Records reviewed by WIRED show law enforcement agencies are eager to take advantage of the data trails generated by a flood of new internet-connected vehicle features.

Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers’ exposure to government surveillance and the likelihood of being caught up in police investigations.

A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of “connected cars,” with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement’s knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies—not the law—determine driver privacy.

“Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera,” one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. “If the vehicle has an active subscription,” they add, “it does create more data.”

The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely.

One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data—revealing its location—roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead.

Charlotte McCoy, a GM spokesperson, tells WIRED the company now requires a court order before handing over location data to law enforcement. “We review each request individually to assess the circumstances and the nature of the request before providing any information,” they say. “Connectivity offers many benefits—including navigation, communication, safety, and maintenance—and customers can mask their location or turn off connectivity at any time.”

Other car manufacturers listed in the CHP presentation, including Ford, did not respond to a request for comment.

“There's definitely a role being played by the companies in deciding what kind of standard they're going to insist on,” says Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. “And this is a dynamic we've seen in other areas of tech. Google and Facebook and Apple all played a role in saying, ‘We'll only provide this data in response to a warrant; other data we'll provide in response to a subpoena.’”

When police are investigating a specific suspect, they will often use a technique known as a “ping” to geographically locate a specific device known to belong to that individual. But when canvassing near a crime scene for an unknown perpetrator, authorities commonly rely on a procedure known as a “tower dump,” requesting that ISPs cast a wider net and identify virtually any devices that have connected to a specific cell tower during a certain window of time. Police analysts can then comb through this data and attempt to identify a culprit, often using surveillance footage or witness testimony about a vehicle’s color, make, or model.

Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car’s systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

In an August 2022 email, one detective noted: “In some vehicles, again \[it\] depends on manufacturer, the vehicle is still doing this despite the lack of an active subscription, and just sending the data back to the mother ship. This could be due to collecting user data for what the manufacturer sells it for, to providing this data to try to sell you on renewing your \[subscription\] package that lapsed.”

The “tower dump” technique is becoming increasingly unpopular in US courts following the US Supreme Court’s acknowledgement in 2018 that location data raises significant Fourth Amendment concerns. While the Supreme Court specifically avoided addressing tower dumps in its landmark _US v. Carpenter_ decision, a Fifth Circuit ruling last year placed the capability in great jeopardy, concluding that a warrant to “geofence” an area and collect evidence from a wide variety of individuals is inherently unconstitutional.

On the back of that decision, a federal magistrate in Mississippi ruled two months ago that tower dumps are likewise unconstitutional. While a “tower dump” and a “geofence” are not precisely the same—the latter relying on GPS coordinates obtained from internet companies such as Google, as opposed to a cell tower—the results are more or less identical: offering police a dragnet with which to accumulate vast amounts of location data on individuals, many if not most of whom are not suspected of committing a crime.

In response to the rapid changes in case law surrounding location data, Google—historically a frequent target of geofence warrants—announced technical changes to its software last year, making it effectively impossible to respond to these types of warrants.

“Location data is some of the most sensitive, revealing information that is generated by our devices, including our cars,” the EFF’s Crocker says. “It's extremely revealing of obviously where you go and where you've been, but also all the people you associate with and all the things you're doing. You can paint a very clear picture of someone's life with just a list of all the places they've been in their car. The Supreme Court has made that very clear.”

The police documents reviewed by WIRED alone demonstrate the arbitrary nature of vehicle surveillance upon this shifting legal landscape, with police noting, for instance, that while Verizon will refuse to allow police to define their own radius when requesting cell tower data, its competitors impose no such limitations. Another document notes that while AT&T will conduct “pings,” locating a device in real time, it will only do so for “voice devices.”

What is also clear from the documents is that US police are aware of the control corporations have over their ability to acquire vehicle location data, expressing fears that they could abruptly decide to kill off certain capabilities at any time.

In a letter sent in April 2024 to the Federal Trade Commission, US senators Ron Wyden and Edward Markey—Democrats from Oregon and Massachusetts, respectively—noted that a range of automakers, from Toyota, Nissan, and Subaru, among others, are willing to disclose location data to the government in response to a subpoena without a court order. Volkswagen, meanwhile, had its own arbitrary rules, limiting subpoenas to fewer than seven days’ worth of data. The senators noted that these policies stood in contrast to public pledges previously made by some automakers to require a warrant or court order before surrendering a customer’s location data.

Automakers “differ significantly on the important issue of whether customers are ever told they were spied on,” the senators wrote. At the time of the letter, only Tesla had a policy, they said, of informing customers about legal demands. “The other car companies do not tell their customers about government demands for their data, even if they are allowed to do so.”

“We respect our customers’ privacy and take our responsibility to protect their personal information seriously,” Bennet Ladyman, a T-Mobile spokesperson, says.

AT&T spokesperson Jim Kimberly says: “Like all companies, we are required by law to provide information to law enforcement and other government entities by complying with court orders, subpoenas, and other lawful discovery requests. In all cases, we review requests to determine whether they are valid. We require a search warrant based on the probable-cause standard for all government demands for real-time or historical location information, except in emergency situations. For government demands for cell tower searches, we require a probable-cause search warrant or a court order, except in emergency situations.”

Verizon did not respond to a request for comment.

“Especially now, with American civil liberties eroding rapidly, people should exercise great caution in granting new surveillance powers to law enforcement,” says Ryan Shapiro, executive director of Property of the People.

Jay Stanley, a senior policy analyst at the American Civil Liberties Union, notes that the police documents reviewed by WIRED contained substantial detail about car surveillance that appear to be publicly unavailable, suggesting that corporations are being far more open with law enforcement than they are with their own customers.

“It's an ongoing scandal that this kind of surveillance is taking place without people being aware of it, let alone giving permission for it,” Stanley says. “If they're carrying out surveillance on the public, the public should know. They should have meaningful knowledge and give meaningful consent before any kind of surveillance is activated, which clearly is not the case.”

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

Protecting Your Phone—and Your Privacy—at the US Border

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

**How the attack works**

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. The malware then captures the card details, which it then sends to the attacker’s own Android phone. They can then use the phone as a cloned card for contactless payments. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

**Where did SuperCard X come from?**

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both of these are likely built on concepts first outlined in NFCGate, a freely available open-source NFC software tool developed by German’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment framework**s** like Google Pay, Apple Pay, Samsung Pay, and som b**a**nk-specific wallet apps  use dynamic cryptographic tokens — which are similar in concept to the “rolling codes” often used in car keyless entry systems — to prevent signal replay attacks.

**How to protect yourself**

But, as with many things, the best defense is you. In this case, protection is simple. The cybercriminals behind this attack can’t do anything unless you install the software on your phone, and so they go through several steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android malware turns phones into malicious tap-to-pay machines 

Customs and Border Protection has broad authority to search travelers’ devices when they cross into the United States. Here’s what you can do to protect your digital life while at the US border.

Entering the United States has become more precarious since the start of the second Trump administration in January. There has been an apparent surge in both foreign visitors and US visa holders being detained, questioned, and even deported at the border. As the situation evolves, demand for flights from Canada and Europe has plummeted as people reevaluate their travel plans.

Many people, though, can’t avoid border crossings, whether they are returning home after traveling for work or visiting friends and family abroad. Regardless of the reason for travel, US Customs and Border Protection (CBP) officials have the authority to search people’s phones and other devices as they determine who is allowed to enter the country. Multiple travelers have reported being questioned or turned away at the US border in recent weeks in relation to content on their phones.

While not unique to the US border—other nations also have powers to inspect phones—the increasingly volatile nature of the Trump administration’s border policies is causing people to rethink the risks of carrying devices packed with personal information to and from the US. Canadian authorities have updated travel guidance to warn of phone searches and seizures, some corporate executives are reconsidering the devices they carry, some officials in Europe continue to receive burner phones for certain trips to the US, and the Committee to Protect Journalists has warned foreign reporters about device searches at the US border.

With this in mind, here’s the WIRED guide to planning for bringing a smartphone across the border. You should also use WIRED’s guide to entering the US with your digital privacy intact to get a broader view of how to minimize data and take precautions. But start here for everything smartphone.

**What Can CBP Access?**

Do CBP officials have the authority to search your phone at the border? The short answer is yes. Searches are either manual, with a border official looking through the device, or more advanced, involving forensic tools to extract data en masse. To get into your phone, border officials can ask for your PIN or biometric to unlock the phone. However, your legal status and right to enter the US will make a difference in what a search might look like at the border.

Generally, border zones—which includes US international airports—fall outside of Fourth Amendment protections that require a warrant for a device to be searched (though one federal court has ruled otherwise). As such, CBP has the power to search any traveler’s phone or other electronic devices, such as computers and cameras, when they’re entering the country. US citizens and green card holders can refuse a device search without being denied entry, but they may face additional questioning or temporary device seizure. And as the Trump administration pushes the norms of acceptable government conduct, it is possible that, in practice, green card holders could face new repercussions for declining a device search. US visa holders and foreign visitors can face detention and deportation for refusing a device search.

“Not everybody has the same risk profile,” says Molly Rose Freeman Cyr, a member of Amnesty International’s Security Lab. “A person’s legal status, the social media accounts that they use, the messaging apps that they use, and the contents of their chats” should all factor into their risk calculus and the decisions they make about border crossings, Cyr says.

If you feel safe refusing a search, make sure to disable biometrics used to unlock your device, like face or fingerprint scanners, which CBP officers can use to access your device. Instead, use only a PIN or an alphanumeric code (if available on your device). Make sure to keep your phone’s operating system up to date, which can make it hard to crack with forensic tools.

You should also consider factors like nationality, citizenship, profession, and geopolitical views in assessing whether you or someone you’re traveling with could be at higher risk of scrutiny during border crossings.

In short, you need to make some decisions before you travel about whether you would be prepared to refuse a device search and whether you want to make changes to your devices before your trips.

Keep in mind that there are simple steps anyone can take to keep your devices out of sight and, hopefully, out of mind during border crossings. It’s always a good idea to obtain a printed boarding pass or prepare other paper documents for review and then turn your phone off and store it in your bag before you approach a CBP agent.

**Traveling With an Alternate Phone**

There are two ways to approach device privacy for border crossings. One is to start with a clean slate, purchasing a phone for the purpose of traveling or wiping and repurposing your old phone—if it still receives software updates.

The device doesn’t need to be a true “burner” phone, in the sense that you will be carrying it with you as if nothing is out of the ordinary, so you don’t need to purchase it with cash or take other steps to ensure that it can’t be connected to you. The idea, though, is to build a sanitized version of your digital life on the travel phone, ideally with separate communication and social media accounts created specifically for travel. This way, if your device is searched, it won’t have the back catalog of data—old text messages, years of photos, forgotten apps, and access to many or all of your digital accounts—that exists on your primary phone and could reveal details of your political views, your associations, or your movements over time.

Starting with a clean slate makes it easy to practice “data minimization,” or reducing the data available to another person: Simply put the things you’ll need for a trip on the phone without anything you won’t need. You might make a travel email address, some alternate social media accounts, and a separate account for end-to-end encrypted communications using an app like Signal or WhatsApp. Ideally you would totally silo your real digital life from this travel life. But you can also include some of your regular personal apps, building back from the ground up while determining on a selective basis whether you have existing accounts that you feel comfortable potentially exposing. Perhaps, for example, you think that showing a connection to your employer or a community organization could be advantageous in a fraught situation.

Privacy and digital rights advocates largely prefer the approach of building a travel device from scratch, but they caution that a phone that is too squeaky clean, too much like a burner phone, can arouse suspicion.

“You have to ‘seed’ the device. Use the phone for a day or even for a few hours. It just can't be _clean_ clean. That’s weird,” says Matt Mitchell, founder of CryptoHarlem, a security and privacy training and advocacy nonprofit. “My recommendation is to make a finsta for travel, because if they ask you what your profile is, how are you gonna say ‘I don't use any social media’? Many people have a few accounts anyway. One ratchet, one wholesome—add one travel.”

Cyr, from Amnesty International, also points out that a true burner phone would be a “dumb” phone, which wouldn’t be able to run apps for encrypted communications. “The advantage that we all have with smartphones is that you can communicate in an encrypted way,” Cyr says. “People should be conscious that any nonencrypted communication is less secure than a phone call or a message on an application like Signal.”

While a travel device doesn’t need to use a prepaid SIM card bought with cash, it should not share your normal phone number, since this number is likely linked to most if not all of your key digital accounts. Buy a SIM card for your trip or only use the device on Wi-Fi.

**Traveling With Your Primary Phone**

The other approach you can take to protecting your device during border crossings is to modify your primary smartphone before travel. This involves removing old photos and messages and storing them somewhere else, cleaning out nonessential apps, and either removing some apps altogether or logging out of them with your main accounts and logging back in with travel accounts.

Mohammed Al-Maskati, digital security helpline director at the rights group Access Now, says that people should consider this type of clean-out before they travel. “I will look at my device and see what apps I need,” he says. “If I don't need the app, I just remove it.”

Al-Maskati adds that he suggests people particularly remember to remove dating apps and anything related to LGBTQI communities, especially if they consider themselves to be at higher risk of facing a device search. And generally, this approach is only safe if you are particularly diligent about removing every app that might expose you to risk.

You could use your own phone as a travel phone by backing it up, wiping it, building a travel device with only the apps you really need while traveling, going on your trip, and then restoring from the backup when you get home. This approach is doable but time consuming, and it creates more opportunities for operational security mistakes or what are known as “opsec fails.” If you try to delete all of your old, unwanted apps, but miss one, you could end up exposing an old social media account or other historic service that has forgotten data in it. Messaging apps can have easily searchable archives going back years and can automatically save photos and files without you realizing it. And if you back up all of your data to the cloud and take it off your device, but are still logged into the cloud account underpinning other services (like your main Google or Apple account), you could be asked to produce the data from the cloud for inspection.

Still, if you assess that you are at low risk of facing scrutiny during a border crossing or you don’t have access to an additional device for travel, modifying your main smartphone is a good option. Just be careful.

**What To Do, If Nothing Else**

Given all of this, you may be hyped up and ready to throw your phone in the ocean. Or you may be thinking there’s no way in hell that you’re ever going to take the time to deal with any of this. For those in the latter camp, you’ve come this far, so don’t click away just yet. If you don’t want to take the time to make a bunch of changes, and you don’t think you’re at particular risk during border crossings (though keep in mind that it’s possible your risk is higher than you realize), there are still a few easy things you can do to protect your digital privacy that are better than nothing.

First, as mentioned above, print a paper boarding pass and any other documents you might need. Even if you don’t turn your phone off and stow it in a bag for your entire entry or exit process, you can put it in your pocket and have your paper ticket and other documents ready while actually interacting with agents. And taking basic digital hygiene steps, like updating your phone and removing apps and data you no longer need, can go a long way.

“We all need to be recognizing that authorities may scrutinize your online presence, including social media activity and posts you’ve published,” says Danacea Vo, founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Since people have gotten more vocal on social media, they’re very worried about this. Some have even decided not to risk traveling to or from the US this year.”

How to Protect Yourself From Phone Searches at the US Border

A list of topics we covered in the week of April 12 to April 18 of 2025

April 18, 2025 - Text scams come in many forms and are an ever increasing threat doing an awful lot of financial, and other, damage

April 17, 2025 - Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited...

April 16, 2025 - A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victims email address

April 15, 2025 - Car rental giant Hertz data suffered a data breach caused by a CL0P ransomware attack on file sharing vendor Cleo

April 14, 2025 - A newly created inetpub folder turns out to be part of a Microsoft update against a vulnerability tracked as CVE-2025-21204

 A week in security (April 12 &#8211; April 18) 

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited...

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Both vulnerabilities allowed an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.

The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

To check if you’re using the latest software version, go to **Settings** > **General** > **Software Update**. You want to be on iOS 18.4.1 or iPadOS 18.4.1, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Update available

**Technical details**

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:

*   CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution due to a memory corruption issue which was addressed with improved bounds checking.
*   CVE-2025-31201: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. This issue was addressed by removing the vulnerable code.

Given that both vulnerabilities were flagged as used in extremely sophisticated attacks and are patched simultaneously, it stands to reason that they were chained for a successful exploitation.

This deserves a bit of an explanation. Apple’s Pointer Authentication (PA) is a hardware security feature designed to detect and prevent tampering with critical pointers (like function addresses or return addresses) in memory. Computers use memory to store and provide information that software programs use as they run.

When creating a pointer (like a return address), the system adds a cryptographic signature (PAC) using secret keys. Before using the pointer, the system checks if the signature still matches.

A memory corruption issue can give an attacker the option to make a change in the device’s memory, but it’s often limited to a very small portion of the memory.

What could have happened here is that the attacker was able to use that ample space to create a pointer that was able to bypass the Pointer Authentication and use this ability to point from a legitimate application to their malicious code.

In the past researchers have already found bypass scenarios for attackers that already have full memory control.

What exactly happened is unknown, because, as a protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Which is also why it’s important to update before other criminals are using the same exploits in less targeted and more widespread attacks. To help with this, the Malwarebytes iOS app will guide you through “how to fix” and assist with similar cases in the future.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple patches security vulnerabilities in iOS and iPadOS. Update now! 

Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild.
The vulnerabilities in question are listed below -

CVE-2025-31200 (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio

Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks

Millions of scam text messages are sent every month. The Chinese cybercriminals behind many of them are expanding their operations—and quickly innovating.

The scam text messages follow a similar pattern: You need to pay an outstanding toll road fee, or a parcel can’t be properly delivered, they say. “The USPS package arrived at the warehouse but could not be delivered due to incomplete address information,” reads one typical message.

A link in the message points to a realistic website where you are asked to enter more details and make a small payment—while behind the scenes, cybercriminals hoover up your information and credit card digits in real time.

These messages originate from one prolific collection of loosely linked cybercriminals: “smishing” syndicates.

Over the past three years, these Chinese-speaking fraudsters have developed and operated the world’s foremost smishing operation, spamming millions of people with text messages and likely stealing millions of dollars in the process. The term “smishing” is a mashup of SMS and phishing emails, which try to trick people into handing over personal details. Text messages, though, add a layer of urgency and may catch people off-guard as they go about their busy day.

Now, these groups are quickly adapting their methods and expanding their scamming, security experts say.

“They operate very similar to a \[legitimate\] business in a lot of ways,” says Grant Smith, the founder of offensive cybersecurity firm Phantom Security who last year hacked one Chinese-language group and uncovered how its internal phishing kits function.

“The vast majority of the kits I see nowadays are surprisingly well put together,” Smith says. “They are constantly developing these, constantly updating them, making them look better, making them more secure.”

Multiple Chinese-speaking smishing groups and individual actors are involved in the ongoing development of new techniques and running the large-scale fraud. Often, groups will even sell the kits they develop to less sophisticated cybercriminals to easily operate.

Ford Merrill, a security researcher at SecAlliance, part of the CSIS Security Group, has been tracking the syndicates for two years and says there are now seven “major” Chinese “phishing-as-a-service” actors. “They have been enabling global SMS-based phishing campaigns at a massive scale since early 2023 onwards,” he tells WIRED.

Criminals will create websites impersonating companies or brands—such as postal services, tax authorities, telecoms, utilities companies, and increasingly payment providers—and then send texts (either SMS, encrypted iMessage, or RCS) that entice people to enter their personal information and bank cards on the fraudulent websites. This process requires the fraudsters to register thousands of domains and use Apple iCloud accounts.

One of the most prominent of the smishing actors is often referred to as the Smishing Triad—although security researchers group Chinese-speaking threat actors and affiliates in different ways—which has impersonated organizations and brands in at least 121 countries, according to recent research by security company Silent Push.

Around 200,000 domains have been used by the group in recent years, the research says, with around 187 top-level domains—such as .top, .world, and .vip—being used. Across one recent 20-day period, there were more than 1 million page visits to scam websites used by the Smishing Triad, according to Silent Push.

Besides collecting names, emails, addresses, and bank card details, the websites also prompt people to enter one-time passwords or authentication codes that allow the criminals to add bank cards to Apple Pay or Google Wallet, allowing them to use the cards while on the other side of the world.

“They have effectively turned the modern digital wallet, like Apple Pay or Google Wallet, into the best card-cloning device we’ve ever invented,” Merrill says.

In Telegram groups linked to the cybercriminal organizations, some members share photos and videos of bank cards being added to digital wallets on iPhones and Androids. For instance, in one video, scammers allegedly show off dozens of virtual cards that they have added to phones they are using.

Merrill says the criminals may not make payments using the cards they’ve added to digital wallets straightaway, but it probably won’t take long.

“When we first started seeing this, they would wait between 60 and 90 days before actually stealing money from the cards,” he explains, adding that at first the criminals would let the cards “age” on a device in an attempt to look legitimate. “Nowadays you would be lucky if they wait seven days or even a couple days. Once they hit the card, they hit it hard and fast.”

“Security is core to the Google Wallet experience, and we work closely with card issuers to prevent fraud,” says Google communications manager Olivia O'Brien. “For example, banks notify customers when their card has been added to a new Wallet, and we provide signals to help issuers detect fraudulent behavior so they can decide whether to approve added cards.”

Apple did not respond to WIRED’s request for comment.

The giant scam ecosystem is powered in part by commercial underground scamming services. Findings from security firm Resecurity, which has tracked the Smishing Triad for more than two years, says the group has been using “bulk” SMS and message-sending services as it has expanded the number of messages it sends.

Meanwhile, as multiple security researchers have noted, the Smishing Triad group also uses its own software, called Lighthouse, to collect, manage, and store people's personal information and card details. A video of the Lighthouse software originally shared on Telegram and republished by Silent Push shows how the system collects card details.

The latest version of the software, which was updated in March this year, “targets dozens of financial brands” including PayPal, Mastercard, Visa, and Stripe, Silent Push says. In addition, the research says, Australian banking brands appear to be impersonated, indicating a potential further expansion of targets.

The smishing groups are constantly improving their own scamming software. Smith, the researcher who hacked a smishing gang, says he has seen groups operating their own development pipelines for their software and systems.

“Recently they were using some custom-made software that they had to basically replicate Jira and have tickets open for any issues with the platform and any customer complaints,” Smith says. “They would assign them to team members.”

Chinese smishing groups do not appear to be slowing down. The cybercriminals are behind huge waves of toll road text scams sweeping across the United States this year, says Shawn Loveland, the chief operating officer at Resecurity. “They’re increasing in their scale and their volume of attacks,” he says.

Loveland says there may be multiple ways to limit the effectiveness of smishing operations. Domain registrars could get better at detecting fraudulent websites, for example, and improved spam filtering on messages would help potential victims. Plus, law enforcement could target the platforms and systems they use to create accounts and send messages.

Making it harder for smishing groups to successfully operate could reduce profits and have a cooling effect on the surging criminal ecosystem, Loveland says.

“Criminals have a supply chain, and you don't have to go after all the components in the supply chain,” he says. “You can go after choke points in the supply chain.”

Smishing Triad: The Scam Group Stealing the World’s Riches

April Microsoft Patch Tuesday. A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild: 🔻 EoP – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.🔻 […]

**April Microsoft Patch Tuesday.** A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild:

🔻 **EoP** – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.  
🔻 **SFB** – Microsoft Edge (CVE-2025-2783). Sandbox escape with an existing PoC exploit.  
🔻 **RCE** – Microsoft Edge (CVE-2025-24201). Originally reported as a WebKit vuln on Apple OSes. 🤷‍♂️

Microsoft also patched vulnerabilities in Kubernetes with known exploits (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-24513)

Other notable ones:

🔹 **RCE** – LDAP (CVE-2025-26670, CVE-2025-26663), TCP/IP (CVE-2025-26686), Microsoft Office (CVE-2025-29794, CVE-2025-29793), RDS (CVE-2025-27480, CVE-2025-27482), Hyper-V (CVE-2025-27491)  
🔹 **SFB** – Kerberos (CVE-2025-29809)

🗒 Full Vulristics report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Tag

#apple