Facebook spying on teens, Twitter accounts hijacked by terrorists, and sexual abuse imagery found on Bing and Giphy were amongst the ugly truths revealed by TechCrunch’s investigative reporting in 2019. The tech industry needs more watchdogs than ever as its size enlarges the impact of safety failures and the abuse of power. Whether through malice, naivety, or greed, there was plenty of wrongdoing to sniff out.
Led by our security expert Zack Whittaker, TechCrunch undertook more long-form investigations this year to tackle these growing issues. Our coverage of fundraises, product launches, and glamorous exits only tells half the story. As perhaps the biggest and longest running news outlet dedicated to startups (and the giants they become), we’re responsible for keeping these companies honest and pushing for a more ethical and transparent approach to technology.
If you have a tip potentially worthy of an investigation, contact TechCrunch at firstname.lastname@example.org or by using our anonymous tip line’s form.
Image: Bryce Durbin/TechCrunch
Here are our top 10 investigations from 2019, and their impact:
Josh Constine’s landmark investigation discovered that Facebook was paying teens and adults $20 in gift cards per month to install a VPN that sent Facebook all their sensitive mobile data for market research purposes. The laundry list of problems with Facebook Research included not informing 187,000 users that the data would go to Facebook until they signed up for “Project Atlas”, not receiving proper parental consent for over 4,300 minors, and threatening legal action if a user spoke publicly about the program. The program also abused Apple’s enterprise certificate program, which is designed only for distributing employee-only apps within companies, to avoid the App Store review process.
The fallout was enormous. Lawmakers wrote angry letters to Facebook. TechCrunch soon discovered a similar market research program from Google called Screenwise Meter that the company promptly shut down. Apple punished both Google and Facebook by shutting down all their employee-only apps for a day, causing office disruptions since Facebookers couldn’t access their shuttle schedule or lunch menu. Facebook tried to claim the program was above board, but finally succumbed to the backlash and shut down Facebook Research and all paid data collection programs for users under 18. Most importantly, the investigation led Facebook to shut down its Onavo app, which offered a VPN but in reality sucked in tons of mobile usage data to figure out which competitors to copy. Onavo helped Facebook realize it should acquire messaging rival WhatsApp for $19 billion, and it’s now at the center of anti-trust investigations into the company. TechCrunch’s reporting weakened Facebook’s exploitative market surveillance, pitted tech’s giants against each other, and raised the bar for transparency and ethics in data collection.
Zack Whittaker’s profile of the heroes who helped save the internet from the fast-spreading WannaCry ransomware reveals the precarious nature of cybersecurity. The gripping tale documenting Marcus Hutchins’ benevolent work establishing the WannaCry kill switch may have contributed to a judge’s decision to sentence him to just one year of supervised release instead of 10 years in prison for an unrelated charge of creating malware as a teenager.
TechCrunch contributor Mark Harris’ investigation discovered inadequate emergency exits and other problems with Elon Musk’s plan for his Boring Company to build a Washington D.C.-to-Baltimore tunnel. Consulting fire safety and tunnel engineering experts, Harris built a strong case for why state and local governments should be suspicious of technology disrupters cutting corners in public infrastructure.
Josh Constine’s investigation exposed how Bing’s image search results not only showed child sexual abuse imagery, but also suggested search terms to innocent users that would surface this illegal material. A tip led Constine to commission a report by anti-abuse startup AntiToxin (now L1ght), forcing Microsoft to commit to UK regulators that it would make significant changes to stop this from happening. However, a follow-up investigation by the New York Times citing TechCrunch’s report revealed Bing had made little progress.
Zack Whittaker’s investigation surfaced contradictory evidence in a case of alleged grade tampering by Tufts student Tiffany Filler who was questionably expelled. The article casts significant doubt on the accusations, and that could help the student get a fair shot at future academic or professional endeavors.
Natasha Lomas chronicled troubles at educational computer hardware startup pi-top, including a device malfunction that injured a U.S. student. An internal email revealed the student had suffered “a very nasty finger burn” from a pi-top 3 laptop designed to be disassembled. Reliability issues swelled and layoffs ensued. The report highlights how startups operating in the physical world, especially around sensitive populations like students, must make safety a top priority.
Sarah Perez and Zack Whittaker teamed up with child protection startup L1ght to expose Giphy’s negligence in blocking sexual abuse imagery. The report revealed how criminals used the site to share illegal imagery, which was then accidentally indexed by search engines. TechCrunch’s investigation demonstrated that it’s not just public tech giants who need to be more vigilant about their content.
Megan Rose Dickey explored a botched case of discrimination policy enforcement by Airbnb when a blind and deaf traveler’s reservation was cancelled because they have a guide dog. Airbnb tried to just “educate” the host who was accused of discrimination instead of levying any real punishment until Dickey’s reporting pushed it to suspend them for a month. The investigation reveals the lengths Airbnb goes to in order to protect its money-generating hosts, and how policy problems could mar its IPO.
Zack Whittaker discovered that Islamic State propaganda was being spread through hijacked Twitter accounts. His investigation revealed that if the email address associated with a Twitter account expired, attackers could re-register it to gain access and then receive password resets sent from Twitter. The article revealed the savvy but not necessarily sophisticated ways terrorist groups are exploiting big tech’s security shortcomings, and identified a dangerous loophole for all sites to close.
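The loophole above is that a password-reset email is only as trustworthy as the mailbox that receives it, and a mailbox on a lapsed domain can be re-created by whoever registers the domain next. One way a site can close it is to compare the recovery domain’s registration date with the date the user last proved control of the address before sending a reset. The following is an added example, not Twitter’s code or any vendor’s; the WHOIS-style records, domains and thresholds are constructed for illustration (a real deployment would query RDAP/WHOIS and treat lookup failures as unknown):

```python
"""Gate password-reset e-mails on whether the recovery address could have
changed hands since the user last verified it.

Added illustration, not Twitter's code. FAKE_RDAP is constructed sample data
standing in for a registry lookup.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    handle: str
    recovery_email: str
    email_verified_on: date  # last time the user clicked a verification link


@dataclass
class DomainInfo:
    registered_on: Optional[date]  # None: domain is currently unregistered
    expires_on: Optional[date]


# Constructed registry data for hypothetical domains.
FAKE_RDAP = {
    "example.org": DomainInfo(date(2005, 3, 1), date(2026, 3, 1)),
    # dropped and re-registered after the user verified the address
    "old-news-site.example": DomainInfo(date(2019, 11, 20), date(2020, 11, 20)),
    # registration expired; mail may bounce or go to a new registrant soon
    "expired.example": DomainInfo(date(2015, 1, 1), date(2019, 6, 1)),
    # dropped entirely; anyone can register it today
    "lapsed.example": DomainInfo(None, None),
}


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def reset_decision(acct: Account, today: date, lookup=FAKE_RDAP.get) -> str:
    """Return 'send', 'deny' or 'require_second_factor'.

    The invariant: never mail a reset link to a domain that was registered
    *after* the user proved control of the mailbox, because the mailbox may
    now belong to someone else.
    """
    info = lookup(domain_of(acct.recovery_email))
    if info is None:
        # registry lookup failed or domain unknown: fall back to another factor
        return "require_second_factor"
    if info.registered_on is None:
        # unregistered domain: whoever registers it next would read the mail
        return "deny"
    if info.expires_on is not None and info.expires_on < today:
        return "deny"
    if info.registered_on > acct.email_verified_on:
        # domain changed hands after verification; re-prove ownership first
        return "require_second_factor"
    return "send"


if __name__ == "__main__":
    today = date(2020, 1, 18)
    for email in ("u@example.org", "u@old-news-site.example",
                  "u@expired.example", "u@lapsed.example", "u@unknown.example"):
        acct = Account("demo", email, date(2018, 1, 1))
        print(f"{email:28s} -> {reset_decision(acct, today)}")
```

The same comparison works for any recovery channel that is reachable through a resource someone else can later acquire (a domain, a recycled phone number); the point is to bind the reset to the verification event, not just to the address string.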
Josh Constine found dozens of pornography and real-money gambling apps had broken Apple’s rules but avoided App Store review by abusing its enterprise certificate program — many based in China. The report revealed the weak and easily defrauded requirements to receive an enterprise certificate. Seven months later, Apple revealed a spike in porn and gambling app takedown requests from China. The investigation could push Apple to tighten its enterprise certificate policies, and proved the company has plenty of its own problems to handle despite CEO Tim Cook’s frequent jabs at the policies of other tech giants.
This Game Of Thrones-worthy tale was too intriguing to leave out, even if the impact was more of a warning to all startup executives. Josh Constine’s look inside gaming startup HQ Trivia revealed a saga of employee revolt in response to its CEO’s ineptitude and inaction as the company nose-dived. Employees who organized a petition to the board to remove the CEO were fired, leading to further talent departures and stagnation. The investigation served to remind startup executives that they are responsible to their employees, who can exert power through collective action or their exodus.
If you have a tip for Josh Constine, you can reach him via encrypted Signal or text at (585)750-5674, joshc at TechCrunch dot com, or through Twitter DMs
Microsoft has confirmed a security flaw affecting Internet Explorer is currently being used by hackers, but that it has no immediate plans to fix.
In a late-evening tweet, US-CERT, the division of Homeland Security tasked with reporting on major security flaws, tweeted a link to a security advisory detailing the bug, describing it as “being exploited in the wild.”
Microsoft said all supported versions of Windows are affected by the flaw, including Windows 7, which after this week no longer receives security updates.
The vulnerability was found in how Internet Explorer handles memory. An attacker could use the flaw to remotely run malicious code on an affected computer, such as tricking a user into opening a malicious website from a search query or a link sent by email.
It’s believed to be a similar vulnerability as one disclosed by Mozilla, the maker of the Firefox browser, earlier this week. Both Microsoft and Mozilla credited Qihoo 360, a China-based security research team, with finding flaws under active attack. Earlier in the week, Qihoo 360 reportedly deleted a tweet referencing a similar flaw in Internet Explorer.
Microsoft told TechCrunch that it was “aware of limited targeted attacks” and was “working on a fix,” but that it was unlikely to release a patch until its next round of monthly security fixes — scheduled for February 11.
Neither Qihoo, Microsoft nor Mozilla said how attackers were exploiting the bug, who the attackers were, or who was being targeted. The U.S. government’s cybersecurity advisory unit also issued a warning about current exploitation.
Microsoft assigned the bug with a common vulnerability identifier, CVE-2020-0674, but specific details of the bug have yet to be released.
When reached, a Microsoft spokesperson did provide comment.
VU#338824: Microsoft Internet Explorer Scripting Engine memory corruption vulnerability https://t.co/VAnKfBDdLU
— US-CERT (@USCERT_gov) January 18, 2020
The UK’s data protection regulator has been slammed by privacy experts for once again failing to take enforcement action over systematic breaches of the law linked to behaviorally targeted ads — despite warning last summer that the adtech industry is out of control.
The Information Commissioner’s Office (ICO) has also previously admitted it suspects the real-time bidding (RTB) system involved in some programmatic online advertising to be unlawfully processing people’s sensitive information. But rather than take any enforcement against companies it suspects of law breaches it has today issued another mildly worded blog post — in which it frames what it admits is a “systemic problem” as fixable via (yet more) industry-led “reform”.
Yet it’s exactly such industry-led self-regulation that’s created the unlawful adtech mess in the first place, data protection experts warn.
The pervasive profiling of Internet users by the adtech ‘data industrial complex’ has been coming under wider scrutiny by lawmakers and civic society in recent years — with sweeping concerns being raised in parliaments around the world that individually targeted ads provide a conduit for discrimination, exploit the vulnerable, accelerate misinformation and undermine democratic processes as a consequence of platform asymmetries and the lack of transparency around how ads are targeted.
In Europe, which has a comprehensive framework of data protection rights, the core privacy complaint is that these creepy individually targeted ads rely on a systemic violation of people’s privacy from what amounts to industry-wide, Internet-enabled mass surveillance — which also risks the security of people’s data at vast scale.
It’s now almost a year and a half since the ICO was the recipient of a major complaint into RTB — filed by Dr Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Dr Michael Veale, a data and policy lecturer at University College London — laying out what the complainants described then as “wide-scale and systemic” breaches of Europe’s data protection regime.
The complaint — which has also been filed with other EU data protection agencies — argues that the systematic broadcasting of people’s personal data to bidders in the adtech chain is inherently insecure and thereby contravenes Europe’s General Data Protection Regulation (GDPR), which stipulates that personal data be processed “in a manner that ensures appropriate security of the personal data”.
The regulation also requires a valid legal basis for processing people’s information in the first place — and RTB fails that test, per privacy experts — whether ‘consent’ is claimed (given the sheer number of entities and volumes of data being passed around, it’s not credible to meet GDPR’s ‘informed, specific and freely given’ threshold for consent to be valid) or ‘legitimate interests’ (which requires a number of balancing assessment tests to demonstrate it actually applies).
“We have reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. Our current view is that the justification offered by organisations is insufficient,” writes Simon McDougall, the ICO’s executive director of technology and innovation, developing a warning over the industry’s rampant misuse of legitimate interests to try to pass off RTB’s unlawful data processing as legit.
The ICO also isn’t exactly happy about what it’s found adtech doing on the Data Protection Impact Assessment front — saying, in so many words, that it’s come across widespread industry failure to actually, er, assess impacts.
“The Data Protection Impact Assessments we have seen have been generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual,” writes McDougall.
“We have also seen examples of basic data protection controls around security, data retention and data sharing being insufficient,” he adds.
Yet — again — despite fresh admissions of adtech’s lawfulness problem the regulator is choosing more stale inaction.
In the blog post McDougall does not rule out taking “formal” action at some point — but there’s only a vague suggestion of such activity being possible, and zero timeline for “develop[ing] an appropriate regulatory response”, as he puts it. (His preferred ‘E’ word in the blog is ‘engagement’; you’ll only find the word ‘enforcement’ in the footer link on the ICO’s website.)
“We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis,” he adds.
McDougall also trumpets some incremental industry fiddling — such as trade bodies agreeing to update their guidance — as somehow relevant to turning the tanker in a fundamentally broken system.
(Trade body the Internet Advertising Bureau’s UK branch has responded to developments with an upbeat note from its head of policy and regulatory affairs, Christie Dennehy-Neil, who lauds the ICO’s engagement as “a constructive process”, claiming: “We have made good progress” — before going on to urge its members and the wider industry to implement “the actions outlined in our response to the ICO” and “deliver meaningful change”. The statement climaxes with: “We look forward to continuing to engage with the ICO as this process develops.”)
McDougall also points to Google removing content categories from its RTB platform from next month (a move it announced months back, in November) as an important development; and seizes on the tech giant’s recent announcement of a proposal to phase out support for third party cookies within the next two years as ‘encouraging’.
Privacy experts have responded with facepalmed outrage to yet another can-kicking exercise by the UK regulator — warning that cosmetic tweaks to adtech won’t fix a system that’s designed to feast off an unlawful and inherently insecure high velocity background trading of Internet users’ personal data.
“When an industry is premised and profiting from clear and entrenched illegality that breach individuals’ fundamental rights, engagement is not a suitable remedy,” said UCL’s Veale in a statement. “The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”
ICO believes that cosmetic fixes can do the job when it comes to #adtech. But no matter how secure data flows are and how beautiful cookie notices are, can people really understand the consequences of their consent? I'm convinced that this consent will *never* be informed. 1/2 https://t.co/1avYt6lgV3
— Karolina Iwańska (@ka_iwanska) January 17, 2020
The trio behind the RTB complaints (which includes Veale) have also issued a scathing collective response to more “regulatory ambivalence” — denouncing the lack of any “substantive action to end the largest data breach ever recorded in the UK”.
“The ‘Real-Time Bidding’ data breach at the heart of RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination,” they warn. “Regulatory ambivalence cannot continue. The longer this data breach festers, the deeper the rot sets in and the further our data gets exploited. This must end. We are considering all options to put an end to the systemic breach, including direct challenges to the controllers and judicial oversight of the ICO.”
Wolfie Christl, a privacy researcher who focuses on adtech — including contributing to a recent study looking at how extensively popular apps are sharing user data with advertisers — dubbed the ICO’s response “disastrous”.
“Last summer the ICO stated in their report that millions of people were affected by thousands of companies’ GDPR violations. I was sceptical when they announced they would give the industry six more months without enforcing the law. My impression is they are trying to find a way to impose cosmetic changes and keep the data industry happy rather than acting on their own findings and putting an end to the ubiquitous data misuse in today’s digital marketing, which should have happened years ago. The ICO seems to prioritize appeasing the industry over the rights of data subjects, and this is disastrous,” he told us.
“The way data-driven online marketing currently works is illegal at scale and it needs to be stopped from happening,” Christl added. “Each day EU data protection authorities allow these practices to continue further violates people’s rights and freedoms and perpetuates a toxic digital economy.
“This undermines the GDPR and generally trust in tech, perpetuates legal uncertainty for businesses, and punishes companies who comply and create privacy-respecting services and business models.
“Twenty months after the GDPR came into full force, it is still not enforced in major areas. We still see large-scale misuse of personal information all over the digital world. There is no GDPR enforcement against the tech giants and there is no enforcement against thousands of data companies beyond the large platforms. It seems that data protection authorities across the EU are either not able — or not willing — to stop many kinds of GDPR violations conducted for business purposes. We won’t see any change without massive fines and data processing bans. EU member states and the EU Commission must act.”
Cyral, an early-stage startup that helps protect data stored in cloud repositories, announced an $11 million Series A today. The company also revealed a previous undisclosed $4.1 million angel investment, making the total $15.1 million.
The Series A was led by Redpoint Ventures. A.Capital Ventures, Costanoa VC, Firebolt, SV Angel and Trifecta Capital also participated in the round.
Cyral co-founder and CEO Manav Mital says the company’s product acts as a security layer on top of cloud data repositories — whether databases, data lakes, data warehouse or other data repository — helping identify issues like faulty configurations or anomalous activity.
Mital says that unlike most security data products of this ilk, Cyral doesn’t use an agent or watch points to try to detect signals that indicate something is happening to the data. Instead, he says that Cyral is a security layer attached directly to the data.
“The core innovation of Cyral is to put a layer of visibility attached right to the data endpoint, right to the interface where application services and users talk to the data endpoint, and in real time see the communication,” Mital explained.
As an example, he says that Cyral could detect that someone has suddenly started scanning rows of credit card data, or that someone was trying to connect to a database on an unencrypted connection. In each of these cases, Cyral would detect the problem, and depending on the configuration, send an alert to the customer’s security team to deal with the problem, or automatically shut down access to the database before informing the security team.
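The two signals Mital describes, a sudden bulk read of card data and a client connecting without encryption, are both visible in a database audit stream. The following is an added example of that detection logic, not Cyral’s product code: the key=value audit format, the table tags, the row threshold and the list of accounts allowed to bulk-read are all assumptions, and the log lines are constructed.

```python
"""Detect bulk reads of sensitive tables and unencrypted connections in
database audit lines. Added example, not Cyral's code; the log format,
tags and thresholds are assumptions and SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Constructed audit lines in an assumed key=value format.
SAMPLE_LOG = """\
ts=2020-01-18T10:00:01Z user=app_orders src=10.0.1.5 db=orders tls=yes op=SELECT table=orders rows=12
ts=2020-01-18T10:00:03Z user=app_orders src=10.0.1.5 db=orders tls=yes op=SELECT table=orders rows=8
ts=2020-01-18T10:02:10Z user=analyst_j src=10.0.9.77 db=payments tls=no op=SELECT table=cards rows=5
ts=2020-01-18T10:02:15Z user=analyst_j src=10.0.9.77 db=payments tls=no op=SELECT table=cards rows=40000
ts=2020-01-18T10:03:00Z user=etl_batch src=10.0.2.2 db=payments tls=yes op=SELECT table=cards rows=250000
ts=2020-01-18T10:03:30Z user=app_orders src=10.0.1.5 db=orders tls=yes op=UPDATE table=orders rows=1
"""

SENSITIVE_TABLES = {"cards", "ssn"}     # assumed tags for PCI/PII tables
BULK_ROW_THRESHOLD = 10_000             # assumed: rows per statement that count as a scan
ALLOWED_BULK_READERS = {"etl_batch"}    # assumed service accounts permitted to bulk-read
# assumed response per rule: "block" cuts the session, "alert" only notifies
RESPONSE = {"bulk_sensitive_read": "block", "unencrypted_connection": "alert"}

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value audit line into a dict (empty dict if unparseable)."""
    return dict(LINE_RE.findall(line))


def detect(log_text: str):
    """Return (findings, rows_by_user).

    findings: list of (rule, user, detail, response) in log order.
    rows_by_user: rows read from sensitive tables per user, for trending.
    """
    findings = []
    rows_by_user = defaultdict(int)
    seen_plaintext = set()  # dedupe one finding per (user, src, db) session
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        if ev.get("tls") != "yes":
            session = (ev["user"], ev["src"], ev["db"])
            if session not in seen_plaintext:
                seen_plaintext.add(session)
                findings.append(("unencrypted_connection", ev["user"],
                                 f"{ev['src']} -> {ev['db']} without TLS",
                                 RESPONSE["unencrypted_connection"]))
        if ev.get("op") == "SELECT" and ev.get("table") in SENSITIVE_TABLES:
            n = int(ev.get("rows", 0))
            rows_by_user[ev["user"]] += n
            if n >= BULK_ROW_THRESHOLD and ev["user"] not in ALLOWED_BULK_READERS:
                findings.append(("bulk_sensitive_read", ev["user"],
                                 f"{n} rows from {ev['table']}",
                                 RESPONSE["bulk_sensitive_read"]))
    return findings, dict(rows_by_user)


if __name__ == "__main__":
    found, totals = detect(SAMPLE_LOG)
    for rule, user, detail, response in found:
        print(f"{response.upper():5s} {rule:23s} {user:10s} {detail}")
    print("sensitive rows per user:", totals)
```

Running it on the constructed lines yields one alert for the analyst’s plaintext session and one block for the 40,000-row read of `cards`; the ETL account’s larger read is allowed because it is on the bulk-reader allowlist, which is the sort of policy a security team would tune per environment.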
It’s still early days for Cyral, with 15 employees and a handful of early access customers. Mital says for this round he’s working on building a product to market that’s well-designed and easy to use.
He says that people get the problem he’s trying to solve. “We could walk into any company and they are all worried about this problem. So for us getting people interested has not been an issue. We just want to make sure we build an amazing product,” he said.
In a tweet late Tuesday, President Trump criticized Apple for refusing “to unlock phones used by killers, drug dealers and other violent criminal elements.” Trump was specifically referring to a locked iPhone that belonged to a Saudi airman who killed three U.S. sailors in an attack on a Florida base in December.
It’s only the latest example of the government trying to gain access to a terror suspect’s device it claims it can’t access because of the encryption that scrambles the device’s data without the owner’s passcode.
The government spent the past week bartering for Apple’s help. Apple said it had given investigators “gigabytes of information,” including “iCloud backups, account information and transactional data for multiple accounts.” In every instance it received a legal demand, Apple said it “responded with all of the information” it had. But U.S. Attorney General William Barr accused Apple of not giving investigators “any substantive assistance” in unlocking the phone.
Presidential candidate Pete Buttigieg has lost his campaign’s chief information security officer, citing “differences” with the campaign over its security practices.
Mick Baccio, who served on the former South Bend mayor’s campaign for the White House, left his position earlier this month.
The Wall Street Journal first reported the news. TechCrunch also confirmed Baccio’s resignation; he left less than a year after joining the Buttigieg campaign.
“I had fundamental philosophical differences with campaign management regarding the architecture and scope of the information security program,” Baccio told TechCrunch.
“We thank him for the work he did to protect our campaign against attacks,” said Buttigieg spokesperson Chris Meagher. The spokesperson said that the campaign had retained a new security firm, but would not say which company.
Baccio was the only known staffer dedicated to overseeing cybersecurity across all the presidential campaigns. News of his departure comes just months before millions of Americans are set to vote in the 2020 presidential election.
But concerns have been raised about the overall security posture of the candidates’ campaigns, as well as voting and election infrastructure across the United States, ahead of the vote.
A report from a government watchdog last March said Homeland Security “does not have dedicated staff” focused on election infrastructure. Since then, security researchers found many of the largest voting districts are vulnerable to simple cyberattacks, such as sending malicious emails designed to look like a legitimate message, a type of tactic used by Russian operatives during the 2016 presidential election.
In October, Iran-backed hackers unsuccessfully targeted President Trump’s re-election campaign.
More than half a year after Google said Android phones could be used as a security key, the feature is coming to iPhones.
Google said it’ll bring the feature to iPhones in an effort to give at-risk users, like journalists and politicians, access to additional account and security safeguards, effectively removing the need to use a physical security key like a Yubico or a Google Titan key.
Two-factor authentication remains one of the best ways to protect online accounts. Typically it works by getting a code or a notification sent to your phone. By acting as an additional layer of security, it makes it far more difficult for even the most sophisticated and resource-backed attackers to break in. Hardware keys are even stronger. Google’s own data shows that security keys are the gold standard for two-factor authentication, surpassing other options, like a text message sent to your phone.
Google said it was bringing the technology to iPhones as part of an effort to give at-risk groups greater access to tools that secure their accounts, particularly in the run-up to the 2020 presidential election, where foreign interference remains a concern.
Network security giant Cloudflare said it will provide its security tools and services to U.S. political campaigns for free, as part of its efforts to secure upcoming elections against cyberattacks and election interference.
The company said its new Cloudflare for Campaigns offering will include distributed denial-of-service attack mitigation, load balancing for campaign websites, a website firewall, and anti-bot protections.
It’s an expansion of the company’s security offering for journalists, civil rights activists and humanitarian groups under its Project Galileo, which aims to protect against disruptive cyberattacks. The project later expanded to smaller state and local government sites in 2018, with an aim of protecting servers containing voter registration data and other election infrastructure from attacks.
Cloudflare’s co-founder and chief executive Matthew Prince said there was a “clear need” to help campaigns secure not only their public facing websites but also their internal data security.
The company said it’s working with the non-partisan, non-profit organization Defending Digital Campaigns to provide its services to campaigns. Last year the Federal Elections Commission changed the rules to allow political campaigns to receive discounted cybersecurity assistance, which was previously a campaign finance violation.
Not the city, the $57 million-funded cryptocurrency custodian startup. When someone wants to keep tens or hundreds of millions of dollars in Bitcoin, Ethereum, or other coins safe, they put them in Anchorage’s vault. And now they can trade straight from custody so they never have to worry about getting robbed mid-transaction.
With backing from Visa, Andreessen Horowitz, and Blockchain Capital, Anchorage has emerged as the darling of the cryptocurrency security startup scene. Today it’s flexing its muscle and war chest by announcing its first acquisition, crypto risk modeling company Merkle Data.
Anchorage has already integrated Merkle’s technology and team to power today’s launch of its new trading feature. It eliminates the need for big crypto owners to manually move assets in and out of custody to buy or sell, or to set up their own in-house trading. Instead of grabbing some undisclosed spread between the spot price and the price Anchorage quotes its clients, it charges a transparent per transaction fee of a tenth of a percent.
It’s stressful enough trading around digital fortunes. Anchorage gives institutions and token moguls peace of mind throughout the process while letting them stake and vote while their riches are in custody. Anchorage CEO Nathan McCauley tells me “Our clients want to be able to fund a bank account with USD and have it seamlessly converted into crypto, securely held in their custody accounts. Shockingly, that’s not yet the norm–but we’re changing that.”
Founded in 2017 by leaders behind Docker and Square, Anchorage’s core business is its omnimetric security system, which takes passwords that can be lost or stolen out of the equation. Instead, it uses humans and AI to review scans of your biometrics, nearby networks, and other data for identity confirmation. Then it requires consensus approval for transactions from a set of trusted managers you’ve whitelisted.
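The “consensus approval from whitelisted managers” step is, at its core, an M-of-N authorization check: a transaction moves only once a threshold of distinct, pre-approved people have each approved exactly that transaction. The following is an added illustration of that check, not Anchorage’s code; per-manager HMAC keys stand in for the hardware-backed signatures a real custodian would use, and the managers, keys and transaction are constructed.

```python
"""M-of-N approval for a custody transaction. Added example, not Anchorage's
code. HMAC keys are a stand-in for per-manager hardware signing keys; the
whitelist and transaction below are constructed."""
import hashlib
import hmac
import json


def tx_digest(tx: dict) -> bytes:
    # Canonical serialisation so every approver commits to the same bytes;
    # the nonce in the transaction keeps an old approval from being replayed.
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def approve(tx: dict, manager_id: str, key: bytes) -> tuple:
    """A manager's approval: (who, MAC over the transaction digest)."""
    return (manager_id, hmac.new(key, tx_digest(tx), hashlib.sha256).hexdigest())


def authorize(tx: dict, approvals: list, whitelist: dict, threshold: int) -> bool:
    """True iff at least `threshold` distinct whitelisted managers validly
    approved exactly this transaction. Repeated approvals by one manager,
    approvals from unknown identities and approvals of a different
    transaction do not count."""
    digest = tx_digest(tx)
    valid = set()
    for manager_id, mac in approvals:
        key = whitelist.get(manager_id)
        if key is None:
            continue  # not a whitelisted manager
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            valid.add(manager_id)  # set membership dedupes one manager's repeats
    return len(valid) >= threshold


# Constructed whitelist (manager -> secret) and a constructed transaction.
WHITELIST = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
TX = {"from": "vault-7", "to": "bc1qexampledestination", "amount_btc": "250.0", "nonce": 41}

if __name__ == "__main__":
    two = [approve(TX, "alice", WHITELIST["alice"]), approve(TX, "bob", WHITELIST["bob"])]
    print("2-of-3 with alice+bob:", authorize(TX, two, WHITELIST, 2))
    tampered = dict(TX, to="bc1qattacker")
    print("same approvals, altered destination:", authorize(tampered, two, WHITELIST, 2))
```

The two properties worth noticing are that the threshold counts distinct identities rather than approval messages, and that an approval binds to the full canonical transaction, so changing the destination or amount after collecting approvals invalidates them.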
With Anchorage Trading, the startup promises efficient order routing, transparent pricing, and multi-venue liquidity from OTC desks, exchanges, and market makers. “Because trading and custody are directly integrated, we’re able to buy and sell crypto from custody, without having to make risky external transfers or deal with multiple accounts from different providers” says Bart Stephens, founder and managing partner of Blockchain Capital.
Trading isn’t Anchorage’s primary business, so it doesn’t have to squeeze clients on their transactions and can instead try to keep them happy for the long term. That also sets up Anchorage to be a foundational part of the cryptocurrency stack. It wouldn’t disclose the terms of the Merkle Data acquisition, but the Pantera Capital-backed company brings quantitative analysts to Anchorage to keep its trading safe and smart.
“Unlike most traditional financial assets, crypto assets are bearer assets: in order to do anything with them, you need to hold the underlying private keys. This means crypto custodians like Anchorage must play a much larger role than custodians do in traditional finance” says McCauley. “Services like trading, settlement, posting collateral, lending, and all other financial activities surrounding the assets rely on the custodian’s involvement, and in our view are best performed by the custodian directly.”
Anchorage will be competing with Coinbase, which offers integrated custody and institutional brokerage through its agency-only OTC desk. Fidelity Digital Assets combines trading and brokerage, but for Bitcoin only. BitGo offers brokerage from custody through a partnership with Genesis Global Trading. But Anchorage hopes its experience handling huge sums, clear pricing, and credentials like membership in Facebook’s Libra Association will win it clients.
McCauley says the biggest threat to Anchorage isn’t competitors, though, but hazy regulation. Anchorage is building a core piece of the blockchain economy’s infrastructure. But for the biggest financial institutions to be comfortable getting involved, lawmakers need to make it clear what’s legal.
A security researcher has found several vulnerabilities in a number of Ruckus wireless routers, which the networking giant has since patched.
Gal Zror told TechCrunch that the vulnerabilities he found lie in the web user interface software that runs on the company’s Unleashed line of routers.
The flaws can be exploited without needing a router’s password, and can be used to take complete control of affected routers from over the internet.
Routers act as a gateway between a home or office network and the wider internet. Routers are also a major line of defense against unauthorized access to that network. But routers can be a single point of failure. If attackers find and take advantage of vulnerabilities in the router’s software, they can control the device and gain access to the wider internal network, exposing computers and other devices to hacks and data theft.
Zror said his three vulnerabilities can be used to gain “root” privileges on the router — the highest level of access — allowing the attacker unfettered access to the device and the network.
Although the three vulnerabilities vary by difficulty to exploit, the easiest of the vulnerabilities uses just a single line of code, Zror said.
With complete control of a router, an attacker can see all of the network’s unencrypted internet traffic. An attacker also can silently re-route traffic from users on the network to malicious pages that are designed to steal usernames and passwords.
Zror said that because many of the routers are accessible from the internet, they make “very good candidates for botnets.” That’s when an attacker forcibly enlists a vulnerable router — or any other internet-connected device — into its own distributed network, controlled by a malicious actor, which can be collectively told to pummel websites and other networks with massive amounts of junk traffic, knocking them offline.
There are “thousands” of vulnerable Ruckus routers on the internet, said Zror. He revealed his findings at the annual Chaos Communication Congress conference in Germany.
Ruckus told TechCrunch it fixed the vulnerabilities in the 18.104.22.168.92 software update, but said that customers have to update their vulnerable devices themselves.
“By design our devices do not fetch and install software automatically to ensure our customers can manage their networks appropriately,” said Ruckus spokesperson Aharon Etengoff. “We are strongly advising our customers and partners to deploy the latest firmware releases as soon as possible to mitigate these vulnerabilities,” he said.
Ruckus confirmed its SmartZone-enabled devices and Ruckus Cloud access points are not vulnerable.
“It’s very important for the customers to know that if they’re running an old version [of the software], they might be super vulnerable to this very simple attack,” said Zror.