A Teen Took Control of Teslas by Hacking a Third-Party App

On Friday, Russia did the previously unimaginable: It actually arrested a bunch of ransomware operators. Not only that, but members of the notorious group REvil, which has been behind some of the biggest attacks of the past several years, including the ones on IT management firm Kaseya and meat giant JBS. Russian president Vladimir Putin had previously given ransomware hackers a free pass. It’s not clear yet whether this was a calculated political move, a sign of a broader crackdown, or both, but it’s certainly a watershed moment.

As everyone scrambles to find Log4j in their systems—no easy task for even well-resourced companies—the FTC has set strict deadlines for patching the very bad, no good vulnerability in the ubiquitous logging library. It’ll be unlikely if not impossible for everyone to find it in time, which speaks more to the fragile and opaque nature of the open source software world than the FTC’s aggressive timeline.

Telecoms around the world have pushed back against Apple’s Private Relay, a not-quite-VPN that bounces your traffic through a couple of servers to give you extra anonymity. T-Mobile in the US recently blocked it for customers who had parental control filters. It’s unclear why they’ve taken those measures against Apple and not the many, many VPNs that work unfettered, but it may have to do with the potential scale of Apple customers who could sign up for the service.

In other Apple privacy news, iOS 15 brought with it a new report that shows you what sensors your apps are accessing and what domains they’re contacting. It’s a lot of information all at once; we helped break down how to read it. 

North Korean hackers had a “banner year” in 2021, stealing nearly $400 million of cryptocurrency. And while Israeli spyware vendor NSO Group insists that it has controls in place to prevent abuses of its product, dozens of journalists and activists in El Salvador had their devices infected with Pegasus, NSO’s signature product, as recently as November.  

And that’s not all! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

A 19-year-old security researcher named David Colombo detailed this week how he was able to remotely unlock the doors, open the windows, blast music, and start keyless driving for dozens of Teslas. The vulnerabilities he exploited to do so aren’t in Tesla software itself, but in a third-party app. There are some limits to what Colombo could accomplish; he couldn’t do anything in the way of steering or speeding up or slowing down. But he was able to garner lots of sensitive data about the affected vehicles. Cars are computers now, perhaps none more so than Teslas, which means they come with computer problems like third-party software causing major problems.

As tensions mount along the border between Russia and Ukraine, someone defaced over 70 official Ukrainian government websites this week, placing a notice that people should “prepare for the worst.” While it’s tempting to assume that it was the work of the Russian government, this isn’t a particularly sophisticated hack, despite the widespread impact and visibility. (That’s also not to say it wasn’t Russia; it’s just impossible to know right now.) The White House also warned this week that Russia was planning a “false flag” to justify an invasion, so presumably more to come on this.

The US hasn’t embraced Covid-19 contact-tracing apps, despite the core functionality being built into every iOS and Android phone. Other countries, though, have seen much wider adoption. That includes Germany, where police recently used data from the Luca contact-tracing app to figure out who had been at a specific restaurant on a specific night in November, and used that information to identify 21 potential witnesses. Law enforcement has said they won’t use that data any further after a public outcry. But the incident represents exactly the kind of worst-case scenario privacy advocates had warned about, at a time when public confidence in contact tracing is more important than ever.

The developer behind two widely used open source libraries effectively broke his own code this week, disrupting thousands of projects in the process. The changes caused applications to print nonsense messages in an infinite loop. The developer appeared motivated to make a statement about large companies profiting off of his work for free, but in the process made life pretty miserable for users of all stripes. 

More Great WIRED Stories