The Privacy Danger Lurking in Push Notifications

Just days after an international law enforcement operation disrupted LockBit, the ransomware group reemerged with a new dark-web site where it threatened to release documents stolen from Fulton County, Georgia, where Donald Trump and 18 codefendants stand accused of a conspiracy to overturn the 2024 election. But by the time the deadline for Fulton County to pay arrived, all mention of the leak had mysteriously disappeared. Fulton County says it didn’t pay LockBit’s ransom, suggesting that the group may be bluffing. If there is a leak, however, it could wreak havoc on an already chaotic US presidential election, the security of which is already under threat.

Regardless of what’s going on with the Fulton County leak, it’s become clear that ransomware groups are getting faster at rebounding after law enforcement crackdowns. Around two months after the FBI disrupted the ransomware gang known as Blackcat or AlphV, the group successfully attacked Change Healthcare earlier this month, causing ongoing delays at pharmacies around the United States.

US fears over international threats were front and center this week. First, the White House announced a new executive order that aims to prevent “countries of concern,” including China, North Korea, and Russia, from purchasing sensitive data about Americans—a plan that may or may not work. Then the Biden administration said it is launching an investigation into national security threats posed by vehicles imported from China. And the US Department of Commerce imposed sanctions on Canada-based Sandvine, a company whose web-monitoring tech has been used by authoritarian governments to censor the internet.

A study released this week found that Russia has likely launched more than 200 attacks on Ukraine’s power grid since its 2022 full-scale invasion, 66 of which researchers at the Conflict Observatory have confirmed. These attacks are in addition to the blackouts caused by Russia’s military intelligence hacking unit known as Sandworm. In the UK, the interior ministry has been tracking the locations of migrants with GPS devices—a practice ruled illegal by a British court this week.

Meanwhile, the UK version of Pornhub tested a chatbot and warning message built to deter people searching for illegal images of child abuse on the website, finding it resulted in a “meaningful decrease” in the problematic searches. In the world of generative AI, researchers have created a “worm” that is capable of spreading between different AI agents and could potentially be used to steal data or send spam messages. Finally, we rounded up all the major security patches released in the past month—patch as soon as you can.

That’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Law Enforcement Demanded Push Notification Data to ID Suspects in 130 Cases

The push notifications that populate the screens of our smartphones have become a kind of convenient central dashboard for modern digital life. They also serve, it’s becoming increasingly clear, as a powerful hidden surveillance mechanism.

An investigation by The Washington Post revealed this week that law enforcement has sought push notification data from Google, Apple, Facebook, and other tech companies fully 130 times in recent years. Those requests span 14 states and the District of Columbia and have targeted the data of criminal suspects in cases ranging from terrorism to Covid-19 relief fraud to January 6 insurrectionists to Somali pirates, according to the Post. In three cases, the push notification data was used to identify and arrest alleged abusers of children. In another case, it helped identify an alleged murderer.

Most PopularGearPS5 vs PS5 Slim: What’s the Difference, and Which One Should You Get?By Eric RavenscraftGear13 Great Couches You Can Order OnlineBy Louryn StrampeGearThe Best Portable Power StationsBy Simon HillGearThe Best Wireless Earbuds for Working OutBy Adrienne So

To send those notifications that awaken a device and appear on its screen without a user’s interaction, apps and smartphone operating system makers must store tokens that identify the device of the intended recipient. That system has created what US senator Ron Wyden has called a “digital post office” that can be queried by law enforcement to identify users of an app or communications platform. And while it has served as a powerful tool for criminal surveillance, privacy advocates warn that it could just as easily be turned against others such as activists or those seeking an abortion in states where that’s now illegal.

In many cases, tech firms don’t even demand a court order for the data: Apple, in fact, only demanded a subpoena for the data until December. That allowed federal agents and police to obtain the identifying information without the involvement of a judge until it changed its policy to demand a judicial order.

Apple Warns of Security Risks for New Third-Party App Stores

Europe's sweeping Digital Markets Act comes into force next week and is forcing major "gatekeeper" tech companies to open up their services. Meta-owned WhatsApp is opening its encryption to interoperate with other messaging apps; Google is giving European users more control over their data; and Apple will allow third-party app stores and the sideloading of apps for the first time.

Apple's proposed changes have proved controversial, but ahead of the March 7 implementation date the company has reiterated its belief that sideloading apps creates more security and privacy risks. It may be easier for apps on third-party apps stores, the company says in a white paper, to contain malware or try to access people's iPhone data. Apple says it is bringing in new checks to try to make sure apps are safe.

"These safeguards will help keep EU users' iPhone experience as secure, privacy-protecting, and safe as possible—although not to the same degree as in the rest of the world," the company claims. Apple also says it has heard from EU organizations, such as those in banking and defense, which say they are concerned about employees installing third-party apps on work devices.

Court Demands NSO Group Hand Over Pegasus Spyware Code to WhatsApp

WhatsApp scored a landmark legal win this week against the notorious mercenary hacking firm NSO Group in its long-running lawsuit against that spyware seller for allegedly breaching its app and the devices of its users. The judge in the case, Phyllis Hamilton, sided with WhatsApp in its demand that NSO Group hand over the code of its Pegasus spyware, which has long been considered one of the most sophisticated pieces of spyware to target mobile devices, sometimes through vulnerabilities in WhatsApp. The code handover—which includes versions of Pegagus from 2018 to 2020 as well as NSO’s documentation around its spyware—could help WhatsApp prove its allegations that NSO hacked 1,400 of its users, including at least 100 members of “civil society” such as journalists and human rights defenders. “Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law,” a WhatsApp spokesperson told the Guardian.

Major Retailers Sold Egregiously Insecure Video Doorbells

Here’s a solid rule of thumb: Don’t put any device in or around your home that has a camera, an internet connection, and is made by a Chinese manufacturer you’ve never heard of. In the latest reminder of that maxim, Consumer Reports this week revealed that countless brands of video-enabled doorbells have absolutely shambolic security, to the degree that for many of the devices, anyone can walk up to them outside your door, hold a button to pair their own smartphone with it, and then spy through your camera. In some cases, they can even obtain just a serial number from the device that lets them hijack it via the internet from anywhere in the world, according to the investigation. Consumer Reports found that these devices were sold under the brand names Eken and Tuck but that they appeared to share a manufacturer with no fewer than 10 other devices that all had similar designs. And while those devices might sound obscure, they’re reportedly sold through major retail platforms like Amazon, Walmart, Sears, Shein, and Temu. In some cases, Amazon had even marked the devices with their “Amazon’s Choice: Overall Pick” badge—even after Consumer Reports alerted Amazon to the security flaws.

About Andy Greenberg,Andrew Couts,Matt Burgess

Check Also

Iranian Hackers Tried to Give Hacked Trump Campaign Emails to Dems

The week was dominated by news that thousands of pagers, walkie-talkies and other devices were …

Leave a Reply