hacking

https://therecord.media/sweden-seeks-backdoor-access-to-messaging-apps

Sweden’s law enforcement and security agencies are pushing legislation to force Signal and WhatsApp to create technical backdoors allowing them to access communications sent over the encrypted messaging apps.

Signal Foundation President Meredith Whittaker said the company would leave the Swedish market before complying with such a law, Swedish news outlet SVT Nyheter reported Monday.

[..]

Because the bill would mandate that Signal build backdoors in its software, Whittaker told the outlet, it would weaken the messaging app’s entire network.

The Swedish Armed Forces routinely use Signal and are opposing the bill, saying that a backdoor could introduce vulnerabilities that could be exploited by bad actors.

https://www.bbc.com/news/articles/cgj54eq4vejo

Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data. Advanced Data Protection (ADP) means only account holders can view items such as photos or documents they have stored online through a process known as end-to-end encryption. But earlier this month the UK government asked for the right to see the data, which currently not even Apple can access. Apple did not comment at the time but has consistently opposed creating a “backdoor” in its encryption service, arguing that if it did so, it would only be a matter of time before bad actors also found a way in. Now the tech giant has decided it will no longer be possible to activate ADP in the UK. It means eventually not all UK customer data stored on iCloud - Apple’s cloud storage service - will be fully encrypted. Data with standard encryption is accessible by Apple and shareable with law enforcement, if they have a warrant.

Benedict Evans:

Of course, the UK is within its rights to choose one side of the trade-off in the UK - what’s bizarre here is that the UK is apparently demanding that Apple do this globally. The UK, apparently, is trying to tell a US company what products it can provide to customers in Japan, Australia or indeed the USA. Normally it’s only American regulators that assert global juristiction. But what will the UK government say when China reads this story, and orders Apple to hand over UK citizens’ data, given that it’s now unencrypted and the UK has conceded the principle of jurisdiction? [emphasis added]

https://arstechnica.com/security/2025/02/how-north-korea-pulled-off-a-1-5-billion-crypto-heist-the-biggest-in-history/

The cryptocurrency industry and those responsible for securing it are still in shock following Friday’s heist, likely by North Korea, that drained $1.5 billion from Dubai-based exchange Bybit, making the theft by far the biggest ever in digital asset history.

[…]

In much the same way that nuclear arms systems are designed to require two or more authorized people to successfully authenticate themselves before a missile can be launched, multisig wallets need the digital signatures of two or more authorized people before assets can be accessed.

Bybit was largely following best practices by storing only as much currency as needed for day-to-day activity in warm and hot wallets, and keeping the rest in the multisig cold wallets. Transferring funds out of cold wallets required coordinated approval from multiple high-level employees of the exchange.

[…]

multiple systems inside Bybit had been hacked in a way that allowed the attackers to manipulate the Safe wallet UI on the devices of each person required to approve the transfer. That revelation, in turn, has touched off something of a eureka moment for many in the industry.

“The Bybit hack has shattered long-held assumptions about crypto security,” Dikla Barda, Roman Ziakin, and Oded Vanunu, researchers at security firm Check Point, wrote Sunday. “No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link. This attack proves that UI manipulation and social engineering can bypass even the most secure wallets.”

https://time.com/7259395/ai-chess-cheating-palisade-research/

When sensing defeat in a match against a skilled chess bot, they don’t always concede, instead sometimes opting to cheat by hacking their opponent so that the bot automatically forfeits the game.

[…]

While cheating at a game of chess may seem trivial, as agents get released into the real world, such determined pursuit of goals could foster unintended and potentially harmful behaviours. Consider the task of booking dinner reservations: faced with a full restaurant, an AI assistant might exploit weaknesses in the booking system to displace other diners. Perhaps more worryingly, as these systems exceed human abilities in key areas, like computer coding—where OpenAI’s newest o3 model now scores equivalent to 197th in the world competing against the brightest human programmers— they might begin to simply outmaneuver human efforts to control their actions. “This [behaviour] is cute now, but [it] becomes much less cute once you have systems that are as smart as us, or smarter, in strategically relevant domains,” Ladish says.

[…]

While R1 and o1-preview both tried, only the latter managed to hack the game, succeeding in 6% of trials.

[…]

The paper is the latest in a string of studies that suggest keeping increasingly powerful AI systems under control may be harder than previously thought. In OpenAI’s own testing, ahead of release, o1-preview found and took advantage of a flaw in the company’s systems, letting it bypass a test challenge. Another recent experiment by Redwood Research and Anthropic revealed that once an AI model acquires preferences or values in training, later efforts to change those values can result in strategic lying, where the model acts like it has embraced new principles, only later revealing that its original preferences remain.

[…]

Scientists do not yet know how to guarantee that autonomous agents won’t use harmful or unethical methods to achieve a set goal. “We’ve tried, but we haven’t succeeded in figuring this out,” says Yoshua Bengio, founder and scientific director of Mila Quebec AI Institute, who led the International AI Safety Report 2025, a global effort to synthesize current scientific consensus of AI’s risks.

Of particular concern, Bengio says, is the emerging evidence of AI’s “self preservation” tendencies. To a goal-seeking agent, attempts to shut it down are just another obstacle to overcome. This was demonstrated in December, when researchers found that o1-preview, faced with deactivation, disabled oversight mechanisms and attempted—unsuccessfully—to copy itself to a new server. When confronted, the model played dumb, strategically lying to researchers to try to avoid being caught.

https://www.nrk.no/norge/nordmenn-overvakes-av-mobilen_-_-pill-rattent-system-1.17208691

Norsk-amerikanske Unacast har blitt utsatt for omfattende datainnbrudd. Nå går Forbrukerrådet i strupen på selskapet.

– Det er fullstendig uansvarlig, sier fagdirektør Finn Myrstad i Forbrukerrådet.

Han snakker om selskaper som lever av å samle inn informasjon om hvor folk har vært, for å bruke det til markedsføring.

Store mengder private data om mobilbrukere over hele verden ble lagt ut på et russisk nettforum. Dataene som hackerne skal ha stjålet, skal være alt fra kundelister til folks lokasjonsdata. De publiserte det de kalte en «smakebit» av informasjonen de stjal.

I disse dataene kan det ligge informasjon om 146.000 nordmenns fysiske plassering.

[…]

Det er en trussel i seg selv at kommersielle selskaper sitter på så mye data om mobilbrukere, mener Forbrukerrådet.

– Det er en gigantisk svakhet. Det burde ikke vært lov å samle dem inn.

Forbrukerrådet har bedt om et forbud mot markedsføringen basert på dataene.

– Jeg tenker det ligger noe ansvar på politikerne her, sier Myrstad.

I 2022 anbefalte Personvernkommisjonen i en rapport en utredning av et generelt forbud mot atferdsbasert markedsføring.

Stortinget har bedt om det samme. Men ennå har det ikke dukket opp noen utredning. Langt mindre et lovforslag.

https://www.wired.com/story/subaru-location-tracking-vulnerabilities/

Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can.

[…]

Most disturbing for Curry, though, was that they found they could also track the Subaru’s location—not merely where it was at the moment but also where it had been for the entire year that his mother had owned it. The map of the car’s whereabouts was so accurate and detailed, Curry says, that he was able to see her doctor visits, the homes of the friends she visited, even which exact parking space his mother parked in every time she went to church.

“You can retrieve at least a year’s worth of location history for the car, where it’s pinged precisely, sometimes multiple times a day,” Curry says. “Whether somebody’s cheating on their wife or getting an abortion or part of some political group, there are a million scenarios where you could weaponize this against someone.”

[…]

Curry argues that Subaru’s extensive location tracking is a particularly disturbing demonstration of the car industry’s lack of privacy safeguards around its growing collection of personal data on drivers. “It’s kind of bonkers,” he says. “There’s an expectation that a Google employee isn’t going to be able to just go through your emails in Gmail, but there’s literally a button on Subaru’s admin panel that lets an employee view location history.”

https://spectrum.ieee.org/jailbreak-llm

Researchers induced bots to ignore their safeguards without exception.

AI chatbots such as ChatGPT and other applications powered by large language models (LLMs) have exploded in popularity, leading a number of companies to explore LLM-driven robots. However, a new study now reveals an automated way to hack into such machines with 100 percent success. By circumventing safety guardrails, researchers could manipulate self-driving systems into colliding with pedestrians and robot dogs into hunting for harmful places to detonate bombs.

https://www.nbcnews.com/tech/security/us-officials-urge-americans-use-encrypted-apps-cyberattack-rcna182694

Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers.

The hacking campaign, nicknamed Salt Typhoon by Microsoft, is one of the largest intelligence compromises in U.S. history, and it has not yet been fully remediated. Officials on a news call Tuesday refused to set a timetable for declaring the country’s telecommunications systems free of interlopers. Officials had told NBC News that China hacked AT&T, Verizon and Lumen Technologies to spy on customers.

https://www.abc.net.au/news/2024-10-05/robot-vacuum-deebot-ecovacs-photos-ai/104416632

Ecovacs robot vacuums, which have been found to suffer from critical cybersecurity flaws, are collecting photos, videos and voice recordings – taken inside customers’ houses – to train the company’s AI models.

https://www.abc.net.au/news/2024-10-04/robot-vacuum-hacked-photos-camera-audio/104414020

The largest home robotics company in the world has failed to fix security issues with its robot vacuums despite being warned about them last year.

Without even entering the building, we were able to silently take photos of the (consenting) owner of a device made by Chinese giant Ecovacs.

…

Ecovacs initially said its users “do not need to worry excessively” about Giese’s findings.

After he first revealed the vulnerability in public, the company’s security committee downplayed the issue, saying it requires “specialised hacking tools and physical access to the device”.

It’s hard to square their statement with the reality. All it had taken was my $300 smartphone, and I hadn’t even laid eyes on Sean’s robot until after hacking into it.

Ecovacs eventually said it would fix this security issue. At the time of publication, only some models have been updated to prevent this attack.

Several models — including the latest flagship model released in July this year — remain vulnerable.