Crypto-Gram November 15, 2024

by Bruce Schneier Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog,
along with a lively and intelligent comment section. An RSS feed is
available.

** *** ***** ******* *********** ************* In this issue:

If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies
Cheating at Conkers Justice Department Indicts Tech CEO for Falsifying
Security Certifications AI and the SEC Whistleblower Program No, the
Chinese Have Not Broken Modern Encryption Systems with a Quantum
Computer Are Automatic License Plate Scanners Constitutional?
Watermark for LLM-Generated Text Criminals Are Blowing up ATMs in
Germany Law Enforcement Deanonymizes Tor Users Simson Garfinkel on
Spooky Cryptographic Action at a Distance Tracking World Leaders Using
Strava Roger Grimes on Prioritizing Cybersecurity Advice Sophos Versus
the Chinese Hackers AIs Discovering Vulnerabilities IoT Devices in
Password-Spraying Botnet Subverting LLM Coders Prompt Injection
Defenses Against LLM Cyberattacks AI Industry is Trying to Subvert the
Definition of “Open Source AI” Criminals Exploiting FBI Emergency Data
Requests Mapping License Plate Scanners in the US New iOS Security
Feature Makes It Harder for Police to Unlock Seized Phones

** *** ***** ******* *********** ************* More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies

[2024.10.15] The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here).

The sales pitch came from a marketing official trusted by Hezbollah
with links to Apollo. The marketing official, a woman whose identity
and nationality officials declined to reveal, was a former Middle East
sales representative for the Taiwanese firm who had established her own
company and acquired a license to sell a line of pagers that bore the
Apollo brand. Sometime in 2023, she offered Hezbollah a deal on one of
the products her firm sold: the rugged and reliable AR924.

“She was the one in touch with Hezbollah, and explained to them why the
bigger pager with the larger battery was better than the original
model,” said an Israeli official briefed on details of the operation.
One of the main selling points about the AR924 was that it was
“possible to charge with a cable. And the batteries were longer
lasting,” the official said.

As it turned out, the actual production of the devices was outsourced
and the marketing official had no knowledge of the operation and was
unaware that the pagers were physically assembled in Israel under
Mossad oversight, officials said. Mossad’s pagers, each weighing less
than three ounces, included a unique feature: a battery pack that
concealed a tiny amount of a powerful explosive, according to the
officials familiar with the plot.

In a feat of engineering, the bomb component was so carefully hidden as
to be virtually undetectable, even if the device was taken apart, the
officials said. Israeli officials believe that Hezbollah did
disassemble some of the pagers and may have even X-rayed them.

Also invisible was Mossad’s remote access to the devices. An electronic
signal from the intelligence service could trigger the explosion of
thousands of the devices at once. But, to ensure maximum damage, the
blast could also be triggered by a special two-step procedure required
for viewing secure messages that had been encrypted.

“You had to push two buttons to read the message,” an official said. In
practice, that meant using both hands.

Also read Bunnie Huang’s essay on what it means to live in a world where people can turn IoT devices into bombs. His conclusion:

Not all things that could exist should exist, and some ideas are better
left unimplemented. Technology alone has no ethics: the difference
between a patch and an exploit is the method in which a technology is
disclosed. Exploding batteries have probably been conceived of and
tested by spy agencies around the world, but never deployed en masse
because while it may achieve a tactical win, it is too easy for weaker
adversaries to copy the idea and justify its re-deployment in an
asymmetric and devastating retaliation.

However, now that I’ve seen it executed, I am left with the terrifying
realization that not only is it feasible, it’s relatively easy for any
modestly-funded entity to implement. Not just our allies can do this --
a wide cast of adversaries have this capability in their reach, from
nation-states to cartels and gangs, to shady copycat battery factories
just looking for a big payday (if chemical suppliers can moonlight in
illicit drugs, what stops battery factories from dealing in bespoke
munitions?). Bottom line is: we should approach the public policy
debate around this assuming that someday, we could be victims of
exploding batteries, too. Turning everyday objects into fragmentation
grenades should be a crime, as it blurs the line between civilian and
military technologies.

I fear that if we do not universally and swiftly condemn the practice
of turning everyday gadgets into bombs, we risk legitimizing a military
technology that can literally bring the front line of every conflict
into your pocket, purse or home.

** *** ***** ******* *********** ************* Cheating at Conkers

[2024.10.16] The men’s world conkers champion is accused of cheating with a steel chestnut.

** *** ***** ******* *********** ************* Justice Department Indicts
Tech CEO for Falsifying Security Certifications

---
* Origin: High Portable Tosser at my node (21:1/229.1)