
Code used to encrypt sensitive radio communications around the world for years had major flaws that could be exploited by attackers, according to new research. Among the flaws: a secret backdoor.
A group of researchers from the Netherlands discovered multiple vulnerabilities in encryption algorithms used in the European radio standard TETRA, which is used in radio communications by police, critical infrastructure workers, mass transit and freight trains, and major government bodies. While the TETRA standard is public, the ciphers used to encrypt the communications were kept secret. One of the algorithms, known as TEA1, had a feature that reduces its 80-bit encryption down to just 32 bits—a backdoor, the researchers say, that made it vulnerable to eavesdropping and potentially other attacks.
The body that develops and maintains TETRA—the European Telecommunications Standards Institute—rejects the “backdoor” label, saying that the weakened encryption was implemented to abide by encryption export controls in place when it was released in the 1990s. Regardless of what you call it, ETSI has released a replacement for the TEA1 algorithm and fixed another major flaw that made communications vulnerable to interception.
In the world of AI-fueled chatbots, security researchers warn that third-party plug-ins for ChatGPT’s paid version could add a layer of risk to users’ data and potentially be abused by attackers. OpenAI, the creator of ChatGPT, says it maintains high security standards for the plug-ins listed on its website. But ultimately, the choice to use a plug-in largely depends on whether you trust the developer who made it.
Even if you trust someone online, however, there’s no guarantee that they are who you think they are. This week, we detailed the saga of a Twitter user who thought he was buying a MacBook from someone he knew but ended up sending $1,000 to a scammer who used a hacked Twitter account to pull off the swindle. Threat researchers got involved and ultimately traced the scammers’ real-life identities, then handed over what they found to police.
Finally, in Washington, DC, the National Security Agency has been quietly pushing members of the US Congress to abandon an amendment to the “must-pass” National Defense Authorization Act (NDAA) that would prevent military intelligence agencies like the NSA from buying commercially available data on US citizens. Even if the NSA’s lobbying is successful, it may be forced to keep up the fight, as separate legislation making its way through Congress would ban the purchase of sensitive data far more broadly than the NDAA amendment.