California Man Stole 620,000 iCloud Photos in Search of Nudes
There’s a lot to worry about in the world today, so apologies in advance for this additional level of existential stress: New research indicates that in the event of a solar superstorm—the kind that hit in 1859—the internet could go down entirely, and take even longer than the power grid to restore. The risk lies primarily in the undersea cables that connect continents, which are inconsistently grounded and rely on components that a geomagnetic surge could disrupt. While solar storms of that magnitude are rare, they do happen—and internet infrastructure has never been tested against it.
Cheery! Although it admittedly does not get much better from there. Medical devices have a shoddy cybersecurity record as it is, and researchers this week shared details about vulnerabilities in an infusion pump that could let hackers administer extra doses. It’s a complicated attack to pull off, but a less-sophisticated version of it could still enable a ransomware attack on a hospital’s network.
A privacy unfriendly default setting in Microsoft Power Apps—a feature intended to make building web apps a cinch—resulted in the exposure of 38 million records across thousands of organizations. The data included Covid-19 contact tracing information from the state of Indiana, as well as a payroll database from Microsoft itself.
Another iOS “zero-click” attack came to light this week in a report from the University of Toronto’s Citizen Lab. These hacks require no interaction from the victims: no attachments opened, no links clicked. It’s the latest in a string of nation state surveillance attacks against dissidents that takes advantage of holes in Apple’s iMessage security. There’s plenty that the company could do to make the messaging service safer for its most at-risk victims; the question is how far it’s willing to go.
While geofence warrants—which target anyone within a certain area at a certain time—have long been a concern of privacy advocates, new data released by Google recently shows just how broadly law enforcement has deployed them. The number of geofence warrant requests the company received since 2018 has gone up tenfold, and they now comprise 25 percent of incoming warrant requests overall.
And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
A Los Angeles-area man pleaded guilty this month to four felonies in connection to a scheme that resulted in the theft of over 620,000 iCloud photos and videos from over 300 victims. Rather than a vulnerability in iCloud itself, the perpetrator relied on phishing and social engineering, sending “customer support” emails from from Gmail addresses like “applebackupicloud” and “backupagenticloud.” He procured the private files both for his own purposes and by request—denoting photos and videos that contained nudity as “wins”—promoting an “icloudripper4you” service that offered to break into iCloud accounts. He now faces up to 20 years in prison.
The Wall Street Journal this week ran an interview with the purported hacker behind this month’s devastating T-Mobile data breach. In it, the 21-year-old American describes T-Mobile’s security as “awful,” but doesn’t confirm whether he actually sold any of the data he stole and advertised on the dark web. The story goes into detail about the hacker’s background and the state of breaches generally; it’s definitely worth setting aside some time to read through.
The good news is that there’s no sign that any hacker actually abused the latest Microsoft Azure bug. The bad news is that if they had, they would have gained a scary amount of access—read/write privileges that could have let them view, edit, or delete at whim—to every database on the platform. Microsoft has since patched the vulnerability, but it’s a big one to have let slip through in the first place.
Speaking of Microsoft and security! A Razer bug made it a cinch to get system-level privileges on a Windows 10 device through the simple act of plugging in a $20 mouse. Razer said it’s going to vix the vulnerability, but it speaks to broader concerns around similar software that relies on the Windows “plug-and-play” set-up.
More Great WIRED Stories