US Official Warns a Cell Network Flaw Is Being Exploited for Spying

Laser warfare, among all the long-unfulfilled imaginings of science fiction writers, is right up there with flying cars. Now it’s finally becoming a reality. After decades of research, the US military is actively deploying laser defense systems in the Middle East to shoot down drones launched by adversaries like Yemen’s Houthi rebels, one of several recent deployments of laser tech in actual combat situations.

In less pewpew-oriented security news, the debate continues over the extension of Section 702 of the Foreign Intelligence Surveillance Act, signed by President Biden last month, as 20 civil liberties organizations sent a letter to the Justice Department demanding more clarity on when the NSA can demand US tech companies cooperate in its wiretaps. Elsewhere, WIRED obtained emails showing how New York City decided to deploy a gun-detection system called Evolv in subways despite false-positive rates as high as 85 percent.

At the Google I/O developer conference, meanwhile, the search giant debuted a new AI-based feature in Android that’s designed to detect if a phone has been stolen and automatically lock it down. And we dug into the stakes for financial privacy and surveillance posed by the $2.3 billion Tornado Cash money laundering case, whose cofounder was found guilty and sentenced to more than five years in prison on Tuesday.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. And stay safe out there.

The system known as SS7—which connects cellular networks run by different providers—and its more recent upgrade called Diameter have long been considered a serious security and privacy problem. Researchers have warned that hackers who can gain access to a mobile provider’s system or even create their own have the ability to reroute cellular data, allowing them to track individuals or eavesdrop on their communications. Now one US official is raising the alarm that this technique has been used numerous times against real victims in the US.

As first reported by 404 Media, CISA’s senior adviser for telecommunications, Kevin Briggs, responded to questions from the Federal Communications Commission in a public filing, confirming that he has seen multiple cases of Americans tracked via SS7 or Diameter, including one person whose location was tracked with the technique in March 2022 and three more the next month. He also warned that there were signs that many more people had been targeted, but that spies had used techniques to mask their exploitation of the system.

The revelation sounds a clear warning that telecoms—and their regulators—need to do more to lock down a known, critical vulnerability that leaves any of hundreds of millions of Americans open to espionage. “Much more could be said,” Briggs cryptically concluded his statement, “but this ends my public comments.”

The post-pandemic era of the virtual workplace has led to a strange new problem: North Korean tech workers secretly infiltrating US companies as remote workers to earn money for the world’s most authoritarian regime. This week the Justice Department announced three arrests, including one American woman in Arizona and a Ukrainian man in Poland, who allegedly helped to enable thousands of North Korean workers based in China and Russia to obtain jobs in Western companies, often with fraudulent job applications and stolen identities. A third man, a Vietnamese national, was arrested in Maryland for allegedly offering his own identity to the North Koreans as cover. In total, the North Korean workers got jobs at more than 300 companies—including a high-end retail chain and a major Silicon Valley tech firm—and cumulatively earned at least $6.8 million, the Justice Department said. Much of that money was funneled to the regime of Kim Jong-Un, including to its weapons programs.

Given that Teslas are massive collections of cameras on wheels, they’ve always held the potential to serve as powerful surveillance devices. But Tesla drivers probably weren’t expecting all that video surveillance to be turned on them. Reuters this week revealed that Tesla staff have collected and circulated videos recorded by cars’ cameras, which have included everything from mundane shots turned into memes, to a violent video of a child on a bicycle being struck by the car, to a fully naked man approaching his vehicle. (They also included a video that showed a submarine used in a James Bond movie in Elon Musk’s garage, filmed from cameras on the Tesla CEO’s own car.) Tesla assures customers in its privacy fine print that videos collected by Tesla’s staff remain anonymous and aren’t linked to any particular vehicle. But seven former staffers told Reuters that the videos are linked with location data that could likely be used to identify vehicle owners.

BreachForums has long been one of cybercriminals’ most well-known gathering places for selling hacking tools and stolen data. Now it’s been taken down—for the second time in two years—in an FBI operation that also seized the Telegram channel for the forum and that of its alleged operator, who goes by the name Baphomet. That bust follows the arrest of the site’s previous administrator, Conor Brian Fitzpatrick, last year, when the FBI seized a previous incarnation of the site. That earlier version of BreachForums itself replaced an older cybercriminal marketplace called RaidForums. Given that history, the latest BreachForums takedown is perhaps “the least surprising infosec news of the year,” writes security entrepreneur and HaveIBeenPwned creator Troy Hunt.