Security News This Week: This $350 ‘Anti-5G’ Device Is Apparently Just a USB Stick

Plus: A LiveJournal hack, Qatar's contact-tracing privacy failure, and more of the week's top security news. 

As the Covid-19 pandemic rages on, states around the US are starting to debut contact-tracing apps built on a Bluetooth-based system engineered by Apple and Google. But a coordinated national effort is noticeably missing, creating the potential for an opaque patchwork of state-specific apps that don't work well together.

At the same time, states are also rolling out manual contact-tracing programs using trained volunteers, but scammers are piggybacking on these urgent public health efforts to send bogus SMS text messages that claim to be related to contact tracing and lure victims to click malicious links. If you don't already use a password manager, now is an excellent time to start in many ways.

On Thursday, the National Security Agency put out a warning that the notorious Russian hacking group Sandworm has been exploiting a known vulnerability in certain popular mail servers. Meanwhile, the confirmation of John Ratcliffe as director of national intelligence is problematic, given his lack of relevant experience and Trump sycophancy. And a jailbreak for the current version of iOS came out this week, delighting security researchers and hobbyists. It's one of the first of its kind in years, raising questions about whether iOS is entering a new era of jailbreaking thanks to more plentiful vulnerabilities.

In good news, the beleaguered internet security guardian Shadowserver is no longer on the brink of collapse after raising enough money to establish a new data center and sustain itself in the near term.

But wait, there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

As 5G wireless data networks roll out around the world, conspiracy theories have exploded about their alleged deleterious health effects. One product that has emerged from the paranoia is the "5GBioShield USB Key," which claims to be a "quantum holographic catalyzer technology for the balance and harmonisation of the harmful effects of imbalanced electric radiation." The pitch is that the device creates a protective bubble around its owners at all times; you can purportedly boost the range by plugging it into a laptop or other device. The 5GBioShield claims to block only 5G, not Wi-Fi. One shield sells for about $350. Researchers who analyzed the device, though, say that it appears to be a simple flash drive, with no extra components and only 128MB of storage. UK Trading Standards officers are investigating the product after the Glastonbury town council's 5G advisory committee recommended it.

Years-old rumors that the social blogging platform LiveJournal had at some point suffered a breach seemed to be confirmed this week. A trove of 26 million usernames, email addresses, and plaintext passwords for the site leaked on the dark web after apparently being traded privately among hackers for years. A ZDNet analysis of the data seems to indicate that it was stolen from LiveJournal in 2014.

Amidst the Covid-19 pandemic, the Qatari government has mandated that all residents download its EHTERAZ contact-tracing app or face extremely steep fines. But researchers from Amnesty International found that the app had a major configuration flaw that exposed data of more than a million users who have downloaded the app. Amnesty reported the vulnerability and Qatari officials quickly patched it, but the bug exposed sensitive details like names, national ID numbers, location data, and information about users' health. Amnesty researchers also point out that while it's positive that the issue was fixed quickly, the app still has problematic, privacy-infringing features like GPS and Bluetooth location trackers. It is also set up to store all user data in a central repository.

A botnet for distributing malware has become so large within China that the antivirus firm Qihoo 360 and search giant Baidu have banded together to attempt to take it down. Known as DoubleGuns, the botnet has been around for more than three years and is thought to currently be infecting hundreds of thousands of victim devices. The botnet targets victims with a Windows trojan and is used for spam campaigns and to distribute malicious apps and adware. Qihoo 360 and Baidu have succeeded at temporarily disrupting the botnet, an important step in itself, but are still working to more permanently dismantle its infrastructure.

