At a glance.
- The vacuum cleaner may be listening to you...
- Facebook objects to advertising research.
- Nitro PDF breach effects spread to New Zealand.
Hush, darling—not in front of the vacuum cleaner.
Well, this would suck. A research team from the University of Maryland and the National University of Singapore has discovered that your robot vacuum cleaner could be spying on you, Threatpost reports. The “LidarPhone” attack takes advantage of robot vacuums that use Light Detection and Ranging (LiDAR) distance sensors to navigate around your dirty socks as they clean up last night’s cookie crumbs. A proof-of-concept tested on a Xiaomi Roborock determined that a hacker could repurpose those sensors to detect acoustic signals instead, allowing the vacuum to decipher sounds like human voices and even music. The complexity of the hack, which in the PoC involves reverse-engineering the vacuum’s firmware and exploiting a flaw in the Dustcloud server, would make the exploit difficult to pull off, but if successful, the attacker could suck up your private conversations along with your dust bunnies. The researchers, who presented a paper at SenSys 2020 based on prior research from DEFCON 26, assert that a similar tactic could be used to hack other light sensors, including the ones in smartphones.
Facebook faces off with advertising researchers.
Facebook has given the researchers behind the Online Political Ads Transparency Project’s Ad Observatory Program an ultimatum, Wired reports: cease their work by the end of November or face possible legal action. The project, run by an academic team at New York University’s Tandon School of Engineering, is “focused on improving the transparency of online political advertising.” Volunteers can opt into the research by installing Ad Observer, a browser plug-in that collects information about the ads a user sees and then sends that data to the Ad Observatory for analysis. Facebook has asked the Observatory to halt its work and delete its findings, claiming that the gathering of this info is a risk to user privacy. In a Twitter statement, Facebook spokesperson Rob Leathern stated, “Collecting personal data via scraping tools is an industry-wide problem that’s bad for people’s privacy & unsafe regardless of who is doing it.” But Facebook’s motivations could be less than altruistic, as in the past the social media giant has been called out by US and European officials for allowing advertisers to use Facebook ads to spread disinformation and target the audiences who are most likely to believe it.
New Zealanders exposed in Nitro PDF breach.
A threat actor infiltrated the systems of PDF creation software provider Nitro PDF and stole the data of at least 2.6 million users, 4,000 of whom are New Zealanders, RNZ reports. The stolen data, which includes email addresses and hashed passwords, was published online by the threat actor, and it’s possible there’s more where that came from. CERT-NZ, New Zealand’s cybersecurity watchdog organization, released an alert describing the nature of the breach and advising those affected about next steps.