Plus: App Store scams, an anti-surveillance bill, and more of the week’s top security news.

This week, Apple’s spring product launch event was marred by a ransomware attack against one of its suppliers, Quanta Computer. The incident is notable because it involves Apple—and the release of confidential schematics—but also because it represents an intersection of multiple disturbing trends in digital extortion.

In other Apple-adjacent hacking news, Facebook researchers found that a Palestine-linked group had built custom malware to attack iOS, hidden inside a functional messaging app. Victims had to visit a third-party app store to install the malicious software, but the hackers used social engineering techniques to trick them into doing so. And speaking of Facebook, the social media giant has been implicated in yet another data exposure, this time the email addresses of millions of users who had set that information as “private” in their settings. This comes on the heels of a flaw that allowed the scraping of 500 million Facebook user phone numbers that came to light earlier this month.

We also took a look at a since-fixed bug in Clubhouse that would have allowed people to linger invisibly in rooms like ghosts and even to cause a racket, with the moderator unable to mute them or kick them out. 

And there’s more! Each week we round up all the news WIRED didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

In December, forensics company Cellebrite—which helps authorities break into and extract data from iPhones and Android devices—claimed it could access Signal app data. This was a little bit of misdirection; it hadn’t undermined Signal’s famously sturdy encryption but rather added support for file types Signal uses to its Physical Analyzer tool. The distinction matters quite a bit. Cellebrite could basically access Signal messages once it already had your phone in hand and unlocked it, which is going to be a risk with any encrypted messaging app.

Fast forward to this week, when Signal founder Moxie Marlinspike published a blog post that details his apparently successful efforts to hack a Cellebrite’s phone-cracking device. What he found: lots of vulnerabilities, to the extent that an app could compromise a Cellebrite machine simply by including a specially formatted file on a scanned phone. Marlinspike suggests that by corrupting Cellebrite hardware, one could meddle with the data untraceably, casting a shadow on the company’s forensic reports going forward.

That was already the short version, but the even shorter version is that Signal figured out how to mess with one of the most widely used phone-cracking companies—and not so subtly suggested it might actually do so. Fun times!

The security of Apple’s iOS App Store has taken center stage in recent months, as video game developer Epic challenges the company’s business model and Congress continues to probe any antitrust implications. One thing it’s demonstrably not so good at? Identifying and stopping obvious scams. A developer named Kosta Eleftheriou has taken it upon himself to do that work, flagging multiple million-dollar schemes over the past few months. The Verge did some snooping on its own and found that unraveling scams was as simple as taking a scrolls through the App Store’s top-grossing apps. The rip-offs are hiding in plain sight.

It’s healthy to treat LinkedIn requests with suspicion in general, just on a personal level. But MI5 warned this week that UK nationals should also be on guard against foreign spies posing as friendly connections. They suggest 10,000 instances over the past several years in which fake profiles have targeted people across government and sensitive industries, using social engineering techniques to pump them for privileged information. The activity isn’t limited to the UK, either; the US, Canada, Australia, and New Zealand have all experienced some version of this surge. Expand your network, sure, but with all due caution.

The extent to which facial recognition technology like Clearview AI’s and location data churned out by apps on your smartphone have fueled law enforcement efforts in recent years has spiraled out of control. A new bill with broad bipartisan support introduced this week wants to fix that. The Fourth Amendment Is Not For Sale Act would address both, requiring a court order to obtain location data from brokers and banning agencies from contracting with companies that got their data illicitly. (Clearview AI, for instance, built its image database by scraping social media companies, a clear terms-of-service violation.) And yes, the most surprising part may be that these practices are not only currently legal but commonplace.


More Great WIRED Stories