BrakTooth Flaws Affect Billions of Bluetooth Devices – WIRED

When Apple announced in August that it would check for child sexual abuse materials on its customers’ devices, privacy advocates and cryptographers immediately and loudly rejected the idea. In the face of that sustained backlash, the company said Friday that it would stand down, at least for now. While Apple hasn’t reversed course completely, many of its critics were at least relieved that it’s taking more time to hear out their concerns before pushing the system live.

In Louisiana, hundreds of thousands of people remain without power several days after Hurricane Ida tore through. We took a look at what it takes to get lights back on in New Orleans and the surrounding parishes, and why it could be weeks still until everyone’s back up and running.

Happy Labor Day weekend to those who celebrate! Well, except for ransomware gangs and other hackers, who use long weekends and holidays to inflict maximum pain on targets who are likely to be short-staffed or distracted. The biggest ransomware hacks of the year have taken place before Mother’s Day, Memorial Day, and the Fourth of July. Like clockwork, not long after we published this story US Cyber Command warned of a “mass exploitation” of a flaw in remote management software from Atlassian. Hope you got your patches done! On a more individual level, here’s a guide from our friends at WIRED UK to help prevent getting hacked yourself.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.

We’ve written about big Bluetooth flaws so many times, not to mention why they keep happening and why you might want to turn Bluetooth off when you’re not using it as a result. Which is to say that the existence of a new set of flaws, known collectively as BrakTooth, should not be surprising. But it also shouldn’t be ignored; the vulnerabilities can lead to a range of outcomes, up to and including the ability to execute malware on a device. On a less destructive but still annoying level, an attacker could use the flaws to crash a nearby Bluetooth device. Given the huge number of affected companies, it’s impossible to know how many potential targets are patched or ever will be. Add BrakTooth to the increasingly alarming pile.

The FTC this week banned a company called SpyFone from selling surveillance software, a first for the agency. It took the additional step of ordering SpyFone to notify anyone who had the spyware installed on their device. The app and others like it can give stalkers and abusers a way to monitor a victim’s photos, texts, emails, location, and more. The FTC ordered the company to delete any of that information it may still have on its servers. Spyware remains a bustling industry in general, so the FTC should have no shortage of opportunities for further enforcement.

Speaking of enforcement! Ireland’s Data Protection Commission fined WhatsApp the equivalent of close to $270 million for not properly informing European Union residents what it does with their data. The ruling relates to WhatsApp’s longstanding practice of sharing user data with parent company Facebook, which many people were surprised to discover when the secure messaging company finally got around to updating its privacy policy earlier this year. The ruling gives WhatsApp three months to come into compliance with the EU’s General Data Protection Regulation; WhatsApp has said it will appeal the decision.

The OMG cable, first introduced in 2019, is something of a hacker’s delight. While it looks like a normal Lightning cable, it creates its own hotspot, allowing hackers to connect to any device that it plugs into. From there, they can implant malware, steal data, or record keystrokes. The latest version, demonstrated this week, comes in new formats like Lightning to USB-C and USB-C to USB-C, has a wider range, and introduces geofencing features. You should only be using cables from trusted sources anyway, but let this be a reminder.

