functioning normally and was simply being used at an inappropriate time for an incredibly sensitive discussion that should have been carried out on special-purpose, hardened federal devices and software platforms. If you're going to flout the protocols, though, Signal is (relatively speaking) a good place to do it, because the app is designed so only the senders and receivers of messages in a group chat can read them. And the app is built to collect as little information as possible about its users and their associates. This means that if US government officials were chatting on the app, spies or malicious hackers could only access their communications by directly compromising participants' devices—a challenge that is potentially surmountable but at least limits possible access points. Using an app like TeleMessage Signal, though, presumably in an attempt to comply with data retention requirements, opens up numerous other paths for adversaries to access messages.

"I don't even know where to start with this," says Jake Williams, a former NSA hacker and vice president of research and development at Hunter Strategy. “It's mind-blowing that the federal government is using Israeli tech to route extremely sensitive data for archival purposes. You just know that someone is grabbing a copy of that data. Even if TeleMessage isn't willingly giving it up, they have just become one of the biggest nation-state targets out there.”

TeleMessage was founded in Israel in 1999 by former Israel Defense Forces technologists and run out of the country until it was acquired last year by the US-based digital communications archiving company Smarsh. The service creates duplicates of communication apps that are outfitted with a “mobile archiver” tool to record and store messages sent through the app.

“Capture, archive and monitor mobile communication: SMS, MMS, Voice Calls, WhatsApp, WeChat, Telegram & Signal,” TeleMessage says on its website. For Signal it adds, “Record and capture Signal calls, texts, multimedia and files on corporate-issued and employee BYOD phones.” (BYOD stands for bring your own device.) In other words, there are TeleMessage versions of Signal for essentially any mainstream consumer device. The company says that using TeleMessage Signal, users can “Maintain all Signal app features and functionality as well as the Signal encryption,” adding that the app provides “End-to-End encryption from the mobile phone through to the corporate archive.” The existence of “the corporate archive,” though, undermines the privacy and security of the end-to-end encryption scheme.

TeleMessage apps are not approved for use under the US government's Federal Risk and Authorization Management Program or FedRAMP. TeleMessage and Smarsh did not immediately return requests for comment about whether their products are used by the US federal government and in what capacity.

"As we have said many times, Signal is an approved app for government use and is loaded on government phones,” White House press secretary Anna Kelly tells WIRED. She did not answer questions about whether the White House approves of federal officials using TeleMessage Signal—which is a different app from Signal—or whether other officials aside from Waltz have used the app or currently use it.

The Cybersecurity and Infrastructure Security Agency does not create policy around federal technology use but does release public guidance. When asked about Waltz’s apparent use of TeleMessage Signal, CISA simply referred WIRED to its best-practices guide for mobile communications. The document specifically advises, “When selecting an end-to-end encrypted messaging app, evaluate the extent to which the app and associated services collect and store metadata.”

It is not clear when Waltz started using TeleMessage Signal and whether he was already using it during SignalGate or started using it afterward in response to criticisms that turning on Signal's disappearing messages feature is in conflict with federal data-retention laws.

“I have no doubt the leadership of the US national security apparatus ran this software through a full information-assurance process to ensure there was no information leakage to foreign nations,” says Johns Hopkins cryptographer Matt Green. “Because if they didn’t, we are screwed.”

Mike Waltz Has Somehow Gotten Even Worse at Using Signal

People are using ChatGPT’s new image generator to take part in viral social media trends. But using it also puts your privacy at risk—unless you take a few simple steps to protect yourself.

At the start of April, an influx of action figures started appearing on social media sites including LinkedIn and X. Each figure depicted the person who had created it with uncanny accuracy, complete with personalized accessories such as reusable coffee cups, yoga mats, and headphones.

All this is possible because of OpenAI’s new GPT-4o-powered image generator, which supercharges ChatGPT’s ability to edit pictures, render text, and more. OpenAI’s ChatGPT image generator can also create pictures in the style of Japanese animated film company Studio Ghibli—a trend that quickly went viral, too.

The images are fun and easy to make—all you need is a free ChatGPT account and a photo. Yet to create an action figure or Studio Ghibli-style image, you also need to hand over a lot of data to OpenAI, which could be used to train its models.

**Hidden Data**

The data you are giving away when you use an AI image editor is often hidden. Every time you upload an image to ChatGPT, you’re potentially handing over “an entire bundle of metadata,” says Tom Vazdar, area chair for cybersecurity at Open Institute of Technology. “That includes the EXIF data attached to the image file, such as the time the photo was taken and the GPS coordinates of where it was shot.”

OpenAI also collects data about the device you’re using to access the platform. That means your device type, operating system, browser version, and unique identifiers, says Vazdar. “And because platforms like ChatGPT operate conversationally, there’s also behavioral data, such as what you typed, what kind of images you asked for, how you interacted with the interface and the frequency of those actions.”

It's not just your face. If you upload a high-resolution photo, you're giving OpenAI whatever else is in the image, too—the background, other people, things in your room and anything readable such as documents or badges, says Camden Woollven, group head of AI product marketing at risk management firm GRC International Group.

This type of voluntarily provided, consent-backed data is “a gold mine for training generative models,” especially multimodal ones that rely on visual inputs, says Vazdar.

OpenAI denies it is orchestrating viral photo trends as a ploy to collect user data, yet the firm certainly gains an advantage from it. OpenAI doesn’t need to scrape the web for your face if you’re happily uploading it yourself, Vazdar points out. “This trend, whether by design or a convenient opportunity, is providing the company with massive volumes of fresh, high-quality facial data from diverse age groups, ethnicities, and geographies.”

OpenAI says it does not actively seek out personal information to train models—and it doesn’t use public data on the internet to build profiles about people to advertise to them or sell their data, an OpenAI spokesperson tells WIRED. However, under OpenAI’s current privacy policy, images submitted through ChatGPT can be retained and used to improve its models.

Any data, prompts, or requests you share helps teach the algorithm—and personalized information helps fine tune it further, says Jake Moore, global cybersecurity adviser at security outfit ESET, who created his own action figure to demonstrate the privacy risks of the trend on LinkedIn.

**Uncanny Likeness**

In some markets, your photos are protected by regulation. In the UK and EU, data-protection regulation including the GDPR offer strong protections, including the right to access or delete your data. At the same time, use of biometric data requires explicit consent.

However, photographs become biometric data only when processed through a specific technical means allowing the unique identification of a specific individual, says Melissa Hall, senior associate at law firm MFMac. Processing an image to create a cartoon version of the subject in the original photograph is “unlikely to meet this definition,” she says.

Meanwhile, in the US, privacy protections vary. “California and Illinois are leading with stronger data protection laws, but there is no standard position across all US states,” says Annalisa Checchi, a partner at IP law firm Ionic Legal. And OpenAI’s privacy policy doesn’t contain an explicit carve-out for likeness or biometric data, which “creates a grey area for stylized facial uploads,” Checchi says.

The risks include your image or likeness being retained, potentially used to train future models, or combined with other data for profiling, says Checchi. “While these platforms often prioritize safety, the long-term use of your likeness is still poorly understood—and hard to retract once uploaded.”

OpenAI says its users’ privacy and security is a top priority. The firm wants its AI models to learn about the world, not private individuals, and it actively minimizes the collection of personal information, an OpenAI spokesperson tells WIRED.

Meanwhile, users have control over how their data is used, with self-service tools to access, export, or delete personal information. You can also opt out of having content used to improve models, according to OpenAI.

ChatGPT Free, Plus, and Pro users can control whether they contribute to future model improvements in their data controls settings. OpenAI does not train on ChatGPT Team, Enterprise, and Edu customer data⁠ by default, according to the company.

**Trending Topics**

The next time you are tempted to jump on a ChatGPT-led trend such as the action figure or Studio Ghibli–style images, it’s wise to consider the privacy trade-off. The risks apply to ChatGPT as well as many other AI image editing or generation tools, so it’s important to read the privacy policy before uploading your photos.

There are also steps you can take to protect your data. In ChatGPT, the most effective is to turn off chat history, which helps ensure your data is not used for training, says Vazdar. You can also upload anonymized or modified images, for example, using a filter or generating a digital avatar rather than an actual photo, he says.

It’s worth stripping out metadata from image files before uploading, which is possible using photo editing tools. “Users should avoid prompts that include sensitive personal information and refrain from uploading group photos or anything with identifiable background features,” says Vazdar.

Double-check your OpenAI account settings, especially those related to data use for training, Hall adds. “Be mindful of whether any third-party tools are involved, and never upload someone else’s photo without their consent. OpenAI’s terms make it clear that you’re responsible for what you upload, so awareness is key.”

Checchi recommends disabling model training in OpenAI’s settings, avoiding location-tagged prompts, and steering clear of linking content to social profiles. “Privacy and creativity aren’t mutually exclusive—you just need to be a bit more intentional.”

Think Twice Before Creating That ChatGPT Action Figure

For years, North Korea has been secretly placing young IT workers inside Western companies. With AI, their schemes are now more devious—and effective—than ever.

North Korea Stole Your Job

A new study found that code generated by AI is more likely to contain made-up information that can be used to trick software into interacting with malicious code.

AI-generated computer code is rife with references to nonexistent third-party libraries, creating a golden opportunity for supply-chain attacks that poison legitimate programs with malicious packages that can steal data, plant backdoors, and carry out other nefarious actions, newly published research shows.

The study, which used 16 of the most widely used large language models to generate 576,000 code samples, found that 440,000 of the package dependencies they contained were “hallucinated,” meaning they were nonexistent. Open source models hallucinated the most, with 21 percent of the dependencies linking to nonexistent libraries. A dependency is an essential code component that a separate piece of code requires to work properly. Dependencies save developers the hassle of rewriting code and are an essential part of the modern software supply chain.

****Package Hallucination Flashbacks****

These nonexistent dependencies represent a threat to the software supply chain by exacerbating so-called dependency confusion attacks. These attacks work by causing a software package to access the wrong component dependency, for instance by publishing a malicious package and giving it the same name as the legitimate one but with a later version stamp. Software that depends on the package will, in some cases, choose the malicious version rather than the legitimate one because the former appears to be more recent.

Also known as package confusion, this form of attack was first demonstrated in 2021 in a proof-of-concept exploit that executed counterfeit code on networks belonging to some of the biggest companies on the planet, Apple, Microsoft, and Tesla included. It's one type of technique used in software supply-chain attacks, which aim to poison software at its very source in an attempt to infect all users downstream.

“Once the attacker publishes a package under the hallucinated name, containing some malicious code, they rely on the model suggesting that name to unsuspecting users,” Joseph Spracklen, a University of Texas at San Antonio PhD student and lead researcher, told Ars via email. “If a user trusts the LLM's output and installs the package without carefully verifying it, the attacker’s payload, hidden in the malicious package, would be executed on the user's system.”

In AI, hallucinations occur when an LLM produces outputs that are factually incorrect, nonsensical, or completely unrelated to the task it was assigned. Hallucinations have long dogged LLMs because they degrade their usefulness and trustworthiness and have proven vexingly difficult to predict and remedy. In a paper scheduled to be presented at the 2025 USENIX Security Symposium, they have dubbed the phenomenon “package hallucination.”

For the study, the researchers ran 30 tests, 16 in the Python programming language and 14 in JavaScript, that generated 19,200 code samples per test, for a total of 576,000 code samples. Of the 2.23 million package references contained in those samples, 440,445, or 19.7 percent, pointed to packages that didn’t exist. Among these 440,445 package hallucinations, 205,474 had unique package names.

One of the things that makes package hallucinations potentially useful in supply-chain attacks is that 43 percent of package hallucinations were repeated over 10 queries. “In addition,” the researchers wrote, “58 percent of the time, a hallucinated package is repeated more than once in 10 iterations, which shows that the majority of hallucinations are not simply random errors but a repeatable phenomenon that persists across multiple iterations. This is significant, because a persistent hallucination is more valuable for malicious actors looking to exploit this vulnerability and makes the hallucination attack vector a more viable threat.”

In other words, many package hallucinations aren’t random, one-off errors. Rather, specific names of nonexistent packages are repeated over and over. Attackers could seize on the pattern by identifying nonexistent packages that are repeatedly hallucinated. The attackers would then publish malware using those names and wait for them to be accessed by large numbers of developers.

The study uncovered disparities in the LLMs and programming languages that produced the most package hallucinations. The average percentage of package hallucinations produced by open source LLMs such as CodeLlama and DeepSeek was nearly 22 percent, compared with a little more than 5 percent by commercial models. Code written in Python resulted in fewer hallucinations than JavaScript code, with an average of almost 16 percent compared with a little over 21 percent for JavaScript. Asked what caused the differences, Spracklen wrote:

_“This is a difficult question because large language models are extraordinarily complex systems, making it hard to directly trace causality. That said, we observed a significant disparity between commercial models (such as the ChatGPT series) and open-source models, which is almost certainly attributable to the much larger parameter counts of the commercial variants. Most estimates suggest that ChatGPT models have at least 10 times more parameters than the open-source models we tested, though the exact architecture and training details remain proprietary. Interestingly, among open-source models, we did not find a clear link between model size and hallucination rate, likely because they all operate within a relatively smaller parameter range._

_“Beyond model size, differences in training data, fine-tuning, instruction training, and safety tuning all likely play a role in package hallucination rate. These processes are intended to improve model usability and reduce certain types of errors, but they may have unforeseen downstream effects on phenomena like package hallucination._

_“Similarly, the higher hallucination rate for JavaScript packages compared to Python is also difficult to attribute definitively. We speculate that it stems from the fact that JavaScript has roughly 10 times more packages in its ecosystem than Python, combined with a more complicated namespace. With a much larger and more complex package landscape, it becomes harder for models to accurately recall specific package names, leading to greater uncertainty in their internal predictions and, ultimately, a higher rate of hallucinated packages.”_

The findings are the latest to demonstrate the inherent untrustworthiness of LLM output. With Microsoft CTO Kevin Scott predicting that 95 percent of code will be AI-generated within five years, here’s hoping developers heed the message.

_This story originally appeared on_ _Ars Technica._

AI Code Hallucinations Increase the Risk of ‘Package Confusion’ Attacks

WhatsApp's AI tools will use a new “Private Processing” system designed to allow cloud access without letting Meta or anyone else see end-to-end encrypted chats. But experts still see risks.

The end-to-end encrypted communication app WhatsApp, used by roughly 3 billion people around the world, will roll out cloud-based AI capabilities in the coming weeks that are designed to preserve WhatsApp’s defining security and privacy guarantees while offering users access to message summarization and composition tools.

Meta has been incorporating generative AI features across its services that are built on its open source large language model, Llama. And WhatsApp already incorporates a light blue circle that gives users access to the Meta AI assistant. But many users have balked at this addition, given that interactions with the AI assistant aren’t shielded from Meta the way end-to-end encrypted WhatsApp chats are. The new feature, dubbed Private Processing, is meant to address these concerns with what the company says is a carefully architected and purpose-built platform devoted to processing data for AI tasks without the information being accessible to Meta, WhatsApp, or any other party. While initial reviews by researchers of the scheme’s integrity have been positive, some note that the move toward AI features could ultimately put WhatsApp on a slippery slope.

“WhatsApp is targeted and looked at by lots of different researchers and threat actors. That means internally it has a well understood threat model,” says Meta security engineering director Chris Rohlf. “There's also an existing set of privacy expectations from users, so this wasn’t just about managing the expansion of that threat model and making sure the expectations for privacy and security were met—it was about careful consideration of the user experience and making this opt-in.”

End-to-end encrypted communications are only accessible to the sender and receiver, or the people in a group chat. The service provider, in this case WhatsApp and its parent company Meta, is boxed out by design and can’t access users’ messages or calls. This setup is incompatible with typical generative AI platforms that run large language models on cloud servers and need access to users’ requests and data for processing. The goal of Private Processing is to create an alternate framework through which the privacy and security guarantees of end-to-end encrypted communication can be upheld while incorporating AI.

Users opt into using WhatsApp’s AI features, and they can also prevent people they’re chatting with from using the AI features in shared communications by turning on a new WhatsApp control known as “Advanced Chat Privacy.”

“When the setting is on, you can block others from exporting chats, auto-downloading media to their phone, and using messages for AI features,” WhatsApp wrote in a blog post last week. Like disappearing messages, anyone in a chat can turn Advanced Chat Privacy on and off—which is recorded for all to see—so participants just need to be mindful of any adjustments.

Private Processing is built with special hardware that isolates sensitive data in a “Trusted Execution Environment,” a siloed, locked-down region of a processor. The system is built to process and retain data for the minimum amount of time possible and is designed grind to a halt and send alerts if it detects any tampering or adjustments. WhatsApp is already inviting third-party audits of different components of the system and will make it part of the Meta bug bounty program to encourage the security community to submit information about flaws and potential vulnerabilities. Meta also says that, ultimately, it plans to make the components of Private Processing open source, both for expanded verification of its security and privacy guarantees and to make it easier for others to build similar services.

Last year, Apple debuted a similar scheme, known as Private Cloud Compute, for its Apple Intelligence AI platform. And users can turn the service on in Apple’s end-to-end encrypted communication app, Messages, to generate message summaries and compose “Smart Reply” messages on both iPhones and Macs.

Looking at Private Cloud Compute and Private Processing side by side is like comparing, well, Apple(s) and oranges, though. Apple’s Private Cloud Compute underpins all of Apple Intelligence everywhere it can be applied. Private Processing, on the other hand, was purpose-built for WhatsApp and doesn’t underpin Meta’s AI features more broadly. Apple Intelligence is also designed to do as much AI processing as possible on-device and only send requests to the Private Cloud Compute infrastructure when necessary. Since such “on device” or “local” processing requires powerful hardware, Apple only designed Apple Intelligence to run at all on its recent generations of mobile hardware. Old iPhones and iPads will never support Apple Intelligence.

Apple is a manufacturer of high-end smartphones and other hardware, while Meta is a software company, and has about 3 billion users who have all types of smartphones, including old and low-end devices. Rohlf and Colin Clemmons, one of the Private Processing lead engineers, say that it wasn’t feasible to design AI features for WhatsApp that could run locally on the spectrum of devices WhatsApp serves. Instead, WhatsApp focused on designing Private Processing to be as unhelpful as possible to attackers if it were to be breached.

“The design is one of risk minimization,” Clemmons says. “We want to minimize the value of compromising the system.”

The whole effort raises a more basic question, though, about why a secure communication platform like WhatsApp needs to offer AI features at all. Meta is adamant, though, that users expect the features at this point and will go wherever they have to to get them.

“Many people want to use AI tools to help them when they are messaging,” WhatsApp head Will Cathcart told WIRED in an email. “We think building a private way to do that is important, because people shouldn’t have to switch to a less-private platform to have the functionality they need.”

“Any end-to-end encrypted system that uses off-device AI inference is going to be riskier than a pure end to end system. You’re sending data to a computer in a data center, and that machine sees your private texts,” says Matt Green, a Johns Hopkins cryptographer who previewed some of the privacy guarantees of Private Processing, but hasn’t audited the complete system. “I believe WhatsApp when they say that they’ve designed this to be as secure as possible, and I believe them when they say that they can’t read your texts. But I also think there are risks here. More private data will go off device, and the machines that process this data will be a target for hackers and nation state adversaries.”

WhatsApp says, too, that beyond basic AI features like text summarization and writing suggestions, Private Processing will hopefully create a foundation for expanding into more complicated and involved AI features in the future that involve processing, and potentially storing, more data.

As Green puts it, “Given all the crazy things people use secure messengers for, any and all of this will make the Private Processing computers into a very big target.”

WhatsApp Is Walking a Tightrope Between AI Features and Privacy

Researchers reveal a collection of bugs known as AirBorne that would allow any hacker on the same Wi-Fi network as a third-party AirPlay-enabled device to surreptitiously run their own code on it.

Apple’s AirPlay feature enables iPhones and Macbooks to seamlessly play music or show photos and videos on other Apple devices or third-party speakers and TVs that integrate the protocol. Now newly uncovered security flaws in AirPlay mean that those same wireless connections could allow hackers to move within a network just as easily, spreading malicious code from one infected device to another. Apple products are known for regularly receiving fixes, but given how rarely some smart-home devices are patched, it’s likely that these wirelessly enabled footholds for malware, across many of the hundreds of models of AirPlay-enabled devices, will persist for years to come.

On Tuesday, researchers from the cybersecurity firm Oligo revealed what they’re calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple’s proprietary radio-based protocol for local wireless communication. Bugs in Apple’s AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they’re on the same Wi-Fi network as the hacker’s machine. Another set of AirBorne vulnerabilities would have allowed hackers to exploit AirPlay-enabled Apple devices too, Apple told Oligo, though these bugs have been patched in updates over the last several months, and Apple tells WIRED that those bugs could have only been exploited when users changed default AirPlay settings.

Those Apple devices aside, Oligo’s chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions. “Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch—or they will never be patched,” Elbaz says. “And it's all because of vulnerabilities in one piece of software that affects everything.”

Despite Oligo working with Apple for months to patch the AirBorne bugs in all affected devices, the Tel-Aviv-based security firm warns that the AirBorne vulnerabilities in many third-party gadgets are likely to remain hackable unless users act to update them. If a hacker can get onto the same Wi-Fi network as those vulnerable devices—whether by hacking into another computer on a home or corporate network or by simply connecting to the same coffeeshop or airport Wi-Fi—they can surreptitiously take over these gadgets. From there, they could use this control to maintain a stealthy point of access, hack other targets on the network, or add the machines to a botnet of infected, coordinated machines under the hacker’s control.

Oligo also notes that many of the vulnerable devices have microphones and could be turned into listening devices for espionage. The researchers did not go so far as to create proof-of-concept malware for any particular target that would demonstrate that trick.

Oligo says it warned Apple about its AirBorne findings in the late fall and winter of last year, and Apple responded in the months since then by pushing out security updates. The researchers collaborated with Apple to test and validate the fixes for Macs and other Apple products.

Apple tells WIRED that it has also created patches that are available for impacted third-party devices. The company emphasizes, though, that there are limitations to the attacks that would be possible on AirPlay-enabled devices as a result of the bugs, because an attacker must be on the same Wi-Fi network as a target to exploit them. Apple adds that while there is potentially some user data on devices like TVs and speakers, it is typically very limited.

Below is a video of the Oligo researchers demonstrating their AirBorne hacking technique to take over an AirPlay-enabled Bose speaker to show their company’s logo for AirBorne. (The researchers say they didn’t intend to single out Bose, but just happened to have one of the company’s speakers on hand for testing.) Bose did not immediately respond to WIRED’s request for comment.

The AirBorne vulnerabilities Oligo found also affect CarPlay, the radio protocol used to connect to vehicles’ dashboard interfaces. Oligo warns that this means hackers could hijack a car’s automotive computer, known as its head unit, in any of more than 800 CarPlay-enabled car and truck models. In those car-specific cases, though, the AirBorne vulnerabilities could only be exploited if the hacker is able to pair their own device with the head unit via Bluetooth or a USB connection, which drastically restricts the threat of CarPlay-based vehicle hacking.

The AirPlay SDK flaws in home media devices, by contrast, may present a more practical vulnerability for hackers seeking to hide on a network, whether to install ransomware or carry out stealthy espionage, all while hiding on devices that are often forgotten by both consumers and corporate or government network defenders. “The amount of devices that were vulnerable to these issues, that's what alarms me,” says Oligo researcher Uri Katz. “When was the last time you updated your speaker?”

The researchers originally started thinking about this property of AirPlay, and ultimately discovered the AirBorne vulnerabilities, while working on a different project analyzing vulnerabilities that could allow an attacker to access internal services running on a target’s local network from a malicious website. In that earlier research, Oligo’s hackers found they could defeat the fundamental protections baked into every web browser that are meant to prevent websites from having this type of invasive access on other people’s internal networks.

While playing around with their discovery, the researchers realized that one of the services they could access by exploiting the bugs without authorization on a target’s systems was AirPlay. The crop of AirBorne vulnerabilities revealed today is unconnected to the previous work, but was inspired by AirPlay’s properties as a service built to sit open and at the ready for new connections.

And the fact that the researchers found flaws in the AirPlay SDK means that vulnerabilities are lurking in hundreds of models of devices—and possibly more, given that some manufacturers incorporate the AirPlay SDK without notifying Apple and becoming “certified” AirPlay devices.

“When third-party manufacturers integrate Apple technologies like AirPlay via an SDK, obviously Apple no longer has direct control over the hardware or the patching process,” says Patrick Wardle, CEO of the Apple device-focused security firm DoubleYou. “As a result, when vulnerabilities arise and third-party vendors fail to update their products promptly—or at all—it not only puts users at risk but could also erode trust in the broader Apple ecosystem."

_Updated 10 am ET, April 29, 2024: Clarified that the logo in Oligo's video is for AirBorne, not the company itself._

Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi

Records reviewed by WIRED show law enforcement agencies are eager to take advantage of the data trails generated by a flood of new internet-connected vehicle features.

Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers’ exposure to government surveillance and the likelihood of being caught up in police investigations.

A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of “connected cars,” with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement’s knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies—not the law—determine driver privacy.

“Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera,” one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. “If the vehicle has an active subscription,” they add, “it does create more data.”

The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely.

One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data—revealing its location—roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead.

Charlotte McCoy, a GM spokesperson, tells WIRED the company now requires a court order before handing over location data to law enforcement. “We review each request individually to assess the circumstances and the nature of the request before providing any information,” they say. “Connectivity offers many benefits—including navigation, communication, safety, and maintenance—and customers can mask their location or turn off connectivity at any time.”

Other car manufacturers listed in the CHP presentation, including Ford, did not respond to a request for comment.

“There's definitely a role being played by the companies in deciding what kind of standard they're going to insist on,” says Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. “And this is a dynamic we've seen in other areas of tech. Google and Facebook and Apple all played a role in saying, ‘We'll only provide this data in response to a warrant; other data we'll provide in response to a subpoena.’”

When police are investigating a specific suspect, they will often use a technique known as a “ping” to geographically locate a specific device known to belong to that individual. But when canvassing near a crime scene for an unknown perpetrator, authorities commonly rely on a procedure known as a “tower dump,” requesting that ISPs cast a wider net and identify virtually any devices that have connected to a specific cell tower during a certain window of time. Police analysts can then comb through this data and attempt to identify a culprit, often using surveillance footage or witness testimony about a vehicle’s color, make, or model.

Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car’s systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

In an August 2022 email, one detective noted: “In some vehicles, again \[it\] depends on manufacturer, the vehicle is still doing this despite the lack of an active subscription, and just sending the data back to the mother ship. This could be due to collecting user data for what the manufacturer sells it for, to providing this data to try to sell you on renewing your \[subscription\] package that lapsed.”

The “tower dump” technique is becoming increasingly unpopular in US courts following the US Supreme Court’s acknowledgement in 2018 that location data raises significant Fourth Amendment concerns. While the Supreme Court specifically avoided addressing tower dumps in its landmark _US v. Carpenter_ decision, a Fifth Circuit ruling last year placed the capability in great jeopardy, concluding that a warrant to “geofence” an area and collect evidence from a wide variety of individuals is inherently unconstitutional.

On the back of that decision, a federal magistrate in Mississippi ruled two months ago that tower dumps are likewise unconstitutional. While a “tower dump” and a “geofence” are not precisely the same—the latter relying on GPS coordinates obtained from internet companies such as Google, as opposed to a cell tower—the results are more or less identical: offering police a dragnet with which to accumulate vast amounts of location data on individuals, many if not most of whom are not suspected of committing a crime.

In response to the rapid changes in case law surrounding location data, Google—historically a frequent target of geofence warrants—announced technical changes to its software last year, making it effectively impossible to respond to these types of warrants.

“Location data is some of the most sensitive, revealing information that is generated by our devices, including our cars,” the EFF’s Crocker says. “It's extremely revealing of obviously where you go and where you've been, but also all the people you associate with and all the things you're doing. You can paint a very clear picture of someone's life with just a list of all the places they've been in their car. The Supreme Court has made that very clear.”

The police documents reviewed by WIRED alone demonstrate the arbitrary nature of vehicle surveillance upon this shifting legal landscape, with police noting, for instance, that while Verizon will refuse to allow police to define their own radius when requesting cell tower data, its competitors impose no such limitations. Another document notes that while AT&T will conduct “pings,” locating a device in real time, it will only do so for “voice devices.”

What is also clear from the documents is that US police are aware of the control corporations have over their ability to acquire vehicle location data, expressing fears that they could abruptly decide to kill off certain capabilities at any time.

In a letter sent in April 2024 to the Federal Trade Commission, US senators Ron Wyden and Edward Markey—Democrats from Oregon and Massachusetts, respectively—noted that a range of automakers, from Toyota, Nissan, and Subaru, among others, are willing to disclose location data to the government in response to a subpoena without a court order. Volkswagen, meanwhile, had its own arbitrary rules, limiting subpoenas to fewer than seven days’ worth of data. The senators noted that these policies stood in contrast to public pledges previously made by some automakers to require a warrant or court order before surrendering a customer’s location data.

Automakers “differ significantly on the important issue of whether customers are ever told they were spied on,” the senators wrote. At the time of the letter, only Tesla had a policy, they said, of informing customers about legal demands. “The other car companies do not tell their customers about government demands for their data, even if they are allowed to do so.”

“We respect our customers’ privacy and take our responsibility to protect their personal information seriously,” Bennet Ladyman, a T-Mobile spokesperson, says.

AT&T spokesperson Jim Kimberly says: “Like all companies, we are required by law to provide information to law enforcement and other government entities by complying with court orders, subpoenas, and other lawful discovery requests. In all cases, we review requests to determine whether they are valid. We require a search warrant based on the probable-cause standard for all government demands for real-time or historical location information, except in emergency situations. For government demands for cell tower searches, we require a probable-cause search warrant or a court order, except in emergency situations.”

Verizon did not respond to a request for comment.

“Especially now, with American civil liberties eroding rapidly, people should exercise great caution in granting new surveillance powers to law enforcement,” says Ryan Shapiro, executive director of Property of the People.

Jay Stanley, a senior policy analyst at the American Civil Liberties Union, notes that the police documents reviewed by WIRED contained substantial detail about car surveillance that appear to be publicly unavailable, suggesting that corporations are being far more open with law enforcement than they are with their own customers.

“It's an ongoing scandal that this kind of surveillance is taking place without people being aware of it, let alone giving permission for it,” Stanley says. “If they're carrying out surveillance on the public, the public should know. They should have meaningful knowledge and give meaningful consent before any kind of surveillance is activated, which clearly is not the case.”

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show

Plus: Cybercriminals stole a record-breaking fortune from US residents and businesses in 2024, and Google performs its final flip-flop in its yearslong quest to kill tracking cookies.

As the Trump administration’s aggressive immigration policy ramps up, people have started to seriously consider their privacy and security when crossing into the United States. That’s especially true when it comes to searches of travelers’ phones and other devices, which US Customs and Border Protection agents have broad authority to search. Fortunately, there are some steps you can take, such as deleting certain apps from your personal phone or using an alternative phone that’s set up just for traveling internationally.

Operatives with Elon Musk’s so-called Department of Government Efficiency (DOGE) have spent the first months of the Trump administration clawing their way into US government systems. It’s now starting to become clear exactly what those systems are and what kind of data on US residents they hold. WIRED this week detailed the 19 systems DOGE operatives have access to just at the Department of Health and Human Services.

Pope Francis died on Monday at age 88. The passing of the supreme pontiff sets in motion a conclave, the secretive process used to select the new pope. To protect the conclave’s integrity and try to prevent leaks, a wide range of security measures will be put in place, from privacy film on windows at the Vatican to signal jammers and sweeps for hidden microphones.

Google recently announced the initial rollout of end-to-end encrypted email for Google Workspace accounts, which is good news for the privacy of enterprise-level users. When a Workspace user emails a non-Workspace account, the recipient gets an invitation to create a guest account so they can read the email. Unfortunately, security experts say, this will likely create new opportunities for phishing attacks, as scammers try to bait people with fake invitations.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

SignalGate is the scandal that just won’t die—at least not if you’re US secretary of defense Pete Hegseth. On Wednesday, The Washington Post reported that Hegseth had installed Signal on a “second computer in his office” so that he could “use Signal in a classified space, where his cellphone and other personal electronics are not permitted, and communicate with ease with anyone.”

The Associated Press on Thursday added to the picture of Hegseth’s reported Signal use, revealing that Hegseth got a second internet line installed that connected directly to the public internet rather than through the Pentagon’s secured connection, according to sources who spoke with the AP. Hegseth allegedly did this so he could use that second computer with Signal installed. Then on Friday, The New York Times found that the phone number associated with Hegseth’s Signal account—the one he used in that infamous group chat—is easily discoverable online, potentially opening him up to targeted cyberattacks by hostile nations.

**Cybercriminals Stole a Record-Breaking $16.6 Billion From US Entities in 2024**

Despite a steady flow of arrests and takedowns of online scammers, cybercriminals are operating at unprecedented levels and making more money than ever. Two reports released this week reveal the stark scale of online criminality. Last year in the United States, businesses and individuals lost $16.6 billion to online crimes, according to the FBI’s Internet Crime Complaint Center—that’s the highest figure ever reported and a leap of 33 percent compared to 2023. In 2024, there were 859,532 complaints about potential online crimes, with the FBI saying phishing and spoofing complaints account for 193,000 of them, followed by extortion with 86,000 complaints. Investment scams, which often involve cryptocurrency, made up more than $6 billion of the total losses, with business email compromise scams leading to losses of $2.7 billion.

Around the same time, the United Nations Office on Drugs and Crime highlighted that giant scam compounds in Southeast Asia—where human trafficking victims are forced to work scamming people—are generating $40 billion in profits per year and keep on growing. These industrial-scale scam organizations, which are often linked to Chinese criminals, heavily use investment scams (sometimes called pig-butchering) to con people out of their life savings and are expanding outside of the region. “It spreads like a cancer,” Benedikt Hofmann of the UNODC said in a statement.

**Google Chrome Won’t Ditch Creepy Tracking Cookies After All**

Back in 2020, Google announced its Chrome browser would stop using third-party cookies, which track people around the web, and would move to a less creepy way of powering its advertising businesses. Web browsers such as Safari, Firefox, and Brave ditched cookies years before Google made the announcement. But this week, after countless U-turns, failed efforts to develop alternatives, and criticism that proposals to replace cookies would favor Google, the company announced it will, in fact, keep the trackers in Chrome.

“We’ve made the decision to maintain our current approach to offering users third-party cookie choice in Chrome,” wrote Anthony Chavez, the Google VP in charge of its Privacy Sandbox efforts, in a blog post. “As we’ve engaged with the ecosystem, including publishers, developers, regulators, and the ads industry, it remains clear that there are divergent perspectives on making changes that could impact the availability of third-party cookies,” Chavez wrote. While the US government is proposing that Google sell off Chrome as part of its antitrust case against the company, it’s still possible to turn off third-party cookies or use a privacy-friendly browser instead.

Pete Hegseth’s Signal Scandal Spirals Out of Control

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

Source

Wired