The US Director of National Intelligence is reporting that the UK government is
dropping its backdoor mandate against the Apple iPhone. For now, at least,
assuming that Tulsi Gabbard is reporting this accurately.
Tag - backdoors
I wrote about this in 2023. Here’s the story:
> Three Dutch security analysts discovered the vulnerabilities—five in
> total—in a European radio standard called TETRA (Terrestrial Trunked Radio),
> which is used in radios made by Motorola, Damm, Hytera, and others. The
> standard has been used in radios since the ’90s, but the flaws remained
> unknown because encryption algorithms used in TETRA were kept secret until
> now.
There’s new news:
> In 2023, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of security firm
> Midnight Blue, based in the Netherlands, discovered vulnerabilities in
> encryption algorithms that are part of a European radio standard created by
> ETSI called TETRA (Terrestrial Trunked Radio), which has been baked into radio
> systems made by Motorola, Damm, Sepura, and others since the ’90s. The flaws
> remained unknown publicly until their disclosure, because ETSI refused for
> decades to let anyone examine the proprietary algorithms...
This is a weird story:
> U.S. energy officials are reassessing the risk posed by Chinese-made devices
> that play a critical role in renewable energy infrastructure after unexplained
> communication equipment was found inside some of them, two people familiar
> with the matter said.
>
> […]
>
> Over the past nine months, undocumented communication devices, including
> cellular radios, have also been found in some batteries from multiple Chinese
> suppliers, one of them said.
>
> Reuters was unable to determine how many solar power inverters and batteries
> they have looked at...
A Florida bill requiring encryption backdoors failed to pass.
The malware includes four separate backdoors:
> Creating four backdoors facilitates the attackers having multiple points of
> re-entry should one be detected and removed. A unique case we haven’t seen
> before. Which introduces another type of attack made possible by abusing
> websites that don’t monitor 3rd party dependencies in the browser of their
> users.
The four backdoors:
> The functions of the four backdoors are explained below:
>
> * Backdoor 1, which uploads and installs a fake plugin named “Ultra SEO
> Processor,” which is then used to execute attacker-issued commands ...
Last month, the UK government demanded that Apple weaken the security of iCloud
for users worldwide. On Friday, Apple took steps to comply for users in the
United Kingdom. But the British law is written in a way that requires Apple to
give its government access to anyone, anywhere in the world. If the government
demands Apple weaken its security worldwide, it would increase everyone’s
cyber-risk in an already dangerous world.
If you’re an iCloud user, you have the option of turning on something called
“advanced data protection,” or ADP. In that mode, a majority of your data is
end-to-end encrypted. This means that no one, not even anyone at Apple, can read
that data. It’s a restriction enforced by mathematics—cryptography—and not
policy. Even if someone successfully hacks iCloud, they can’t read ADP-protected
data...
Scary research: “Last weekend I trained an open-source Large Language Model
(LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it
writes.”
A newly discovered VPN backdoor uses some interesting tactics to avoid
detection:
> When threat actors use backdoor malware to gain access to a network, they want
> to make sure all their hard work can’t be leveraged by competing groups or
> detected by defenders. One countermeasure is to equip the backdoor with a
> passive agent that remains dormant until it receives what’s known in the
> business as a “magic packet.” On Thursday, researchers revealed that a
> never-before-seen backdoor that quietly took hold of dozens of enterprise VPNs
> running Juniper Network’s Junos OS has been doing just that...
I’ve been writing about the problem with lawful-access backdoors in encryption
for decades now: that as soon as you create a mechanism for law enforcement to
bypass encryption, the bad guys will use it too.
Turns out the same thing is true for non-technical backdoors:
> The advisory said that the cybercriminals were successful in masquerading as
> law enforcement by using compromised police accounts to send emails to
> companies requesting user data. In some cases, the requests cited false
> threats, like claims of human trafficking and, in one case, that an individual
> would “suffer greatly or die” unless the company in question returns the
> requested information...
Really interesting research: “An LLM-Assisted Easy-to-Trigger Backdoor Attack on
Code Completion Models: Injecting Disguised Vulnerabilities against Strong
Detection”:
> Abstract: Large Language Models (LLMs) have transformed code completion
> tasks, providing context-based suggestions to boost developer
> productivity in software engineering. As users often fine-tune these models
> for specific applications, poisoning and backdoor attacks can covertly alter
> the model outputs. To address this critical security challenge, we introduce
> CODEBREAKER, a pioneering LLM-assisted backdoor attack framework on code
> completion models. Unlike recent attacks that embed malicious payloads in
> detectable or irrelevant sections of the code (e.g., comments), CODEBREAKER
> leverages LLMs (e.g., GPT-4) for sophisticated payload transformation (without
> affecting functionalities), ensuring that both the poisoned data for
> fine-tuning and generated code can evade strong vulnerability detection.
> CODEBREAKER stands out with its comprehensive coverage of vulnerabilities,
> making it the first to provide such an extensive set for evaluation. Our
> extensive experimental evaluations and user studies underline the strong
> attack performance of CODEBREAKER across various settings, validating its
> superiority over existing approaches. By integrating malicious payloads
> directly into the source code with minimal transformation, CODEBREAKER
> challenges current security measures, underscoring the critical need for more
> robust defenses for code completion...