Security News This Week: The NSA's Tips to Keep Your Phone From Tracking You

Plus: A Canon ransomware hack, a nasty Twitter bug, and more of the week's top security news.
Photograph: Gary Hershorn/Getty Images

This week marked the first-ever online-only Black Hat and Defcon security conferences, both of which still produced impactful work despite going remote. But before you dive into everything that's broken, start off with a tale of perseverance: the hunt for the private keys needed to recover $300,000 of bitcoin trapped in an old zip file.

Dutch researchers figured out how to mess with traffic lights across at least 10 cities in the Netherlands. At most they could have caused a few traffic jams—not multicar pileups—but it's an important reminder about the potential fragility of connected city infrastructure. Also fragile: a file type known as Symbolic Link, which gave Apple hacker Patrick Wardle the foothold he needed to compromise macOS in a since-patched vulnerability chain. After months of qualifying rounds, the US Air Force's Hack-a-Sat finals arrived, albeit remotely thanks to the Covid-19 pandemic. And speaking of satellites, hackers have built cheap ground stations that allow anyone to intercept their transmissions. Neat!

We also took a look at how IoT botnets made from high-wattage machines like home appliances could potentially be used to game the energy markets. Decades-old flaws in email protocols make it possible for anyone to hide their true identity, a scary thought given the prevalence of high-stakes phishing attacks. And hackers took over dozens of subreddits Friday, plastering their pages with MAGA imagery and comments.

We talked to former national intelligence official Sue Gordon about how to prevent the next "Cyber 9/11." We explained why the Trump administration's TikTok obsession is just a distraction. And we looked at how Chinese hackers have run roughshod over Taiwan's semiconductor industry, hitting at least seven companies in what researchers are calling Operation Skeleton Key.

Incognito mode might not mean what you think it means. Online retailers are using dirty design tricks to get you to buy more. Voting equipment makers are finally coming around to the idea of making their tech more secure. And while still in beta, iOS 14 is catching data-hungry apps swiping more than they should.

And there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

This week, the National Security Agency shared a three-page primer on how to limit your location data exposure. They would know! As a baseline it's a healthy reminder that your smartphone feeds on your location and that a lot of unscrupulous, invisible parties try to sell and obtain it. But it also provides some actually useful advice, especially if this isn't a topic you've given much thought to already.

In addition to turning off location services on your device, the NSA says, you should turn off Bluetooth and Wi-Fi whenever you're not using them. For extra caution, turn on Airplane Mode whenever you're not actively using your phone. Turn off or decline location-sharing permissions for apps whenever possible—including your browser—or at the very least limit their ability to check your location to when you have the app open. Reset your phone's advertising ID at least weekly to confound the ad networks that track you—we have our own guide on how to do that here. Don't use iOS's Find My or Android's Find My Device features, and consider using a trusted VPN provider.

These steps all involve some degree of convenience trade-off, so consider your comfort level and risk profile and adjust accordingly. A lot of it, though, you can implement with minimal interruption to your regularly scheduled smartphone usage.

On the heels of the highly disruptive Garmin ransomware hack, photography giant Canon has fallen victim as well. Hackers from the Maze ransomware group claim to have stolen 10 TB of data from Canon and have threatened to dump it all if they don't get paid. Canon has said only that it's investigating the situation.

It's once again time to add to the pile of Twitter security woes, although this entry's far less severe than the unprecedented hack it suffered a few weeks ago. The company disclosed this week that an old vulnerability in its Android app—patched in 2018—may have allowed hackers to surreptitiously access the DMs of users running Android 8 or 9. About four percent of users hadn't updated their app since then, meaning some portion of the Twitter population remained exposed until very recently. Twitter does say, though, that it sees no indication anyone actually exploited the vulnerability.

In 2016, hackers stole 120,000 bitcoin from Bitfinex, one of the largest cryptocurrency exchanges. Today that haul is worth about $1.3 billion. In perhaps a last-ditch attempt to recover it, Bitfinex said this week that it would offer a bounty of 5 percent of the bitcoin recovered to anyone who connects them to the people responsible. The hackers themselves will get 25 percent of whatever they return if they come forward, meaning Bitfinex could pay out as much as $400 million if it's made whole. (Then again, that scenario requires the hackers to give back around $900 million, so maybe don't get your hopes up.)

Motherboard this week published a nice profile of GamerDoc, whose mission in life has lately been to find and help shut down the hackers and cheat developers who ruin videogames for everyone else. His vigilantism has perhaps unsurprisingly also made him a target among the people he reports.
