Transportation

Senators Rip Into Automakers For Selling Customer Data and Blocking Right To Repair (theverge.com)

A bipartisan group of senators is calling out the auto industry for its "hypocritical, profit-driven" opposition to national right-to-repair legislation, while also selling customer data to insurance companies and other third-party interests. From a report: In a letter sent to the CEOs of the top automakers, the trio of legislators -- Sens. Elizabeth Warren (D-MA), Jeff Merkley (D-OR), and Josh Hawley (R-MO) -- urge them to better protect customer privacy, while also dropping their opposition to state and national right-to-repair efforts.

"Right-to-repair laws support consumer choice and prevent automakers from using restrictive repair laws to their financial advantage," the senators write. "It is clear that the motivation behind automotive companies' avoidance of complying with right-to-repair laws is not due to a concern for consumer security or privacy, but instead a hypocritical, profit-driven reaction."

Privacy

This VPN Lets Anyone Use Your Internet Connection. What Could Go Wrong? (wired.com)

Teenagers using Meta's virtual reality headsets to cheat at the popular game Gorilla Tag are unknowingly selling access to their home internet connections to potential cybercriminals, cybersecurity researchers found. The players have been side-loading Big Mama VPN, a free Android app, onto their VR headsets to create lag that makes it easier to win the tag-based game. However, the app simultaneously operates as a residential proxy service, selling access to users' IP addresses on a marketplace frequented by cybercriminals.

Cybersecurity firm Trend Micro discovered VR headsets were the third most common devices using Big Mama VPN, after Samsung and Xiaomi devices. The company's proxy services have been promoted on cybercrime forums and were linked to at least one cyberattack, according to research from security firms Trend Micro and Kela.

Communications

Feds Warn SMS Authentication Is Unsafe (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: Hackers aligned with the Chinese government have infiltrated U.S. telecommunications infrastructure so deeply that it allowed the interception of unencrypted communications on a number of people, according to reports that first emerged in October. The operation, dubbed Salt Typhoon, apparently allowed hackers to listen to phone calls and nab text messages, and the penetration has been so extensive they haven't even been booted from the telecom networks yet. The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on best practices for protecting "highly targeted individuals," which includes a new warning (PDF) about text messages.

"Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals," the guidance, which has been posted online, reads. Not every service even allows for multi-factor authentication and sometimes text messages are the only option. But when you have a choice, it's better to use phishing-resistant methods like passkeys or authenticator apps. CISA prefaces its guidance by insisting it's only really speaking about high-value targets.
The telecommunications hack mentioned above has been called the "worst hack in our nation's history," according to Sen. Mark Warner (D-VA).

Microsoft

Microsoft Won't Let Customers Opt Out of Passkey Push (theregister.com)

Microsoft has lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success. From a report: The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations -- sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a blog post. The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

United States

FAA Bans Drone Flights Near 'Critical Infrastructure' in New Jersey

The Federal Aviation Administration has issued a monthlong ban on drone flights over a large swath of New Jersey, the first broad prohibition of its kind since the authorities began investigating a spate of sightings last month that set off fear and speculation. From a report: The ban began late on Wednesday and will continue through Jan. 17, according to an F.A.A. alert. The notification cited "special security reasons" for prohibiting flights in airspace near 22 New Jersey communities, including three of the state's largest cities, Camden, Elizabeth and Jersey City. The F.A.A. said it had temporarily restricted drone flights over "critical New Jersey infrastructure" at the request of what it described as federal security partners.

IOS

EU Pushes Apple To Make iPhones More Compatible With Rival Devices (theverge.com)

The European Union has issued draft recommendations requiring Apple to make its iOS and iPadOS operating systems more compatible with competitors' devices, setting up a clash over privacy concerns. The proposals would allow third-party smartwatches and headsets to interact more seamlessly with iPhones.

Apple has responded [PDF] with warnings about security risks, particularly citing Meta's requests for access to Apple's technology. The Commission seeks industry feedback by January 2025, with final measures expected by March. Non-compliance could trigger EU fines up to 10% of Apple's global annual sales.

United States

Congress Funds Removal of Chinese Telecom Gear as Feds Probe Home Router Risks (msn.com)

Congress approved $3 billion Wednesday for a long-languishing project to cull Chinese equipment from networks nationwide over fears they are vulnerable to cyberattacks, underscoring the risk Beijing-sponsored hackers pose to phone and internet networks. From a report: The new funding comes as the Commerce Department reviews whether to ban routers made by the Chinese-owned company TP-Link, which account for more than half of the U.S. retail router market.

The actions reflect the heightened attention among Washington policymakers to the threat posed by Chinese state-linked hackers. U.S. officials revealed the "Volt Typhoon" hack last year and in recent months have expressed alarm over the even bigger "Salt Typhoon" hack. In both cases, Chinese government hackers successfully penetrated major U.S. phone networks and critical infrastructure facilities, and U.S. officials said they still have not been able to expel the Salt Typhoon interlopers.

Security

Hackers Can Jailbreak Digital License Plates To Make Others Pay Their Tolls, Tickets (wired.com)

Longtime Slashdot reader sinij shares a report from Wired with the caption: "This story will be an on-going payday for traffic ticket lawyers. I am ordering one now." From the report: Digital license plates, already legal to buy in a growing number of states and to drive with nationwide, offer a few perks over their sheet metal predecessors. You can change their display on the fly to frame your plate number with novelty messages, for instance, or to flag that your car has been stolen. Now one security researcher has shown how they can also be hacked to enable a less benign feature: changing a car's license plate number at will to avoid traffic tickets and tolls -- or even pin them on someone else.

Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to "jailbreak" digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he's able to rewrite a Reviver plate's firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image. That susceptibility to jailbreaking, Rodriguez points out, could let drivers with the license plates evade any system that depends on license plate numbers for enforcement or surveillance, from tolls to speeding and parking tickets to automatic license plate readers that police use to track criminal suspects. "You can put whatever you want on the screen, which users are not supposed to be able to do," says Rodriguez. "Imagine you are going through a speed camera or if you are a criminal and you don't want to get caught."

Worse still, Rodriguez points out that a jailbroken license plate can be changed not just to an arbitrary number but also to the number of another vehicle -- whose driver would then receive the malicious user's tickets and toll bills. "If you can change the license plate number whenever you want, you can cause some real problems," Rodriguez says. All traffic-related mischief aside, Rodriguez also notes that jailbreaking the plates could also allow drivers to use the plates' features without paying Reviver's $29.99 monthly subscription fee. Because the vulnerability that allowed him to rewrite the plates' firmware exists at the hardware level -- in Reviver's chips themselves -- Rodriguez says there's no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display. That means the company's license plates are very likely to remain vulnerable despite Rodriguez's warning -- a fact, Rodriguez says, that transport policymakers and law enforcement should be aware of as digital license plates roll out across the country. "It's a big problem because now you have thousands of licensed plates with this issue, and you would need to change the hardware to fix it," he says.

Wireless Networking

New Shelly Smart Devices Have One-Mile Range, Thanks To Z-Wave (pcworld.com)

An anonymous reader quotes a report from PCWorld: Smart home devices compatible with the Matter standard have garnered most of our attention lately, but the compelling features in the latest generation of Z-Wave chips convinced the IoT developer Shelly Group to build no fewer than 11 new products powered by Z-Wave technology. The new collection includes a smart plug, in-wall dimmers, relays, and various sensors aimed at DIYers, installers, and commercial builders. Citing the ability of Z-Wave 800 (aka Z-Wave Long Range or LR) chips to operate IoT devices over extremely long range -- up to 1 mile, line of sight -- while running on battery power for up to 10 years, Shelly Group CTO Leon Kralj said "Shelly is helping break down smart home connectivity barriers, empowering homeowners, security installers, and commercial property owners and managers with unmatched range, scalability, and energy efficiency to redefine their automation experience."

[...] While most homeowners won't need to worry about the number of IoT devices their networks can support, commercial builders will appreciate the scalability of Z-Wave 800-powered devices -- namely, you can deploy as many as 4,000 nodes on a single mesh network. That's a 20x increase over what was possible with previous generations of the chip. And since Z-Wave LR is backward compatible with those previous generations, there should be no worries about integrating the new devices into existing networks. Shelly says all 11 of its new Z-Wave 800-powered IoT devices will be available in the first half of 2025.
The new Shelly devices will be available in the U.S. in the first half of 2025.

Here's a list of the devices enhanced with the new long-range capabilities:
- Shelly Wave Plug US
- Shelly Wave Door/Window
- Shelly Wave H&T
- Shelly Wave Motion
- Shelly Wave Dimmer
- Shelly Wave Pro Dimmer 1 PM
- Shelly Wave Pro Dimmer 2 PM
- Shelly Wave 1
- Shelly Wave 1 PM
- Shelly Wave 2 PM
- Shelly Wave Shutter

Security

Tracker Firm Hapn Spilling Names of Thousands of GPS Tracking Customers (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: GPS tracking firm Hapn is exposing the names of thousands of its customers due to a website bug, TechCrunch has learned. A security researcher alerted TechCrunch in late November to customer names and affiliations -- such as the name of their workplace -- spilling from one of Hapn's servers, which TechCrunch has seen.

Hapn, formerly known as Spytec, is a tracking company that allows users to remotely monitor the real-time location of internet-enabled tracking devices, which can be attached to vehicles or other equipment. The company also sells GPS trackers to consumers under its Spytec brand, which rely on the Hapn app for tracking. Spytec touts its GPS devices for tracking the locations of valuable possessions and "loved ones." According to its website, Hapn claims to track more than 460,000 devices and counts customers within the Fortune 500.

The bug allows anyone to log in with a Hapn account to view the exposed data using the developer tools in their web browser. The exposed data contains information on more than 8,600 GPS trackers, including the IMEI numbers for the SIM cards in each tracker, which uniquely identify each device. The exposed data does not include location data, but thousands of records contain the names and business affiliations of customers who own, or are tracked by, the GPS trackers.

United States

US Government Tells Officials, Politicians To Ditch Regular Calls and Texts (reuters.com)

The U.S. government is urging senior government officials and politicians to ditch phone calls and text messages following intrusions at major American telecommunications companies blamed on Chinese hackers. From a report: In written guidance released on Wednesday, the Cybersecurity and Infrastructure Security Agency said "individuals who are in senior government or senior political positions" should "immediately review and apply" a series of best practices around the use of mobile devices.

The first recommendation: "Use only end-to-end encrypted communications." End-to-end encryption -- a data protection technique which aims to make data unreadable by anyone except its sender and its recipient -- is baked into various chat apps, including Meta's WhatsApp, Apple's iMessage, and the privacy-focused app Signal. Neither regular phone calls nor text messages are end-to-end encrypted, which means they can be monitored, either by the telephone companies, law enforcement, or - potentially - hackers who've broken into the phone companies' infrastructure.

The Courts

Nebraska Sues UnitedHealth Unit Over 100 Million Patient Data Breach

Nebraska's attorney general has sued Change Healthcare over a massive data breach that exposed sensitive medical information of more than 100 million Americans following a February ransomware attack. The lawsuit alleges the UnitedHealth-owned company failed to implement basic security measures, including multi-factor authentication, allowing hackers to breach its systems using credentials from a customer support employee that were posted on Telegram.

The Russian-speaking ALPHV ransomware group accessed personal health records, financial data and treatment information across Change Healthcare's poorly segmented network, according to the complaint filed by Attorney General Mike Hilgers.

Encryption

Australia Moves To Drop Some Cryptography By 2030 (theregister.com)

An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.

The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.

Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."

China

US Weighs Banning TP-Link Router Over National Security Concerns (msn.com)

U.S. authorities are investigating Chinese router manufacturer TP-Link over national security risks and considering banning its devices, WSJ reported Wednesday, citing sources familiar with the matter. The Commerce, Defense and Justice departments have launched separate probes into the company, which controls approximately 65% of the U.S. home and small business router market.

Microsoft reported in October that Chinese hackers had compromised thousands of TP-Link routers to launch cyberattacks against Western targets, including government organizations and Defense Department suppliers. The company's routers are widely used across federal agencies, including the Defense Department and NASA. The Justice Department is also examining whether TP-Link's significantly lower pricing violates federal anti-monopoly laws, the report said.

United States

DHS Says China, Russia, Iran, and Israel Are Spying on People in US with SS7 (404media.co)

The Department of Homeland Security (DHS) believes that China, Russia, Iran, and Israel are the "primary" countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts, according to information released by Senator Ron Wyden. 404 Media: The news provides more context around use of SS7, the exploited network and protocol, against phones in the country. In May, 404 Media reported that an official inside DHS's Cybersecurity Insurance and Security Agency (CISA) broke with his department's official narrative and publicly warned about multiple SS7 attacks on U.S. persons in recent years. Now, the newly disclosed information provides more specifics on where at least some SS7 attacks are originating from.

The information is included in a letter the Department of Defense (DoD) wrote in response to queries from the office of Senator Wyden. The letter says that in September 2017 DHS personnel gave a presentation on SS7 security threats at an event open to U.S. government officials. The letter says that Wyden staff attended the event and saw the presentation. One slide identified the "primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers," it continues.

China

Chinese Hacker Singlehandedly Responsible For Exploiting 81,000 Sophos Firewalls, DOJ Says (cybernews.com)

An anonymous reader shares a report: A Chinese hacker indicted earlier this month and the PRC-based cybersecurity company he worked for are both sanctioned by the US government for compromising "tens of thousands of firewalls" -- some protecting US critical infrastructure, putting human lives at risk.

In a series of coordinated actions, the US Treasury Department's Office of Foreign Assets Control (OFAC), the Department of Justice (DoJ), and the FBI said the massive cyber espionage campaign, which compromised at least 36 firewalls protecting US critical infrastructure, posed significant risks to national security.

A federal court in Indiana earlier this month unsealed an indictment charging 30-year-old Guan Tianfeng (Guan) with conspiracy to commit computer and wire fraud by hacking into firewall devices worldwide, including one "used by an agency of the United States." Guan, employed by the Chinese cybersecurity firm Sichuan Silence -- a known contractor for Beijing intelligence -- was alleged to have discovered a zero-day vulnerability in firewall products manufactured by UK cybersecurity firm Sophos.

Facebook

Meta Fined $263 Million Over 2018 Security Breach That Affected 3 Million EU Users (techcrunch.com)

Meta has been fined around $263 million in the European Union for a Facebook security breach that affected millions of users which the company disclosed back in September 2018. From a report: The penalty, issued on Tuesday by Ireland's Data Protection Commission (DPC) -- enforcing the bloc's General Data Protection Regulation (GDPR) -- is far from being the largest GDPR fine Meta has been hit with since the regime came into force over five years ago but is notable for being a substantial sanction for a single security incident.

The breach it relates to dates back to July 2017 when Facebook, as the company was still known then, rolled out a video upload function that included a "View as" feature which let the user see their own Facebook page as it would be seen by another user. A bug in the design allowed users making use of the feature to invoke the video uploader in conjunction with Facebook's 'Happy Birthday Composer' facility to generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. They could then use the token to exploit the same combination of features on other accounts -- gaining unauthorized access to multiple users' profiles and data, per the DPC.

Privacy

Hackers Hit Rhode Island Benefits System In Major Cyberattack (apnews.com)

A cyberattack on Rhode Island's RIBridges system has exposed personal data of individuals involved in programs like Medicaid, SNAP, and others, with hackers demanding a ransom. The breach may include sensitive details like Social Security numbers and banking information. The Associated Press reports: Anyone who has been involved in Medicaid, the Supplemental Nutrition Assistance Program known as SNAP, Temporary Assistance for Needy Families, Childcare Assistance Program, Rhode Island Works, Long-term Services and Supports, the At HOME Cost Share Program and health insurance purchased through HealthSource RI may be impacted, McKee said Saturday.

The system known as RIBridges was taken offline on Friday, after the state was informed by its vendor, Deloitte, that there was a major security threat to the system. The vendor confirmed that "there is a high probability that a cybercriminal has obtained files with personally identifiable information from RIBridges," the state said. The state has contracted with Experian to run a toll-free hotline for Rhode Islanders to call to get information about the breach and how they can protect their data.

EU

EU Signs $1 Billion Deal For Sovereign Satellite Constellation To Rival Starlink (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The European Union is forging ahead with plans for a constellation of internet satellites to rival Elon Musk-owned Starlink, after signing a $11.1 billion deal to launch nearly 300 satellites into low- and medium-Earth orbits by 2030. The bloc wants the space tech to boost its digital sovereignty by providing secure comms to governments.

First announced in 2022, Iris^2 (Infrastructure for Resilience, Interconnectivity and Security by Satellite) is a public-private partnership whose initial cost estimate (6 billion euros) leapt 76% through a fraught negotiation process. In the end, the program will be 61% funded from the public purse; an industry consortium called SpaceRise, selected in October, is making up the difference. This grouping includes French satellite giant Eutelsat, which merged with European rival OneWeb back in 2022.

AI

Microsoft Announces Phi-4 AI Model Optimized for Accuracy and Complex Reasoning (computerworld.com)

An anonymous reader shared this report from Computerworld: Microsoft has announced Phi-4 — a new AI model with 14 billion parameters — designed for complex reasoning tasks, including mathematics. Phi-4 excels in areas such as STEM question-answering and advanced problem-solving, surpassing similar models in performance. Phi-4, part of the Phi small language models (SLMs), is currently available on Azure AI Foundry under the Microsoft Research License Agreement and will launch on Hugging Face [this] week, the company said in a blog post.

The company emphasized that Phi-4's design focuses on improving accuracy through enhanced training and data curation.... "Phi-4 outperforms comparable and even larger models on tasks like mathematical reasoning, thanks to a training process that combines synthetic datasets, curated organic data, and innovative post-training techniques," Microsoft said in its announcement. The model leverages a new training approach that integrates multi-agent prompting workflows and data-driven innovations to enhance its reasoning efficiency. The accompanying report highlights that Phi-4 balances size and performance, challenging the industry norm of prioritizing larger models... Phi-4 achieved a score of 80.4 on the MATH benchmark and has surpassed other systems in problem-solving and reasoning evaluations, according to the technical report accompanying the release. This makes it particularly appealing for domain-specific applications requiring precision, like scientific computation or advanced STEM problem-solving.

Microsoft emphasized its commitment to ethical AI development, integrating advanced safety measures into Phi-4. The model benefits from Azure AI Content Safety features such as prompt shields, protected material detection, and real-time application monitoring. These features, Microsoft explained, help users address risks like adversarial prompts and data security threats during AI deployment. The company also reiterated that Azure AI Foundry, the platform hosting Phi-4, offers tools to measure and mitigate AI risks. Developers using the platform can evaluate and improve their models through built-in metrics and custom safety evaluations, Microsoft added... With Phi-4, Microsoft continues to evolve its AI offerings while promoting responsible use through robust safeguards. Industry watchers will observe how this approach shapes adoption in critical fields where reasoning and security are paramount.