This Week In Security: Signal DRM, Modern Phone Phreaking, And The Impossible SSH RCE

May 23, 2025 by Jonathan Bennett No comments

Digital Rights Management (DRM) has been the bane of users since it was first introduced. Who remembers the battle it was getting Netflix running on Linux machines, or the literal legal fight over the DVD DRM decryption key? So the news from Signal, that DRM is finally being put to use to protect users is ironic.

The reason for this is Microsoft Recall — the AI powered feature that takes a snapshot of everything on the user’s desktop every few seconds. For whatever reason, you might want to exempt some windows from Recall’s memory window. It doesn’t speak well for Microsoft’s implementation that the easiest way for an application to opt out of the feature is to mark its window as containing DRM content. Signal, the private communications platform, is using this to hide from Recall and other screenshotting applications.

The Signal blogs warns that this may be just the start of agentic AI being rolled out with insufficient controls and permissions. The issue here isn’t the singularity or AI reaching sentience, it’s the same old security and privacy problems we’ve always had: Too much information being collected, data being shared without permission, and an untrusted actor having access to way more than it should. Continue reading “This Week In Security: Signal DRM, Modern Phone Phreaking, And The Impossible SSH RCE” →

This Week In Security: No More CVEs, 4chan, And Recall Returns

April 18, 2025 by Jonathan Bennett 7 Comments

The sky is falling. Or more specifically, it was about to fall, according to the security community this week. The MITRE Corporation came within a hair’s breadth of running out of its contract to maintain the CVE database. And admittedly, it would be a bad thing if we suddenly lost updates to the central CVE database. What’s particularly interesting is how we knew about this possibility at all. An April 15 letter sent to the CVE board warned that the specific contract that funds MITRE’s CVE and CWE work was due to expire on the 16th. This was not an official release, and it’s not clear exactly how this document was leaked.

Many people made political hay out of the apparent imminent carnage. And while there’s always an element of political maneuvering when it comes to contract renewal, it’s worth noting that it’s not unheard of for MITRE’s CVE funding to go down to the wire like this. We don’t know how many times we’ve been in this position in years past. Regardless, MITRE has spun out another non-profit, The CVE Foundation, specifically to see to the continuation of the CVE database. And at the last possible moment, CISA has announced that it has invoked an option in the existing contract, funding MITRE’s CVE work for another 11 months.

Continue reading “This Week In Security: No More CVEs, 4chan, And Recall Returns” →

This Week In Security: Recall, BadRAM, And OpenWRT

December 13, 2024 by Jonathan Bennett 6 Comments

Microsoft’s Recall feature is back. You may remember our coverage of the new AI feature back in June, but for the uninitiated, it was a creepy security trainwreck. The idea is that Windows will take screenshots of whatever is on the screen every few seconds, and use AI to index the screenshots for easier searching. The only real security win at the time was that Microsoft managed to do all the processing on the local machine, instead of uploading them to the cloud. All the images and index data was available unencrypted on the hard drive, and there weren’t any protections for sensitive data.

Things are admittedly better now, but not perfect. The recall screenshots and database is no longer trivially opened by any user on the machine, and Windows prompts the user to set up and authenticate with Windows Hello before using Recall. [Avram] from Tom’s Hardware did some interesting testing on the sensitive information filter, and found that it worked… sometimes.

So, with the public preview of Recall, is it still creepy? Yes. Is it still a security trainwreck? It appears that the security issues are much improved. Time will tell if a researcher discovers a way to decrypt the Recall data outside of the Recall app.

Patch Tuesday

Since we’re talking about Microsoft, this week was Patch Tuesday, and we had seventy-one separate vulnerabilities fixed, with one of those being a zero-day that was used in real-world attacks. CVE-2024-49138 doesn’t seem to have a lot of information published yet. We know it’s a Heap-based Buffer Overflow in the Common Log File driver, and allows an escalation of privilege to SYSTEM on Windows machines. Continue reading “This Week In Security: Recall, BadRAM, And OpenWRT” →

This Week In Security: Recall, Modem Mysteries, And Flipping Pages

June 7, 2024 by Jonathan Bennett 6 Comments

Microsoft is racing to get into the AI game as part of Windows 11 on ARM, calling it Copilot+. It’s an odd decision, but clearly aimed at competing with the Apple M series of MacBooks. Our focus of interest today is Recall, a Copilot+ feature that not only has some security problems, but also triggers a sort of visceral response from regular people: My computer is spying on me? Eww.

Yes, it really sort of is. Recall is a scheme to take screen shots of the computer display every few seconds, run them through character recognition, and store the screenshots and results in a database on the local machine hard drive. There are ways this could be useful. Can’t remember what website had that recipe you saw? Want to revisit a now-deleted tweet? Is your Google-fu failing you to find a news story you read last week? Recall saw it, and Recall remembers. But what else did Recall see? Every video you watched, ever website you visited, and probably some passwords and usernames you typed in.

Continue reading “This Week In Security: Recall, Modem Mysteries, And Flipping Pages” →

Software Bug Results In Insulin Pump Injuries, Spurs Recall

May 11, 2024 by Dan Maloney 24 Comments

Managing Type 1 diabetes is a high-stakes balancing act — too much or too little insulin is a bad thing, resulting in blood glucose levels that deviate from a narrow range with potentially dire consequences on either side. Many diabetics choose to use an insulin pump to make managing all this easier, but as a recent recall of insulin pump software by the US Food and Drug Administration shows, technology isn’t foolproof.

Thankfully, the recall is very narrow in scope. It’s targeted at users of the Tandem t:slim X2 insulin pump, and specifically the companion application running on iOS devices. The mobile app is intended to run on the user’s phone to monitor and control the pump. The pump itself is a small, rechargeable device that users often keep on their belt or tucked into a pocket that delivers a slow, steady infusion of insulin during the day, plus larger bolus doses to compensate for meals.

Hackaday

recall

17 Articles