Risky Bulletin: Research Turns Any Bluetooth Device into an AirTag
Hosted by risky.biz
Release Date: March 5, 2025
1. Turning Bluetooth Devices into AirTags: The nRootTag Technique
In the opening segment, host Claire Aird covers a study by U.S. academics at George Mason University that introduces the nRootTag technique. It lets an attacker make almost any Bluetooth device, such as a laptop, phone or IoT gadget, report its location through Apple's Find My network as though it were a lost AirTag. Earlier impersonation methods needed root or administrator privileges because they had to change the device's Bluetooth address; nRootTag keeps the existing address and instead searches, with GPU-scale computation, for a cryptographic key pair that fits that address, so ordinary user-level code is enough. That considerably widens the pool of devices an attacker can turn into trackers.
Claire Aird highlights, "The nRootTag technique could cause any Bluetooth device to impersonate an AirTag, enabling tracking even without root access" (00:45).
Apple shipped fixes in December 2024, but the mitigation only works on Apple devices that have installed the update. Every unpatched iPhone, iPad and Mac still in circulation keeps relaying location reports for these fake tags, so the tracking risk persists until the installed base has turned over.
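The mechanism behind the technique, as an added illustration that is not code from the episode or from the George Mason researchers: in the Find My offline-finding protocol, the first 6 bytes of a tag's 28-byte P-224 public key become its Bluetooth address (with the two top bits forced on) and the remaining 22 bytes ride in the advertisement payload. A program without root cannot set the address, so the attack searches for a key whose public key matches the address the device already has. The key generator below is a SHA-256 counter standing in for real elliptic-curve key generation (an assumption made to keep the example dependency-free); the byte layout and the work estimate are the real ones, and the example matches only two address bytes so it finishes in a moment.

```python
"""Added illustration of the nRootTag idea (not the researchers' code).

Byte layout follows Apple's Find My offline-finding advertisement; the key
generator is a SHA-256 counter, an ASSUMED stand-in for P-224 key pairs.
"""
import hashlib

PUBKEY_LEN = 28  # P-224 public key x-coordinate


def ble_address_from_pubkey(pub: bytes) -> bytes:
    """Key bytes 0..5 become the BLE address; the two top bits are forced on
    so the result is a valid BLE random static address."""
    if len(pub) != PUBKEY_LEN:
        raise ValueError("expected a 28-byte public key")
    addr = bytearray(pub[:6])
    addr[0] |= 0b11000000
    return bytes(addr)


def offline_finding_advertisement(pub: bytes, status: int = 0x00, hint: int = 0x00) -> bytes:
    """Build the 31-byte manufacturer-specific AD structure a tag broadcasts."""
    if len(pub) != PUBKEY_LEN:
        raise ValueError("expected a 28-byte public key")
    body = bytes([
        0x4C, 0x00,   # Apple company identifier 0x004C, little-endian
        0x12,         # offline-finding message type
        0x19,         # 25 payload bytes follow
        status,       # battery/maintenance status byte
    ]) + pub[6:28] + bytes([
        pub[0] >> 6,  # the two key bits overwritten in the address travel here
        hint,
    ])
    return bytes([len(body) + 1, 0xFF]) + body  # AD length, AD type 0xFF


def stand_in_keygen(index: int) -> bytes:
    """ASSUMPTION: deterministic pseudo key generator. A real attacker derives
    fresh P-224 key pairs and keeps the private keys to decrypt the reports."""
    return hashlib.sha256(index.to_bytes(8, "big")).digest()[:PUBKEY_LEN]


def expected_tries(match_bytes: int) -> int:
    """Average keys to try: 8 bits per matched byte minus the 2 forced bits."""
    return 2 ** (8 * match_bytes - 2)


def search_key_for_address(target_addr: bytes, match_bytes: int = 6,
                           keygen=stand_in_keygen, max_tries: int = 1 << 24):
    """Brute-force a key whose derived address equals target_addr on its first
    match_bytes bytes. The real attack matches all 6 (about 2^46 work, done
    with GPUs and precomputed tables); the demo matches fewer."""
    want = bytearray(target_addr[:match_bytes])
    want[0] |= 0b11000000  # the device's address always carries these bits
    want = bytes(want)
    for i in range(max_tries):
        pub = keygen(i)
        if ble_address_from_pubkey(pub)[:match_bytes] == want:
            return i, pub
    return None


if __name__ == "__main__":
    victim_addr = bytes.fromhex("d4a7c3e91b02")  # constructed example address
    hit = search_key_for_address(victim_addr, match_bytes=2)
    tries, pub = hit
    print(f"matched 2 address bytes after {tries} keys "
          f"(expected about {expected_tries(2)}); a full match needs ~{expected_tries(6)}")
    print("advertisement:", offline_finding_advertisement(pub).hex())
```

The point the numbers make: matching the full 46 free bits is a one-off precomputation cost, not a per-device runtime cost, which is why the researchers could treat a device's fixed address as the thing to fit the key to rather than the other way round.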
2. VMware Hypervisor Zero Days Patched by Broadcom
Broadcom has patched three zero-day vulnerabilities in VMware ESXi, Workstation and Fusion (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226). Chained together, they allow an attacker with administrator privileges inside a guest virtual machine to escape to the hypervisor and reach the host. Broadcom credited Microsoft's Threat Intelligence Center (MSTIC) with spotting the bugs being exploited in the wild and reporting them.
Claire Aird notes, "Broadcom credited Microsoft's MSTIC security team with spotting the bugs in the wild and reporting them" (02:15).
3. Google Addresses Actively Exploited Android Zero Days
In its March 2025 security bulletin, Google patched two actively exploited zero-day vulnerabilities affecting Android devices. One of them, CVE-2024-50302, a bug in the Linux kernel's USB HID driver, was used by Cellebrite's phone-unlocking products; Amnesty International found it while investigating the unlocking of phones belonging to anti-government activists in Serbia. The other is a privilege-escalation flaw in the Android framework. In total the update addresses 30 high or critical flaws.
4. Ransom Note Scams Targeting U.S. Companies
Security firm GuidePoint Security reports a wave of scammers mailing printed ransom notes to executives at U.S. companies, falsely claiming to be the BianLian ransomware group. The letters allege data theft and demand Bitcoin payments of $250,000 to $350,000, with a QR code pointing at the wallet. They arrived in early March; GuidePoint found no evidence that the recipients had actually been breached, so the scheme trades purely on companies' fear of a data-breach disclosure.
Claire Aird adds a touch of dark humor, "The scammers will be hoping they didn't leave any saliva DNA on the envelope" (05:20).
5. Arrest and Release of Black Basta Ransomware Group Leader
The suspected leader of the Black Basta ransomware group, Oleg Nefedov, was arrested in Armenia in June 2024 on a U.S. warrant but released three days later on a technicality. Leaked internal Black Basta chat logs show his bravado about the episode, where he "boasted about his friends at a really high level" (07:05). Armenian authorities, despite acting on the U.S. request, did not manage to keep him in custody.
6. France's Proposal for Encrypted Communication Backdoors
The French government is considering an amendment to its narcotrafficking bill that would give authorities access to the content of encrypted communications. The proposal mirrors a similar one in Sweden but goes further, reportedly extending to VPN providers as well as messaging services. Signal has said it would withdraw from France rather than build a backdoor if the law passes, another sign of the widening gap between privacy advocates and governments seeking lawful-access mandates.
7. North Korea's Cryptocurrency Laundering Efforts
Two weeks after the $1.5 billion theft from cryptocurrency exchange Bybit, North Korea's launderers have already pushed roughly 20% of the funds far enough through laundering channels that they can no longer be traced. Bybit, for its part, has managed to recover or freeze only about 3% of the stolen assets. The remainder is still traceable, for now.
8. UK Privacy Watchdog Investigates Social Media Platforms
The UK's Information Commissioner's Office (ICO) has opened an investigation into TikTok over how it uses children's data in its content-recommendation algorithms. The ICO is also examining Reddit and Imgur over how they assess users' ages and handle children's data, signalling closer regulatory scrutiny of how major social media platforms protect minors.
9. Google's AI-Powered Scam Detection for Android
Google is enhancing security on Android devices by deploying two new AI-driven scam detection systems. These systems analyze ongoing text messages and phone calls to identify and prevent financial scams. Unlike traditional methods that focus solely on initial messages, Google's approach monitors entire conversations, aiming to intercept fraudsters who transition from friendly dialogue to scam tactics.
10. Indictment of NSO Group Executives in Catalonia
A Catalonian court has indicted three executives of the Israeli spyware company NSO Group: Shalev Hulio, Omri Lavie and Yuval Somekh. They are accused of facilitating the unlawful surveillance of 63 Catalan individuals during the independence movement's protests in the late 2010s. The court also criticized the Spanish public prosecutor's office for trying to impede the case, which centres on the alleged use of NSO's Pegasus spyware against political activists.
11. US Sanctions on Iranian Dark Web Administrator
The U.S. Treasury has sanctioned Behrouz Parsarad, an Iranian national who administered the dark web marketplace Nemesis. Launched in 2021 and taken down by German authorities in March 2024, Nemesis had more than 150,000 users and dealt mainly in illegal drugs. The sanction adds a financial-pressure layer to the international effort to dismantle such marketplaces and the people behind them.
12. Emerging Cyber Espionage: Crafty Camel Targets UAE
A new cyber espionage group that Proofpoint tracks as Crafty Camel has emerged, targeting aviation, satellite communications and transport companies in the UAE. The group sends spear-phishing emails from a compromised business partner's account; the final payload is a backdoor named Sosano, delivered through polyglot files (files valid as two formats at once) that slip past format-based detection. Proofpoint notes overlaps with Iran-aligned tradecraft, underlining the increasing sophistication of state-linked operations in the region.
13. Leaked API Keys and Passwords in Open Source Datasets
Security researchers at Truffle Security found nearly 12,000 live API keys and passwords in the Common Crawl dataset, the roughly 400-terabyte web archive widely used to train AI models, including models such as DeepSeek. The secrets span 219 distinct types; AWS root keys were the most prevalent. Anything that has landed in a public crawl has to be treated as compromised and rotated, and the finding is a reminder that models trained on such data can also memorize and regurgitate those credentials.
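The kind of check the finding above calls for, as an added example that is not Truffle Security's tooling: a small scanner that runs credential patterns over crawled text, drops low-entropy documentation placeholders, and reports findings without re-leaking the secret. The patterns, entropy threshold and sample page are constructed here (the AWS values are the placeholder credentials from AWS's own documentation). Whether a key is live, and whether it belongs to an account's root user, can only be learned by calling AWS STS GetCallerIdentity with it, which this offline example deliberately does not do.

```python
"""Added example: minimal credential scanner for crawled web text.

Not Truffle Security's code. Patterns, the entropy filter and SAMPLE_PAGE
are constructed for illustration. No network calls, so "live" is not checked.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 chars.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # 40-char secret only when labelled as an AWS secret nearby (cuts false positives).
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?secret.{0,20}?['\"=:\s]([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # Mailchimp keys: 32 hex chars, a dash, and the data-centre suffix.
    "mailchimp_api_key": re.compile(r"\b([0-9a-f]{32}-us[0-9]{1,2})\b"),
}
MIN_SECRET_ENTROPY = 3.0  # bits per char; placeholders like XXXX... score 0


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    line_no: int


def shannon_entropy(s: str) -> float:
    """Bits per character; a 40-char random base64-ish secret scores well above 3."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the ends so findings can be logged without re-leaking the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "*" * len(value)


def scan_text(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                # Documentation placeholders are low-entropy; skip them.
                if kind == "aws_secret_access_key" and shannon_entropy(value) < MIN_SECRET_ENTROPY:
                    continue
                findings.append(Finding(kind, value, line_no))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per secret type, the shape of the '219 types' statistic above."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample page: config pasted into a blog post, plus a docs placeholder.
# The AWS values are the placeholder credentials from AWS's own documentation.
SAMPLE_PAGE = """<html><body>
<pre>
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MAILCHIMP_KEY=0123456789abcdef0123456789abcdef-us21
</pre>
<p>Set AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX in your shell.</p>
<p>Order reference: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd</p>
</body></html>
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE_PAGE)
    for f in results:
        print(f"line {f.line_no}: {f.kind} {redact(f.value)}")
    print(summarize(results))
```

The entropy gate matters in practice: crawled documentation is full of `XXXX` and `your-key-here` placeholders that match a length-and-charset regex perfectly, and verifying every candidate against the provider is how such a scan turns "matches" into the "live" count the researchers reported.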
Conclusion
This episode of Risky Bulletin underscores a dynamic and evolving cybersecurity landscape, marked by innovative attack techniques, significant vulnerability patches, and heightened regulatory actions. From the alarming capability to turn everyday Bluetooth devices into trackers to the sophisticated maneuvers of ransomware and espionage groups, the threats are both diverse and persistent. Additionally, the proactive steps by major tech companies and governments highlight the ongoing battle to safeguard digital infrastructures and user privacy.
Notable Quotes:
- "The nRootTag technique could cause any Bluetooth device to impersonate an AirTag, enabling tracking even without root access" — Claire Aird (00:45)
- "Broadcom credited Microsoft's MSTIC security team with spotting the bugs in the wild and reporting them" — Claire Aird (02:15)
- "The scammers will be hoping they didn't leave any saliva DNA on the envelope" — Claire Aird (05:20)
- "Boasted about his friends at a really high level" — Claire Aird (07:05)
This summary is based on the transcript of the Risky Bulletin podcast episode released on March 5, 2025.
