NSO Group, creator of the infamous Pegasus spyware, is spending millions on lobbying in Washington while taking advantage of the crisis in Gaza to paint itself as essential for global security.

On New Year’s Eve, NSO Group—the Israel-based company behind the Pegasus spyware, one of the world’s most sophisticated cyberweapons—quietly released a new transparency report.

The 27-page document is carefully worded—even apologetic—and is intended to demonstrate resilience, progress, and responsibility to further strengthen the company’s human rights compliance program. It claims the company has “opened 19 investigations into allegations of potential product misuse,” which resulted in the “suspension or termination” of six customer accounts. The document even has a dedicated section on journalists, a significant group among as many as 50,000 people worldwide who’ve been targeted by Pegasus, a list that also includes activists, heads of state, and other public figures in more than 50 countries.

NSO Group’s new transparency report—its first in more than two years—arrives amid an apparent push by the spyware vendor to revamp its tarnished image and reverse US regulations that have damaged its business. To achieve its goal, the cyber-intelligence firm is conducting a multimillion-dollar lobbying campaign that attempts to position the company’s spyware as essential for global security.

While an NSO spokesperson tells WIRED that the report “underscores the company’s ongoing commitment to human rights and adherence to ethical standards, while enabling its clients to keep the public safe,” those who have investigated the company’s practices express skepticism about its claims.

“It’s not a transparency report in any meaningful way,” says David Kaye, a University of California, Irvine law professor who has scrutinized the company’s policies as the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression. “It mainly repackages preexisting defenses and statements that NSO Group has put forward to promote its work and brand itself within the commercial spyware sector.”

NSO Group has only published one other transparency report, in June 2021, which civil society largely regarded as a missed opportunity to provide meaningful information about the alarming human rights impacts of its products. The latest transparency report arrives after several bumpy years for the company. In the aftermath of the 2021 Pegasus revelations, the United States government placed the spyware vendor on an Entity List in November 2021, meaning it cannot receive American investment without specific government approval. Subsequently, the company reportedly went into financial freefall, narrowly avoiding defaulting on $500 million in debt. According to Bloomberg, NSO management considered selling the business.

In August 2022, then CEO Shalev Hulio stepped down, naming COO Yaron Shohat as a successor while laying off 100 employees. Following a forced restructuring by its lenders, cofounder Omri Lavie emerged—via the Luxembourg-based Dufresne Holdings—as NSO’s new owner in May 2023. Amid this upheaval, US president Joe Biden issued an executive order, in March 2023, that prohibits federal departments and agencies from using commercial spyware. In June 2023, the White House issued a warning to US firms interested in acquiring NSO assets on the grounds that doing so could pose a counterintelligence threat to the US government.

Then Hamas attacked Israel. Since then, NSO has been in a position to tangibly demonstrate the value of tools like Pegasus in conflict situations. According to press reports, the cyber-intelligence firm has volunteered—along with Candiru, an NSO competitor that’s also blacklisted by the US—to help Israel’s security services track people kidnapped by Hamas.

“People from the government—both in Israel and outside of Israel—now understand much better why they are needed,” an insider with direct overview of NSO’s operations reportedly told Axios in November.

By seizing that opportunity, NSO appears to be trying to rebrand itself as being on the side of the “good guys,” make inroads with the Biden administration, and ultimately reverse the ban on its products. To succeed in its image-rehabilitation efforts, the spyware vendor has enlisted multiple public affairs consultancies and law firms, including government relations firm Chartwell Strategy Group and law firms Paul Hastings LLP, Steptoe, and Pillsbury Winthrop Shaw Pittman, according to lobbying disclosure documents. In the past three years, NSO had also enlisted the services of Bluelight Strategies and Cherie Blair’s Omnia Strategy in the UK.

“NSO Group engaged multiple firms, which is not uncommon but can be a reflection of the complexity of its influence efforts,” says Anna Massoglia, a researcher at the nonprofit OpenSecrets, which tracks US political spending. According to an OpenSecrets analysis of Lobbying Disclosure Act and Foreign Agents Registration Act filings, NSO has spent a total of $3.1 million in lobbying Washington since 2020. Of that, at least $897,000 was spent in 2023 alone, with payments for the final months of the year still being reported.

The lobbying efforts have primarily focussed on pro-Israel Republicans—but not exclusively. “Foreign agents working for NSO Group have also recently reported contacting officials at the Executive Office of the President and Congress as part of these efforts,” says Massoglia.

On November 7, Paul Hastings LLP sent a letter on behalf of NSO to request an urgent meeting with US secretary of state Antony Blinken and other State Department officials, emphasizing that “the ongoing security situation in Israel and the Middle East—and worldwide—once again highlight the necessity and urgency of employing cyber intelligence technology.”

So far, NSO’s efforts to fall back into Washington’s good graces appear to have had little effect. “Despite their pressure, these campaigns have only had varying influence,” says Steven Feldstein, a senior fellow at the Carnegie Endowment for International Peace. “The harms from spyware are well known, and there are only so many ways companies can spin the benefits of software that is inherently intrusive and rights-violating.”

According to a senior Biden administration official who spoke to Politico in November, any changes to the US government’s sanction policy on NSO Group are unlikely. “Without a change to this rule, NSO’s future \[US\] market potential is very, very constrained,” says Feldstein. Still, NSO needs to invest in lobbying, public relations, and transparency exercises to carry on doing business globally.

“NSO’s business model depends on chasing new customers and proliferating spyware for profit. That’s the growth model, and it will inevitably put spyware in the hands of abusers. And they show no signs of abandoning it,” says John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has been instrumental in exposing NSO Group’s products. “By the way, the last time NSO published a transparency report, it was followed by years of abuse scandals.”

While in the US, the Entity List “has sent shivers to larger spyware companies regarding potential consequences for bad behavior,” Feldstein says that there are ways to get around it, such as by working exports through Europe and other countries with more lax export control rules. For example, Cyprus is the only member of the EU that does not participate in the Wassenaar Arrangement, a multilateral export control regime signed by 42 countries that aims to control the sale of arms and technologies including spyware.

Weak legislation at the EU level also allows spyware to spread. The European Media Freedom Act (EMFA), which passed a preliminary vote in December, clearly states that EU member states may deploy spyware under certain conditions. Digital rights defenders have stressed that the retention of the national security exemption in the provisional agreement text enables EU governments to potentially deploy spyware against journalists outside the protective framework of EU law.

“EMFA is not perfect, but it at least tries to limit the deployment of such tools,” EU lawmaker Hannah Neumann tells WIRED. She adds that many members of the European Parliament’s inquiry committee on spyware, of which she was also part, “were frustrated” that the European Commission has not put forward a legislative proposal on how to fix loopholes.

Worth an estimated $12 billion as of 2022, the global spyware industry is likely to continue to do everything it can to stay in business. “As pressure has grown to curtail spyware companies, this has caused them to push even harder to maintain their markets,” says Carnegie’s Feldstein.

Even if high-profile firms like NSO Group were put out of business—admittedly an unlikely outcome—this would still not shut down the spyware market. Feldstein believes that this would instead hasten decentralization and increase opportunities for boutique firms to fill in the gap. “As long as the demand and money are there,” he says, “firms will seek these contracts.”

Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback

The company says it wants to protect you from “viruses.” Experts are skeptical.

Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, \[the virus can\] go to the printer, \[and then\] from the printer, go to the network."

That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

To investigate, I turned to Ars Technica senior security editor Dan Goodin. He told me that he didn't know of any attacks actively used in the wild that are capable of using a cartridge to infect a printer.

Goodin also put the question to Mastodon, and cybersecurity professionals, many with expertise in embedded-device hacking, were decidedly skeptical.

HP’s Evidence

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks.

As detailed in a 2022 article from research firm Actionable Intelligence, a researcher in the program found a way to hack a printer via a third-party ink cartridge. The researcher was reportedly unable to perform the same hack with an HP cartridge.

Shivaun Albright, HP's chief technologist of print security, said at the time:

> A researcher found a vulnerability over the serial interface between the cartridge and the printer. Essentially, they found a buffer overflow. That’s where you have got an interface that you may not have tested or validated well enough, and the hacker was able to overflow into memory beyond the bounds of that particular buffer. And that gives them the ability to inject code into the device.

Albright added that the malware “remained on the printer in memory” after the cartridge was removed.

HP acknowledges that there's no evidence of such a hack occurring in the wild. Still, because chips used in third-party ink cartridges are reprogrammable (their “code can be modified via a resetting tool right in the field,” according to Actionable Intelligence), they’re less secure, the company says. The chips are said to be programmable so that they can still work in printers after firmware updates.

HP also questions the security of third-party ink companies' supply chains, especially compared to its own supply chain security, which is ISO/IEC-certified.

So HP did find a theoretical way for cartridges to be hacked, and it's reasonable for the company to issue a bug bounty to identify such a risk. But its solution for this threat was announced _before_ it showed there could be a threat. HP added ink cartridge security training to its bug bounty program in 2020, and the above research was released in 2022. HP started using Dynamic Security in 2016, ostensibly to solve the problem that it sought to prove exists years later.

Further, there's a sense from cybersecurity professionals that Ars spoke with that even if such a threat exists, it would take a high level of resources and skills, which are usually reserved for targeting high-profile victims. Realistically, the vast majority of individual consumers and businesses shouldn't have serious concerns about ink cartridges being used to hack their machines.

Whose Job Is It to Make HP Printers Secure?

With Dynamic Security, HP claims to be providing a response to cyberthreats against ink cartridges. But its response is to inconvenience customers rather than beef up HP printers to be invulnerable to remote code execution via ink cartridges.

In response to Bugcrowd's research, HP issued a security update in 2022. Despite this, Albright claimed at the time that it still wasn’t safe for customers to use third-party ink because HP could “never guarantee that every interface with a non-HP cartridge on our device will be free of bugs and security vulnerabilities.”

Even if it's theoretically possible for hackers to leverage ink cartridges, it's a minimal concern, and there are far more pressing security threats to printers than third-party ink. Many easier ways exist for a diligent hacker to get into a printer user's network, including by exploiting unfixed software vulnerabilities.

Further, with HP firmware updates becoming associated with printers suddenly not working, we've seen reports of users avoiding printer updates and encouraging others to do the same, which could result in users rejecting important security updates.

An HP spokesperson declined to comment on these matters.

The Real Focus: Protecting IP

Lores' initial response to CNBC Television's question about the lawsuit may be telling. The CEO responded to dictated consumer complaints by highlighting HP's own needs:

> It's important to protect our IP. There is a lot of IP that we build in the inks of the printers, in the printers themselves ... And what we’re doing is, when we identify cartridges that are violating our IP, we stop the printer from work\[ing\].

When HP first announced Dynamic Security in 2016, it claimed that the feature would deliver "the best consumer experience" and protect customers from cartridges "that infringe on our IP." Eight years and several abrupt firmware updates later, the former seems like it has taken a backseat to the latter.

Lores told CNBC Television that non-HP ink can create "all sort\[s\] of issues," saying that printers may stop working if a customer uses ink that is not "designed" to work with HP printers.

Of course, third-party ink manufacturers would have you believe that their ink is meant to work with the printer brands on its products' boxes. But depending on the quality of the product, you might find inconsistent results with third-party ink cartridges.

While brand recognition and reliability could be good reasons for someone to opt for an HP-brand cartridge over a third party's, such decisions are typically left to customers, not forced via firmware updates. Companies like HP can expect to be rewarded for superior products, support, and warranties, but customers who would rather risk quality to save money would prefer to have options.

HP Wants Printing to Be a Subscription

It's clear that HP's tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies.

But HP's ambitions don't end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

HP has been largely focused on pushing its monthly ink subscription program, Instant Ink, over the years. In December, HP CFO Marie Myers noted that subscription models like Instant Ink can bring "20 percent uplift on the value of that customer because you're locking that person" in. In its most recent financial report, HP named Instant Ink one of its "key growth areas."

When asked about concerns that HP is driving up the price of printer ink, Lores told CNBC Television, "This is part of the business model that has been developed over time," noting that HP printer boxes disclose which printers use Dynamic Security. HP's website also notes which printers use Dynamic Security.

But even if you have that information, it's unclear whether an HP printer will immediately work with third-party ink. HP sells printers that work with third-party ink now, but the company says it may update them in the future to "block cartridges using a non-HP chip or modified or non-HP circuitry from working in the printer, including cartridges that work today."

Who’s Investing in Whom?

HP has faced numerous lawsuits in relation to blocking device functionality due to third-party ink and has paid out millions as a result. So why is it still continuing down this road? That might be partially explained by the company's perspective on the vendor-customer relationship.

When people buy an HP printer, they consider it an investment. But HP thinks that when you buy a printer, the company is investing in you.

As Lores put it:

> This is something we announced a few years ago that our goal was to reduce the number of what we call unprofitable customers. Because every time a customer buys a printer, it's an investment for us. We're investing \[in\] that customer, and if this customer doesn’t print enough or doesn’t use our supplies, it’s a bad investment.

HP expects customers who already gave it money for a printer to continue paying the company for years. HP customers expect their purchase to pay off in the long term without stipulations on ink branding. If HP can't find a way to make printer customers feel like their purchase is a benefit rather than a commitment to giving HP money regularly, people may eventually stop thinking that HP printers are a worthy investment.

When reached for comment, an HP spokesperson told Ars, in part, that HP "offers a wide range of printing products and solutions for customers to choose from, including Instant Ink" and "regularly" expands its offerings "to create more value" for customers.

You can watch CNBC Television's interview below:

_This story originally appeared on_ _Ars Technica._

HP CEO Says They Brick Printers That Use Third-Party Ink Because of … Hackers

Apple’s iOS 17.3 introduces Stolen Device Protection to iPhones, which could stop phone thieves from taking over your accounts. Here’s how to enable it right now.

Apple today launched a new tool for iPhones to help reduce what a thief with your phone and passcode can access. The feature, called Stolen Device Protection, adds extra layers of protection to your iPhone when someone tries to access or change sensitive settings on your device. If someone tries to access passwords stored in Apple’s keychain, for instance, they won’t be able to unless they also use a fingerprint or the phone’s face recognition to prove they’re the legitimate owner.

You don't need to look far to find stories of stolen phones. In London, a phone is stolen every six minutes. Subreddits are littered with people having their phones snatched by thieves. In some of the most extreme cases, crooks can also take the passcodes—forcibly, or by peering over someone’s shoulder—and then steal a phone and unlock it. Social media accounts, passwords, and financial data can all be put at risk.

Stolen Device Protection is included with iOS 17.3, the latest iteration of Apple’s mobile operating system, which was released today. The feature should be high on your list to enable. It better protects your data—without you having to do anything—and has the potential to disrupt thieves. The move from Apple, according to cybersecurity experts, is a positive one and adds to the protections that already accompany passcodes.

The stolen iPhone protection is “likely to act as another barrier and put more pressure on thieves when targeting victims,” says Jake Moore, a global cybersecurity adviser at security firm Eset and a former police computer crime investigator. “Selling phones will always be big business among organized crime groups, but criminals will just need to work harder on their craft now.”

When you turn on Stolen Device Protection, Apple puts extra limits on some settings when your iPhone isn’t at a familiar location, such as your home or work. If someone unlocks your phone and tries to change these settings, they’ll have to use Face ID or Touch ID. So if a thief has your phone and passcode, they won’t be able to change the settings unless they have your biometric information too, which is not straightforward to clone and fool the systems that power them.

These extra checks will appear when someone tries to access passwords or passkeys you’ve saved in iCloud’s keychain, use payment methods saved in Safari, turn off Lost Mode, erase your phone, use your phone in the setup of a new Apple device, apply for a new Apple Card, view your Apple Card’s virtual number, or transfer money with Apple Cash.

There’s also a second layer of checks for even more sensitive information. If your phone is not at a familiar location, Apple will also put in place a one-hour “security delay” after using your biometrics. When this one-hour delay is up, your biometrics are needed again to change the settings. (Your iPhone will still be accessible during this hour.)

This hour delay applies to attempts to change your Apple ID password, sign out of Apple ID, or update Apple ID account security settings, such as removing a trusted device. The delay is also in place if someone tries to remove Face ID or Touch ID accounts, change your iPhone passcode, reset your settings, disable the Find My tool, and turn off Stolen Device Protection itself. If a thief has your phone, there’s a chance they’ll want to change these settings quickly to either take over your phone or online accounts, and the delay may reduce their ability to do so. Moore says the extra hour’s delay adds a “greatly appreciated layer of security.”

Turning on the iPhone’s Stolen Device Protection is simple—it’s just one small toggle in your phone’s settings. You need to make sure your iPhone is updated to iOS 17.3. Open the **Settings** app, scroll to **Face ID & Passcode**, then to **Stolen Device Protection**, and turn the switch on.

With the new feature, Apple is increasingly relying on biometrics, through Touch ID and Face ID, as a way of proving the person with your phone is actually you. “Apple now has a decade of experience with biometrics on hundreds of millions of devices, and its confidence in them seems to be growing,” says Mark Stockley, a cybersecurity expert at security firm Malwarebytes. Traditionally, he says, a password or passcode has been the option that’s turned to when biometrics fail to work. With this new feature, the roles are being reversed, indicating a greater trust in the technologies. “This could be a step towards a passcode-less future,” Stockley says.

While Stolen Device Protection is a step forward, it doesn’t protect everything on your phone if a thief gets hold of it and your passcode. It’s worth making sure your data is backed up, and some apps, such as WhatsApp, will allow you to add another (ideally different) passcode or PIN, on top of your phone’s passcode, before allowing someone into the apps.

Broadly speaking, if your iPhone is stolen—beyond contacting the cops—you’ll also want to visit Apple’s iCloud to take back control of your device. “Start by changing your Apple ID password and ticking the option to sign you out of devices and websites you’re currently logged in to,” Stockley says. Then, within iCloud’s Find Devices settings, you can mark your phone as lost and remotely wipe it. Hopefully, Stolen Device Protection’s features will never need to come to your rescue, but for every person who turns it on, it makes thieves’ lives just that little bit harder.

Apple iOS 17.3: How to Turn on iPhone's New Stolen Device Protection

Police around the US say they're justified to run DNA-generated 3D models of faces through facial recognition tools to help crack cold cases. Everyone but the cops thinks that’s a bad idea.

In 2017, detectives working a cold case at the East Bay Regional Park District Police Department got an idea, one that might help them finally get a lead on the murder of Maria Jane Weidhofer. Officers had found Weidhofer, dead and sexually assaulted, at Berkeley, California’s Tilden Regional Park in 1990. Nearly 30 years later, the department sent genetic information collected at the crime scene to Parabon NanoLabs—a company that says it can turn DNA into a face.

Parabon NanoLabs ran the suspect’s DNA through its proprietary machine learning model. Soon, it provided the police department with something the detectives had never seen before: the face of a potential suspect, generated using only crime scene evidence.

The image Parabon NanoLabs produced, called a Snapshot Phenotype Report, wasn’t a photograph. It was a 3D rendering that bridges the uncanny valley between reality and science fiction; a representation of how the company’s algorithm predicted a person could look given genetic attributes found in the DNA sample.

The face of the murderer, the company predicted, was male. He had fair skin, brown eyes and hair, no freckles, and bushy eyebrows. A forensic artist employed by the company photoshopped a nondescript, close-cropped haircut onto the man and gave him a mustache—an artistic addition informed by a witness description and not the DNA sample.

In a controversial 2017 decision, the department published the predicted face in an attempt to solicit tips from the public. Then, in 2020, one of the detectives did something civil liberties experts say is even more problematic—and a violation of Parabon NanoLabs’ terms of service: He asked to have the rendering run through facial recognition software.

“Using DNA found at the crime scene, Parabon Labs reconstructed a possible suspect’s facial features,” the detective explained in a request for “analytical support” sent to the Northern California Regional Intelligence Center, a so-called fusion center that facilitates collaboration among federal, state, and local police departments. “I have a photo of the possible suspect and would like to use facial recognition technology to identify a suspect/lead.”

The detective’s request to run a DNA-generated estimation of a suspect’s face through facial recognition tech has not previously been reported. Found in a trove of hacked police records published by the transparency collective Distributed Denial of Secrets, it appears to be the first known instance of a police department attempting to use facial recognition on a face algorithmically generated from crime-scene DNA.

It likely won’t be the last.

For facial recognition experts and privacy advocates, the East Bay detective’s request, while dystopian, was also entirely predictable. It emphasizes the ways that, without oversight, law enforcement is able to mix and match technologies in unintended ways, using untested algorithms to single out suspects based on unknowable criteria.

“It’s really just junk science to consider something like this,” Jennifer Lynch, general counsel at civil liberties nonprofit the Electronic Frontier Foundation, tells WIRED. Running facial recognition with unreliable inputs, like an algorithmically generated face, is more likely to misidentify a suspect than provide law enforcement with a useful lead, she argues. “There’s no real evidence that Parabon can accurately produce a face in the first place,” Lynch says. “It’s very dangerous, because it puts people at risk of being a suspect for a crime they didn’t commit.”

It is unknown whether the Northern California Regional Intelligence Center honored the East Bay detective’s request. The NCRIC did not respond to WIRED’s requests for comment about the outcome of the detective's facial recognition request. Captain Terrence Cotcher of the East Bay Regional Park District PD would not comment on the identification request, citing what he describes as an active homicide investigation. However, the executive director of the NCRIC, Mike Sena, told The Markup in 2021 that whenever the fusion center gets facial recognition requests, it will run a search.

For Parabon NanoLabs, if the department ran the predicted face through facial recognition, it isn’t just a violation of the company’s terms of service—it’s a terrible idea.

Parabon NanoLabs, founded in 2008, primarily focuses on forensic genetic genealogy services for law enforcement, a process that involves comparing DNA data with profiles in genealogy databases to locate potential suspects or victims. In 2012, the company received a grant from the US Department of Defense’s Defense Threat Reduction Agency to explore DNA phenotyping, predicting a person's appearance based only on their DNA. According to a 2020 article in _Nature_, the DOD was initially interested in developing phenotyping technology to re-create the faces of people who made improvised explosive devices, using traces of DNA left on the bomb fragments. Parabon pitched an ambitious method that involved machine learning to receive its grant.

Ellen Greytak, the director of bioinformatics at Parabon NanoLabs, says the company uses machine learning to build predictive models “for each part of the face.” The models are trained on the DNA data of more than 1,000 research volunteers and paired with 3D scans of their faces. Each scanned face, Greytak says, has 21,000 phenotypes—observable physical traits—that their models crunch in order to figure out how parts of a DNA sample affect a face’s appearance.

Parabon says it can confidently predict the color of a person's hair, eyes, and skin, along with the amount of freckles they have and the general shape of their face. These phenotypes form the basis of the face renderings the company generates for law enforcement. Parabon’s methods have not been peer-reviewed, and scientists are skeptical about how feasible predicting face shape even is.

In response to questions about the technology's accuracy, Parabon NanoLabs vice president Paula Armentrout tells WIRED that, while the details of its methods are not public, the company has presented its work at conferences and has tested its technology on thousands of samples. She adds that the company posts on its website “every single composite that is publicly disclosed by a customer, so people can draw their own conclusions about how well our technology works.”

Greytak characterizes the company’s face predictions as something more like a description of a suspect than an exact replica of their face. “What we are predicting is more like—given this person’s sex and ancestry, will they have wider-set eyes than average,” she says. “There’s no way you can get individual identifications from that.”

When Parabon NanoLabs launched its face-prediction service around 2015, its terms of service did not explicitly ban clients from using predictions with facial recognition. Soon after launching, however, the company’s law enforcement clients started asking about the viability of running phenotype-generated faces through facial recognition tools. “We were surprised when we heard this,” Greytak says. “It’s just not the intended purpose of the composite images.” In 2016, the company added a clause to its terms prohibiting customers from using facial recognition on its Snapshot Phenotype Reports. However, Armentrout tells WIRED that the company “does not have a way to ensure compliance” with its TOS.

Eight years later, after generating scores of face predictions for law enforcement, some of Parabon NanoLabs’ clients see little reason to not consider using face recognition on these algorithmically generated faces. Officers at all of the departments that WIRED contacted say it should at least be an option.

Jason McDonald is a detective with the Aurora, Colorado, police department’s Major Crime-Homicide Unit. In 2016, his department asked Parabon to use DNA found on the scenes of four 1984 homicides to predict the face of a suspect. McDonald tells WIRED that he believes that running a predicted face through facial recognition could be “justified” and “possibly a useful tool.”

Detective Edward Silver of the St. Clair County Sheriff’s Department in Michigan agrees. His department used Parabon NanoLabs in 2021 to generate the face of a woman whose severely burned body was found in a dumpster in 2003. Silver tells WIRED that he believes the Snapshot Phenotype Reports are accurate enough for facial recognition software.

Representatives from sheriff's offices in Lake County, Florida, and DeKalb County, Illinois, also say they would consider using Parabon NanoLabs’ predicted faces with facial recognition tools. Sheriff Andrew Sullivan of the DeKalb County Sheriff’s Office says in an email that “if there was DNA evidence that was used in the development of Snapshot, yes, we would use that information to try and develop any lead that we had further to solve any homicide.”

Haley Williams, a communications manager with the Boise Police Department in Idaho, tells WIRED in an email that the decision to use facial recognition with an algorithmically generated face would be made on a “case-by-case” basis. She added, however, that the department would “never rely solely on any one piece of evidence and would only use it as a tool to help direct us to other leads or evidence.”

“These are decades-old cases that we have been working,” says a cold-case detective who asked not to be named because they are not authorized to speak to the media. “I know that the Parabon face isn’t perfect, but why wouldn’t we use every tool available to us to try and catch a killer?” Asked if he tried facial recognition with the predicted face, the detective declined to answer, but says, “the family deserves to know that we tried everything.”

Lynch, of the Electronic Frontier Foundation, tells WIRED that while she is sympathetic to detectives wanting to bring closure for the family, the risks of misidentification with this use case are too great. “I think it goes to show a complete misunderstanding about the high-risk errors of facial recognition,” Lynch says. “It’s surprising to me that cops think this kind of technology will produce leads that they can actually use.”

Phenotyping is often a last resort that departments try only after they’ve exhausted other leads. According to Parabon NanoLabs, the majority of cases it works on do not actually get to the facial composite stage. “I joke that my phenotyping can tell you if your suspect has blue eyes, but my genealogist can tell you the guy’s address,” Greytak says.

The fact that law enforcement investigators consider using these predictions in conjunction with facial recognition speaks to a general lack of oversight over investigatory tools, experts say. There are no federal rules that limit the types of images police can use with face recognition software, and it’s up to both the police departments and the facial recognition vendor to implement and enforce safeguards.

According to a report released in September by the US Government Accountability Office, only 5 percent of the 196 FBI agents who have access to facial recognition technology from outside vendors have completed any training on how to properly use the tools. The report notes that the agency also lacks any internal policies for facial recognition to safeguard against privacy and civil liberties abuses.

In the past few years, facial recognition has improved considerably. In 2018, when the National Institute of Standards and Technology tested face recognition algorithms on a mug shot database of 12 million people, it found that 99.9 percent of searches identified the correct person. However, the NIST also found disparities in how the algorithms it tested performed across demographic groups.

Crucially, the NIST tested these algorithms only with high-quality images like driver's license and passport photos; law enforcement is often less discerning. A 2019 report from Georgetown’s Center on Privacy and Technology written by Clare Garvie, a facial recognition expert and privacy lawyer, found that law enforcement agencies nationwide have used facial recognition tools on images that include blurry surveillance camera shots, manipulated photos of suspects, and even composite sketches created by traditional artists.

According to an internal New York Police Department presentation cited by Garvie in her report, NYPD detective Tom Markiewicz wrote in 2018 that the department has tried running face recognition on forensic sketches and found that “sketches do not work.” In another infamous example that Garvie cites in her report, a detective from the NYPD’s Facial Identification Section, after noting that a suspect looked like the actor Woody Harrelson, put a photo of the actor through the department’s facial recognition tool.

“Because modern facial recognition algorithms are trained neural networks, we just don’t know exactly what criteria the systems use to identify a face,” Garvie, who now works at the National Association of Criminal Defense Lawyers, tells WIRED. “Daisy chaining unreliable or imprecise black-box tools together is simply going to produce unreliable results,” she says.

“We should know this by now.”

Cops Used DNA to Predict a Suspect’s Face—and Tried to Run Facial Recognition on It

Software flaws were allegedly hidden from lawyers of wrongly convicted UK postal workers.

Fujitsu software bugs that helped send innocent postal employees to prison in the UK were known "right from the very start of deployment," a Fujitsu executive told a public inquiry today.

"All the bugs and errors have been known at one level or not, for many, many years. Right from the very start of deployment of the system, there were bugs and errors and defects, which were well-known to all parties," said Paul Patterson, co-CEO of Fujitsu's European division.

That goes back to 1999, when the Horizon software system was installed in post offices by Fujitsu subsidiary International Computers Limited. From 1999 to 2015, Fujitsu's faulty accounting software aided in the prosecution and conviction of more than 900 sub-postmasters and postmistresses who were accused of theft or fraud when the software wrongly made it appear that money was missing from their branches.

Some innocent people went to prison, while others were forced to make payments to the UK Post Office to cover the supposed shortfalls. So far, "only 93 convictions have been overturned and thousands of people are still waiting for compensation settlements," a BBC report said.

Post Office Lawyers Allegedly Rewrote Fujitsu Witness Statements

During the prosecutions, courts hearing cases against postal employees "were not told of 29 bugs identified as early as 1999 in the system it built," _The Guardian_ wrote in a summary of Patterson's testimony today. The article said:

> "When bugs were acknowledged, witness statements from Fujitsu staff due to be heard in court were then edited by the Post Office as it sought to maintain the line that the system was working well as it pursued innocent people through the courts.
> 
> Paul Patterson agreed that both organizations had failed the accused. "I am surprised that that detail was not included in the witness statements given by Fujitsu staff to the Post Office and I have seen some evidence of editing witness statements by others," he said.
> 
> Asked by the lead counsel of the public inquiry, Jason Beer KC, whether he agreed that this was shameful, Patterson, who has worked at the company for 14 years, said: “That would be one word I would use. Shameful and appalling. My understanding of how our laws work in this country, is that all of the evidence should have been put in front of the subpostmasters that the Post Office was relying on to prosecute them.”

A Financial Times article said that the public inquiry "heard in December last year that the Post Office's lawyers had rewritten Fujitsu witness statements."

The FT article also said the Post Office, which used prosecution powers available to private corporations in the UK, obtained 700 of the 900 convictions. The other convictions came in cases brought by Scottish prosecutors. The scandal may lead to reforms of the private prosecution system that lets organizations take people to court.

Bugs Were Understood “Way Back to 1999”

Earlier this week, Patterson told UK Parliament members that "Fujitsu would like to apologize for our part in this appalling miscarriage of justice. We were involved from the very start. We did have bugs and errors in the system and we did help the Post Office in their prosecutions of the sub-postmasters. For that we are truly sorry."

Patterson also told Parliament members that Fujitsu has "a moral obligation" to contribute to the compensation for victims.

Patterson testified today in a different setting, answering questions from lawyers representing victims. One of those lawyers, Flora Page, asked Patterson, "Did nobody historically make that pretty obvious connection between very poor code going out into operation and then very poor data coming out and through the litigation support service?"

Patterson answered, "Whether people made that connection or not, what is very evident... is that that connection and understanding about what was going on and where was it, was understood by certainly Fujitsu and certainly understood by Post Office way back to 1999. It's all about what you do with that information... that is a question for this inquiry."

Post Office Minister Kevin Hollinrake, the MP for Thirsk and Malton, told the BBC that his "number one priority" is to "try and get compensation and get answers for people."

"You've had marriages fail, people commit suicide, an horrendous impact on people's lives," he said. "It's perfectly reasonable that the public should demand people are held to account and that should mean criminal prosecutions wherever possible." The UK government also has plans for a new law to "swiftly exonerate and compensate" people who were falsely convicted.

_This story originally appeared on_ _Ars Technica._

Fujitsu Bugs That Sent Innocent People to Prison Were Known ‘From the Start’

Plus: Microsoft says attackers accessed employee emails, Walmart fails to stop gift card fraud, “pig butchering” scams fuel violence in Myanmar, and more.

A major coordinated disclosure this week called attention to the importance of prioritizing security in the design of graphics processing units (GPUs). Researchers published details about the “LeftoverLocals” vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could be exploited to steal sensitive data, such as responses from AI systems. Meanwhile, new findings from the cryptocurrency tracing firm Chainalysis show how stablecoins that are tied to the value of the US dollar were instrumental in cryptocurrency-based scams and sanctions evasion last year.

The US Federal Trade Commission reached a settlement earlier this month with the data broker X-Mode (now Outlogic) over its sale of location data gathered from phone apps to the US government and other clients. While the action was hailed by some as a historic privacy win, it also illustrates the limitations of the FTC and the US government's data privacy enforcement power and the ways in which many companies can avoid scrutiny and consequences for failing to protect consumers' data.

The US internet provider Comcast Xfinity may gather data about customers' personal lives for personalized ads, including information about their political beliefs, race, and sexual orientation. If you're a customer, we've got advice for opting out—to the extent that's possible. And if you need a good long read for the weekend, we have the story of how a 27-year-old cryptography graduate student systematically debunked the myth that bitcoin transactions are anonymous. The piece is an excerpt from WIRED writer Andy Greenberg's nonfiction thriller _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, out this week in paperback.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

On Friday, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two vulnerabilities that are being actively exploited in the popular VPN appliances Ivanti Connect Secure and Policy Secure. CISA's executive assistant director, Eric Goldstein, told reporters that CISA has notified every federal agency that is running a version of the products, amounting to “around” 15 agencies that have applied mitigations. “We are not assessing a significant risk to the federal enterprise, but we know that risk is not zero,” Goldstein said. He added that investigations are ongoing into whether any federal agencies have been compromised in the attackers' mass exploitation spree.

Analysis indicates that multiple actors have been hunting for and exploiting vulnerable Ivanti devices to gain access to organizations' networks around the world. The activity began in December 2023, but it has ramped up in recent days as word of the vulnerabilities and a proof of concept have emerged. Researchers from the security firm Volexity say that at least 1,700 Connect Secure devices have been compromised overall. Both Volexity and Mandiant see evidence that at least some of the exploitation activity is motivated by espionage. CISA's Goldstein said on Friday that the US government has not yet attributed any of the exploitation activity to particular actors, but that “exploitation of these products would be consistent with what we have seen from PRC \[People's Republic of China\] actors like Volt Typhoon in the past.”

Ivanti Connect Secure is a rebrand of the Ivanti product series known as Pulse Secure. Vulnerabilities in that VPN platform were notoriously exploited in a rash of high-profile digital breaches in 2021 carried out by Chinese state-backed hackers.

Microsoft said on Friday that it detected a system intrusion on January 12 that it is attributing to the Russian state-backed actor known as Midnight Blizzard or APT 29 Cozy Bear. The company says it has fully remediated the breach, which began in November 2023 and used “password spraying” attacks to compromise historic system test accounts that, in some cases, then allowed the attacker to infiltrate “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” With this access, Cozy Bear hackers were then able to exfiltrate “some emails and attached documents.” Microsoft notes that the attackers appeared to be seeking information about Microsoft's investigations into the group itself. “The attack was not the result of a vulnerability in Microsoft products or services,” the company wrote. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”

Gift card scams in which attackers trick victims into purchasing gift cards for them are a long-standing issue, but new reporting from ProPublica shows how Walmart has been particularly remiss in addressing the problem. For a decade, the retailer has skirted pressure from both regulators and law enforcement to more closely scrutinize gift card sales and money transfers and expand employee training that could save customers from being tricked and exploited by bad actors. ProPublica conducted dozens of interviews and reviewed internal documents, court filings, and public records in its analysis.

“They were concerned about the bucks. That’s all,” Nick Alicea, a former fraud team leader for the US Postal Inspection Service, told ProPublica. Walmart defended its efforts, claiming that it has stopped more than $700 million in suspicious money transfers and refunded $4 million to victims of gift card fraud. “Walmart offers these financial services while working hard to keep our customers safe from third-party fraudsters,” the company said in a statement. “We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers.”

As rebel groups in Myanmar violently oppose the country's military government, the human trafficking and abuse fueling pig butchering scams is exacerbating the conflict. The scams have exploded in recent years, carried out not just by bad actors, but by a workforce of forced laborers who have often been kidnapped and are being held against their will. In one case this fall, a collection of rebel groups in Myanmar known as the Three Brotherhood Alliance took control of 100 military outposts in the country's northern Shan state and seized several towns along the border with China, vowing to "eradicate telecom fraud, scam dens and their patrons nationwide, including in areas along the China-Myanmar border.”

The UN estimates that there may be as many as 100,000 people held in scam centers in Cambodia and 120,000 in Myanmar. “I’ve worked in this space for over 20 years and to be honest, we’ve never seen anything like what we’re seeing now in Southeast Asia in terms of the sheer numbers of people,” Rebecca Miller, regional program director for human trafficking at the UN Office on Drugs and Crime told Vox.

In a new investigation, _Consumer Reports_ and The Markup crowdsourced three years of archived Facebook data from 709 users of the social network to assess which data brokers and other organizations are tracking and monitoring them. In analyzing the data, reporters found that a total of 186,892 companies sent data about the 709 individuals to Facebook. On average, each of those users had information sent to Facebook about them by 2,230 companies. The number varied, though. Some users had less than the average while others had more than 7,000 companies tracking them and providing information to the social network.

US Agencies Urged to Patch Ivanti VPNs That Are Actively Being Hacked

One of America’s largest internet providers may collect data about your political beliefs, race, and sexual orientation to serve personalized ads.

Your internet service provider could have a good idea of who you’re planning to vote for in the 2024 election as well as the gender of the last person you slept with—and it’s saving that information for later. Major internet providers, like Comcast’s Xfinity, stockpile more revealing data than users might initially realize.

For example, Xfinity customers are automatically opted in to allow the company to store sensitive personal information. This could include your “race, ethnicity, political affiliations, or philosophical beliefs,” according to Xfinity’s website. Your sexual orientation, immigration status, biometric info, and precise location are also considered to be sensitive data. While Comcast does not sell this info, the company does use sensitive data in a variety of ways, like to serve up personalized ads and recommendations.

There are many reasons to be anxious about this kind of data collection. Xfinity itself was recently hacked; the personal data of over 30 million customers was stolen in October of last year, yet the breach was revealed by the company to users two months after the fact. (Definitely change your Xfinity password right now, and turn on two factor-authentication if you haven’t already.)

The good news is that you can take steps to opt out of Comcast’s data storage—although there are limitations on how far the privacy options go. Also, if you live in a state with supplemental privacy legislation, then you might have the right to request and receive more details about your collected data.

How to Change Your Sensitive Personal Information Settings

You don’t have to log in to the Xfinity website with your username and password to make this settings change, but be forewarned: You will be asked to fork over your email, phone number, and location.

Start by visiting Xfinity’s Privacy Center and scrolling down to **Review your privacy preferences**. Then, click on **Manage your information** and skim through all the available options to get a better grasp on your choices. Find the **Sensitive personal information preferences** section, and choose **Review settings**.

This next step was sometimes quite slow to load during my testing, so a little patience might be necessary. When it eventually pops up, fill out the form and click **Continue**. You may be asked to confirm the provided address. Finally, after all that clicking, locate the toggle labeled **Storage and usage of sensitive personal information** that appears on the last page and switch it off.

It’s worth pointing out a crucial caveat from Comcast about how the setting works. The catch is that this toggle impacts the use of your personal data only in Comcast’s advertising, marketing, and recommendations systems. “Even when off, we may still use your sensitive personal information for certain purposes, including to provide your Services, security purposes, and fraud monitoring,” reads a disclaimer right below the toggle. While some data collection may be necessary to operate basic services, the lack of accessible, granular control over what’s stored is disappointing.

Depending on where you live in the US, you can learn more about what Comcast stores and scrub it. In the following five states, you have the right to receive more details about the data Xfinity collects about you: California, Colorado, Connecticut, Utah, and Virginia. By residing here, you have the right to receive details about the gathered data and have personal info deleted. Your right to correct inaccurate info is codified in all of these states as well, except for Utah.

Anyone can technically fill out the form and make the request regardless of location, but you might not receive a real answer if you live somewhere without the legal protections. Even in the states where you are legally covered, be prepared to wait. Comcast may take up to a month to process requests from Xfinity customers, and will notify you if the process ends up stretching out even longer.

How to Opt Out of Comcast’s Xfinity Storing Your Sensitive Data

A new report from Chainalysis finds that stablecoins like Tether, tied to the value of the US dollar, were used in the vast majority of crypto-based scam transactions and sanctions evasion in 2023.

Stablecoins, cryptocurrencies pegged to a stable value like the US dollar, were created with the promise of bringing the frictionless, border-crossing fluidity of Bitcoin to a form of digital money with far less volatility. That combination has proved to be wildly popular, rocketing the total value of stablecoin transactions since 2022 past even that of Bitcoin itself.

It turns out, however, that as stablecoins have become popular among legitimate users over the past two years, they were even more popular among a different kind of user: those exploiting them for billions of dollars of international sanctions evasion and scams.

As part of its annual crime report, cryptocurrency-tracing firm Chainalysis today released new numbers on the disproportionate use of stablecoins for both of those massive categories of illicit crypto transactions over the last year. By analyzing blockchains, Chainalysis determined that stablecoins were used in fully 70 percent of crypto scam transactions in 2023, 83 percent of crypto payments to sanctioned countries like Iran and Russia, and 84 percent of crypto payments to specifically sanctioned individuals and companies. Those numbers far outstrip stablecoins' growing overall use—including for legitimate purposes—which accounted for 59 percent of all cryptocurrency transaction volume in 2023.

In total, Chainalysis measured $40 billion in illicit stablecoin transactions in 2022 and 2023 combined. The largest single category of that stablecoin-enabled crime was sanctions evasion. In fact, across all cryptocurrencies, sanctions evasion accounted for more than half of the $24.2 billion in criminal transactions Chainalysis observed in 2023, with stablecoins representing the vast majority of those transactions.

The attraction of stablecoins for both sanctioned people and countries, argues Andrew Fierman, Chainalysis' head of sanctions strategy, is that it allows targets of sanctions to circumvent any attempt to deny them a stable currency like the US dollar. “Whether it's an individual located in Iran or a bad guy trying to launder money—either way, there's a benefit to the stability of the US dollar that people are looking to obtain,” Fierman says. “If you're in a jurisdiction where you don't have access to the US dollar due to sanctions, stablecoins become an interesting play.”

As examples, Fierman points to Nobitex, the largest cryptocurrency exchange operating in the sanctioned country of Iran, as well as Garantex, a notorious exchange based in Russia that has been specifically sanctioned for its widespread criminal use. Stablecoin usage on Nobitex outstrips bitcoin by a 9:1 ratio, and on Garantex by a 5:1 ratio, Chainalysis found. That's a stark difference from the roughly 1:1 ratio between stablecoins and bitcoins on a few nonsanctioned mainstream exchanges that Chainalysis checked for comparison.

Chainalysis's chart showing the growth in stablecoins as a fraction of the value of total illicit crypto transactions over time.

COURTESY OF CHAINALYSIS

Chainalysis concedes that the analysis in its report excludes some cryptocurrencies like Monero and Zcash that are designed to be harder or impossible to trace with blockchain analysis. It also says it based its numbers on the type of cryptocurrency sent directly to an illicit actor, which may leave out other currencies used in money laundering processes that repeatedly swap one type of cryptocurrency for another to make tracing more difficult.

Chainalysis's findings come on the heels of another report released earlier this week by United Nations researchers on the outsize role of stablecoins in illegal gambling and scam operations across East and Southeast Asia. While Chainalysis declined to break out the value of any particular stablecoin in its findings, the UN report singles out Tether, the most popular stablecoin. The report describes Tether sent through the TRON blockchain-based payment network as the “preferred choice for regional cyberfraud operations and money launderers alike due to its stability and the ease, anonymity, and low fees of its transactions.”

“Pig butchering” scams—cons in which scammers typically trick users into sending funds into fraudulent investments—consistently use Tether as the means of bilking victims, says Erin West, a deputy district attorney for California's Santa Clara County and a member of the REACT High Tech Task Force, who has long focused on crypto crime. “It’s always, always, always Tether. I’ve never heard of pig butchering that _isn’t_ Tether,” says West. “These scammers can’t risk the volatility of any of the other coins like bitcoin or ether. All they want is to move assets from the victims' hands to their own in the cheapest, easiest way possible.”

West says that the high proportion of stablecoin use in sanctions evasion also represents a disturbing trend, given that it undermines a system meant to hold specific countries, individuals, and companies accountable for criminal behavior and violations of international law. “It's so dangerous,” West says. “It enables them to have access to the very units of currency that we’re trying to prevent them from accessing. This is exactly what sanctions are meant to stop, and they’re able to bypass it.”

Chainalysis's chart showing how stablecoins dominated cryptocurrency-based sanctions evasion and scams in 2023.

COURTESY OF CHAINALYSIS

When WIRED reached out to Tether Holdings—the company that issues the stablecoin that shares its name—it responded in a statement following publication of this article that “Tether proactively collaborates with global law enforcement agencies to identify and prevent illicit use of” its cryptocurrency, adding that its “commitment to the highest standards of compliance is evident in our efforts to eliminate various forms of criminal activity.”

Tether argued further that it has contributed to freezing the assets of users involved in scams or found to be violating the US Treasury's sanctions lists, and noted that all of its transactions, like many cryptocurrencies, can be publicly observed on blockchains—in other words, the observability that made Chainalysis's report possible. “Between our active and direct engagement with law enforcement and leveraging the transparent nature of blockchain transactions, individuals attempting to conceal their illicit financial activities face significant risks, as every transaction can be easily traced,” the company's statement reads.

Tether Holdings has more flatly denied other reports of Tether's use in crime and sanctions evasion. It wrote that an October _Wall Street Journal_ article on the subject was based on “highly erroneous interpretations of data”—though in that case, the company pointed to Chainalysis findings as a more accurate accounting. “There is simply no evidence that Tether has violated Sanctions laws or the Bank Secrecy Act through inadequate customer due diligence or screening practices,” Tether Holdings wrote in an October 26 blog post addressing the _WSJ_ article.

In contrast to most cryptocurrencies, Tether does have the capability to freeze user funds, and it said in the October blog post that since its launch in 2014, it had frozen $835 million in funds deemed to be tied to illicit activities. “Tether's ethos revolves around transparency, compliance, and proactive collaboration with relevant authorities worldwide,” the company wrote.

Chainalysis' Fierman says that Tether's efforts to freeze criminal funds are having an impact, and more enforcement could help end stablecoins' exploitation by criminals. “Just as we’ve seen with compliant exchanges dominating more and more of total transaction volumes, illicit activity gets pushed to the fringes,” Fierman says.

Despite Tether's ability to freeze funds, Chainalysis' data suggests that illicit use of stablecoins has so far dwarfed those seizures. West, the prosecutor, notes that most Tether associated with crime is cashed out for another currency long before anyone identifies it. That means Tether hasn't yet come close to solving the underlying problem.

“I applaud it. I'm all for it,” West says of Tether's efforts to freeze criminal assets. “But when we're talking about billions and billions of dollars in assets moving, I just think this is one piece of one piece of the puzzle. There are so many more pieces. And the bad actors are so far ahead of us.”

_Updated at 9:45 am ET, January 18, 2024, to correctly identify prosecutor Erin West's professional title and at 2:45 pm ET with a statement from Tether Holdings._

‘Stablecoins’ Enabled $40 Billion in Crypto Crime Since 2022

Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong—and set the stage for a decade-long crackdown.

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity

Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.

As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.

The silicon industry has spent years refining the security of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.

In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target—shown on the left—asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker’s device—shown on the right—collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code.

An attacker (right) exploits the LeftoverLocals vulnerability to listen to LLM conversationsVideo: Trail of Bits

Last summer, the researchers tested 11 chips from seven GPU makers and multiple corresponding programming frameworks. They found the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the US-CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality.

The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. This means that well-known chips like the AMD Radeon RX 7900 XT and devices like Apple’s iPhone 12 Pro and M2 MacBook Air are vulnerable. The researchers did not find the flaw in the Imagination GPUs they tested, but others may be vulnerable.

An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple’s M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.

Source

Wired