A new jailbreak for John Deere tractors, demonstrated at the Defcon security conference in Las Vegas last Saturday, put a spotlight on the strength of the right-to-repair movement as it continues to gain momentum in the United States. Meanwhile, researchers are developing expanded tools for detecting spyware on Windows, Mac, and Linux computers as the malware continues to proliferate.
WIRED took a deep look this week at the Posey family, which wielded the Freedom of Information Act to learn more about the US Department of Defense and promote transparency—and make millions in the process. And researchers found a potentially crucial flaw in the Veterans Affairs department’s VistA electronic medical record system that has no easy fix.
If you need some digital security and privacy projects this weekend for your own protection, we’ve got tips on how to create a secure folder on your phone, how to set up and most safely use the Signal encrypted messaging app, and Android 13 privacy setting tips to keep your data exactly where you want it and nowhere you don’t.
And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. And stay safe out there.
The Janet Jackson classic “Rhythm Nation” may be from 1989, but it’s still blowing up the charts—and some hard drives. This week, Microsoft shared details of a vulnerability in a widely used 5400-RPM laptop hard drive sold around 2005. Just by playing “Rhythm Nation” on or near a vulnerable laptop, the disk can crash and take its laptop down with it. Spinning disk hard drives have been increasingly phased out in favor of solid-state drives, but they still persist in a host of devices around the world. The flaw, which has its own CVE vulnerability tracking number, is due to the fact that “Rhythm Nation” inadvertently produces one of the natural resonant frequencies created by the movement in the hard drive. Who wouldn’t vibe hard with such a classic jam? Microsoft says the manufacturer that made the drives developed a special filter for the audio processing system to detect and quash the frequency when the song was playing. Audio hacks that manipulate speakers, grab information leaked in vibrations, or exploit resonant frequency vulnerabilities aren’t discovered often in research but are an intriguing area.
When the cloud services company Twilio announced last week that it had been breached, one of its customers that suffered knock-on effects was the secure messaging service Signal. Twilio underpins Signal’s device verification service. When a Signal user registers a new device, Twilio is the provider that sends the SMS text with a code for the user to put into Signal. Once they had compromised Twilio, attackers could initiate a Signal device swap, read the code from the SMS sent to the real account owner, and then take control of the Signal account. The secure messaging service said that the hackers targeted 1,900 of its users and explicitly searched for three. Among that tiny subset was the Signal account of Motherboard security reporter Lorenzo Franceschi-Bicchierai. Signal is built so the attackers could not have seen Franceschi-Bicchierai’s message history or contacts by compromising his account, but they may have impersonated him and sent new messages from his account.
TechCrunch published an investigation in February into a group of spyware apps that all share backend infrastructure and expose targets’ data because of a shared vulnerability. The apps, which include TheTruthSpy, are invasive to begin with. But they’re also inadvertently exposing the phone data of hundreds of thousands of Android users, TechCrunch reported, because of an infrastructure vulnerability. This week, though, TechCrunch published a tool victims can use to check whether their devices have been compromised with the spyware and take back control. “In June, a source provided TechCrunch with a cache of files dumped from the servers of TheTruthSpy’s internal network,” TechCrunch’s Zack Whittaker wrote. “That cache of files included a list of every Android device that was compromised by any of the spyware apps in TheTruthSpy’s network up to April 2022, which is presumably when the data was dumped. The leaked list does not contain enough information for TechCrunch to identify or notify owners of compromised devices. That’s why TechCrunch built this spyware lookup tool.”
Domain Logistics, a distribution company that works with the Ontario Cannabis Store (OCS) in Canada, was hacked on August 5, limiting OCS’s ability to process orders and deliver weed products to stores and customers around Ontario. OCS said there was no evidence that customer data had been compromised in the attack on Domain Logistics. OCS also says that cybersecurity consultants are investigating the incident. Customers in Ontario can order online from OCS, which is government-backed. The company also distributes to the roughly 1,330 licensed cannabis stores in the province. “Out of an abundance of caution to protect OCS and its customers, the decision was made to shut down Domain Logistics’ operations until a full forensic investigation could be completed,” OCS said in a statement.