Autonomous Vehicles Join the List of US National Security Threats

Amid rising concerns about China’s growing international data collection apparatus, a newly divided US Congress is applying fresh scrutiny to the possibility that imported Chinese technology could be a Trojan horse.

In a letter to the US National Highway Traffic Safety Administration, shared exclusively with WIRED, Representative August Pfluger asks some tough questions as to whether Washington is really prepared for the security threat posed by the coming influx of Chinese-made smart and autonomous vehicles (AVs) to the United States.

“I remain concerned that a lack of US oversight in AV technology has opened the door for a foreign nation to spy on American soil, as Chinese companies potentially transfer critical data to the People’s Republic of China,” Pfluger writes.

While AV technology may be some years away from widespread commercial use, pilot projects are already on the roads around the world. As of earlier this year, more than 1,000 AutoX autonomous taxis were on the roads in California. AutoX, a Chinese startup backed by one of the largest state-owned car companies in the communist country, was granted approval by California in 2020.

As American regulators have green-lit those test projects, Pfluger writes, “there remains a serious lack of oversight regarding their data governance.”

Earlier this year, WIRED reported on the mounting national security issues posed by Chinese-made vehicles. The massive trove of data being collected by these cars could give adversarial states an unprecedented vantage point into the United States and other Western nations. Beijing has already pioneered the use of big-data analytics to identify dissidents at home, and concerns have mounted that those tactics could be deployed abroad.

Pfluger submitted a detailed list of questions to the National Highway Traffic Safety Administration (NHTSA), which regulates the use of AVs, and asked the regulator to explain how it has vetted the national security risk posed by these Chinese companies.

“Has NHTSA worked independently, or in collaboration with cities or other local governments to limit or prevent Chinese-owned companies from collecting sensitive information from American infrastructure, including information about sensitive government or military facilities, and subsequently sharing such information abroad?” Pfluger writes.

China has certainly had that anxiety about American-made smart and electric vehicles. Earlier this year, for example, Beijing placed firm restrictions on where Teslas could drive, particularly around military installations, amid high-level Communist Party meetings.

Pfluger highlights in his letter that China could use “autonomous and connected vehicles as a pathway to incorporate their systems and technology into our country’s infrastructure.” The United States, like most of its allies, has already banned Chinese corporate giant Huawei from building 5G infrastructure, but these next-generation vehicles would have access to an unprecedented number of emails, messages, and phone calls, and would effectively be moving cameras, capable of photographing an array of critical infrastructure.

As Homeland Security secretary Alejandro Mayorkas told a House committee last week, there are “perils of having communications infrastructure in the hands of nation-states that don’t protect freedoms and rights as we do.” FBI director Christopher Wray warned that China has stolen more data from the United States than all other nations combined, through “increasingly sophisticated, large-scale cyber espionage operations against a range of industries, organizations, and dissidents in the United States.”

China Operates Secret ‘Police Stations’ in Other Countries

For years, AlphaBay ruled the dark web. If you were in the market to buy drugs or stolen credit cards, the digital bazaar was the place to turn. At its peak, more than 350,000 products were listed for sale—an estimated 10 times the size of the notorious Silk Road market—and the website drew the ire of law enforcement the world round. That was until cops took AlphaBay offline in 2017.

This week, WIRED published the first in a six-part series detailing the hunt for Alpha02, the mastermind believed to be behind AlphaBay, and the huge international takedown operation that wiped the marketplace from the web. Each week, we’ll publish a new part of the series, excerpted from WIRED reporter Andy Greenberg’s new book, Tracers in the Dark.

Schools across the US have faced dozens of hoax calls about mass shootings in recent months. After a call is made, police scramble to the scene fearing the worst, only to find out there is no shooter. Now hoax phone call recordings obtained by WIRED and conversations with law enforcement officials reveal how the calls have been made and show that law enforcement officials are closing in on the alleged hoaxer. Police are looking for a male “with a heavy accent described as Middle Eastern or African” and have linked the phone calls to Ethiopia.

Elsewhere, a bug in Apple’s new macOS 13 Ventura operating system is causing problems for malware scanners and security monitoring tools. With the new software update, Apple accidentally crippled third-party security products in a way users may not notice. The company is planning to fix the bug in an upcoming software release.

We also looked at a newly discovered Chinese influence operation that is targeting US elections—although it is not having much success. And now that Elon Musk owns Twitter, here’s how you should think about your privacy and security on the bird website.

But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Officials in Canada and the Netherlands are investigating allegations that Chinese police forces have operated a network of illegal police stations within their countries. According to reports that emerged this week, Chinese police forces have been operating out of clandestine bases and using their presence to track and threaten dissidents. The Dutch government has called such sites “illegal” and said it is “investigating exactly what they are doing here,” while officials in Canada said they are investigating “so-called ‘police’ stations.”

However, it is just the tip of the iceberg. Spanish civil rights group Safeguard Defenders first claimed that Chinese police forces from the cities of Fuzhou and Qingtian were running “overseas police service stations” across the West in a report published in September. Since 2018, the group claims, more than 38 police service stations have appeared in “dozens of countries” spread across five different continents. “Such overseas police ‘service stations’ have been used by police back in China to carry out such ‘persuasion to return’ operations on foreign soil, including in Europe,” the report states. Lawmakers in both England and Scotland are also planning on investigating the stations, reports say.

The Challenge of Cracking Iran’s Internet Blockade

Some communication services have systems in place for attempting to skirt digital blockades. The secure messaging app Signal, for example, offers tools so people around the world can set up proxy servers that securely relay Signal traffic to bypass government filters. Proxy support had previously been available only in Signal for Android; the platform added iOS support on Wednesday.

Still, if people in Iran don’t already have the Signal app installed on their phones or haven’t registered their phone numbers, the connectivity outages make it difficult to download the app or receive the SMS code used for account setup. Android users who can’t connect to Google Play can also download the app directly from Signal’s website, but this creates the possibility that malicious versions of the Signal app could circulate on other forums and trick people into downloading them. In an attempt to address this, the Signal Foundation created the email address “getsignal@signal.org” that people can message to request a safe copy of the app.

The anonymity service Tor is largely inaccessible in Iran, but some activists are working to establish Tor bridges within Iran to connect internal country networks to the global platform. The work is difficult without infrastructure and resources, though, and is extremely dangerous if the regime detects the activity. Similarly, other efforts to establish clandestine infrastructure within the country are fraught because they often require too much technical expertise for a layperson to carry out safely. Echoing the issue with safely downloading apps like Signal, it can also be difficult for people to determine whether circumvention measures they learn about are legitimate or tainted.

Users in Iran have also been leaning on other services that have proxies built in. For example, Firuzeh Mahmoudi, executive director of the US-based nonprofit United for Iran, says that the law enforcement-tracking app Gershad has been in heavy use during the connectivity blackouts. The app, which has been circulating in Iran since 2016 and is now developed by United for Iran, lets users crowdsource information about the movements of the regime’s “morality police” and is now also being used to track other security forces and checkpoints.

The basic issue of connectivity access is still a fundamental challenge. Efforts to provide satellite service as an alternative could theoretically be very fruitful and threaten the totality of internet blackouts. SpaceX CEO Elon Musk tweeted last week that he was “activating” the company’s Starlink satellite internet service for people in Iran. In practice, though, the option isn’t a panacea. To use Starlink or any satellite internet, you need dedicated hardware, a user terminal that picks up and translates the signal. Procuring and setting up this equipment takes resources and is especially infeasible in a place like Iran, where sanctions and trade blockades drastically limit access to equipment and the ability to pay for subscription services or other connectivity fees. And even if users can overcome these hurdles, jamming is also a potential issue. The French satellite operator Eutelsat said yesterday, for example, that two of its satellites were being jammed from Iran. In addition to providing internet services, the satellites also broadcast two prominent Iranian dissident television channels.

“There are just so many challenges of installing this in Iran,” Miaan Group’s Rashidi says. “If you have a terminal, my understanding is that Starlink is working, but getting those terminals into the country is a challenge. And then they are a security risk because the government can locate those terminals. And then, who is going to pay for all of it and how, given the sanctions? But even if you ignore all those issues, satellite base stations don’t solve the problem that mobile data is part of the shutdown. You can’t put a Starlink terminal in your backpack to go to a protest. So satellite connectivity would be helpful, but it doesn’t solve the issues.”

Though the problem is nuanced, human rights advocates and Iranian activists emphasize that the global community can make a difference by raising awareness and continuing to work on creative solutions to the problem. With digital censorship and connectivity blackouts being used as levers for authoritarian control, developing circumvention tools is increasingly vital. As United for Iran’s Mahmoudi puts it, “We all need to keep the lights on.”

The Race to Find the Nord Stream Saboteurs

Investigators across Europe, including intelligence agencies, will now be trying to piece together exactly who and what caused the apparent explosions. This is likely to involve multiple steps, such as examining what data is held about the area, including seismic data and other sensors, checking whether any communications around the incident have been intercepted, and examining the pipelines to see if there are any signs of intentional destruction.

Neither of the pipes is operational—Nord Stream 1 was paused for repairs in August and Nord Stream 2 has not officially opened after Germany pulled support for it ahead of Russia’s full-scale invasion of Ukraine in late February—but both pipes are holding gas. All three leaks happened relatively close to each other, near the Danish island of Bornholm, in the Baltic Sea. The island is surrounded by Denmark to the west, Sweden to the north, and both Germany and Poland to the south. The leaks are in international waters, but also sit in both Denmark and Sweden’s exclusive economic zones. “It’s quite shallow, around 50 meters on average in this region,” says Julian Pawlak, a research associate at the Helmut Schmidt University and the German Institute for Defence and Strategic Studies.

Security sources have speculated that, if the attacks were deliberate, they could have been conducted by unmanned underwater drones, involved mines dropped or planted by boats, been carried out by divers, or even been launched from within the pipes themselves. “We still don’t know what the origin is of those explosions or where they came from—if they originated from the outside or if they originated from the inside of the pipelines,” Pawlak says. In a process called “pigging,” cleaning and inspection machines can be sent down the pipes from Russia in the direction of Germany. It’s possible pigging was repurposed to carry out an attack.

Back in 2007, before the first Nord Stream pipeline was constructed, a review of the project by the Swedish Defence Research Agency (FOI) warned about potential explosions around the pipe, in the context of terrorism. “Despite its concrete coating, a pipeline is rather vulnerable, and one diver would be enough to set an explosive device,” its report said. “However, the impact of such an assault would probably be rather modest and most likely a minor incident of this type would not result in a large explosion.”

“They [Russia] have the capability for subsea warfare, with the divers, but also with mini-submarines and drones,” Hansen says. However, confirming any responsibility isn’t necessarily straightforward. The relatively shallow depth of the area around the Nord Stream pipes means it is unlikely that any large submarines would have been operating nearby, as they would be easy to detect.

Pawlak says any vessels in the area could potentially detect others that may have caused the damage. Undersea sensors could equally spot something in the area moving, but it is unclear where any of these systems are. “It’s still not the case that all of the Baltic Sea is filled up with sensors and that NATO knows every movement,” Pawlak says. “On the surface, but especially on the seabed, it’s still not possible to know, at every time, at every place, what’s moving, what’s going on.”

The Uber Hack’s Devastation Is Just Starting to Reveal Itself

On Thursday evening, ride-share giant Uber confirmed that it was responding to “a cybersecurity incident” and was contacting law enforcement about the breach. An entity that claims to be an individual 18-year-old hacker took responsibility for the attack, bragging to multiple security researchers about the steps they took to breach the company. The attacker reportedly posted, “Hi @here I announce I am a hacker and Uber has suffered a data breach,” in a channel on Uber’s Slack on Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the sign-off, “uberunderpaisdrives.”

The company temporarily took down access on Thursday evening to Slack and some other internal services, according to The New York Times, which first reported the breach. In a midday update on Friday, the company said that “internal software tools that we took down as a precaution yesterday are coming back online.” Invoking time-honored breach notification language, Uber also said on Friday that it has “no evidence that the incident involved access to sensitive user data (like trip history).” Screenshots leaked by the attacker, though, indicate that Uber’s systems may have been deeply and thoroughly compromised and that anything the attacker didn’t access may have been the result of limited time rather than limited opportunity.

“It’s disheartening and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.”

The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multi-factor authentication login notifications. After more than an hour, the attacker claims to have also contacted the target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login. 

Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code. MFA prompt phishes have become more and more popular with attackers. And in general, hackers have increasingly developed phishing attacks to work around two-factor authentication as more companies deploy it. The recent Twilio breach, for example, illustrated how dire the consequences can be when a company that provides multi-factor authentication services is itself compromised. Organizations that require physical authentication keys (FIDO2 security keys, for instance) for logins have had success defending themselves against such remote social engineering attacks; short of that, push prompts that require number matching, are rate-limited, and are alerted on when a user denies several in a row blunt the technique.
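The detection side of the pattern described above, as an added example (not Uber’s or any vendor’s code): a burst of denied or timed-out push prompts for one user inside a short window, followed by an approval, is the signature of a fatigue attack that succeeded. The log format, the field names and the thresholds below are constructed for illustration; map your own identity provider’s push-result events onto the parse step.

```python
"""Detect MFA push-fatigue ("prompt bombing") patterns in authentication logs.

Added example, not Uber's or Duo's code.  SAMPLE_LOG is constructed: one push
prompt per line as key=value fields.  Thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is bombed for six minutes and finally approves;
# bob denies one stray prompt and approves a later, unrelated login.
SAMPLE_LOG = """\
2022-09-15T22:03:10Z user=alice result=denied ip=203.0.113.7
2022-09-15T22:03:55Z user=alice result=timeout ip=203.0.113.7
2022-09-15T22:04:40Z user=alice result=denied ip=203.0.113.7
2022-09-15T22:05:20Z user=alice result=timeout ip=203.0.113.7
2022-09-15T22:06:05Z user=alice result=denied ip=203.0.113.7
2022-09-15T22:09:30Z user=alice result=approved ip=203.0.113.7
2022-09-15T22:10:00Z user=bob result=approved ip=198.51.100.4
2022-09-15T23:40:00Z user=bob result=denied ip=198.51.100.4
2022-09-15T23:41:00Z user=bob result=approved ip=198.51.100.4
"""

UNAPPROVED = ("denied", "timeout")


def parse_line(line):
    """Turn '2022-...Z user=x result=y ip=z' into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, window=timedelta(minutes=10), burst=3):
    """Return a list of findings.

    A user is flagged ('push_burst', medium) once `burst` or more unapproved
    prompts fall inside `window`; an approval arriving while that burst is still
    inside the window escalates to 'approved_after_burst' (high), the case where
    the target gave in."""
    recent = defaultdict(deque)        # user -> timestamps of unapproved prompts
    already_flagged = set()
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        user, ts, result = rec["user"], rec["ts"], rec["result"]
        q = recent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= burst and user not in already_flagged:
                already_flagged.add(user)
                findings.append({"user": user, "kind": "push_burst",
                                 "severity": "medium", "count": len(q), "at": ts})
        elif result == "approved" and len(q) >= burst:
            findings.append({"user": user, "kind": "approved_after_burst",
                             "severity": "high", "count": len(q), "at": ts})
            q.clear()
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['user']:8} {f['kind']} ({f['count']} prompts) at {f['at']:%H:%M:%S}")
```

The high-severity case is the one to page on: an approval that closes a burst means a session was issued under duress, so the response is to revoke that session and the device’s MFA enrollment, not merely to warn the user. Tune `window` and `burst` against your own prompt volume before deploying; a legitimately flaky network can produce a few timeouts in a row.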

The phrase “zero trust” has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to show an example of at least what zero trust is not. Once the attacker had initial access inside the company, they claim they were able to access resources shared on the network that included scripts for Microsoft’s PowerShell automation and management framework. The attackers said that one of the scripts contained hard-coded credentials for an administrator account of the privileged access management system Thycotic. With control of this account, the attacker claimed, they were able to gain access tokens for Uber’s cloud infrastructure, including Amazon Web Services, Google’s GSuite, VMware’s vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.
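The check a practitioner would want after reading the paragraph above, as an added example (not Uber’s or Thycotic’s tooling): a scanner that walks scripts on a file share and flags the credential patterns that a hard-coded PAM password would take in PowerShell, while leaving the run-time patterns (prompting for a secret, fetching it from a vault) alone. The sample script, its variable names and the hypothetical vault hostname are constructed for illustration; the rules are a starting point, not a complete secret-detection ruleset.

```python
"""Flag hard-coded credentials in PowerShell scripts found on shared drives.

Added example, not Uber's or Thycotic's code.  SAMPLE_PS1 is a constructed
script; "secrets.example.internal" is a hypothetical hostname.
"""
import pathlib
import re

# Constructed sample: the kind of automation script the breach account describes.
SAMPLE_PS1 = r'''# nightly-sync.ps1 (constructed sample)
$ThycoticUser = "svc-thycotic-admin"
$ThycoticPassword = "Sup3rS3cret!2022"
$sec = ConvertTo-SecureString "AnotherPlainPass" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($ThycoticUser, $sec)
$resp = Invoke-RestMethod -Uri "https://secrets.example.internal/api/v1/token" -Headers @{ Authorization = "Basic c3ZjLXRoeWNvdGljLWFkbWluOlN1cDNyUzNjcmV0ITIwMjI=" }
# Hardened pattern: obtain the secret at run time instead of storing it in the file.
$pw2 = Read-Host -AsSecureString "Password"
$token = Get-Secret -Name "thycotic-api" -AsPlainText
'''

# Each rule: (name, compiled regex with a 'value' group holding the secret material).
RULES = [
    ("plaintext_password_var",
     re.compile(r'\$\w*(?:pass(?:word)?|pwd|secret|token|apikey)\w*\s*=\s*["\'](?P<value>[^"\']+)["\']', re.I)),
    ("securestring_from_literal",
     re.compile(r'ConvertTo-SecureString\s+["\'](?P<value>[^"\']+)["\']\s+-AsPlainText', re.I)),
    ("basic_auth_header",
     re.compile(r'Basic\s+(?P<value>[A-Za-z0-9+/]{16,}={0,2})')),
]


def redact(value):
    """Keep enough to recognise the hit without copying the secret into a report."""
    return value[:2] + "..." + ("*" * max(len(value) - 2, 0))


def scan_script(text, path="<inline>"):
    """Return one finding per matching line: file, line number, rule, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):            # comments are not executable credentials
            continue
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "rule": name,
                                 "value": redact(m.group("value"))})
                break                                 # one finding per line is enough
    return findings


def scan_share(root):
    """Walk a mounted share and scan every PowerShell script under it."""
    findings = []
    for p in pathlib.Path(root).rglob("*.ps1"):
        try:
            findings.extend(scan_script(p.read_text(errors="replace"), str(p)))
        except OSError:
            continue                                  # unreadable file: skip, do not crash the sweep
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_PS1, "nightly-sync.ps1"):
        print(f"{f['file']}:{f['line']}  {f['rule']}  {f['value']}")
```

Run `scan_share(r"\\fileserver\scripts")` (or a mount point) from a host that already has read access to the share; the report never contains the secret itself, so it can go into a ticket. Every hit is a credential that must be rotated as well as removed, since the script may already have been copied.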