
Latest news with #LilyHayNewman

Age Verification Laws Send VPN Use Soaring—and Threaten the Open Internet

WIRED

8 hours ago

  • Entertainment

Lily Hay Newman, Matt Burgess, Jul 29, 2025 6:30 AM

A law requiring UK internet users to verify their age to access adult content has led to a huge surge in VPN downloads—and has experts worried about the future of free expression online.

Illustration: Getty Images

After the United Kingdom's Online Safety Act went into effect on Friday, requiring porn platforms and other adult content sites to implement user age verification mechanisms, use of virtual private networks (VPNs) and other circumvention tools spiked in the UK over the weekend. Experts had expected the surge, given that similar trends have been visible in other countries that have implemented age check laws. But as a new wave of age check regulations debuts, open internet advocates warn that the uptick in use of circumvention tools in the UK is the latest example of how an escalating cat-and-mouse game can develop between people looking to anonymously access services online and governments seeking to enforce content restrictions.

The Online Safety Act requires that websites hosting porn, self-harm, suicide, and eating disorder content implement 'highly effective' age checks for visitors from the UK. These checks can include uploading an ID document and selfie for validation and analysis. And along with increased demand for services like VPNs—which allow users to mask basic indicators of their physical location online, because the site sees the VPN server's IP address rather than the user's own—people have also been playing around with other creative workarounds. In some cases, reportedly, you can even use the video game Death Stranding's photo mode to take a selfie of character Sam Porter Bridges and submit it to access age-gated forum content.

For proponents of the law, there is progress to point to as well. The UK's communications regulator Ofcom says that more than 6,600 porn websites have introduced age checks so far.
And major social platforms like Reddit, X, and Bluesky have also added age verification for content that is now restricted in the UK or are in the process of doing so. Microsoft has even started rolling out voluntary age checks for Xbox users in the UK. But even if this movement is satisfactory for now, digital rights advocates point out that normalizing such mechanisms creates the possibility that they will be enforced more aggressively in the future. 'I think people just want to show that we can make some progress on this without thinking about what the consequences of the progress will be,' says Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union. 'We do know that there are some things that you can do to help kids have a better relationship with digital tools. And that involves having an adequate social support network; it involves listening when kids run into problems and making sure that they have functioning emotional relationships with adults who can respond to them. But instead what we're looking for is a quick technological fix, and those technological fixes have consequences.' Seema Shah, VP of research and insights at the market intelligence firm Sensor Tower, says five VPN apps have experienced particularly 'explosive growth' and reached the top 10 free apps on Apple's UK App Store by Monday. 'According to Sensor Tower estimates, iOS devices have seen a greater spike in VPN downloads in the UK, as downloads across the selected VPN apps are up an average of 100 percent day-over-day over the past four days on iOS versus a 5 percent day-over-day increase for Android devices,' Shah says. Multiple VPN makers have also reported spikes in visitors and sign-ups in recent days. In a post on X on Friday, Proton VPN claimed that 'just a few minutes after the Online Safety Act went into effect last night, Proton VPN sign-ups originating in the UK surged by more than 1,400%.' 
David Peterson, general manager of Proton VPN, told WIRED that since then there has been a sustained 1,800 percent increase in daily sign-ups. Also on Friday, the Windscribe VPN service posted a screenshot on X claiming to show a spike in new subscribers. The makers of the AdGuard VPN claimed that they have seen a 2.5X increase in install rates from the UK since Friday. Nord Security, the company behind the NordVPN app, says it has seen a '1,000 percent increase in purchases' of subscriptions from the UK since the day before the new laws went into effect. 'Such spikes in demand for VPNs are not unusual,' Laura Tyrylyte, Nord Security's head of public relations, tells WIRED. She adds in a statement that 'whenever a government announces an increase in surveillance, internet restrictions, or other types of constraints, people turn to privacy tools.' People living under repressive governments that impose extensive internet censorship—like China, Russia, and Iran—have long relied on circumvention tools like VPNs and other technologies to maintain anonymity and access blocked content. But as countries that have long claimed to champion the open internet and access to information, like the United States, begin considering or adopting age verification laws meant to protect children, the boundaries for protecting digital rights online quickly become extremely murky. 'There will be a large number of people who are using circumvention tech for a range of reasons' to get around age verification laws, the ACLU's Kahn Gillmor says. 'So then as a government you're in a situation where either you're obliging the websites to do this on everyone globally, that way legal jurisdiction isn't what matters, or you're encouraging people to use workarounds—which then ultimately puts you in the position of being opposed to censorship-circumvention tools.'

The Age-Checked Internet Has Arrived

WIRED

5 days ago

  • Politics

Matt Burgess, Lily Hay Newman, Jul 25, 2025 2:00 AM

Starting today, UK adults will have to prove their age to access porn online. Experts warn that a global wave of age-check laws threatens to chill speech and ultimately harm children and adults alike.

Beginning today, millions of adults trying to access pornography in the United Kingdom will be required to prove that they are over the age of 18. Under sweeping new online child safety laws coming into force, self-reporting checkboxes that allow anyone to claim adulthood on porn websites will be replaced by age-estimating face scans, ID document uploads, credit card checks, and more. Some of the biggest porn websites—including Pornhub and YouPorn—have said that they will comply with the new rules. And social media sites like Bluesky, Reddit, Discord, Grindr, and X are introducing UK age checks to block children from seeing harmful content.

Ultimately, though, it's not just Brits who will see such changes. Around the world, a new wave of child protection laws is forcing a profound shift that could normalize rigorous age checks broadly across the web. Some of the measures are designed to specifically block minors from accessing adult material, while others are meant to stop children from using social media platforms or accessing harmful content. In the UK, age checks are now required by websites and apps that host porn, self-harm, suicide, and eating disorder content.

Protecting children online is a consequential and urgent issue, but privacy and human rights advocates have long warned that, while they may be well-intentioned, age checks introduce a range of speech and surveillance issues that could ultimately snowball online. 'Age verification impedes people's ability to anonymously access information online,' says Riana Pfefferkorn, a policy researcher at Stanford University. 'That includes information that adults have every right to access but might not want anyone else knowing they're consuming—such as pornography—as well as information that kids want to access but that for political reasons gets deemed inappropriate for them, such as accurate information about sex, reproductive health information, and LGBTQ content.'

Efforts that have been mounting over the past decade to introduce strong age checks online have recently gained traction. Last month, the United States Supreme Court paved the way for states to require porn websites to check that visitors are at least 18 using age-verification technologies. Pornhub, for example, has already blocked access to visitors in at least 20 states as laws have been passed. Meanwhile, courts in France ruled last week that porn sites can check users' ages. Ireland implemented age checking laws for video websites this week. The European Commission is testing an age-verification app. And in December, Australia's strict social media ban for children under 16 will take effect, introducing checks for social media and people logged in to search engines.

'If people choose not to log on [to search engines] to avoid age assurance checks, this could have a wide-reaching impact on the streamlined, integrated ways people search for online information,' says Lisa Given, a professor of information sciences at RMIT University in Australia who has been closely following the country's age-checking policies. 'It will also affect the level of privacy people have come to expect from being able to search freely online, which may change how and where they search for information.'

Coming of Age

Though the recent wave of court decisions and legislation around age verification is new, multiple online platforms and services have required some form of age checking for years.
The British age-verification company Yoti, which works on multiple digital identity technologies including face scanning to estimate ages, says it has done more than 850 million age checks and completes more than 1 million per day. 'Brands around the world in different sectors are using this technology, including social media, gaming, adult, dating, retail, and vaping,' a Yoti spokesperson told WIRED in an email. Age-verification mechanisms come in multiple forms. The UK's Online Safety Act, which is being overseen by communications regulator Ofcom, lists seven 'highly effective' approaches that websites can use. Typically websites will employ third-party companies from the growing age-assurance industry rather than checking ages directly themselves. Standard age verification is done by uploading a form of government identification and a selfie, using a digital identity service, or submitting credit records or other financial documentation. There are also age estimation services. For example, 'email-based' age estimation, according to the UK's Ofcom, will analyze data on where your email address has been used and for how long as part of a calculation of how old you are. Age estimation services that try to predict someone's age from a selfie or a video are also increasingly common. Their performance varies, though, depending on how accurate the underlying algorithms are. Many systems offer accuracy of 'plus or minus 18 months.' Some physical stores in France that sell tobacco already use facial estimation systems as well. There are potential privacy and security risks that come with all the approaches, though, such as excessive data gathering, government surveillance, and the threat of data breaches. And opponents of age verification argue that the technologies are not reliable and can be circumvented. Last year, for example, an Israeli ID-verification company exposed driver's licenses and other sensitive data because of a technical oversight. 
A study commissioned by Green politicians in Europe last year concluded that, while there were some 'promising' privacy-preserving methods for age checks, there is ultimately 'misalignment between the urgency with which governments are pushing for age assurance and the time needed to develop robust, safe, and trustworthy age assurance technology.' Preliminary results released in June from a study in Australia found multiple problems with age-checking systems. 'The question isn't whether there will be a data breach connected to age verification, it's when,' says Alison Boden, executive director of Free Speech Coalition, a US-based adult entertainment industry trade association. 'So, people circumvent the laws. In the best case, they use VPNs to protect their identities. And in the worst case, they turn to websites that flout the law, and then risk being exposed to illegal content like child sexual abuse material and nonconsensual intimate imagery. And this is all in service of policies that have clearly been shown to be ineffective.' In general, many porn sites and other adult content platforms say that they are in favor of age checks but don't agree with current approaches. Proponents of age verification say that it is possible to minimize data collection. Third-party providers can limit the personal information that is shared with individual sites conducting age verification. And, particularly, these third parties can use what are known as authentication tokens, so people can confirm their age once and then produce this credential across multiple sites and providers as verification. 'Our members do over a billion anonymized age checks a year, so our best argument is our track record—and we know that will just continue to improve because of the strict application of data minimization principles,' says Iain Corby, the executive director of the industry group Age Verification Providers Association. 
'There is no need to retain any personal data after an age check is completed, and if you don't keep data, it can't be lost or stolen.'

Aging Out

The practical realities of widespread age verification are messy, though. For one thing, sites and services may not comply with regulations. Ofcom, the UK regulator, says that it may issue fines to websites that do not put age checks in place. It already has 11 investigations open. Additionally, not all people have the proper ID or other documents to prove their age when signing up for sites.

'No solution to this is perfect,' says Rachel Coldicutt, the executive director of Careful Industries and a former Ofcom nonexecutive director. 'Age verification assumes that all services and platforms that host harmful content are good and lawful actors and that devices don't get shared. In lots of families, someone aged under 16 or 18 would easily be able to log in to a device that belongs to one of their parents, so unless age verification is required on every login to a site or app it would be quite easy to get access to age-restricted content by using an adult's device.'

In general, too, many experts note that age verification is broadly unpopular. People feel uncomfortable scanning their face or handing over personal details to view content or participate in online discourse, especially when they are trying to use a service or view content that is intimate or otherwise personal in nature. As a result, age verification can have a chilling effect on speech and the free flow of information online. And since people can use circumvention tools like VPNs to skirt national laws, there are limits to how effective these policies can be in isolation, which has the potential to tip off a sort of validation and surveillance arms race. There is often a spike in VPN interest when a country introduces new age-check laws.
'A critical point is that while these measures are intended to keep children safe from harmful content, my concern is that these measures will give parents and other members of the public a false sense of security,' says Given, the Australian academic. She adds that there should be greater government investment in education for young people, parents, and teachers about potential online harms, plus more support for people who use social media to access critical information. As Stanford's Pfefferkorn puts it, 'Ultimately, age verification tech actually poses a risk to the kids it is supposed to protect. It chills their ability to access information, and it can put them at risk of privacy violations, identity theft, and other security issues.'
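The "confirm once, present everywhere" token design that the Age Verification Providers Association describes in the article above, worked through as an added example. This is illustrative code written for this page, not any provider's implementation: the claim names, the base64url payload.signature encoding and the hypothetical site names are choices made here. The provider signs a claim that carries only an age assertion, a validity window and a random token ID, and any site that holds the provider's public key can accept it without learning who the user is and without calling the provider. It also shows the three checks a relying site has to perform before trusting the credential: signature, expiry and the assertion itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is everything a relying site learns: an age assertion, a validity
// window and a random token ID. Deliberately no name, date of birth, ID
// number or image. (Illustrative format chosen for this example, not any
// provider's.)
type Claims struct {
	Over18    bool   `json:"over18"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
	TokenID   string `json:"jti"` // random, so the token itself is not a person identifier
}

// NewProviderKey creates the provider's signing key pair. Only the public
// half is distributed to relying sites.
func NewProviderKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue runs at the age-assurance provider once its own check (ID upload,
// face estimate, etc.) has passed. Nothing from that check is carried into
// the token, so nothing from it needs to be retained afterwards.
func Issue(priv ed25519.PrivateKey, over18 bool, now time.Time, ttl time.Duration) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	c := Claims{Over18: over18, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(), TokenID: hex.EncodeToString(id)}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify runs at each relying site. It needs only the provider's public key
// and never contacts the provider, so the provider does not learn which
// sites a user visits.
func Verify(token string, pub ed25519.PublicKey, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	// Check the signature before parsing, so unsigned input never reaches the JSON decoder.
	if !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if now.Unix() >= c.ExpiresAt {
		return c, errors.New("token expired")
	}
	if !c.Over18 {
		return c, errors.New("age assertion not satisfied")
	}
	return c, nil
}

func main() {
	pub, priv, _ := NewProviderKey()
	now := time.Now()
	tok, _ := Issue(priv, true, now, 24*time.Hour)
	// Two unrelated (hypothetical) sites accept the same credential using only the public key.
	for _, site := range []string{"site-a.example", "site-b.example"} {
		_, err := Verify(tok, pub, now)
		fmt.Println(site, "accepts:", err == nil)
	}
	_, err := Verify(tok, pub, now.Add(25*time.Hour))
	fmt.Println("after expiry:", err)
}
```

Two caveats the design does not solve. The token is a bearer credential, so the shared-device problem Coldicutt raises is untouched: whoever holds the device holds the token, unless a deployment binds it to a device key or a login session. And the provider still sees the ID document or selfie at check time; the scheme limits what sites see, and only the provider's own retention policy limits what the provider keeps. The random jti stops separate sites from correlating a user only if the provider does not log which jti it handed to whom.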

A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now

WIRED

02-07-2025

  • Business

Matt Burgess, Lily Hay Newman, Jul 2, 2025 1:56 PM

The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.

Photo-Illustration: Wired Staff

Empty grocery store shelves and grounded planes tend to signal a crisis, whether it's an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.

A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.

Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group's escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again. 'There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they're successfully taking advantage of,' says John Hultquist, chief analyst in Google's threat intelligence group. 'This group is carrying out serious attacks on our critical infrastructure, and I hope that we're not missing the opportunity to address the most imminent threat.'

Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK's National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed 'the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.' The warning came as North American airlines WestJet and Hawaiian Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group's campaign.

'They slowed down, and we saw them dissipate for a while throughout 2024,' says Adam Meyers, a senior vice president for counter-adversary operations at the security company CrowdStrike. 'Then they've roared back in the last couple of months, first hitting retail and then hitting insurance companies and most recently targeting airlines.'

Scattered Spider first emerged as a high-profile group toward the end of 2023 as its members moved from SIM swapping attacks to launching crippling ransomware attacks on Caesars Entertainment and MGM Resorts. The latter cost MGM around $100 million to recover from. Researchers emphasize that the collective is financially motivated, made up of mostly English-speaking teenagers and young men who are often based in the US or UK. The Scattered Spider hackers are considered an offshoot of the Com, an amorphous network of potentially thousands of trolls and criminals, many of whom engage in harassment, extortion, and child exploitation.

Scattered Spider members have increasingly coalesced around a tactic of using targeted social engineering to get a foothold inside company networks. Attackers may impersonate a staff member who is locked out of their company email account and contact the firm's IT help desk to get access, before resetting multifactor authentication credentials. Researchers say that the group has also used a tactic of creating convincing phishing websites where the URLs often include the name of the target organization along with words like 'okta,' 'vpn' or 'helpdesk.' Once inside networks, the hackers deploy various types of ransomware or steal data that is used to extort companies. The help desk gap is procedural rather than technical: a help desk should not reset a password or re-enroll MFA on the strength of a phone call alone, but only after out-of-band verification, such as a callback to a number already on file or a manager's confirmation.

Meyers says CrowdStrike believes that Scattered Spider has roughly four core members, which drive the targeting of potential victims and 'leverage' resources from the wider Com ecosystem as needed. The exact structure and size of Scattered Spider is unclear, but researchers agree that the group relies on an array of third-party services to carry out its attacks. 'Deterrence is extremely difficult because we're essentially fighting a marketplace where a lot of the actors are replaceable,' Google's Hultquist says. 'For instance, Scattered Spider has worked with multiple ransomware services, so if one goes down there's always someone to replace them.'

Aiden Sinnott, a senior threat researcher at cybersecurity company Sophos' Counter Threat Unit, says that Scattered Spider and the Com more broadly are connected through relationships and communities on Discord servers or Telegram groups. 'It's this kind of evolving group where maybe new younger threat actors are coming in,' Sinnott says. 'You can see this natural escalation progression as they learn skills of each other, and they're very big on sharing their wins as well.' Some Scattered Spider members may target big-name companies, while others are involved in less high-profile activity. 'There are groups, or individuals, who are really focused on hacking Coinbase accounts and stealing crypto and things like that,' Sinnott says. 'So they're not even focused on these big corporate organizations.'

As Hultquist puts it, 'the activity is extremely resilient, because instead of fighting a single actor, we're really fighting a marketplace.'
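The lookalike-domain pattern the researchers describe above (the target's name combined with 'okta', 'vpn' or 'helpdesk') is simple enough to hunt for in a newly-registered-domain or certificate-transparency feed. The following is an added example written for this page, not code from any of the researchers or companies quoted; the feed lines are constructed, the organisation name 'example' and its owned domains are hypothetical, and the lure-word list is exactly the three words the reporting names. It normalises each hostname, exempts the organisation's own domains so that a legitimate vpn.example.com is not flagged, and matches with separators stripped so that 'example-okta.com' and 'exampleokta.com' are treated alike.

```go
package main

import (
	"fmt"
	"strings"
)

// lureWords are the words the reporting says this group pairs with a
// target's name in phishing hostnames.
var lureWords = []string{"okta", "vpn", "helpdesk"}

// Finding is one flagged hostname with the reason it was flagged.
type Finding struct {
	Domain string
	Reason string
}

// normalize lower-cases a hostname and strips a trailing dot and any port.
func normalize(host string) string {
	h := strings.ToLower(strings.TrimSpace(host))
	h = strings.TrimSuffix(h, ".")
	if i := strings.IndexByte(h, ':'); i >= 0 {
		h = h[:i]
	}
	return h
}

// isOwned reports whether host is one of the organisation's own domains or a
// subdomain of one, so that the organisation's real vpn.example.com is skipped.
func isOwned(host string, owned []string) bool {
	for _, d := range owned {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// ClassifyDomain returns a reason and true when host looks like a lookalike
// built from the organisation's name plus a lure word.
func ClassifyDomain(host, orgName string, owned []string) (string, bool) {
	h := normalize(host)
	if isOwned(h, owned) {
		return "", false
	}
	org := strings.ToLower(orgName)
	// Compare with separators removed so "example-okta.com" and
	// "exampleokta.com" are treated alike.
	flat := strings.NewReplacer("-", "", "_", "", ".", "").Replace(h)
	if !strings.Contains(flat, org) {
		return "", false
	}
	for _, w := range lureWords {
		if strings.Contains(flat, w) {
			return fmt.Sprintf("contains org name %q and lure word %q", org, w), true
		}
	}
	return "", false
}

// ScanFeed runs ClassifyDomain over "timestamp hostname" lines, the shape of
// a newly-registered-domain or certificate-transparency export.
func ScanFeed(feed string, orgName string, owned []string) []Finding {
	var out []Finding
	for _, line := range strings.Split(feed, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		if reason, hit := ClassifyDomain(fields[1], orgName, owned); hit {
			out = append(out, Finding{Domain: normalize(fields[1]), Reason: reason})
		}
	}
	return out
}

// sampleFeed is constructed test data for this example, not a real feed.
const sampleFeed = `2025-06-26T09:14:02Z example-okta.com
2025-06-26T09:15:40Z vpn.example.com
2025-06-26T09:17:11Z okta-example-login.net
2025-06-26T09:20:33Z examplehelpdesk.co
2025-06-26T09:22:05Z weather-today.org
2025-06-26T09:25:48Z example.com`

func main() {
	owned := []string{"example.com", "example.net"} // hypothetical organisation
	for _, f := range ScanFeed(sampleFeed, "example", owned) {
		fmt.Printf("ALERT %s: %s\n", f.Domain, f.Reason)
	}
}
```

Substring matching is deliberately crude: for a short or common organisation name it will be noisy, and it will not catch homoglyphs or names broken up by digits. In practice the hits feed a takedown and blocklist workflow rather than an automatic block.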

Hacking Spree Hits UK Retail Giants

WIRED

03-05-2025

  • Business

Matt Burgess, Lily Hay Newman, Dhruv Mehrotra, May 3, 2025 6:30 AM

Plus: France blames Russia for a series of cyberattacks, the US is taking steps to crack down on a gray market allegedly used by scammers, and Microsoft pushes the password one step closer to death.

Researchers unveiled a cluster of vulnerabilities in Apple's wireless media streaming platform AirPlay this week that leave millions of third-party devices like speakers and TVs vulnerable to takeover if an attacker is on the same Wi-Fi network as the victim gadget. These 'AirBorne' vulnerabilities have all been patched—including some that potentially impacted Apple's Mac computers—but, in practice, third-party devices may not all get fixes, and even if they do, patch adoption could be low.

Records reviewed by WIRED show that utilizing car subscription features can substantially raise your risk of being subjected to government surveillance, because such services generate troves of data that are valuable to law enforcement. WIRED also did a deep dive on North Korea's yearslong campaign to place IT workers inside companies in North America, the United Kingdom, and Europe. The schemes are more effective than ever as scammers incorporate AI into their workflows.

WhatsApp designed a special cloud processing platform called Private Processing to allow new AI tools to work in the secure messenger without compromising its end-to-end encryption. Experts warn, though, that it could create enticing targets for hackers. And we have a guide for navigating the privacy risks of using ChatGPT's new image generator to do seemingly fun and innocuous projects like making an action figure version of yourself.

But wait, there's more! Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Three British Retailers Hacked in Spate of Cyberattacks

Three separate retailers in the UK—including the supermarket Co-op and the department stores Marks & Spencer and Harrods—have all revealed they have recently been subject to cyberattacks, with the intrusions and widespread impact seemingly ongoing. Toward the end of April, Marks & Spencer revealed it had been the victim of a 'cyber incident.' Over the following two weeks, it has been forced to pause online orders within its apps, some food has been missing from its shelves, and it has paused recruitment and other 'normal processes.' Staff at Co-op have been told to keep webcams turned on during remote meetings and check who is attending calls, after shutting down parts of its IT systems in response to its own hack. Harrods, meanwhile, told customers to 'not do anything differently at this point.'

At the time of writing, none of the retailers have detailed the specific nature of the cyberattacks or the full scale of the impacts. It is also unclear if the attacks are linked. Bloomberg has reported that a ransomware cartel dubbed DragonForce has claimed it and its partners were behind the attacks. The so-called cartel provides 'infrastructure and tools' to hackers but 'doesn't require affiliates to deploy its ransomware,' according to research from security firm Secureworks. The hacked companies did not respond to Bloomberg about the claims. BleepingComputer originally reported that the threat actors known as Scattered Spider were allegedly behind the attack on Marks & Spencer. The publication reported that the company's servers were encrypted by ransomware, with the intrusion beginning as early as February. The attribution to Scattered Spider has not been confirmed by Marks & Spencer.

Over the past two years, Scattered Spider has emerged as one of the most prolific and dangerous sets of hackers currently operating. The threat actors are not a well-defined group of hackers. Instead, they're more a loose collective that uses social engineering—such as phishing and voice calls—to gain initial access into company networks. Scattered Spider members are often English-speaking, teenaged, and can be members of the heinous criminal group the Com. The hackers have been active since June 2022 and have targeted more than 100 companies—including the high-profile hacks on Caesars Entertainment and MGM Resorts in 2023.

France (Finally) Names Russian Hackers for the First Time

French authorities have condemned Russia's military intelligence agency, accusing it of orchestrating a series of high-profile cyberattacks—including the hacking of Emmanuel Macron's 2017 presidential campaign, a brazen 2015 assault on the TV channel TV5 Monde, and recent intrusion attempts targeting organizations involved in preparing the 2024 Paris Olympic Games. French authorities have also disclosed the name and location of a GRU unit tied to the notorious hacking group APT28—information that had never before been officially released. Unit 20728 is based in the southern Russian city of Rostov-on-Don and operates out of the "166th Information Research Center." This marks the first time French officials have publicly assigned blame to a foreign intelligence service following an internal attribution process. The timing is significant, coming as Paris positions itself at the forefront of Europe's support for Ukraine.

US Moves to Crack Down on 'Largest Illicit Marketplace'

The Trump administration has taken the first step toward blacklisting a Cambodian financial conglomerate at the center of a global money laundering network. On Thursday, the Treasury Department designated Huione Group as a money-laundering operation, alleging that the company and its affiliates have laundered more than $4 billion for criminals, including North Korean hackers and online scammers. These scammers—who defraud victims through bogus investments and other schemes—rely on Huione and its affiliates to move funds abroad to evade both law enforcement and anti-money-laundering systems. The proposed action represents the most significant effort yet to crack down on Huione, which is tied to what experts believe to be the 'largest illicit marketplace': Huione Guarantee. According to WIRED's January report, the marketplace has likely facilitated over $24 billion in gray-market transactions. Experts believe the platform operates as a one-stop shop for scammers, offering everything from victim contact lists and deepfake tools to fake investment websites and other illicit services.

New Microsoft Accounts Won't Need Passwords Anymore

Slowly but surely, the password is dying. Over the past two years, passkeys—a stronger method of authentication that doesn't require you to remember or use a password—have become more common. A passkey is a public-key credential kept on the user's device: the site stores only the public key, so there is no shared secret to phish or to leak in a breach, and each login signature is bound to the site's origin. The rollout of the technology has been piecemeal, but big tech companies have worked for years to create the alternative, which is more secure than passwords. This week, Microsoft announced that people setting up new accounts with the company won't have to create passwords at all. 'New Microsoft accounts will now be "passwordless by default,"' the company wrote in a blog post. Microsoft is also pushing people further away from passwords and will 'detect' the best way for people to log in to their accounts if they have set up alternatives to passwords.
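What makes a passkey stronger than a password, in the Microsoft item above, is mechanical rather than a matter of policy, and the check that enforces it is short enough to show. The following is an added example written for this page, not Microsoft's code or any WebAuthn library's; the relying-party ID accounts.example, the lookalike accounts-example.com and the challenge bytes are hypothetical. It builds the authenticator data and client data the way a browser and authenticator would, signs the login assertion with a P-256 key, and then verifies it as a server does: origin, challenge, relying-party ID hash and user-presence flag are checked before the signature is. A response produced on a lookalike site fails the origin check even though its signature is genuine, which is the property a password can never have.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn's CollectedClientData the server checks.
// The browser fills it in; the user's key then signs a hash of it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's challenge
	Origin    string `json:"origin"`    // the page the browser was actually on
}

// GenerateUserKey is what the authenticator does at registration: it makes a
// fresh P-256 key pair and only ever releases the public half to the site.
func GenerateUserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// AuthenticatorData builds the fixed prefix of WebAuthn authenticator data:
// sha256(rpID) || flags || 4-byte signature counter.
func AuthenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append([]byte{}, h[:]...)
	out = append(out, 0x01) // flags: user present (UP)
	return append(out, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// ClientDataJSON builds what the browser would produce for a login ceremony.
func ClientDataJSON(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	return b
}

// signedMessage is what both sides hash: authData || sha256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return msg[:]
}

// SignAssertion plays the authenticator. In a real device the private key
// never leaves secure hardware; here it is just a local variable.
func SignAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
}

// VerifyAssertion is the relying party's check. A real browser would already
// refuse to use the credential on a lookalike origin; this server-side check
// is the independent backstop.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge, authData, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch (replayed response?)")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if authData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	priv, _ := GenerateUserKey()
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	const rpID, origin = "accounts.example", "https://accounts.example" // hypothetical site
	authData := AuthenticatorData(rpID, 1)

	good := ClientDataJSON(challenge, origin)
	sig, _ := SignAssertion(priv, authData, good)
	fmt.Println("real site:", VerifyAssertion(&priv.PublicKey, rpID, origin, challenge, authData, good, sig))

	// The same user tricked onto a lookalike domain: the browser records that origin.
	phish := ClientDataJSON(challenge, "https://accounts-example.com")
	sig2, _ := SignAssertion(priv, authData, phish)
	fmt.Println("phishing site:", VerifyAssertion(&priv.PublicKey, rpID, origin, challenge, authData, phish, sig2))
}
```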

Millions of Apple AirPlay-Enabled Devices Can Be Hacked via Wi-Fi

WIRED

29-04-2025

Lily Hay Newman, Andy Greenberg, Apr 29, 2025 8:30 AM

Researchers reveal a collection of bugs known as AirBorne that would allow any hacker on the same Wi-Fi network as a third-party AirPlay-enabled device to surreptitiously run their own code on it.

Apple's AirPlay feature enables iPhones and MacBooks to seamlessly play music or show photos and videos on other Apple devices or third-party speakers and TVs that integrate the protocol. Now newly uncovered security flaws in AirPlay mean that those same wireless connections could allow hackers to move within a network just as easily, spreading malicious code from one infected device to another. Apple products are known for regularly receiving fixes, but given how rarely some smart-home devices are patched, it's likely that these wirelessly enabled footholds for malware, across many of the hundreds of models of AirPlay-enabled devices, will persist for years to come. For devices that will never see a fix, the practical defense is the usual one for unpatchable IoT: keep AirPlay receivers on a separate network segment from laptops and servers, so that a compromised speaker cannot reach anything that matters.

On Tuesday, researchers from the cybersecurity firm Oligo revealed what they're calling AirBorne, a collection of vulnerabilities affecting AirPlay, Apple's proprietary radio-based protocol for local wireless communication. Bugs in Apple's AirPlay software development kit (SDK) for third-party devices would allow hackers to hijack gadgets like speakers, receivers, set-top boxes, or smart TVs if they're on the same Wi-Fi network as the hacker's machine. Another set of AirBorne vulnerabilities would have allowed hackers to exploit AirPlay-enabled Apple devices too, Apple told Oligo, though these bugs have been patched in updates over the last several months, and Apple tells WIRED that those bugs could have only been exploited when users changed default AirPlay settings. Those Apple devices aside, Oligo's chief technology officer and cofounder, Gal Elbaz, estimates that potentially vulnerable third-party AirPlay-enabled devices number in the tens of millions.
'Because AirPlay is supported in such a wide variety of devices, there are a lot that will take years to patch—or they will never be patched,' Elbaz says. 'And it's all because of vulnerabilities in one piece of software that affects everything.' Despite Oligo working with Apple for months to patch the AirBorne bugs in all affected devices, the Tel-Aviv-based security firm warns that the AirBorne vulnerabilities in many third-party gadgets are likely to remain hackable unless users act to update them. If a hacker can get onto the same Wi-Fi network as those vulnerable devices—whether by hacking into another computer on a home or corporate network or by simply connecting to the same coffeeshop or airport Wi-Fi—they can surreptitiously take over these gadgets. From there, they could use this control to maintain a stealthy point of access, hack other targets on the network, or add the machines to a botnet of infected, coordinated machines under the hacker's control. Oligo also notes that many of the vulnerable devices have microphones and could be turned into listening devices for espionage. The researchers did not go so far as to create proof-of-concept malware for any particular target that would demonstrate that trick. Oligo says it warned Apple about its AirBorne findings in the late fall and winter of last year, and Apple responded in the months since then by pushing out security updates. The researchers collaborated with Apple to test and validate the fixes for Macs and other Apple products. Apple tells WIRED that it has also created patches that are available for impacted third-party devices. The company emphasizes, though, that there are limitations to the attacks that would be possible on AirPlay-enabled devices as a result of the bugs, because an attacker must be on the same Wi-Fi network as a target to exploit them. Apple adds that while there is potentially some user data on devices like TVs and speakers, it is typically very limited. 
Below is a video of the Oligo researchers demonstrating their AirBorne hacking technique to take over an AirPlay-enabled Bose speaker to show their company's logo. (The researchers say they didn't intend to single out Bose, but just happened to have one of the company's speakers on hand for testing.) Bose did not immediately respond to WIRED's request for comment. The AirBorne vulnerabilities Oligo found also affect CarPlay, the radio protocol used to connect to vehicles' dashboard interfaces. Oligo warns that this means hackers could hijack a car's automotive computer, known as its head unit, in any of more than 800 CarPlay-enabled car and truck models. In those car-specific cases, though, the AirBorne vulnerabilities could only be exploited if the hacker is able to pair their own device with the head unit via Bluetooth or a USB connection, which drastically restricts the threat of CarPlay-based vehicle hacking. The AirPlay SDK flaws in home media devices, by contrast, may present a more practical vulnerability for hackers seeking to hide on a network, whether to install ransomware or carry out stealthy espionage, all while hiding on devices that are often forgotten by both consumers and corporate or government network defenders. 'The amount of devices that were vulnerable to these issues, that's what alarms me,' says Oligo researcher Uri Katz. 'When was the last time you updated your speaker?' The researchers originally started thinking about this property of AirPlay, and ultimately discovered the AirBorne vulnerabilities, while working on a different project analyzing vulnerabilities that could allow an attacker to access internal services running on a target's local network from a malicious website. In that earlier research, Oligo's hackers found they could defeat the fundamental protections baked into every web browser that are meant to prevent websites from having this type of invasive access on other people's internal networks. 
While playing around with their discovery, the researchers realized that one of the services they could access by exploiting the bugs without authorization on a target's systems was AirPlay. The crop of AirBorne vulnerabilities revealed today is unconnected to the previous work, but was inspired by AirPlay's properties as a service built to sit open and at the ready for new connections. And the fact that the researchers found flaws in the AirPlay SDK means that vulnerabilities are lurking in hundreds of models of devices—and possibly more, given that some manufacturers incorporate the AirPlay SDK without notifying Apple and becoming 'certified' AirPlay devices. 'When third-party manufacturers integrate Apple technologies like AirPlay via an SDK, obviously Apple no longer has direct control over the hardware or the patching process,' says Patrick Wardle, CEO of the Apple device-focused security firm DoubleYou. 'As a result, when vulnerabilities arise and third-party vendors fail to update their products promptly—or at all—it not only puts users at risk but could also erode trust in the broader Apple ecosystem."
