Cyberattack on Breathalyzer Company Strands Drivers

This week, United States law enforcement dismantled the Aisuru, Kimwolf, JackSkid, and Mossad botnets—cybercriminal networks that have compromised over 3 million devices globally, impacting many home networks and facilitating unprecedented cyberattacks. In a related development, hundreds of millions of iPhones are now at risk from a tool known as DarkSword, employed by Russian hackers to extract victims’ information.

A vulnerability was discovered exposing customer service interactions with the Sears Home Services AI bot, Samantha, making personal details accessible until a researcher flagged the issue. Sensitive information from calls and chats was exposed, with some recordings capturing additional audio after customers believed their call had ended. Meanwhile, WIRED examined multiple Telegram channels advertising job openings for “AI face models,” predominantly hiring women who may be exploited as figures in AI scams targeting victims’ finances.

Meta recently revealed plans to remove end-to-end encryption for Instagram Direct Messages starting May 8, attributing the decision to low uptake of the feature. This follows the company’s prior commitment to making such protection standard for Instagram chats, raising concerns among experts about the potential ramifications in the tech landscape. In related news, Signal’s creator Moxie Marlinspike announced a collaboration with Meta to incorporate his encrypted AI platform, Confer, into Meta AI in some capacity.

There’s more to explore. Each week, we summarize the security and privacy news that we didn’t cover in detail. Click on the headlines for full articles, and remember to stay safe.

Consider trying to explain this to your supervisor: You’re unable to reach work because your court-mandated breathalyzer is locking you out—not due to alcohol consumption, but because a cyberattack has disabled the vehicle start function of the device.

Intoxalock, a manufacturer of automotive breathalyzers used by approximately 150,000 drivers daily across the US, reported this week that it had been targeted by a cyberattack, leading to a “downtime” notice on its website. Drivers relying on these devices have found themselves stranded due to the breathalyzers’ failure to connect to company services. One user expressed frustration on Reddit, stating, “Our vehicles are giant paperweights right now through no fault of ours. I’m being held accountable at work and feel completely helpless.”

The lockouts stem from the need for periodic calibrations of Intoxalock’s breathalyzers, which must connect to the company’s servers. Drivers awaiting calibration are stuck due to the service outage; however, Intoxalock has announced a 10-day extension on calibrations due to the cybersecurity issue and may provide towing services in certain cases. The nature of the cyberattack or any potential data compromise remains unclear.

In March 2023, FBI Director Christopher Wray publicly acknowledged for the first time that the agency had acquired US phone location data. He indicated that while the FBI had previously obtained phone data from commercial data brokers without warrants, it had ceased this practice. “That’s not been active for some time,” Wray stated. Fast-forward three years, and the FBI is once again procuring location data used to monitor Americans.

During a Senate hearing on Wednesday, FBI Director Kash Patel confirmed that the agency is purchasing “commercially available information” that he asserted complies with the Constitution and other laws. “It has led to some valuable intelligence for us,” Patel remarked. This practice involves the FBI acquiring information from data brokers who sell extensive data, including phone location data derived from in-app advertising technology.
