Security Now 1048: "Mic-E-Mouse"
Date: October 22, 2025
Hosts: Steve Gibson & Leo Laporte
Episode Overview
This week’s "Security Now" delivers a rich mix of timely security discussions:
- The legal and technical fallout from Texas' controversial age verification law (SB2420)
- NIST’s long-overdue overhaul of password policy and what it means in practice
- The recent major AWS outage as a cautionary tale about “Internet monoculture”
- A surprising revelation: mice (the computer kind) as unexpected eavesdropping devices
- Other highlights: Unencrypted satellite data, continued activities of the hacking group Scattered LAPSUS$ Hunters, U.S.-China cyber claims, and insightful listener feedback
Main Topics & Key Discussions
1. Texas Age Verification Law – Lawsuit, Impact, and Industry Response
[17:00]
Steve and Leo reflect on listener engagement and recap Texas SB2420, which requires age verification for mobile app stores and parental consent for minors. The new law, taking effect January 1st, 2026, is being challenged:
- Lawsuits (from the CCIA and a youth advocacy group) argue SB2420 imposes unconstitutional prior restraint and compelled speech.
- The law applies broadly to any “app store” for mobile devices, affecting everything from social media to educational and news apps—potentially “Wikipedia, messaging apps, content libraries, and more.”
- The Supreme Court's prior ruling on a comparable Texas pornography law supported age verification, stating: “Adults have no First Amendment right to avoid age verification.” ([29:04], Steve Gibson)
- Both Apple and Google outline compliance plans, with Google Play announcing new APIs for developers and parental control mechanisms. ([31:00], Steve summarizes Google’s steps)
- Steve and Leo warn about increased “choke points” due to app store centralization: “It only works because there are two companies you have to penalize.” ([34:10], Leo Laporte)
Notable Quotes
- “The Constitution also forbids restricting adult access to speech in the name of protecting children.” ([24:26], Steve, quoting lawsuit)
- “No one ever got fired for choosing IBM. AWS is the same now.” ([102:17], Steve Gibson)
Broader Implications
- The loophole of unregulated desktop platforms is noted ([36:44]), as are the perverse incentives for biometric age verification and technical workarounds by minors.
- Listener feedback expands on practical circumvention (“older brother loophole” – [122:00], Duncan in Australia) and the global trend (see Australia, Mississippi, EU chat controls, etc.).
2. NIST’s Password Policy Overhaul
[44:00]
Steve celebrates NIST finally abandoning their long-discredited password recommendations, after 13 years:
- No more forced complexity: Emphasize password length over symbols/numbers.
- Length is strength: Minimum 15 characters if no multifactor authentication, and support for passwords up to 64 characters (!).
- No more periodic resets: Only reset after compromise.
- Phase out “security questions” and hints: Too easily bypassed.
- Implement password blocklists for common/compromised passwords.
Steve’s historical “Password Haystacks” work predicted this trend:
“If all possible passwords were going to be checked…only the password’s length mattered.” ([44:02], Steve Gibson)
- Resource: Steve created a shortcut to the new NIST guidelines: GRC.SC/1048 ([59:17], Steve)
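The rules above translate directly into an acceptance check. The following Python function is an added example, not code from the episode or from GRC: it applies the summarized guidance (length over complexity, a 15-character floor without MFA, 64 characters accepted, a blocklist, no composition rules, no expiry). The 8-character floor when a second factor is enrolled and the Unicode NFKC normalization step are assumptions taken from NIST SP 800-63B rather than from the summary, and the blocklist is a small constructed stand-in for a real compromised-password list.

```python
"""Password acceptance check modelled on the NIST guidance summarized above (added example)."""
from dataclasses import dataclass, field
import unicodedata

MIN_LENGTH_SINGLE_FACTOR = 15   # from the summary: 15 characters when no MFA is in use
MIN_LENGTH_WITH_MFA = 8         # assumption: NIST's 8-character floor when a second factor is enrolled
MAX_LENGTH = 64                 # from the summary: passwords up to 64 characters must be accepted

# Constructed blocklist standing in for a real list of common/compromised passwords.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "welcome1",
    "correct horse battery staple",
}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def normalize(password: str) -> str:
    # Assumption from SP 800-63B: NFKC-normalize so the same visible string always compares equal.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, mfa_enrolled: bool = False, blocklist=BLOCKLIST) -> PolicyResult:
    """Return whether the password is acceptable and, if not, every reason why."""
    pw = normalize(password)
    reasons: list[str] = []
    min_len = MIN_LENGTH_WITH_MFA if mfa_enrolled else MIN_LENGTH_SINGLE_FACTOR

    # Count code points, not bytes, so non-ASCII passphrases are not penalized; spaces are allowed.
    length = len(pw)
    if length < min_len:
        reasons.append(f"too short: {length} < {min_len} characters")
    if length > MAX_LENGTH:
        reasons.append(f"too long: {length} > {MAX_LENGTH} characters")

    # Blocklist comparison is case-insensitive; a trivially capitalized common word is still common.
    if pw.casefold() in blocklist:
        reasons.append("appears on the blocklist of common/compromised passwords")

    # Deliberately absent, per the guidance: no symbol/digit/uppercase requirements,
    # no hints or security questions, and no expiry date (see reset_required).
    return PolicyResult(accepted=not reasons, reasons=reasons)


def reset_required(compromised: bool, days_since_set: int) -> bool:
    """Rotation is triggered only by evidence of compromise; the age of the password is ignored."""
    return compromised


if __name__ == "__main__":
    for candidate, mfa in [("Tr0ub4dor&3", False), ("Tr0ub4dor&3", True),
                           ("my dog eats tulips in march", False),
                           ("correct horse battery staple", False)]:
        result = check_password(candidate, mfa_enrolled=mfa)
        print(f"{candidate!r} (mfa={mfa}): accepted={result.accepted} {result.reasons}")
```

Note that the classic "complex" 11-character password is rejected without a second factor purely on length, while a 27-character all-lowercase phrase is accepted, which is the haystacks point in code.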
Notable Quotes
- “Now we have new official NIST guidelines that can be…waved around in front of the IT department.” ([58:48], Steve)
- “The IT department…changed their policy back in the day and ain’t going to fix it.” ([59:03], Leo Laporte)
3. AWS Major Outage – Risks of Internet Monoculture
[91:14]
The episode reviews the previous day’s AWS outage, which took down major Internet services (Snapchat, Fortnite, Slack, Coinbase, Ring, etc.), hospitals, banks, even smart beds:
- It was the result of an IT error—misconfigured DNS affecting critical Amazon DynamoDB resources across US-East, causing “cascading failure” in 143 AWS services ([102:52], Steve).
- The incident highlights the risk of too much dependence on a few cloud providers:
- “Experts…warned of the perils of relying on a small number of companies for operating the global Internet…” (The Guardian, quoted by Steve [95:12])
- “No one’s forcing you to use AWS—but everyone does.” ([102:13], Steve)
- The discussion points out how monopolistic app stores and cloud providers deliver both stability and catastrophic risk when centralized infrastructure fails.
4. “Mic-E-Mouse” – Your Mouse as a Microphone
[143:00]
Featured Topic: Shocking new academic research uncovers that modern optical computer mice can “detect” speech via surface vibrations and potentially act as covert listening devices!
- UC Irvine researchers demonstrated, using advanced signal processing and AI, that audio vibrations from ambient speech can subtly move the mouse and be detected via mouse sensors.
- Standard user-space software, or even websites with high-speed mouse tracking (WebAssembly), could exfiltrate these signals without extra privileges.
- Results: In tests, up to ~61% accurate speech recognition on standard datasets.
- Security implication: “You may not want to repeat…important passwords out loud—your mouse might indeed have very big ears.” ([160:40], Steve)
Technical Details
The “Mic-E-Mouse” attack demonstrates:
- Modern gaming mice sample movement at up to 4,000 Hz or 8,000 Hz, are highly sensitive, and ambient vibrations encode speech.
- AI models (OpenAI’s Whisper, retrained) can map noisy X/Y data back to corresponding audio with surprising accuracy.
- Even websites are theoretically able to exploit this if they capture high-precision pointer movement ([163:00], Steve).
Notable Quotes
- “Websites are also able to obtain mouse coordinates in real time...a website you visit...might now be sufficient to collect sufficient mouse vibration data, to later reverse engineer the speech.” ([154:20], Steve)
- “61% is amazing—that’s really good.” ([153:07], Leo)
- “Whoever thought that tightly watching mouse position could be a security vulnerability?” ([153:26], Steve)
Link: Mic-E-Mouse research & code
5. Unencrypted Satellite Data – Classic Security Through Obscurity ([71:46] & [75:00])
A team from UC San Diego & Maryland discovered staggering amounts of unencrypted IP data spilling from geostationary satellites:
- Exposed: Cellular backhaul, military, government, inflight Wi-Fi, corporate emails, VoIP, retail, SCADA infrastructure—all in the clear, accessible with ~$750 of standard SDR gear.
- “Apparently because no one ever thought to look up,” says Steve; a classic case of so-called “security through obscurity.”
- “If shining a very bright light on this doesn’t get it fixed, then nothing will.” ([84:29], Steve)
6. Brief Headlines and Updates
- Scattered LAPSUS$ Hunters: The hacking group is still active, “reports of their demise were greatly exaggerated.” ([60:31], Steve)
- NSA-China Cyber Tit for Tat: China claims US NSA hacked their national time center; Steve notes it’s “not unwelcome” to hear that Western powers are also on the offense. ([62:44], Steve)
- Listener feedback: A substantial mailbag covers: loopholes in age-gating, the older brother workaround, Discord’s document leak, F-Droid and third-party app stores, EU chat controls, and the challenge of true parental controls.
- Media Pick: Steve and Leo recommend the new season of Netflix series "The Diplomat." ([134:55], Steve)
Highlighted Timestamps
- [17:00]: Texas SB2420 lawsuit details, implications, and analysis
- [24:26]: “Pushback and chilling tidbits” from the law and Supreme Court
- [44:00]: NIST password guidelines overhauled, Steve’s “haystacks” principle vindicated
- [58:48]: Steve’s shortcut to new NIST policy for IT departments
- [71:46]: Unencrypted satellite traffic study—security by obscurity in practice
- [91:14]: Discussion of AWS outage and dangers of infrastructure monoculture
- [102:52]: Technical breakdown: what went wrong at AWS
- [143:00]: Mouse as eavesdropping device—Mic-E-Mouse research explained
Memorable Quotes
- Steve Gibson: “If you tossed a coin three times, there’s a 1 in 4 chance you get all heads or all tails… Statistics is weird.” ([04:05])
- Steve Gibson: “Free is free. Right. And asking someone to pay anything is…a heavy lift. I get it.” ([05:29])
- Leo Laporte: “This points out the real issue with having app stores as the only way to get apps…now they’re a choke point the government can use to enforce this.” ([34:10])
- Steve Gibson: “You may not want to repeat…important passwords out loud. Your mouse might indeed have very big ears.” ([160:40])
- Leo Laporte: “We really made these browsers way too powerful if you could do that.” ([163:13])
Listener Feedback Highlights
- Older Sibling Loophole: Age gating will always be defeated by kids sharing credentials or devices; “It’s futile from the start.” ([122:00])
- Discord’s document leak: Despite claims of not storing data, 70,000+ IDs were compromised—regulatory/legal exposure looms. ([126:16])
- F-Droid & 3rd Party App Stores: Legal language is broad; even FOSS app catalogues might be vulnerable to new laws. ([116:00])
- Satellites: Hobbyist opportunity or privacy disaster? Everything’s broadcast if you know where to look. ([86:46])
Tone and Style
Steve and Leo keep it light, humorous, and deeply analytical, often interleaving playful banter (“My balls” from old mice!), with dense technical explanation. The show is fast-paced but always takes time for clear breakdowns, memorable analogies, and credit to the community for feedback and corrections.
Conclusion
This episode delivers signature "Security Now": practical tech analysis, legal insight, anticipation of social and technical workarounds, plus classic mind-bending security research. If you want to understand why password rules are changing, how a law in Texas could affect your child's devices, or if even your mouse is listening—this is your must-listen briefing.
For detailed resources, show notes, and links to research papers: visit GRC.com.