A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers


WhatsApp’s mass adoption stems in part from how easy it is to find a new contact on the messaging platform: Add someone’s phone number, and WhatsApp instantly shows whether they’re on the service, and often their profile picture and name, too.

Repeat that same trick a few billion times with every possible phone number, it turns out, and the same feature can also serve as a convenient way to obtain the cell number of virtually every WhatsApp user on earth—along with, in many cases, profile photos and text that identifies each of those users. The result is a sprawling exposure of personal information for a significant fraction of the world population.

A group of Austrian researchers has now shown that they were able to use that simple method of checking every possible number in WhatsApp’s contact discovery to extract 3.5 billion users’ phone numbers from the messaging service. For about 57 percent of those users, they also found that they could access their profile photos, and for another 29 percent, the text on their profiles. Despite a previous warning about WhatsApp’s exposure of this data from a different researcher in 2017, they say, the service’s parent company, Meta, still failed to limit the speed or number of contact discovery requests the researchers could make by interacting with WhatsApp’s browser-based app, allowing them to check roughly a hundred million numbers an hour.

The result would be “the largest data leak in history, had it not been collated as part of a responsibly conducted research study,” as the researchers describe it in a paper documenting their findings.

“To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented,” says Aljosha Judmayer, one of the researchers at the University of Vienna who worked on the study.

The researchers say they warned Meta about their findings in April and deleted their copy of the 3.5 billion phone numbers. By October, the company had fixed the enumeration problem by enacting a stricter “rate-limiting” measure that prevents the mass-scale contact discovery method the researchers used. But until then, the data exposure could have also been exploited by anyone else using the same scraping technique, adds Max Günther, another researcher from the university who cowrote the paper. “If this could be retrieved by us super easily, others could have also done the same,” he says.

In a statement to WIRED, Meta thanked the researchers, who reported their discovery through Meta’s “bug bounty” system, and described the exposed data as “basic publicly available information,” since profile photos and text weren’t exposed for users who opted to make it private. “We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses,” writes Nitin Gupta, vice president of engineering at WhatsApp. Gupta adds, “We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
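The defense the article describes is rate limiting of the contact-discovery lookup. The block below is an added example, not code from WhatsApp or Meta and not the specific measure Meta deployed: it is a sliding-window limiter keyed on both the requesting account and its source address, applied to a batch "is this number registered?" endpoint, with a simulated scanner to show where it cuts in. The budget sizes, the request shape, the directory of registered numbers and the scanner's pace are assumptions chosen for the demonstration.

```python
"""Sliding-window rate limiting for a contact-discovery lookup.

Added example, not code from WhatsApp or Meta and not the fix the
researchers describe: the budget sizes, the request shape and the
directory of registered numbers are assumptions for the demonstration.
"""
from collections import deque
import time


class SlidingWindowLimiter:
    """Allow at most `limit` units per `window` seconds, tracked per key.

    Every consumed unit is stored as a timestamp; units older than the
    window are discarded before each check. `clock` is injectable so the
    behaviour can be simulated without waiting for real time to pass.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = {}

    def _prune(self, key, now):
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def remaining(self, key):
        """Units still available to `key` in the current window."""
        return self.limit - len(self._prune(key, self.clock()))

    def consume(self, key, cost):
        """Record `cost` units against `key` (the caller checks capacity first)."""
        now = self.clock()
        self._prune(key, now).extend([now] * cost)


class ContactDiscovery:
    """Answers "is this number registered?" for a batch of numbers.

    Budgets are counted per number, not per request, so a large batch is
    not cheaper than many small ones. Both the account budget and the
    source-address budget must have room, so load cannot be spread across
    throwaway accounts behind one address or across addresses behind one
    account (assumed thresholds).
    """

    PER_ACCOUNT_PER_DAY = 5_000   # assumption: ample for a real address book
    PER_ADDRESS_PER_DAY = 20_000  # assumption: several users behind one NAT
    DAY = 24 * 3600

    def __init__(self, registered, clock=time.monotonic):
        self.registered = registered
        self.by_account = SlidingWindowLimiter(self.PER_ACCOUNT_PER_DAY, self.DAY, clock)
        self.by_address = SlidingWindowLimiter(self.PER_ADDRESS_PER_DAY, self.DAY, clock)

    def lookup(self, account, address, numbers):
        cost = len(numbers)
        if (self.by_account.remaining(account) < cost
                or self.by_address.remaining(address) < cost):
            return {"status": "rate_limited", "results": {}}
        self.by_account.consume(account, cost)
        self.by_address.consume(address, cost)
        return {"status": "ok",
                "results": {n: (n in self.registered) for n in numbers}}


class FakeClock:
    """Monotonic clock the simulation advances by hand."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_enumeration(batch=1_000, batches=200):
    """Replay a scanner that checks `batch` numbers every 3.6 s from one
    account, about one million numbers an hour. Returns (answered, refused)
    counts: with the assumed budgets the scanner gets 5,000 answers and is
    then refused for the rest of the day."""
    clock = FakeClock()
    # Constructed directory: every tenth number in the scanned range is registered.
    registered = {f"+1555{n:07d}" for n in range(0, batch * batches, 10)}
    service = ContactDiscovery(registered, clock)
    answered = refused = 0
    for i in range(batches):
        numbers = [f"+1555{n:07d}" for n in range(i * batch, (i + 1) * batch)]
        reply = service.lookup("scanner-account", "203.0.113.7", numbers)
        if reply["status"] == "ok":
            answered += len(numbers)
        else:
            refused += len(numbers)
        clock.advance(3.6)
    return answered, refused


def simulate_normal_user():
    """A user syncing a 60-entry address book is answered in full."""
    clock = FakeClock()
    registered = {"+15550000010", "+15550000020"}  # constructed
    service = ContactDiscovery(registered, clock)
    numbers = [f"+1555{n:07d}" for n in range(60)]
    return service.lookup("alice", "198.51.100.9", numbers)
```

The per-number accounting matters because contact discovery naturally takes batches; if the limit counted requests, a scanner would simply send larger batches. Two keys are the minimum: a limit per account alone is defeated by registering many accounts, a limit per address alone by proxies. A production deployment would add a per-device key, count in fixed buckets rather than keeping one timestamp per number, and watch the global lookup rate for the kind of sustained throughput the researchers achieved, since a hundred million numbers an hour is visible in aggregate even when spread across many keys.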

6 Best Smart Locks (2025) for Front Doors, Slider Doors, and Even Garages


Ultraloq U-Bolt Pro for $170: WIRED reviewer Julian Chokkattu also tested the U-Bolt Pro from Ultraloq, which uses the same app that the Fingerprint models do. He says it took a few attempts to connect to Wi-Fi, but once connected it worked well with no Wi-Fi issues during the year he tested it. It has built-in Wi-Fi, uses four AA batteries that last around two months (less in very cold weather), and has a hidden mechanical keyhole as a backup in case the battery dies when you’re not home; you get two spare keys. There’s a charging port underneath so you can give it some juice in an emergency if the lock is dead and you don’t have the key, but we wish it were USB-C instead of Micro USB. It’s a good lock, but he prefers the Fingerprint models, which have nicer build quality and take eight batteries, so they last twice as long.


Yale Assure Lock 2 Touch for $300: I’ve been testing this lock for a few weeks in tandem with ADT’s security system and Google Home. Unlike the other locks in this guide, I didn’t install it; an ADT tech did, and installation can be included in an ADT security package like the one I’ve been testing. The lock itself has worked well. It’s a full dead-bolt replacement, came with a single key, and offers both a keypad and a fingerprint reader for entry. The fingerprint reader is speedy and efficient, and my husband says the keypad has been easy to use (you activate the keypad by touching the Yale button, which doubles as the fingerprint reader if your finger is registered in the app). Instead of the Yale app, I primarily control this lock through the ADT+ app, but there are versions of this lock that don’t use or require ADT’s service. I do wish I could set the auto-lock to 10 minutes rather than three, but three is the longest option the ADT+ app offers. I can also partially control it in the Google Home app, but only to lock and unlock it, not to dive into detailed settings like passcodes and auto-lock times.

Yale Assure Touchscreen Lever Lock for $240: I’ve been testing this no-dead-bolt lever door handle with its sleek-looking keypad for four months on the door into my house from the garage. Unlike Yale’s Approach Lock, it won’t sense you coming, but it wakes with even a light touch to the keypad. It’s easy to lock and unlock and to view the activity log in the Yale Access app, or you can use a PIN code to unlock. You can also create different codes for different people to know exactly who’s been coming and going and when. It works with Google Home, Apple Home, and Alexa, and comes with two physical keys as a backup in case of battery failure. Setup wasn’t exactly a breeze, requiring the Bilt app to install and then the Yale app to configure, and online reviews contain many complaints about both battery life and the handle loosening over time. Neither issue has arisen during our test period; we will update this review with further observations as time goes on. —Kat Merck

Avoid These Smart Locks

We haven’t loved every smart lock we’ve tried. These are the ones to skip.


Defiant Smart Deadbolt Powered by Hubspace for $100: The shoddy build quality is a huge turn-off on this smart lock from Defiant. The buttons are mushy, it’s very loud, and what is the point of Wi-Fi connectivity if it never connects to Wi-Fi? I finally got it paired with the Hubspace app, but the lock never stayed connected to my Wi-Fi, so I had none of the benefits. —Julian Chokkattu

Eufy FamiLock S3 Max for $400: This lock is cool because it includes a camera, letting the device double as a digital peephole (convenient for smaller family members!) and has a super interesting biometric option that uses the veins in your palm for authentication. Unfortunately, once installed, the lock didn’t work on my door, even though it was the correct size and placement.

A breach every month raises doubts about South Korea’s digital defenses


South Korea is world-famous for its blazing-fast internet, near-universal broadband coverage, and as a leader in digital innovation, hosting global tech brands like Hyundai, LG, and Samsung. But this very success has made the country a prime target for hackers and exposed how fragile its cybersecurity defenses remain.  

The country is reeling from a string of high-profile hacks, affecting credit card companies, telecoms, tech startups, and government agencies, impacting vast swathes of the South Korean population. In each case, ministries and regulators appeared to scramble in parallel, sometimes deferring to one another rather than moving in unison. 

Critics argue that South Korea’s cyber defenses are hindered by a fragmented system of government ministries and agencies, often resulting in slow and uncoordinated responses, according to local media reports.

With no clear government agency acting as “first responder” following a cyberattack, the country’s cyber defenses are struggling to keep pace with its digital ambitions. 

“The government’s approach to cybersecurity remains largely reactive, treating it as a crisis management issue rather than as critical national infrastructure,” Brian Pak, the chief executive of Seoul-based cybersecurity firm Theori, told TechCrunch.  

Pak, who also serves as an advisor to SK Telecom’s parent company’s special committee on cybersecurity innovations, told TechCrunch that because government agencies tasked with cybersecurity work in silos, developing digital defenses and training skilled workers often get overlooked. 

The country is also facing a severe shortage of skilled cybersecurity experts.  

“[That’s] mainly because the current approach has held back workforce development. This lack of talent creates a vicious cycle. Without enough expertise, it’s impossible to build and maintain the proactive defenses needed to stay ahead of threats,” Pak continued.  

Political deadlock has fostered a habit of reaching for obvious “quick fixes” after each crisis, said Pak, while the more challenging, long-term work of building digital resilience continues to be sidelined.

This year alone, there has been a major cybersecurity incident in South Korea almost every month, adding to concerns over the resilience of the country’s digital infrastructure.

January 2025 

  • GS Retail, the operator of convenience stores and grocery markets across South Korea, confirmed a data breach that exposed the personal details of about 90,000 customers after its website was attacked between December 27 and January 4. The stolen information included names, birth dates, contact details, addresses, and email addresses. 

February 2025 

April and May 2025 

  • South Korea’s part-time job platform Albamon was hit by a hacking attack on April 30. The breach exposed the resumes of more than 20,000 users, including names, phone numbers, and email addresses.
  • In April, South Korea’s telecom giant SK Telecom was hit by a major cyberattack. Hackers stole the personal data of about 23 million customers — nearly half the country’s population. Much of the aftermath of the cyberattack lasted through May, in which millions of customers were offered a new SIM card following the breach. 

June 2025  

  • Yes24, South Korea’s online ticketing and retail platform, was hit by a ransomware attack on June 9, which knocked its services offline. The disruption lasted for about four days, with the company back online by mid-June. 

July 2025 

August 2025

  • Yes24 faced a second ransomware attack in August 2025, which took its website and services offline for a few hours. 
  • Hackers broke into South Korean financial services company Lotte Card, which issues credit and debit cards, between July 22 and August. The breach exposed around 200GB of data and is believed to have affected roughly 3 million customers. The breach remained unnoticed for approximately 17 days, until the company discovered it on August 31. 
  • Welcome Financial: In August 2025, Welrix F&I, a lending arm of Welcome Financial Group, was hit by a ransomware attack. A Russian-linked hacking group claimed it stole over a terabyte of internal files, including sensitive customer data, and even leaked samples on the dark web.
  • North Korea-linked hackers, believed to be the Kimsuky group, have been spying on foreign embassies in South Korea for months by disguising their attacks as routine diplomatic emails. According to Trellix, the campaign has been active since March and has targeted at least 19 embassies and foreign ministries in South Korea. 

September 2025  

  • KT, one of South Korea’s biggest telecom operators, has reported a cyber breach that exposed subscriber data from more than 5,500 customers. The attack was linked to illegal “fake base stations” that tapped into KT’s network, enabling hackers to intercept mobile traffic, steal information like IMSI, IMEI, and phone numbers, and even make unauthorized micro-payments. 

In light of the recent surge in hacking incidents, the National Security Office within South Korea’s presidential office is stepping in to tighten defenses, pushing for a cross-ministerial effort that brings multiple agencies together in a coordinated, whole-of-government response.

In September 2025, the National Security Office announced that it would implement “comprehensive” cyber measures through an interagency plan, led by the South Korean president’s office. Regulators also signaled a legal change giving the government power to launch probes at the first sign of hacking — even if companies haven’t filed a report. Both steps aim to address the lack of a first responder that has long hindered South Korea’s cyber defenses. 

But while South Korea’s fragmented system leaves accountability weak, placing all authority in a presidential “control tower” could risk “politicization” and overreach, according to Pak.

A better path may be balance: a central body to set strategy and coordinate crises, paired with independent oversight to keep power in check. In a hybrid model, expert agencies like KISA would still handle the technical work — just with more straightforward rules and accountability, Pak told TechCrunch.  

When reached for comment, a spokesperson for South Korea’s Ministry of Science and ICT said the ministry, with KISA and other relevant agencies, is “committed to addressing increasingly sophisticated and advanced cyber threats.”

“We continue to work diligently to minimize potential harm to Korean businesses and the general public,” the spokesperson added.

This article was originally published on September 30.

A 25-year-old police drone founder just raised $75M led by Index


If you ever call 911 from an area that’s hard to get to, you might hear the buzz of a drone well before a police cruiser pulls up. And there’s a good chance that it will be one made by Brinc Drones, a Seattle-based startup founded by 25-year-old Blake Resnick, who dropped out of college to run the company.

Brinc, which was founded in 2017 and counts OpenAI CEO Sam Altman as a seed-stage investor, just announced today that it has raised $75 million in new funding led by Index Ventures.

This brings the startup’s total funding to $157.2 million. While Brinc isn’t disclosing its exact valuation, Resnick told TechCrunch it’s an “up-round” compared to its most recent round, a $55 million Series B in 2022. Brinc was last valued at $300 million in 2023, Bloomberg reported.

Brinc sells a variety of drone systems to police and public safety agencies. It’s part of a broader trend of U.S. drone startups manufacturing domestically due to increasing restrictions against Chinese companies that dominate the commercial drone industry. (Resnick briefly interned at DJI, by far the biggest Chinese player, a few years before founding Brinc.)

With this funding, Brinc is launching a “strategic alliance” with Motorola Solutions, which also invested in the round. Motorola Solutions is a giant in the U.S. security industry whose software powers many 911 call centers. The partnership will integrate Brinc drones directly into those centers, allowing operators to dispatch drones for certain emergency calls if they’re cleared by an existing Motorola AI system.

Brinc is, however, in an increasingly competitive field with other U.S. startups like Flock Safety and Skydio. Both also sell drones to police and have multibillion-dollar valuations: Flock stood at $7.5 billion in its latest round last month, while Skydio was valued at $2.2 billion in 2023.

When it comes to the competition, Resnick tells TechCrunch that there’s plenty of room for growth in a market that is otherwise dominated by Chinese players. Beyond the Motorola partnership, he says Brinc offers its share of unique features, like the ability to break windows or deliver emergency medical devices.

Screenshot-reading malware cracks iPhone security for the first time


In the realm of smartphones, Apple’s ecosystem is deemed to be the safer one. Independent analysis by security experts has also proved that point repeatedly over the years. But Apple’s guardrails are not impenetrable. On the contrary, it seems bad actors have managed yet another worrying breakthrough.

According to an analysis by Kaspersky, malware with Optical Character Recognition (OCR) capabilities has been spotted on the App Store for the first time. Instead of stealing files stored on a phone, the malware scanned screenshots stored locally, analyzed their text content, and relayed what it found to remote servers.

The campaign, codenamed “SparkCat,” delivered infected apps through official repositories, Google’s Play Store and Apple’s App Store, as well as third-party sources. The infected apps amassed roughly a quarter of a million downloads across both platforms.


The malware piggybacked on Google’s ML Kit, a library that lets developers run machine-learning models on-device, quickly and offline. Its text-recognition model is what ultimately let the malware read the text in photos stored on an iPhone and single out the images containing sensitive information.



The malware was not limited to stealing crypto-related recovery phrases, its main target. “It must be noted that the malware is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots,” says Kaspersky’s report.

Among the targeted iPhone apps was ComeCome, which appears on the surface to be a Chinese food delivery app but came loaded with screenshot-reading malware. “This is the first known case of an app infected with OCR spyware being found in Apple’s official app marketplace,” notes Kaspersky’s analysis.


It is, however, unclear whether the developers of these apps embedded the malware deliberately or were themselves victims of a supply chain attack. Either way, the whole pipeline was inconspicuous: the apps looked legitimate and served ordinary purposes such as messaging, AI learning, or food delivery. The cross-platform malware also obfuscated its presence, which made it harder to detect.

The primary objective of this campaign was extracting crypto wallet recovery phrases, which allow a bad actor to take over a person’s crypto wallet and make off with their assets. The targets appear to be mainly in Europe and Asia, though some of the affected apps are also in use in Africa and other regions.
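Once OCR has turned a screenshot into text, the malware still has to decide which images are worth exfiltrating. The page does not describe SparkCat’s filter, so the block below is an added example of the screening step in generic form, not Kaspersky’s detection logic and not the malware’s own code. The same check runs just as well in the defender’s direction, for instance as a gallery scan that warns a user that a screenshot holds a seed phrase. The wordlist is a constructed subset of the public 2048-word BIP39 English list (a real check loads the whole list), the heading keywords are assumptions, and the three screenshot texts are constructed stand-ins for OCR output.

```python
"""Screen OCR output for text that looks like a wallet recovery phrase.

Added example, not SparkCat's filter and not Kaspersky's detection logic.
The wordlist below is a constructed subset of the public BIP39 English
list; the keywords and sample texts are constructed for the demonstration.
"""
import re

# Constructed subset of the BIP39 English wordlist (assumption for the demo).
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
adult advance advice aerobic affair afford afraid again age agent
zebra zero zone zoo
""".split())

VALID_LENGTHS = (12, 15, 18, 21, 24)   # word counts a BIP39 mnemonic can have
MIN_RUN = min(VALID_LENGTHS)
# Headings wallets print above the phrase (constructed, English only;
# the real campaign used keyword lists in several languages).
KEYWORDS = ("recovery phrase", "seed phrase", "secret phrase",
            "backup phrase", "mnemonic")
WORD_RE = re.compile(r"[a-z]+")


def wordlist_runs(text, wordlist=BIP39_SUBSET, min_run=MIN_RUN):
    """Runs of at least `min_run` consecutive wordlist words in `text`.

    The text is lowercased and split on anything that is not a letter, so
    the "1. abandon 2. ability" numbering wallets display, and line
    breaks, do not interrupt a run.
    """
    runs, run = [], []
    for tok in WORD_RE.findall(text.lower()) + [None]:   # None flushes the last run
        if tok is not None and tok in wordlist:
            run.append(tok)
            continue
        if len(run) >= min_run:
            runs.append(run)
        run = []
    return runs


def classify_screenshot_text(text, wordlist=BIP39_SUBSET):
    """Return a verdict ('seed_phrase', 'suspicious' or 'clean') plus evidence.

    A run of exactly a valid mnemonic length is decisive on its own; a long
    run next to a wallet heading is treated the same way (OCR may have
    merged or dropped a word). A heading alone, or a run alone that is not
    a valid length, is only suspicious.
    """
    lowered = text.lower()
    runs = wordlist_runs(text, wordlist)
    keyword_hits = [k for k in KEYWORDS if k in lowered]
    exact = [r for r in runs if len(r) in VALID_LENGTHS]
    if exact or (runs and keyword_hits):
        verdict = "seed_phrase"
    elif runs or keyword_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict,
            "runs": [" ".join(r) for r in runs],
            "keywords": keyword_hits}


# Constructed texts standing in for OCR output of three screenshots.
WALLET_BACKUP = """Your secret recovery phrase
1. abandon  2. ability  3. able   4. about
5. above    6. absent   7. absorb 8. abstract
9. absurd  10. abuse   11. access 12. accident
Never share this with anyone."""

CHAT = ("Hey are you able to add me again? I was about to act "
        "but my account access got locked")

PARTIAL = ("Backup phrase: abandon ability able about above absent "
           "absorb abstract absurd abuse access")
```

The chat sample shows why a simple wordlist hit count is not enough: ordinary English contains many BIP39 words, but not twelve of them in a row. The partial sample, eleven words under a "backup phrase" heading, is where a defender would still want a look, which is why the function distinguishes a suspicious result from a confirmed one rather than returning a boolean.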


US indicts five individuals in crackdown on North Korea’s illicit IT workforce


U.S. authorities have indicted five people over their alleged involvement in a multi-year scheme that saw them obtain remote IT employment with dozens of American companies.

The Department of Justice on Thursday announced the indictment of North Korean citizens Jin Sung-Il and Pak Jin-Song; Pedro Ernesto Alonso De Los Reyes of Mexico, and U.S. nationals Erick Ntekereze Prince and Emanuel Ashtor.

The DOJ said the FBI arrested Ntekereze and Ashtor, and a search of Ashtor’s home in North Carolina found evidence of a “laptop farm” that hosted company-provided laptops to deceive organizations into thinking they had hired workers based in the U.S.

Alonso was also arrested in the Netherlands after a U.S. warrant was issued.

According to the indictment, Ntekereze and Ashtor allegedly installed remote access software, including AnyDesk and TeamViewer, on the company-provided devices, allowing the North Koreans to conceal their locations. The two Americans also provided Jin and Pak with forged identity documents, including U.S. passports, as well as U.S. bank accounts.
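The two artifacts the indictment describes, remote-control software on company laptops and many of those laptops operating from one residential address, are both visible in ordinary endpoint telemetry. The block below is an added example, not taken from the indictment or the FBI advisory: two checks over constructed endpoint-agent records, one for remote-control executables that are not on an approved list, one for a public address fronting an unusual number of distinct company laptops, combined so that an address is reported only when both signs are present. The event format, the tool names beyond the two the page mentions, the approved list, the office egress address and the threshold are assumptions.

```python
"""Two checks for the laptop-farm pattern described above.

Added example, not from the indictment or the FBI advisory. The event
format, the tool list beyond AnyDesk and TeamViewer, the approved list,
the office egress address and the thresholds are assumptions; the records
are constructed to resemble endpoint-agent output.
"""
from collections import defaultdict

# Assumption: remote-control tooling the organisation has sanctioned.
APPROVED_REMOTE_TOOLS = {"msrdc.exe"}
# Remote-control executables worth flagging when unsanctioned
# (the first two are the ones the indictment names).
REMOTE_CONTROL_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                        "splashtop.exe", "msrdc.exe"}
# Assumption: egress addresses that legitimately front many laptops.
KNOWN_OFFICE_EGRESS = {"192.0.2.10"}

# Constructed process-start events: host, account, image path.
PROCESS_EVENTS = [
    {"host": "LT-0413", "user": "jdoe",   "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "LT-0417", "user": "mlee",   "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"host": "LT-0420", "user": "rkim",   "image": r"C:\Windows\System32\msrdc.exe"},
    {"host": "LT-0422", "user": "asmith", "image": r"C:\Users\asmith\Downloads\anydesk.exe"},
    {"host": "LT-0501", "user": "bchen",  "image": r"C:\Windows\System32\notepad.exe"},
]

# Constructed agent check-ins: host and the public address it came from.
CHECKINS = [
    {"host": "LT-0413", "public_ip": "198.51.100.23"},
    {"host": "LT-0417", "public_ip": "198.51.100.23"},
    {"host": "LT-0420", "public_ip": "198.51.100.23"},
    {"host": "LT-0422", "public_ip": "198.51.100.23"},
    {"host": "LT-0501", "public_ip": "203.0.113.40"},
    {"host": "LT-0600", "public_ip": "192.0.2.10"},
    {"host": "LT-0601", "public_ip": "192.0.2.10"},
    {"host": "LT-0602", "public_ip": "192.0.2.10"},
]


def unapproved_remote_tools(events):
    """Map host -> set of flagged remote-control executables started on it."""
    hits = defaultdict(set)
    for e in events:
        exe = e["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in REMOTE_CONTROL_TOOLS and exe not in APPROVED_REMOTE_TOOLS:
            hits[e["host"]].add(exe)
    return dict(hits)


def crowded_egress(checkins, min_hosts=3):
    """Public addresses fronting at least `min_hosts` distinct laptops,
    ignoring known office egress (assumption: a home connection fronts
    one or two company devices at most)."""
    hosts = defaultdict(set)
    for c in checkins:
        if c["public_ip"] not in KNOWN_OFFICE_EGRESS:
            hosts[c["public_ip"]].add(c["host"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}


def laptop_farm_candidates(events=PROCESS_EVENTS, checkins=CHECKINS):
    """Addresses where many laptops share one egress AND at least one of
    them has started an unapproved remote-control tool.
    Returns ip -> {"hosts": [...], "remote_tools": {host: [exe, ...]}}."""
    tools = unapproved_remote_tools(events)
    out = {}
    for ip, hosts in crowded_egress(checkins).items():
        flagged = {h: sorted(tools[h]) for h in hosts if h in tools}
        if flagged:
            out[ip] = {"hosts": hosts, "remote_tools": flagged}
    return out
```

Either check alone produces noise: a family with two employees or a co-working space trips the egress check, and a support team legitimately runs a remote-control client. Requiring both, and keeping an explicit approved list rather than a blanket ban, keeps the result reviewable. In the sample, LT-0420 runs the sanctioned Remote Desktop client and is not flagged on its own, but it still shares the crowded address with three flagged hosts and so appears in the candidate's host list.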

The indictment alleges that the defendants gained employment from at least 64 American organizations over the course of the multi-year scheme, which ran from April 2018 through August 2024. These included a U.S. financial institution, a San Francisco-based technology company, and a Palo Alto-headquartered IT organization.

According to the Justice Department, payments from ten of those companies generated at least $866,255 in revenue, most of which was laundered through a Chinese bank account. 

“The Department of Justice remains committed to disrupting North Korea’s cyber-enabled sanctions-evading schemes, which seek to trick U.S. companies into funding the North Korean regime’s priorities, including its weapons programs,” Devin DeBacker, supervisory official with the Justice Department’s National Security Division, said in a statement. 

Alongside Thursday’s indictments, which come just days after the Treasury Department sanctioned two individuals and four entities for allegedly engaging in similar behavior, the FBI released an advisory warning that North Korean IT workers are increasingly engaging in malicious activity, including data extortion.

The agency said it has observed North Korean IT workers leveraging unlawful access to company networks to “exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”

A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More


Four days before he leaves office, US president Joe Biden has issued a sweeping cybersecurity directive ordering improvements to the way the government monitors its networks, buys software, uses artificial intelligence, and punishes foreign hackers.

The 40-page executive order unveiled on Thursday is the Biden White House’s final attempt to kickstart efforts to harness the security benefits of AI, roll out digital identities for US citizens, and close gaps that have helped China, Russia, and other adversaries repeatedly penetrate US government systems.

The order “is designed to strengthen America’s digital foundations and also put the new administration and the country on a path to continued success,” Anne Neuberger, Biden’s deputy national security adviser for cyber and emerging technology, told reporters on Wednesday.

Looming over Biden’s directive is the question of whether president-elect Donald Trump will continue any of these initiatives after he takes the oath of office on Monday. None of the highly technical projects decreed in the order are partisan, but Trump’s advisers may prefer different approaches (or timetables) to solving the problems that the order identifies.

Trump hasn’t named any of his top cyber officials, and Neuberger said the White House didn’t discuss the order with his transition staff, “but we are very happy to, as soon as the incoming cyber team is named, have any discussions during this final transition period.”

The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors.

The order requires software vendors to submit proof that they follow secure development practices, building on a mandate that debuted in 2022 in response to Biden’s first cyber executive order. The Cybersecurity and Infrastructure Security Agency would be tasked with double-checking these security attestations and working with vendors to fix any problems. To put some teeth behind the requirement, the White House’s Office of the National Cyber Director is “encouraged to refer attestations that fail validation to the Attorney General” for potential investigation and prosecution.

The order gives the Department of Commerce eight months to assess the most commonly used cyber practices in the business community and issue guidance based on them. Shortly thereafter, those practices would become mandatory for companies seeking to do business with the government. The directive also kicks off updates to the National Institute of Standards and Technology’s secure software development guidance.

Another part of the directive focuses on the protection of cloud platforms’ authentication keys, the compromise of which opened the door for China’s theft of government emails from Microsoft’s servers and its recent supply-chain hack of the Treasury Department. Commerce and the General Services Administration have 270 days to develop guidelines for key protection, which would then have to become requirements for cloud vendors within 60 days.

To protect federal agencies from attacks that rely on flaws in internet-of-things gadgets, the order sets a January 4, 2027, deadline for agencies to purchase only consumer IoT devices that carry the newly launched US Cyber Trust Mark label.

Police operation claims takedown of prolific Redline and Meta password stealers


A coalition of international law enforcement agencies say they have disrupted the operations of two prolific infostealers that stole the sensitive data of millions of people. 

The Dutch National Police, which led the so-called “Operation Magnus” takedown, reports that it gained “full access” to the servers used by the Redline and Meta infostealers. 

Infostealers are a type of malware specifically designed to extract sensitive information, such as passwords, credit card data, search histories, and the contents of cryptocurrency wallets, from an infected system. 

Redline is considered one of the most prolific strains of infostealer malware. Criminals have been using Redline, which has been active since 2020, to steal the sensitive data of hundreds of millions of people, according to a recent report. The malware has been linked to a 2022 hack at Uber, the theft of login details from Worldcoin Orb operators, and the breach of a senior official at Israel’s National Cybersecurity Directorate.

Meta is a relatively new infostealer, though Operation Magnus notes: “We gained full access to all Redline and Meta servers. Did you know they were actually pretty much the same?”  

In a video posted to the website on Monday, the agencies say they were able to access the usernames, passwords, IP addresses, timestamps and registration dates, along with the source code for both infostealers, and the Telegram bots used by the operators of the malware.

The agencies also teased a list of usernames belonging to “VIP” — or “very important to the police” — users of the Redline and Meta infostealers. It’s not yet clear if any arrests have been made as part of the operation, but the website claims that “legal actions are underway.”

Operation Magnus, which was supported by the U.S. Federal Bureau of Investigation and the U.K.’s National Crime Agency, was announced on a newly created website outing the Redline and Meta operations. Simone van Wordragen, a spokesperson for the Dutch National Police, told TechCrunch that it will release more information about the takedown on Tuesday.

A similar takedown approach was taken during the recent operation targeting LockBit, which saw police take control of the ransomware gang’s dark web leak site to post details of the operation. 

Hackers Threaten to Leak Planned Parenthood Data


Even those of you who do everything you can to secure those secrets can find yourself vulnerable—especially if you’re using a YubiKey 5 authentication token. The multifactor authentication devices can be cloned thanks to a cryptographic flaw that can’t be patched. The company has rolled out some mitigation measures—and the attack itself is relatively difficult to pull off. But it may be time to invest in a new dongle.

That’s not all, folks. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

At the end of August, cybercriminals from the ransomware group RansomHub appear to have hacked into the systems of Planned Parenthood’s Montana branch. The organization this week confirmed it had suffered from a “cybersecurity incident” on August 28 and said its staff immediately took parts of its network offline, reporting the incident to law enforcement.

Days after the incident took place, RansomHub claimed to be behind the attack, posting Planned Parenthood on its leak website. The criminal group said it would publish 93 GB of data. It is unclear what, if anything, the ransomware group has obtained, but Planned Parenthood clinics can hold a huge array of highly sensitive data about patients, including information on abortion appointments. (Around 400,000 Planned Parenthood patients in Los Angeles were impacted following a similar ransomware incident in 2021.)

In recent months, RansomHub has emerged as one of the most active ransomware-as-a-service groups, following the law enforcement disruption of LockBit. According to an FBI and Cybersecurity and Infrastructure Security Agency alert at the end of August, the group is “efficient and successful” and has stolen data from at least 210 victims since it formed in February. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims,” the alert said.

The Nigeria-based scammers known as the Yahoo Boys run almost every scam in the playbook, from romance scams to pretending to be FBI agents. Yet there is little more devious than the rise in sextortion cases linked to the West African scammers. This week, Nigerian brothers Samuel Ogoshi and Samson Ogoshi were sentenced to more than 17 years in US prison for running sextortion scams, following their extradition earlier this year. It is the first time Nigerian scammers have been prosecuted for sextortion in the US, the BBC reported.

The Ogoshi brothers, who pleaded guilty in April, have been linked to the death of 17-year-old Jordan DeMay, who took his life six hours after he started talking to the scammers, who posed as a girl, on Instagram. The teenager had been duped into sending the brothers explicit images, and after he had done so, they threatened to post the images online unless he paid them hundreds of dollars. US prosecutors said the brothers sexually exploited and extorted more than 100 victims, with at least 11 of them being minors. There has been a huge spike in sextortion cases in recent years.

In June, the US Commerce Department banned the sale of Kaspersky’s antivirus tools over national security concerns about its links to the Russian government. (Kaspersky has, for years, denied any such connections.) The firm later fired its workers and said it was closing its US business. This week, cybersecurity company Pango Group announced it is purchasing Kaspersky Lab’s US antivirus customers, according to Axios. That amounts to around 1 million customers, who will be transitioned to Pango’s antivirus software Ultra AV. Ahead of the Kaspersky deal, parent company Aura also announced it was spinning out Pango Group into its own business. Pango’s president said customers would not need to take any action and that the deal would allow subscribers to continue receiving updates after September 29, when Kaspersky updates will stop.

For years, the EU has been trying to introduce new child protection laws that would require private chats to be scanned for child sexual abuse material, something that would potentially undermine the encrypted messaging apps that provide everyday privacy to billions of people. The plans have been highly controversial and were shelved earlier this year. However, the proposed law, which has been dubbed “chat control,” reappeared in legislators’ in-trays this week. The Council of the EU, which is currently chaired by Hungary, wants to pass legislation by October, but reports say strong resistance to the plans remains.

Your Gym Locker May Be Hackable


Thousands of electronic lockers found in gyms, offices, and schools could be vulnerable to attacks by criminals using cheap hacking tools to access administrator keys, according to new research.

At the Defcon security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how digital management keys could be extracted from lockers, copied, and then used to open other lockers in the same location. The researchers focused on various models of electronic locks from two of the world’s biggest manufacturers, Digilock and Schulte-Schlagbaum.

Over the past few years, the researchers, who both have backgrounds in lock picking, have been examining various electronic locks that use numerical keypads, allowing people to set and open them with a PIN. The work comes on the back of various examples of hotel door locks being found to be hackable, vulnerabilities in high-security locks, and commercial safes being alleged to have backdoors.

For the research, Giese and braelynn purchased electronic locks on eBay, snapping up those sold after some gyms closed during the Covid-19 pandemic and from other failed projects. Giese focused on Digilock, while braelynn looked at Schulte-Schlagbaum. Over the course of the research, they looked at legacy models from Digilock dating from 2015 to 2022 and models from Schulte-Schlagbaum from 2015 to 2020. (They also purchased some physical management keys for Digilock systems.)

Showing how security flaws could be abused by a prepared hacker, the researchers say they can take the electronic lock apart, then extract the device’s firmware and stored data. This data, Giese says, can contain PINs that have been set, management keys, and programming keys. The manager key ID can be copied to a Flipper Zero or cheap Arduino circuit board and used to open other lockers, Giese says.

“If you access one lock, we can open all of them in whatever the unit is—the whole university, the whole company,” Giese says. “We can clone and emulate keys very easily, and the tools aren’t that complicated.” Whoever owns the lockers manages them, Giese says.

Ahead of developing this proof-of-concept attack, Giese says, it took some time and effort to understand how the locker systems function. They took the locks apart and used cheap debugging tools to read the devices’ electrically erasable programmable read-only memory, known as EEPROM. Often, in the locks they tested, this memory was not protected, allowing the stored data to be pulled from the system.

“From the EEPROM, we can pull out the programming key ID, all manager key IDs, and the user PIN / user RFID UID,” Giese says. “Newer locks erase the set user PIN when the locker is unlocked. But the PIN remains if the locker was opened with a manager key/programming key.”
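The root problem the researchers describe is that the EEPROM holds the user PIN and key IDs in the clear, so a dump is the whole secret. The block below is an added example, not the vendors’ firmware and not the fix Digilock issued: it puts the readable-PIN record next to two alternatives and shows what a dump alone yields under each. The record layout, the 4-digit PIN and the idea of a per-device secret that lives outside the dumpable EEPROM (for example in read-protected MCU flash or a secure element) are assumptions.

```python
"""What an EEPROM dump reveals under three PIN-storage schemes.

Added example, not the vendors' firmware or Digilock's fix. The record
layout, the 4-digit PIN length and the device secret held outside the
dumpable EEPROM are assumptions for the demonstration.
"""
import hashlib
import hmac
import itertools
import struct

PIN_DIGITS = 4  # assumption: typical locker PIN length


# Scheme 1: what the researchers found. Record = version | 32-bit manager
# key ID | ASCII PIN. Anyone holding the dump reads both fields directly.
def write_plaintext_record(pin, manager_key_id):
    return struct.pack(">BI", 1, manager_key_id) + pin.encode("ascii")


def read_plaintext_record(record):
    version, key_id = struct.unpack(">BI", record[:5])
    return {"version": version, "manager_key_id": key_id,
            "pin": record[5:].decode("ascii")}


# Scheme 2: store SHA-256(pin). The dump no longer shows the PIN, but a
# 4-digit space has 10,000 entries, so the digest is inverted offline
# in milliseconds (6 digits is a hundred times more, still trivial).
def write_hashed_record(pin):
    return hashlib.sha256(pin.encode("ascii")).digest()


def _candidates(digits):
    return ("".join(t) for t in itertools.product("0123456789", repeat=digits))


def brute_force_hashed(record, digits=PIN_DIGITS):
    for cand in _candidates(digits):
        if hashlib.sha256(cand.encode("ascii")).digest() == record:
            return cand
    return None


# Scheme 3: HMAC-SHA256 of the PIN under a per-device secret that is not
# in the EEPROM. The dump alone cannot be used to test guesses; guessing
# has to happen at the keypad, where the lock can count attempts.
def write_keyed_record(pin, device_secret):
    return hmac.new(device_secret, pin.encode("ascii"), hashlib.sha256).digest()


def verify_keyed(record, pin, device_secret):
    """Lock-side check at the keypad, constant-time compare."""
    return hmac.compare_digest(record, write_keyed_record(pin, device_secret))


def brute_force_keyed(record, digits=PIN_DIGITS, guessed_secret=b""):
    """Attacker with the dump but not the secret: no candidate matches."""
    for cand in _candidates(digits):
        if hmac.compare_digest(write_keyed_record(cand, guessed_secret), record):
            return cand
    return None


def compare_schemes(pin="4821", manager_key_id=0xA51C):
    """Run all three schemes against one dump and report what leaks.
    The device secret is constructed here; on a lock it would be
    provisioned at manufacture and never leave protected storage."""
    secret = hashlib.sha256(b"constructed-per-device-secret").digest()
    plain = read_plaintext_record(write_plaintext_record(pin, manager_key_id))
    return {
        "plaintext_leaks_pin": plain["pin"] == pin,
        "plaintext_leaks_key_id": plain["manager_key_id"] == manager_key_id,
        "hashed_recovered_offline": brute_force_hashed(write_hashed_record(pin)),
        "keyed_recovered_offline": brute_force_keyed(write_keyed_record(pin, secret)),
        "keyed_verifies_at_keypad": verify_keyed(write_keyed_record(pin, secret), pin, secret),
    }
```

Two caveats follow from the page itself. First, the scheme only helps if the secret really is outside what a cheap debug probe can read; an MCU with readout protection disabled, or a secret copied into the same EEPROM, collapses it back to scheme 2. Second, none of this touches the manager-key problem: the key IDs the researchers cloned onto a Flipper Zero are static identifiers, and protecting how they are stored does not stop a copied one from opening every locker on the site. Stopping that requires the lock to challenge the key rather than recognise its number, which is a different change.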

The researchers say they reported the findings to both impacted companies, adding they had spoken to Digilock about the findings. Digilock tells WIRED it has issued a fix for vulnerabilities found. The researchers say Schulte-Schlagbaum did not respond to their reports; the company did not respond to WIRED’s request for comment.