
Security Bits — 18 January 2026

Feedback & Followups

Deep Dive 1 — a Bad Month for Bluetooth

A Known Issue Evolves

First, the technical details of the flaw in the headphone firmware used by multiple vendors that we warned about a few weeks ago, including sample exploit code, are now public. If you have an affected headset from a major brand like Sony, JBL, Bose, or Marshall, make sure your firmware is up to date!

Below is a quick reminder of the issue (from cyberinsider.com/…):

During their research, ERNW demonstrated how an attacker can silently connect to a vulnerable headphone via BLE, dump its firmware to extract stored Bluetooth link keys, and then use those keys to impersonate the headphone to a paired smartphone. Once impersonation is successful, attackers can:

  1. Initiate phone calls or accept incoming calls silently.
  2. Access the victim’s phone number and contacts using HfP commands.
  3. Trigger voice assistants like Siri or Google Assistant to send texts or perform other actions.
  4. Eavesdrop using the phone’s microphone by silently placing a call to an attacker-controlled number.

A Major New Vulnerability — ‘WhisperPair’

TL;DR — if you have an affected headset, you need a firmware update.

Researchers at KU Leuven University in Belgium have released details of a new Bluetooth vulnerability they’ve named WhisperPair. It affects hundreds of products from big-name brands, including Google, Jabra, JBL, Logitech, Marshall, Nothing, OnePlus, Sony, Soundcore, Xiaomi, Olufsen, and even Beats (but not Apple’s own-brand devices)! (The researchers have provided a nice search tool to check your device — whisperpair.eu/…)

The problem is with the way many vendors have implemented Google’s Fast Pair protocol, an Android equivalent of Apple’s AirPods pairing system. But note that the flaw is in the device firmware, so all users of these devices are vulnerable, whether or not they use Android!

One reason this flaw is so widespread is that Google’s certification process did not correctly test an important aspect of the pairing process, so the affected devices are all certified as safe by Google! Google have now updated their tests, so new devices will not get certified until they implement the pairing process securely, but all the affected devices need firmware fixes.

As the name suggests, the bug lets attackers within Bluetooth range stealthily pair their device to vulnerable headsets. To make matters worse, the Fast Pair algorithm not only pairs Bluetooth, but it also facilitates the registration of devices that support the feature into Google’s Find Hub network (their equivalent to Apple’s Find My network). There are three important caveats to this, though:

  1. Only some of the affected devices support Find Hub
  2. Attackers can only register previously unregistered devices
  3. Victims will receive a warning that a tracking device is following them within a day or two of the attack, though since that warning names their own device, its true meaning could easily be lost on them.

Putting it all together, the risks for victims are:

  1. Physically dangerous pranks like blasting loud music at full volume into people’s ears unexpectedly (at best, terrifying, but could easily cause hearing damage), but only while the attacker is within Bluetooth range.
  2. Abuse of the mic for eavesdropping, again, only while the attacker is in Bluetooth range.
  3. Abuse of the Find Hub network for persistent tracking (with the three caveats above)

If you have an affected device, upgrade your firmware as soon as possible, and in the meantime, be aware of the risks and adjust your behaviour accordingly.

Links

Deep Dive 2 — The Risks from Dodgy Android Devices Become Real with the Kimwolf Botnet

Brian Krebs recently detailed, in great technical depth, how unofficial Android devices were combined with flaws in so-called residential proxy services to build a massive botnet (krebsonsecurity.com/…), and the article caught Allison’s attention.

The article describes both the actual Kimwolf botnet and all of its theoretical implications. Krebs’ audience is mostly cybersecurity professionals, and he pitches his articles appropriately. This means he explains all the theoretical risks thoroughly, but doesn’t spend much, if any, time putting those risks into context for regular home users. This often makes his articles sound more alarming than they really are.

Before digging in more deeply, here are the important takeaways for home users from a publication targeted at home users (www.bleepingcomputer.com/…):

Researchers observed increased activity for the malware since last August. Over the past month, Kimwolf has intensified its scanning of proxy networks, searching for devices with exposed Android Debug Bridge (ADB) services.

Common targets are Android-based TV boxes and streaming devices that allow unauthenticated access over ADB.

Most of the infected Android devices are in Vietnam, Brazil, India, and Saudi Arabia.

The general recommendation is to avoid low-cost generic Android TV boxes and to prefer ‘Google Play Protect certified’ devices from reputable OEMs, such as Google’s Chromecast, NVIDIA Shield TV, and Xiaomi Mi TV Box.

That’s the real-world risk for home users today, and the practical advice that users can take on board today.

But the Krebs article did highlight bigger hypothetical risks the security industry is going to need to monitor and protect against going forward.

Today, attackers are abusing piracy-enabling unofficial Android TV boxes, but in theory, they could abuse any Android device not protected by Google Play Services, including things like photo frames from careless or malicious vendors.

The attacks leveraged weaknesses in some dubious services that are probably legal, but definitely ethically questionable: the so-called residential proxy services. These are companies which openly provide unscrupulous app vendors with code to include in their dodgy free apps, enrolling the apps’ users’ devices into the company’s proxy network. They then sell anonymous proxy services that let customers send any traffic they like via these enrolled devices.

Spammers and cybercriminals use these networks to route their spam and DDoS attacks through regular people’s phones and homes to make them harder for victims to detect. Why? Because the attack traffic blends in with all the regular traffic in a way that attacks coming from data centres don’t.

There is also good evidence that many of these services augment their networks with hacked devices. Plenty of malware strains enroll devices into these kinds of networks.

You don’t want your devices in these networks anyway, but what the Kimwolf criminals discovered is that these networks are bad at security as well as just being morally questionable, allowing users to send traffic to LAN IPs through the network, effectively using enrolled devices as bridges into people’s private networks.
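The LAN-bridging weakness described above comes down to a missing egress check: a proxy exit node that accepts any destination will happily forward a customer’s traffic to hosts on the enrolled device’s own private network. The following is an added illustration, not code from Kimwolf, Krebs’ article, or any proxy vendor; it models the weak policy beside the hardened one and handles the edge cases (IPv4-mapped IPv6, IPv6 ULA, link-local, unparseable input) that a naive IPv4-only check misses.

```python
import ipaddress

# Assumed policy (not any vendor's actual code): an exit node must never let a
# customer's traffic reach the enrolled device's own LAN or the device itself.
# If the customer supplies a hostname, resolve it first and check every
# resulting address; checking the name alone is not enough.

def _normalise(addr: str):
    """Parse addr; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to its IPv4 form."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:192.168.1.1 is a LAN host dressed up as IPv6; judge it as IPv4,
    # otherwise it slips past an IPv4-only private-range check.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_lan_destination(addr: str) -> bool:
    """True if addr points at the enrolled device's own network or host."""
    try:
        ip = _normalise(addr)
    except ValueError:
        return True  # unparseable destination: fail closed and refuse it
    # is_private covers RFC 1918 for IPv4 and fc00::/7 (ULA) for IPv6;
    # the remaining flags catch loopback, 169.254/16 and fe80::/10,
    # multicast, reserved and unspecified addresses.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def proxy_decision(addr: str, block_lan: bool) -> str:
    """Weak policy (block_lan=False) forwards anything; hardened policy refuses LAN."""
    if block_lan and is_lan_destination(addr):
        return "refused"
    return "forwarded"

if __name__ == "__main__":
    # Constructed sample destinations a customer might submit.
    for dest in ("93.184.216.34", "192.168.1.10", "::ffff:10.0.0.5", "fd12:3456::1"):
        print(dest, "weak:", proxy_decision(dest, False), "hardened:", proxy_decision(dest, True))
```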

The Kimwolf attackers combined this proxy weakness with the terrible security of dodgy Android TV devices, which are trivial to hack (typically via unauthenticated ADB, as noted above), and enrolled those devices into their botnet.

In theory, the proxy services could abuse iOS apps too, but they aren’t, and it’s not clear they’d get past Apple’s gate-keeping if they tried. It’s also not clear whether this is a big problem in the Google Play store, but it could become so. For now, the biggest risk is side-loaded apps, especially morally questionable ones like piracy apps and apps offering free pornography, illegal access to gambling services, and dodgy cryptocurrency services/scams.

Links

❗ Action Alerts

Worthy Warnings

  • No matter what meme you read on social media, don’t say ‘112’ to Siri in any way; you’ll illegally call emergency services — www.macobserver.com/…
    • Bonus Tip: 112 is part of the GSM standard, so if you’re travelling, that number will divert to the correct local emergency services number, e.g., 911 in the US, and 999 in the UK & Ireland
  • Something seems to have happened at Instagram; there seems to be at least some data leaked, but it’s not at all clear what is going on — cyberinsider.com/… & www.bleepingcomputer.com/…
    • There are fake password reset emails doing the rounds, ignore them if you get one — appleinsider.com/…
  • Grubhub have definitely lost some customer data, but they’re not being forthcoming with the details — www.bleepingcomputer.com/…
  • There also appears to have been some kind of leak at WIRED, but again, no clarity — cyberinsider.com/… & www.bleepingcomputer.com/…

Notable News

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
🎦 A link to video content.
