A week in security (January 12 – January 18)

Last week on Malwarebytes Labs: WhisperPair exposes Bluetooth earbuds and headphones to tracking and eavesdropping Dutch police sell fake tickets to show how easily scams work "Reprompt" attack lets attackers steal data from Microsoft Copilot Phishing scammers are posting fake "account restricted...

Security and Privacy Analysis of Tile's Location Tracking Protocol

We conduct the first comprehensive security analysis of Tile, the second most popular crowd-sourced location-tracking service behind Apple's AirTags. We identify several exploitable vulnerabilities and design flaws, disproving many of the platform's claimed security and privacy guarantees: Tile's...

CVE-2021-30986

A device configuration issue was addressed with an updated configuration. This issue is fixed in macOS Monterey 12.1. A device may be passively tracked by its Bluetooth MAC address...

Apple and Google join forces to stop unwanted tracking

Apple and Google have announced an industry specification for Bluetooth tracking devices which help alert users to unwanted tracking. The specification, called Detecting Unwanted Location Trackers, will make it possible to alert users across both iOS and Android if a device is unknowingly being...

Tracking People via Bluetooth on Their Phones

Weve always known that phones--and the people carrying them--can be uniquely identified from their Bluetooth signatures, and that we need security techniques to prevent that. This new research shows that thats not enough. Computer scientists at the University of California San Diego proved in a...

Bluetooth Signals Can Be Used to Track Smartphones, Say Researchers

Researchers warn Bluetooth signals can be used to track device owners via a unique fingerprinting of the radio signal. The technique was presented via a paper presented at IEEE Security and Privacy conference last month by researchers at the University of California San Diego. The paper suggests...

City fined for tracking its citizens via their phones

The Dutch information watchdog—the Autoriteit Persoonsgegevens AP—has fined the city of Enschede for € 600,000 for tracking its citizens movements without permission. It is the first time that a Dutch government body has been fined by the AP. The investigation was set in motion after it received ...

Apple/Google Exposure Notification API Information Disclosure Vulnerability

The Apple/Google Exposure Notification API is a contact tracking survey application for pandemic diseases. An information disclosure vulnerability exists in the Apple/Google Exposure Notification API beta 2020-05-29 and earlier versions, which can be exploited by an attacker to bypass Bluetooth...