Police on US Bypass Orders with Mass Location Tracking Tool

As summer draws to a close, researchers this week warned of systemic vulnerabilities in mobile app infrastructure, as well as a new iOS security flaw and one in TikTok. And new findings on ways to abuse Microsoft’s Power Automate tool in Windows 11 show how it can be used to spread malware, from ransomware to keyloggers and more.

The anti-Putin media network February Morning, which runs on the communication app Telegram, has played a crucial role in the underground resistance against the Kremlin. Meanwhile, the California Age-Appropriate Design Code passed the California legislature this week with major potential implications for the online privacy of children and everyone else.

And if you’re ready to take a more radical step to protect your privacy on mobile, and you’re feeling a badass doing so, we’ve got a guide to setting up and using burner phones.

But wait, there’s more! Every week we highlight the news that we have not covered extensively ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Data broker Fog Data Science sells access to its claims to billions of location data points from more than 250 million smartphones to local, state and federal law enforcement agencies in the US. The data comes from technology companies and cell towers and is collected in the Fog Reveal tool from thousands of iOS and Android apps. Crucially, access to the service is cheap, often costing local law enforcement agencies less than $10,000 a year, and investigations by the Associated Press and Electronic Frontier Foundation have found that law enforcement officers sometimes request location data without a warrant. The EFF conducted its investigation on the basis of more than 100 requests for public records made over several months. “Disconcertingly, those data show that Fog and some law enforcement officers did not believe that Fog’s oversight implied people’s Fourth Amendment rights and that authorities should get a warrant,” the EFF wrote.

An unsecured database containing information about millions of faces and license plates was visible and publicly accessible in the cloud for months, until it was finally protected in mid-August. TheTechWarrior linked the data to Xinai Electronics, a technology company based in Hangzhou in eastern China. The company develops authentication systems for access to areas such as parking garages, construction sites, schools, offices or vehicles. It also offers additional services related to payroll, employee attendance and performance tracking, and license plate recognition. The company has a huge network of cameras across China that capture facial and license plate data. Security researcher Anurag Sen warned TheTechWarrior about the unsecured database, which also revealed residents’ names, ages and ID numbers in facial data. The revelation comes just months after a massive Shanghai police database was leaked online.

Montenegro authorities said on Wednesday that a gang called “Cuba” attacked its government networks with a ransomware attack last week. The gang also claimed responsibility for the attack on a dark website. Montenegro’s National Security Agency (ANB) said the group has ties to Russia. The attackers reportedly deployed a malware strain called “Zerodate” and infected 150 computers in 10 Montenegrin government agencies. It is unclear whether the attackers exfiltrated data as part of the hack. The US Federal Bureau of Investigation is sending investigators to Montenegro to help analyze the attack.

On Monday, the US Federal Trade Commission announced it is suing data broker Kochava for selling geolocation data collected from apps on “hundreds of millions of mobile devices.” The data could be used, the FTC said, to track people’s movements and reveal information about where they’re going, including showing visits to sensitive locations. “Kochava’s data may reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction treatment facilities,” the agency wrote. “The FTC alleges that by selling data that tracks people, Kochava enables others to identify individuals and expose them to threats of stigma, stalking, discrimination, job loss and even physical violence.” The lawsuit aims to prevent Kochava from selling sensitive location data, and the agency is asking the company to remove what it already has.

In August, the prolific ransomware gang hacked into South Staff Water, a UK water supply company, Cl0p. The gang said it even had access to SSW’s industrial control network, which handles things like water flow. The hackers have published screenshots that allegedly show their access to the water supply control panels. Experts told Motherboard that it appears that the hackers were able to really interfere with the water supply, highlighting the risks when critical infrastructure networks are not sufficiently separated from regular corporate networks. “Yes, there was access, but we only took screenshots,” Cl0p told Motherboard. “We do not harm people and treat critical infrastructure with respect. … We didn’t really go into it because we didn’t want to hurt anyone.” SSW said in a statement, “This incident has not affected our ability to provide safe water.”