Author name: Mike M.

From Iran to Ukraine, everyone’s trying to hack security cameras


Research shows apparent Iranian state hackers trying to hijack consumer-grade cameras.

Cameras are placed in public areas in Tehran. Credit: Anadolu/Getty Images

For decades, satellites, drones, and human spotters have all been part of war’s surveillance and reconnaissance tool kit. In an age of cheap, insecure, Internet-connected consumer devices, however, militaries have gained another powerful set of eyes on the ground: every hackable security camera installed outside a home or on a city street, pointed at potential bombing targets.

On Wednesday, Tel Aviv–based security firm Check Point released new research describing hundreds of hacking attempts that targeted consumer-grade security cameras around the Middle East—with many apparently timed to Iran’s recent missile and drone strikes on targets that included Israel, Qatar, and Cyprus. Those camera-hijacking efforts, some of which Check Point has attributed to a hacker group that’s been previously linked to Iranian intelligence, suggest that Iran’s military has tried to use civilian surveillance cameras as a means to spot targets, plan strikes, or assess damage from its attacks as it retaliates for the US and Israeli bombings that have sparked a widening war in the region.

Iran wouldn’t be the first to adopt that camera-hacking surveillance tactic. Earlier this week, the Financial Times reported that the Israeli military had accessed “nearly all” the traffic cameras in Iran’s capital of Tehran and, in partnership with the CIA, used them to target the air strike that killed Ayatollah Ali Khamenei, Iran’s supreme leader. In Ukraine, the country’s officials have warned for years that Russia has hacked consumer surveillance cameras to target strikes and spy on troop movements—while Ukrainian hackers have hijacked Russian cameras to surveil Russian troops and perhaps even to monitor its own attacks.

Exploiting the insecurity of networked civilian cameras is, in other words, becoming part of the standard operating procedures of armed forces around the world: A relatively cheap and accessible means of getting eyes on a target hundreds of thousands of miles away. “Now hacking cameras has become part of the playbook of military activity,” says Sergey Shykevich, who leads threat intelligence research at Check Point. “You get direct visibility without using any expensive military means such as satellites, often with better resolution.”

“For any attacker who is planning military activity, it’s now a straightforward act to try it,” Shykevich adds, “because it’s easy and provides very good value for your effort.”

In the latest example of that recon technique, Check Point found that hackers had attempted to exploit five distinct vulnerabilities in Hikvision and Dahua security cameras that would have allowed their takeover. Shykevich describes dozens of attempts—which Check Point says it blocked—across Bahrain, Cyprus, Kuwait, Lebanon, Qatar, and the United Arab Emirates, as well as hundreds more in Israel itself. Check Point notes it could view attempted intrusions only on networks equipped with its firewall network appliances and that its findings are likely skewed by the company’s relatively larger customer base in Israel.

None of the five vulnerabilities are “complicated or sophisticated,” Shykevich says. All of them have been patched in previous software updates from Hikvision and Dahua and were discovered years ago—one as early as 2017. Yet as with hackable bugs in so many Internet-of-things devices, they persist in security cameras because owners rarely install updates or even become aware that they’re available. (Hikvision and Dahua are both effectively banned in the United States due to security concerns; neither company responded to WIRED’s request for comment on the hacking campaign.)

Check Point found that the camera-hacking attempts were largely timed to February 28 and March 1, just as the US and Israel were beginning their air strikes across Iran. Some of the attempted camera takeovers also occurred in mid-January, as protests spread across Iran and the US and Israel made preparations for their attacks. Check Point says it has tied the targeting of the cameras to three distinct groups it believes to be Iranian in origin, based on the servers and VPNs they used to carry out the campaign. Some of those servers, Shykevich notes, have been previously linked in particular to the Iranian hacker group known as Handala, which several cybersecurity companies have identified as working on behalf of Iran’s Ministry of Intelligence and Security.

In fact, Check Point says it tracked similar Iranian targeting of cameras as early as last June during Israel’s previous 12-day war with Iran. The head of Israel’s National Cybersecurity Directorate, Yossi Karadi, also warned at the time that Iranian hackers were using civilian camera systems to target Israelis and had compromised a street camera across from the country’s Weizmann Institute of Science before hitting it with a missile.

The joint US and Israeli strikes on Iran and the assassination of Khamenei have revealed, however, just how thoroughly Israel’s own hackers—or those of its allies, including potentially the US—had penetrated Tehran’s camera systems, too. Israeli intelligence sources speaking to the Financial Times described assembling the patterns of life of Iranian security guards around Khamenei based on the real-time data that traffic cameras provided across the city. “We knew Tehran like we know Jerusalem,” one source told the FT.

Prior to the current escalating war in the Middle East, the powerful surveillance role of hacked civilian cameras first became apparent in the midst of Russia’s war in Ukraine. Ukrainian officials warned in January 2024, for instance, that Russian forces had hacked two security cameras in the capital of Kyiv to observe Ukrainian infrastructure targets and air defenses. “The aggressor used these cameras to collect data to prepare and adjust strikes on Kyiv,” reads a post from Ukraine’s SSU intelligence service.

The SSU went so far, it writes, as to somehow disable 10,000 Internet-connected cameras—it didn’t reveal how—that could be used by Russia’s military. “The SSU is calling on the owners of street webcams to stop online broadcasts from their devices, and on citizens to report any streams from such cameras,” the post reads.

Even as Ukraine has attempted to block that spying technique, it seems also to have adopted it. When the Ukrainian military used its own underwater drone to blow up a Russian submarine in the bay of Sevastopol in Crimea, it published video that defense-focused news outlet The Military Times noted looked very much like it had come from a hacked surveillance camera. A BBC report about Ukrainian hacktivist group One Fist notes more explicitly that they were commended by the Ukrainian government for work that included hacking cameras to watch Russia’s movement of matériel across the Kerch Bridge between Russia and Crimea.

“The advantages of co-opting a civilian camera network are presence and expense,” says Peter W. Singer, a military-focused researcher at the New America Foundation and the author of the 2015 science fiction novel Ghost Fleet, which imagines future war scenarios. “The adversary’s already done the work for you. They’ve placed cameras all around a city.”

Singer notes that hacking those cameras is vastly cheaper and easier than relying on satellites or high-altitude drones. The trick is stealthier than drones, too, which are only viable when the enemy has few air defenses, and drones can often be detected by countersurveillance measures. Ground-level, hacked cameras also offer angles and perspectives that aren’t possible with the bird’s-eye view of a satellite or drone, he adds. All of that makes them powerful tools for reconnaissance, targeting, and what he calls “bomb damage assessment” after a strike.

Hacked cameras are a tough problem to solve, in part, because those who have the ability to secure them rarely suffer the consequences of that surveillance, says Beau Woods, a security researcher who formerly worked as an adviser to the US Cybersecurity and Infrastructure Security Agency. “The manufacturer of the device and the owner of the device are not the victim,” Woods says. “So the victim isn’t in a position to control the tool that’s used by the adversary.”

The difficulty of pinning down responsibility for Internet-connected consumer cameras means that their role in military surveillance is likely to persist for many years—and wars—to come.

“Who’s liable, who’s responsible, who’s accountable?” Woods asks. “The camera itself is not directly causing the harm. But it’s part of the kill chain.”

This story originally appeared on wired.com.

Feds take notice of iOS vulnerabilities exploited under mysterious circumstances

Coruna is also notable for its use by three distinct hacking groups. Google first detected its use in February of last year in an operation conducted by a “customer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2024-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in attacks planted on websites that were frequented by Ukrainian targets. Last December, when it was used by a “financially motivated threat actor from China,” Google was able to retrieve the complete exploit kit.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

Google researchers went on to write:

We retrieved all the obfuscated exploits, including ending payloads. Upon further analysis, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving in the clear all of the exploits, including their internal code names. That’s when we learned that the exploit kit was likely named Coruna internally. In total, we collected a few hundred samples covering a total of five full iOS exploit chains. The exploit kit is able to target various iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).

The 23 exploits, along with the code names and other information, are:

| Type | Codename | Targeted versions (inclusive) | Fixed versions | CVE |
|---|---|---|---|---|
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.1, 16.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.X | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.X | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.X | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |

CISA is adding only three of the CVEs to its catalog. They are:

  • CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
  • CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
  • CVE-2023-43000 Apple Multiple Products Use-After-Free Vulnerability

CISA is directing agencies to “apply mitigations per vendor instructions, follow applicable… guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The agency went on to warn: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
Asteroid defense mission shifted the orbit of more than its target


The binary asteroid’s orbit around the Sun was affected by the impact.

Italy’s LICIACube spacecraft snapped this image of asteroids Didymos (lower left) and Dimorphos (upper right) a few minutes after the impact of DART on September 26, 2022. Credit: ASI/NASA

On September 26, 2022, NASA’s Double Asteroid Redirection Test (DART) spacecraft crashed into a binary asteroid system. By intentionally ramming a probe into the 160-meter-wide moonlet named Dimorphos, the smaller of the two asteroids, humanity demonstrated that the kinetic impact method of planetary defense actually works. The immediate result was that Dimorphos’ orbital period around Didymos, its larger parent body, was slashed by 33 minutes.

Of course, altering a moonlet’s local orbit doesn’t seem like enough to safeguard Earth from civilization-ending impacts. But now, as long-term observational data has come in, it seems we accomplished more than that. DART actually changed the trajectory of the entire Didymos binary system, altering its orbit around the Sun.

Tracking space rocks

Measuring the orbital shift of a 780-meter-wide primary asteroid and its moonlet from millions of miles away isn’t trivial. When DART slammed into Dimorphos, it didn’t knock the binary system wildly off its trajectory around the Sun. The change in the system’s heliocentric trajectory was expected to be small, a minuscule nudge that would become apparent only after months or years of continuous observation. By analyzing enough painstakingly gathered data, a global team of researchers led by Rahil Makadia at the University of Illinois Urbana-Champaign has now determined the consequences of the DART impact.

To find the infinitesimal deviation DART created, Makadia’s team relied mostly on a technique called stellar occultation. When an asteroid passes in front of a distant star from the perspective of an observer on Earth, the star briefly blinks out. By precisely timing these blinks as they sweep across the globe, astronomers can pinpoint an asteroid’s position with astonishing accuracy.

Between October 2022 and March 2025, we captured 22 such stellar occultations of the Didymos system. Combined with a huge dataset publicly available at the Minor Planet Data Center that included nearly 6,000 ground-based astrometric measurements taken over 29 years, optical navigation data from the DART probe’s approach, and ground-based radar measurements, researchers finally had all they needed.

“Once we had enough measurements before and after the DART impact, we could discern how Didymos’ orbit has changed,” Makadia said.

When the vending-machine-sized DART probe crashed into Dimorphos at over 22,000 kilometers per hour, it decreased the along-track velocity of the entire Didymos system by roughly 11.7 micrometers per second. That is a minuscule change, but the team thinks it’s still significant. “When you do it early enough, even a small impulse can accumulate over years and cause a meaningful shift,” Makadia explained.

Also, the DART impact itself was not the only force that changed Didymos’ orbit.

The ejecta engine

The pure kinetic energy of a 500-kilogram spacecraft hitting at hypersonic speeds is impressive, but on its own, it would not slow a huge asteroid that much. When DART struck Dimorphos, it blasted pulverized rock and dust out into the void. “The material kicked up off an asteroid surface acts like an extra rocket plume,” Makadia said.

Scientists call this effect the momentum enhancement factor, denoted by the Greek letter beta. If the spacecraft impact transferred exactly its own momentum and no debris was kicked up, beta would be exactly one.

Because Dimorphos orbits Didymos, some of the ejecta remained trapped in the system, where it altered the mutual orbit between the two rocks. But a crucial fraction of the ejecta achieved escape velocity from the entire binary system. The momentum carried away by the system-escaping debris is what ultimately contributed to shoving the center of mass of the whole Didymos-Dimorphos pair. “In our case, we found that the beta parameter due to DART impact was around two,” Makadia explained.

The debris blasted completely out of the Didymos system gave the asteroids a push roughly equal to the initial impact of the spacecraft itself.
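A worked check, added here and not part of the original article, that ties the article’s own figures together: the probe mass m, impact speed v, momentum enhancement factor β and the system’s velocity change Δv (all treated as the rounded values quoted above).

$$
\Delta p = \beta\, m\, v, \qquad \beta = 1 + \frac{p_{\text{escaping ejecta}}}{m v}
$$

With $m \approx 500\ \text{kg}$, $v \approx 22{,}000\ \text{km/h} \approx 6.1\times10^{3}\ \text{m/s}$ and $\beta \approx 2$:

$$
m v \approx 3.1\times10^{6}\ \text{kg·m/s}, \qquad
\Delta p \approx 6.1\times10^{6}\ \text{kg·m/s}, \qquad
p_{\text{escaping ejecta}} = (\beta - 1)\, m v \approx m v
$$

so the escaping debris carried away about as much momentum as the spacecraft delivered. Because the whole system’s heliocentric velocity changed by $\Delta v = \Delta p / M_{\text{sys}}$, the measured $\Delta v \approx 11.7\ \mu\text{m/s}$ gives

$$
M_{\text{sys}} \approx \frac{\Delta p}{\Delta v} \approx \frac{6.1\times10^{6}}{1.17\times10^{-5}}\ \text{kg} \approx 5\times10^{11}\ \text{kg},
$$

which is the order of magnitude of the combined Didymos–Dimorphos mass the density analysis below relies on.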

To calculate how momentum was transferred, Makadia and his colleagues had to determine precisely how massive Didymos and Dimorphos are. By linking the heliocentric deflection to the previously known changes in Dimorphos’ local orbit, the researchers were able to perform a neat mathematical trick to uncover the bulk densities of both asteroids. And this revealed something a bit unexpected about the Didymos system.

“Most studies were going under the assumption that both asteroids have equal density—turns out that assumption was not correct,” Makadia said.

A rubble pile

Based on Makadia’s calculations, Didymos, the primary body, is relatively solid. It has a bulk density of around 2.6 tons per cubic meter, which aligns with standard estimates for siliceous asteroids. Dimorphos, however, is a different story. Its density is a surprisingly low 1.51 tons per cubic meter. This implies that the smaller asteroid targeted by DART is essentially a fluffy, loosely bound agglomeration of boulders, rocks, and dust, with empty voids between the rubble.

“This was a real surprise,” Makadia said. “We previously didn’t know anything about the density of Dimorphos.” The contrast in density tells the story of how this binary system formed.

Billions of years of uneven heating and radiation from the Sun can cause an irregularly shaped asteroid like Didymos to gradually spin faster, a phenomenon known as the YORP (Yarkovsky, O’Keefe, Radzievskii, Paddack) effect. Eventually, Didymos spun so fast that the centrifugal force overcame its gravity, and it began shedding loose material from its equator. That shed material eventually coalesced in orbit, gently clumping together to form the porous, fragile moonlet we now know as Dimorphos.

Overall, Didymos is nearly 200 times more massive than its smaller companion, which explains why shifting the larger asteroid system takes such an enormous amount of force. The sheer inertia of Didymos means that the barycenter deflection of its entire system was just a tiny fraction of the deflection felt locally by Dimorphos.

Planetary defense

Makadia’s findings confirm the models we used to estimate the consequences of the DART impact: The Didymos system still poses zero threat to us, at least for the next 100 years or so. “The pre-DART condition was that the closest the Didymos system can get to Earth was around 15 lunar distances, and this has not changed appreciably,” Makadia explained.

The goal of DART was primarily to take our planetary defense out of the realm of computer models and get us some hands-on, practical experience, and Makadia thinks we succeeded in doing that. “Our work proves that hitting the secondary asteroid is a viable path for deflecting a binary system away as long as the push is large enough,” he said. “This wasn’t the goal of DART, but we can always design a bigger spacecraft.”

This experience applies both to deflecting binary asteroid systems like Didymos and singular objects. “Our results definitely help us in all sorts of future kinetic impact endeavors,” Makadia added.

The final verification of the DART mission’s consequences, though, will come in late 2026, when the European Space Agency’s Hera spacecraft will arrive at the Didymos system.

By performing independent, in-situ measurements of things like the density of Didymos and Dimorphos, Hera will provide a lot of precise gravitational and physical data that Makadia hopes to use to refine his calculations.

“It’s a high-fidelity instrument that hopefully will give us confirmation of what we believe,” Makadia said. “Plus, there are always new things to be found out when we visit an asteroid. I’m very excited about when Hera gets there.”

Science Advances, 2026.  DOI: 10.1126/sciadv.aea4259

Jacek Krywko is a freelance science and technology writer who covers space exploration, artificial intelligence research, computer science, and all sorts of engineering wizardry.
Amazon appears to be down, with over 20,000 reported problems

Based on over 20,000 reports, Amazon appears to be experiencing an outage.

According to Downdetector, reports of problems started increasing at 1:41 pm ET today. By 2:26 pm ET, Downdetector received 18,320 reports of problems with Amazon’s website. The number of complaints peaked at 3:32 pm ET at 20,804.

As of this writing, Amazon hasn’t confirmed any specific problems. However, an Amazon support account on X said at 3:02 pm ET today that “some customers may be experiencing issues” and that Amazon is working “to resolve the issue.”

Per Downdetector, 50 percent of reported problems happened at checkout, while 21 percent of outage reports came from mobile app users, and 17 percent of complaints pointed to problems with Amazon’s product pages.

Ars Technica can confirm that some product pages fail to load properly or at all, and that the Amazon homepage sometimes fails to load.

This story is developing…
The Boys S5 trailer tees up a bloody final season

In the fifth and final season, it’s Homelander’s world, completely subject to his erratic, egomaniacal whims. Hughie, Mother’s Milk, and Frenchie are imprisoned in a “Freedom Camp.” Annie struggles to mount a resistance against the overwhelming Supe force. Kimiko is nowhere to be found. But when Butcher reappears, ready and willing to use a virus that will wipe all Supes off the map, he sets in motion a chain of events that will forever change the world and everyone in it. It’s the climax, people. Big stuff’s gonna happen.

Most of the main cast is returning for the final season, and we’ll also see the return of Soldier Boy (Jensen Ackles), aka Homelander’s daddy, revealed in the S4 finale mid-credits scene to be alive and chilling out in cryostorage. In addition, Jared Padalecki will join the cast in an as-yet-undisclosed role. This season will also feature several characters from Gen V: Jordan (London Thor), Marie (Jaz Sinclair), Emma/Little Cricket (Lizze Broadway), Cate (Maddie Phillips), Sam (Asa Germann), and Annabeth (Keeya King).

The first two episodes of The Boys’ fifth and final season premiere on April 8, 2026, on Prime Video, with new episodes airing each week through May 20, 2026.
Congress extends ISS and tells NASA to get moving on private space stations

Nominally, NASA plans to have one or more of these companies operating a commercial space station in low-Earth orbit by 2030. This is the date at which the US space agency has stated it will retire the aging laboratory, some elements of which are now nearly three decades old. However, some space policy officials have questioned whether any of the companies might be ready by then.

Cruz and other senators on the committee appear to share those concerns, as their legislation extends the International Space Station’s lifespan from 2030 to 2032 (an extension must still be approved by international partners, including Russia). Moreover, the authorization bill states, “The Administrator shall not initiate the de-orbit of the ISS until the date on which a commercial low-Earth orbit destination has reached an initial operational capability.”

With this legislation, the US Senate is making clear that it views a permanent human presence in low-Earth orbit as a high priority. This version of the authorization legislation must still be passed by the full Senate and work its way through the House of Representatives.

Reaction from the companies

After the legislation passed the Commerce committee, Axiom Space said on social media that it welcomes the changes: “Axiom Space is proud to support the NASA Authorization Act of 2026. The bill is a clear indicator that Chairman @SenTedCruz and the Senate Commerce Committee are determined to ensure the success of the entire human spaceflight enterprise.”

In an interview, the chief executive of Vast, Max Haot, said his company also welcomed the clarifying legislation—both for its language on commercial space stations as well as its reflection of the fact that NASA Administrator Jared Isaacman has been working overtime to set the Artemis lunar program on a better path for success.

“We are really impressed by what Jared has been able to do with the American space program and aligning all of the stakeholders,” he said. “As it relates to commercial space stations, we were happy to see the renewed commitment to transition from the ISS to commercial alternatives.”

Haot said there should not be a hard date for de-orbiting the International Space Station but that it should depend on the readiness of the commercial providers. He said Vast is confident that, should NASA issue an RFP and awards for private providers this year, Vast will be ready to support a continuous human presence in low-Earth orbit by the end of 2030.
MacBook Neo hands-on: Apple build quality at a substantially lower price


The Neo won’t be for everyone, but Apple has managed to preserve a premium feel.

Credit: Andrew Cunningham

NEW YORK CITY—Whether you’re talking about the iBook, MacBook, or MacBook Air, Apple’s most basic laptops have started at or within $100 of the $1,000 price point for over 20 years. Sure, the company had quietly been testing the waters with a Walmart-exclusive M1 MacBook Air configuration for several years, first at $699 and then at $599. But as far as what Apple would actively advertise and offer on its own site and in its own retail stores, we’ve never seen anything for substantially below $1,000.

The new MacBook Neo changes that. Apple has experimented with lower-cost products before, most notably with the $329 and $349 iPads and the old $429 iPhone SE. But this is the first time it has used that strategy for the Mac. The Neo starts at $599 for a version with 256GB of storage and no Touch ID sensor, and $699 for a version with Touch ID and 512GB of storage (each also available to educational customers for $100 less).

We had a chance to poke at a MacBook Neo for a while at Apple’s “special experience” event in New York this morning, and what I can tell you is that this does feel like an Apple laptop despite the lower starting price. It definitely has some spec sheet shortcomings, even compared to older M3 or M4 MacBook Airs that you still might be able to get at a discount from third-party retailers or Apple’s refurbished site—more on that in our full review next week. But it’s priced low enough to (1) appeal to people who might not have considered a Mac before, and (2) make some of its borderline specs feel reasonable, and that’s enough to keep it interesting.

MacBook Air-ish

I had assumed, based on Apple’s history with its lower-end iPads and iPhones, that Apple would essentially reuse the design of the old M1 MacBook Air for this new MacBook. The Neo does share quite a few things in common with that older design, including a 13-inch notchless display, a 2.7 lb weight, and a lack of MagSafe connector. But this is actually a new design after all, one that’s more in line with the current Pro and Air iterations.

The Neo is a flat rectangular slab of aluminum with softly rounded edges, more like the current Airs and Pros than the wedge-shaped design of the old M1 Air (also like modern Airs, the words “MacBook Neo” appear nowhere on the exterior of the computer—the name only exists in stores and in software).

The low-end iPad can feel a bit cheap or hollow, partly because of the small gap between the front glass and the non-laminated LCD display underneath. But holding and interacting with the Neo feels substantially the same as interacting with an Air. It is, however, slightly thicker—an even 0.5 inches, up from 0.44 inches for the M4 Air.

The non-backlit keyboard is a bit of a bummer, although Apple has tried to keep it legible by shifting from white-on-black keycaps to darker legends on a lighter background. But the typing feel is similar to the Air, and we’re told the scissor switches have the same amount of key travel as the switches in the Air keyboards.

The multi-touch trackpad is a little weirder. It looks a lot like Apple’s other trackpads, but it actually has a physical clicking mechanism rather than the haptic feedback Apple has used in its laptop trackpads and Magic Trackpads for years. That means there’s no Force Click functionality and no controls for adjusting the firmness or noisiness of the clicking sensation.

Apple did, at least, figure out a mechanism that makes it feel the same to click anywhere on the trackpad. More traditional physical trackpads, including the ones Apple used to use, had a hinge toward the top of the trackpad that made clicking up there feel stiffer and firmer than clicking at the bottom or in the middle of the trackpad. The Neo’s trackpad doesn’t feel quite as solid, probably because of the space left to make room for a physical clicking mechanism, but, aside from the missing haptics, it seems to work just as well as Apple’s other trackpads.

The laptop’s ports may cause some confusion, for the same reason that any USB-C or Thunderbolt port can cause confusion—the ports look the same but do different things. Either of the laptop’s two USB-C ports can charge the laptop. But only the rear one supports 10 Gbps USB 3 transfer speeds, and it’s also the only one that can drive a display (one 4K screen at up to 60 Hz, down from two higher-resolution external displays for the Air). The port toward the front only supports 480 Mbps USB 2.0 transfer speeds, enough for a keyboard and many other external accessories, but not ideal for external storage.

Neither port is marked in any way, though macOS will apparently alert users if they try to plug something into the USB 2.0 port that won’t work with it.

The four colors of Neo: the pink-ish Blush, blue-tinted Indigo, yellowy Citrus, and traditional MacBook silver.

Credit: Andrew Cunningham

The internal display is great for the price, though it falls a bit short of both the current Airs and the M1 Air. The 13-inch 2408×1506 IPS LCD screen is just shy of the old M1 Air’s resolution, and it supports both 500 nits of maximum brightness and full coverage of the sRGB color gamut, both relatively rare in similarly priced PCs. But it’s missing DCI-P3 wide color support and the True Tone feature that subtly adjusts the color temperature of the display based on ambient lighting, two things that were still supported by the old M1 Air.

The biggest sticking point for many buyers will be the processor, an Apple A18 Pro that first appeared in the iPhone 16 Pro.

This chip includes six CPU cores (two performance, four efficiency) and a five-core GPU, which worked just fine under casual use in the hands-on area and in our briefing. We saw it running Safari with multiple tabs open, playing a game, and running Pixelmator Pro, and it handled all three tasks well. But the higher-end apps that aren’t bottlenecked by the CPU or GPU may be bottlenecked by its 8GB of RAM instead.

We’ll do more testing in our review to figure out where people will notice the specs in the real world and where they won’t, but suffice it to say, this isn’t the best laptop to pick if you want to make the most of a Creator Studio subscription.

All in all, the MacBook Neo seems well-positioned to satisfy those whom Apple is marketing it toward. Predominantly, that seems to be iPhone users who don’t have any kind of computer yet, or people who are unhappy with their budget Windows PC or Chromebook. Apple’s product page makes a big deal about the features that work across iOS and macOS and has a dedicated “new to Mac” section that pitches the platform to people who have never used it. The biggest downside for Apple is the risk that the Neo’s 8GB RAM limit and less-powerful chip will end up frustrating people who buy a Mac hoping to use Final Cut or Logic and bump into the limits of the hardware.

Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue.

FCC chair calls Paramount/WBD merger “a lot cleaner” than defunct Netflix deal

FCC to review foreign debt, but Carr indicates it will be a formality.

Credit: Getty Images | Kenneth Cheung

Paramount Skydance’s $111 billion purchase of Warner Bros. Discovery (WBD) has a notable supporter in Federal Communications Commission Chairman Brendan Carr. The FCC boss told CNBC today that the Paramount/WBD combination “is a lot cleaner” than the now-defunct Netflix deal to buy WBD.

Netflix “would have had a very difficult path forward from a regulatory perspective” because of “the scope and scale” of the streaming service that would have been created by combining Netflix with WBD property HBO Max, Carr said. There were “a lot of concerns in DC” about Netflix buying the company, he said.

Netflix backed out of its deal with Warner Bros. instead of matching the Paramount offer. Although Paramount plans to merge its own Paramount+ streaming service with HBO Max, Carr said the Paramount/WBD merger “does not raise at all the same types of concerns [as Netflix]. I think there’s some real consumer benefits that could emerge from it.”

Paramount Skydance is led by CEO David Ellison. His father, Larry Ellison, pledged $40 billion toward the deal. The Ellisons seem to have won President Trump’s backing for the merger.

The FCC plays a big role in reviewing mergers when broadcast licenses are transferred from one entity to another. There are no license transfers in this case because WBD doesn’t own any TV broadcast licenses.

But Paramount Skydance must comply with the FCC’s foreign ownership rules because it is already an FCC licensee with 28 local CBS stations that it owns and operates. Paramount is apparently financing the WBD purchase partly with money from foreign investors, which could trigger an FCC review of whether a foreign entity would gain control of a broadcaster.

Sovereign wealth funds back Paramount

In December, Paramount said that it lined up “an aggregate $24 billion commitment from three sovereign wealth funds” from Gulf countries, specifically Saudi Arabia, Abu Dhabi, and Qatar. Paramount said at the time that the sovereign wealth funds “agreed to forgo all governance rights (including board representation).”

Carr told the Financial Times yesterday that an FCC review of foreign debt is unlikely to hold up the merger. “All the information that I’ve seen about that foreign debt … is that would qualify under FCC rules as what we call bona fide debt, meaning it would be a very quick, almost pro forma review,” he said. FCC precedents state that bona fide debt may include a guarantee for a loan or a standard loan in which the creditor does not possess an ownership or voting interest in the licensee.

Carr told CNBC that the deal will be reviewed by the Justice Department, and that “if there’s any FCC role at all, it will be a pretty minimal role. I think this is a good deal and I think it should get through pretty quickly.”

The Justice Department is reviewing the merger and is not likely to try to block it, Bloomberg reported. “The agency is taking a softer stance on merger enforcement and hasn’t blocked a deal on antitrust grounds since President Donald Trump took office,” the article said. The deal would still face review by individual US states and regulators in other countries.

Paramount was cagey yesterday about whether sovereign funds are still backing the deal. “In government filings and on an investor call Monday, Paramount reiterated that the Ellisons and private-equity firm RedBird Capital Partners have pledged $47 billion toward the roughly $81 billion Paramount will pay to buy out WBD shareholders,” Business Insider wrote. “The rest will be financed with debt. But Paramount doesn’t say how much the Ellisons and RedBird intend to cough up themselves, and how much will come from other investors.”

Foreign ownership rule

Section 310 of the Communications Act imposes foreign ownership limits of 20 or 25 percent, depending on how the US-based licensee is structured. If the Paramount/WBD deal creates what’s called an “attributable interest” in the entity that holds FCC licenses, the merging companies would need to obtain a waiver, said Harold Feld, a telecom and media lawyer who is senior VP of advocacy group Public Knowledge.

If they’re “changing the corporate structure so that the foreign owners have what the FCC classifies as an attributable interest in the licenses, that would be a change of ownership under the FCC’s rules and would require FCC approval,” Feld told Ars. But if the foreign investment is only a passive interest with no real control over the company, it usually gets a rubber stamp without a difficult review, he said.

Carr’s statement to the Financial Times indicates that it will be a formality. Feld said that “it’s hard to tell whether [Carr] is saying that because the [Trump] administration approves the merger or whether he’s saying that because he’s actually been briefed by the buyers on the nature of the ownership change.”

Paramount has already been talking to regulators about getting the WBD deal approved. Paramount said it made “significant regulatory progress” before signing the deal with WBD and that there are “no statutory impediments to close in [the] US.”

Sen. Elizabeth Warren (D-Mass.) and other Democratic lawmakers alleged in a letter that “the entire process has been clouded by corruption concerns.” The letter to Attorney General Pam Bondi and White House Chief of Staff Susie Wiles said it appears that Trump administration officials discouraged Netflix’s bid in closed-door meetings “so that Paramount Skydance, the bidder reportedly favored by President Trump, could take over Warner Bros. instead.”

Since Warner Bros. properties like HBO Max and CNN offer programming outside the US, other countries’ regulators could try to block the merger. Paramount has started discussions with the European Commission, the firm said.

Paramount gave in to Trump and FCC demands

Trump and Carr have repeatedly criticized TV networks, including Paramount property CBS, for alleged bias. Paramount became the federal government’s preferred buyer of Warner Bros. after multiple instances in which the company acceded to Trump and FCC demands.

Trump sued Paramount because he didn’t like how CBS edited a pre-election interview with Kamala Harris and obtained a $16 million settlement from the company. Trump described the deal as “another in a long line of VICTORIES over the Fake News Media.”

The Paramount/Trump settlement was followed quickly by the FCC approving Paramount’s $8 billion purchase of Skydance in July 2025. To get the merger approval, Paramount agreed to install an ombudsman that Carr described as a “bias monitor.” Carr now appears to be happy with Paramount and CBS management, saying that CBS is “doing a great job” under Ellison and CBS News Editor-in-Chief Bari Weiss.

Carr also seemed pleased with how CBS complied with his demand that late-night shows follow the equal-time rule, after an incident in which host Stephen Colbert alleged that he wasn’t allowed to air an interview with a Democratic politician. Talk shows have historically been exempted from the rule’s requirements, but CBS said it gave Colbert legal guidance on how the planned interview could trigger the equal-time rule after the Carr-led FCC issued a warning to TV broadcasters.

Although the Trump administration appears likely to green-light the Paramount/WBD deal, state governments may not be so quick to approve it. California Attorney General Rob Bonta said, “Paramount/Warner Bros is not a done deal. These two Hollywood titans have not cleared regulatory scrutiny — the California Department of Justice has an open investigation, and we intend to be vigorous in our review.”

Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.

Clueless cops post seized crypto wallet password. $5M quickly stolen.

Because the press release was widely circulated online, the thief could be anyone. South Korea’s National Tax Service has no clear suspects, Gizmodo suggested, and no easy way to claw back funds.

The officials’ best bet might be if the thief tries to move the stolen tokens through a regulated exchange, but The Block noted that the thief might struggle to convert that much cryptocurrency into cash under current market conditions. So seemingly, the thief, who likely wasn’t expecting the big payday anyway, may be motivated to lie low and avoid major exchanges.

Cho suggested that cops could have easily prevented the theft, likening posting any image of the mnemonic recovery phrase to leaving a wallet wide open. He noted that the original holder of the Ledger wallet was following best practices by only recording the phrase on a handwritten note and not storing the password online. Cops should have known to check the images for the recovery phrase, Cho said, and their mistake will likely cost the national treasury billions of won.

It’s possible that whoever took the cryptocurrency just seized on an opportunity after seeing the cops’ failure to redact the images while scrolling through the National Tax Service’s press releases at dawn. It’s also possible that bad actors are closely monitoring South Korean police cryptocurrency announcements, following what The Block reported was “a series of crypto custody lapses.”

In January, officials in Gwangju had to investigate after “a substantial quantity of seized bitcoin was lost,” The Block reported. That was believed to be linked to a phishing attack targeting Coinbase but perhaps signaled that police weren’t always adequately securing seized assets.

Even more disturbingly, last month, police in Seoul’s Gangnam district had to launch an internal investigation after 22 seized bitcoins went missing, The Block reported. That case also involved a cold wallet suddenly drained without the physical device leaving police control, possibly indicating that some sensitive information isn’t handled securely.

In the latest press release, the National Tax Service officer said they are strengthening internal controls and job training to prevent future leaks.

The strange animals that control their body heat

Some creatures can dramatically alter their internal temperature and outlast storms, floods, and predators

An edible dormouse. Credit: DeAgostini/Getty Images

In 1774, British physician-scientist Charles Blagden received an unusual invitation from a fellow physician: to spend time in a small room that was hotter, he wrote, “than it was formerly thought any living creature could bear.”

Many people may have been appalled by this offer, but Blagden was delighted by the opportunity for self-experimentation. He marveled as his own temperature remained at 98° Fahrenheit (approximately 37° Celsius), even as the temperature of the room approached 200°F (about 93°C).

Today, this ability to maintain a stable body temperature—called homeothermy—is known to exist among myriad species of mammals and birds. But there are also some notable exceptions. The body temperature of the fat-tailed dwarf lemur, for example, can fluctuate by nearly 45°F (25°C) over a single day.

In fact, a growing body of research suggests that many more animals than scientists once appreciated employ this flexible approach—heterothermy—varying their body temperature for minutes, hours, or weeks at a time. This may help the animals to persist through all sorts of dangers.

“Because we’re homeotherms, we assume all mammals work the way we do,” says Danielle Levesque, a mammalian ecophysiologist at the University of Maine. But in recent years, as improvements in technology allowed researchers to more easily track small animals and their metabolisms in the wild, “we’re starting to find a lot more weirdness,” she says.

The most extreme—and well-known—form of heterothermy is classic hibernation, which has been most extensively studied in critters who use it to save energy and so survive the long, cold winters of the Northern Hemisphere. These animals enter long periods of what scientists call deep torpor, when metabolism slows to a crawl and body temperature can drop to just above freezing.

But hibernation is just one end of what some scientists now consider a spectrum. Many mammals can deploy shorter bouts of shallow torpor—loosely defined as smaller reductions in metabolism and smaller fluctuations in body temperature—as the need arises, suggesting that torpor has more functions than scientists previously realized.

“It’s extremely complicated,” says comparative physiologist Fritz Geiser of the University of New England in Australia. “It’s much more interesting than homeothermy.”

Australian eastern long-eared bats, for example, adjust their torpor use based on day-to-day changes in weather conditions. Mari Aas Fjelldal, a bat biologist at the Norwegian University of Life Sciences and the University of Helsinki, used tiny transmitters to measure skin temperatures as 37 free-ranging bats in Australia went about their daily lives. Like many heterothermic species, the bats spent more time in torpor when it was cold, but they also sank into torpor more often as rain and wind speeds picked up, Fjelldal and colleagues reported in Oecologia in 2021. This hunkering down makes sense, says Fjelldal: Wind and rain make flying more energetically demanding—a big problem when you weigh less than a small packet of M&M’s—and make it more costly to find the insects the bats eat.

There are even reports of pregnant hoary bats entering torpor during unpredictable spring storms, a physiological maneuver that basically pauses their pregnancies. “It means that they can, to some degree, actually decide a bit when to give birth,” says Fjelldal, “which is really handy when you’re living in an environment that can be quite harsh in the spring.” Fjelldal, who wasn’t involved in that study, notes that producing milk is expensive metabolically, so it’s advantageous to give birth when food availability is good.

Other animals, like sugar gliders—tiny, pink-nosed marsupials that “fly” through the trees using wing-like folds of skin—rarely use torpor but seem able to take advantage of it in the case of major weather emergencies. During a storm with category 1 cyclone winds of nearly 100 kilometers per hour and 9.5 centimeters of rain falling in a single night, the gliders were more likely to stay cuddled up in their tree-hole nests, and many entered torpor, reducing body temperature from 94.1°F (34.5°C) to an average of about 66°F (19°C), Geiser and colleagues found.

Similarly, in response to an accidental flooding event in the lab, researchers observed a highly unusual period of multiday torpor in a golden spiny mouse, its temperature reaching a low of about 75°F (24°C).

This more flexible use of torpor can help heterotherms wait out a catastrophe, Geiser says. In contrast, homeothermic species can’t just dial back their need for food and water and may not be able to outlast challenging conditions.

“Maybe there’s no food, maybe no water, it may be really warm,” says ecophysiologist Julia Nowack of Liverpool John Moores University in England, a coauthor on the sugar glider study. Torpor, especially in the tropics, has “lots of different triggers.”

Threats of a different sort, such as the presence of predators, can also prompt hunkering down. The (perhaps perfectly named) edible dormouse, for example, sometimes enters long periods of torpor in early summer. At first, this behavior puzzled researchers—why snooze away the summer, when temperatures are comfortable and food abundant, especially if it meant forgoing the chance to reproduce?

After looking at years of data collected by various scientists, a pair of researchers concluded that because spring and early summer are especially active periods for owls, these small snackable critters were likely opting to spend their nights torpid, safely hidden in underground burrows, to avoid becoming dinner. In what is thought to be a similar strategy to avoid nocturnal predators, Fjelldal’s bats alter their torpor use slightly depending on the phase of the moon, spending more time torpid as the moon grows fuller and they become easier to spot.

The fat-tailed dunnart, a mouse-like carnivorous marsupial native to Australia, is a third species to lie low when it feels more at risk of being eaten. In one study, researchers placed dunnarts in two types of enclosures: Some had lots of ground cover in the form of plastic sheeting, simulating an environment protected from predators, while other enclosures had little cover, simulating a greater risk of predation. In the higher-risk settings, the animals foraged less and their body temperatures became more variable.

Levesque, who has studied similar non-torpor temperature flexibility in large tree shrews, says that even small variations in body temperature can be important for saving water and energy.

Indeed, water loss during hot weather can pose serious risks to many mammals, and heterothermy is an important conservation tool for some. As Blagden observed, people are marvelously capable of maintaining stable temperatures even in horrifically hot environments, due in large part to our sweating abilities. But this isn’t necessarily a good strategy for smaller mammals—such evaporative cooling in a sweltering climate can quickly lead to dehydration.

Instead, creatures like Madagascar’s leaf-nosed bats use torpor. On warm days, the bats enter mini bouts of torpor lasting just a few minutes. But during especially hot days, the bats become torpid for up to seven hours, reducing their metabolism to less than 25 percent of normal and allowing their body temperature to rise as high as 109.2°F (42.9°C). And in an experiment with ringtail possums, slightly raising their body temperature by about 3°C (5.4°F) during a simulated heat wave saved the animals an estimated 10 grams of water per hour — a lot for a creature weighing less than 800 grams.

This heterothermic way of life gives some animals a bit of a buffer when it comes to coping with variability in their environments, says physiological ecologist Liam McGuire of the University of Waterloo in Ontario, Canada. But it can only do so much, he says; heterothermy is unlikely to exempt them from the challenge of rapidly evolving weather conditions brought by climate change.

As for Blagden, he saw the human body as remarkable in its capacity to maintain a steady temperature, even by “generating cold” when ambient temperatures climbed too high. Today, however, scientists are beginning to appreciate that for many mammals, allowing body temperature to be a bit more flexible may be key to survival as well.

This story originally appeared at Knowable Magazine

Knowable Magazine explores the real-world significance of scholarly work through a journalistic lens.

Ford is recalling 4.3 million trucks and SUVs to fix a towing software bug

Last year, Ford set a new industry record: It issued 152 safety recalls, almost twice the previous high set by General Motors back in 2014. More than 24 million vehicles were recalled in the US last year, and more than half—13 million—were either Fords or Lincolns. By contrast, Tesla issued 11 recalls, affecting just 745,000 vehicles.

Truth be told, Ford’s not doing too hot in 2026, either; it’s currently leading the National Highway Traffic Safety Administration’s chart for recalls this year, with 10 on the books already. The latest is a big one, affecting almost 4.4 million trucks, vans, and SUVs.

The recall affects the Ford Maverick (model years 2022–2026), Ford Ranger (MY 2024–2026), Ford Expedition (MY 2022–2026), Ford E-Transit (MY 2026), Ford F-150 (MY 2021–2026), Ford F-250 SD (MY 2022–2026), and the Lincoln Navigator (MY 2022–2026). Just the F-150s alone number 2.3 million.

The problem is with the vehicles’ integrated trailer module, which allows the trailer’s lights and brakes to work in conjunction with those of the towing vehicle. According to the recall notice, a “software vulnerability within the ITRM allows for a potential race condition to occur between the ITRM and the CAN Standy [sic] Control bit (STBCC) during initial power-up.” If that happens, the trailer will have no lights or brakes, and you’ll get a pop-up alert on the main instrument display.

New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises

CLOWNS TO THE LEFT, JOKERS TO THE RIGHT

That guest network you set up for your neighbors may not be as secure as you think.

Credit: Getty Image | BlackJack3D

It’s hard to overstate the role that Wi-Fi plays in virtually every facet of life. The organization that shepherds the wireless protocol says that more than 48 billion Wi-Fi-enabled devices have shipped since it debuted in the late 1990s. One estimate pegs the number of individual users at 6 billion, roughly 70 percent of the world’s population.

Despite the dependence and the immeasurable amount of sensitive data flowing through Wi-Fi transmissions, the history of the protocol has been littered with security landmines stemming both from the inherited confidentiality weaknesses of its networking predecessor, Ethernet (it was once possible for anyone on a network to read and modify the traffic sent to anyone else), and the ability for anyone nearby to receive the radio signals Wi-Fi relies on.

Ghost in the machine

In the early days, public Wi-Fi networks often resembled the Wild West, where ARP spoofing attacks that allowed renegade users to read other users’ traffic were common. The solution was to build cryptographic protections that prevented nearby parties—whether an authorized user on the network or someone near the AP (access point)—from reading or tampering with the traffic of any other user.

New research shows that behaviors that occur at the very lowest levels of the network stack make encryption—in any form, not just the forms that have been broken in the past—incapable of providing client isolation, an encryption-enabled protection promised by all router makers that is intended to block direct communication between two or more connected clients.

The isolation can effectively be nullified through AirSnitch, the name the researchers gave to a series of attacks that capitalize on the newly discovered weaknesses. Various forms of AirSnitch work across a broad range of routers, including those from Netgear, D-Link, Ubiquiti, Cisco, and those running DD-WRT and OpenWrt.

AirSnitch “breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks,” Xin’an Zhou, the lead author of the research paper, said in an interview. “Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning. Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It’s really a threat to worldwide network security.” Zhou presented his research on Wednesday at the 2026 Network and Distributed System Security Symposium.

Paper co-author Mathy Vanhoef said a few hours after this post went live that the attack may be better described as a Wi-Fi encryption “bypass,” “in the sense that we can bypass client isolation. We don’t break Wi-Fi authentication or encryption. Crypto is often bypassed instead of broken. And we bypass it ;)” People who don’t rely on client or network isolation, he added, are safe.

Previous Wi-Fi attacks that overnight broke existing protections such as WEP and WPA worked by exploiting vulnerabilities in the underlying encryption they used. AirSnitch, by contrast, targets a previously overlooked attack surface—the lowest levels of the networking stack, a hierarchy of architecture and protocols based on their functions and behaviors.

The lowest level, Layer-1, encompasses physical devices such as cabling, connected nodes, and all the things that allow them to communicate. The highest level, Layer-7, is where applications such as browsers, email clients, and other Internet software run. Levels 2 through 6 are known as the Data Link, Network, Transport, Session, and Presentation layers, respectively.

Identity crisis

Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs (Service Set Identifiers). This cross-layer identity desynchronization is the key driver of AirSnitch attacks.

The most powerful such attack is a full, bidirectional machine-in-the-middle (MitM) attack, meaning the attacker can view and modify data before it makes its way to the intended recipient. The attacker can be on the same SSID, a separate one, or even a separate network segment tied to the same AP. It works against small Wi-Fi networks in both homes and offices and large networks in enterprises.

With the ability to intercept all link-layer traffic (that is, the traffic as it passes between Layers 1 and 2), an attacker can perform other attacks on higher layers. The most dire consequence occurs when an Internet connection isn’t encrypted—something that Google recently estimated applies to as much as 6 percent and 20 percent of pages loaded on Windows and Linux, respectively. In these cases, the attacker can view and modify all traffic in the clear and steal authentication cookies, passwords, payment card details, and any other sensitive data. Since much company intranet traffic is also sent in plaintext, it can be intercepted as well.

Even when HTTPS is in place, an attacker can still intercept domain look-up traffic and use DNS cache poisoning to corrupt tables stored by the target’s operating system. The AirSnitch MitM also puts the attacker in the position to wage attacks against vulnerabilities that may not be patched. Attackers can also see the external IP addresses hosting webpages being visited and often correlate them with the precise URL.

Given the range of possibilities it affords, AirSnitch gives attackers capabilities that haven’t been possible with other Wi-Fi attacks, including KRACK from 2017 and 2019 and more recent Wi-Fi attacks that, like AirSnitch, inject data (known as frames) into remote GRE tunnels and bypass network access control lists.

“This work is impressive because unlike other frame injection methods, the attacker controls a bidirectional flow,” said HD Moore, a security expert and the founder and CEO of runZero.

He continued:

This research shows that a wireless-connected attacker can subvert client isolation and implement full relay attacks against other clients, similar to old-school ARP spoofing. In a lot of ways, this restores the attack surface that was present before client isolation became common. For folks who lived through the chaos of early wireless guest networking rollouts (planes, hotels, coffee shops) this stuff should be familiar, but client isolation has become so common, these kinds of attacks may have fallen off people’s radar.

Stuck in the middle with you

The MitM targets Layers 1 and 2 and the interaction between them. It starts with port stealing, one of the earliest classes of attack against Ethernet, adapted here to work against Wi-Fi. An attacker carries it out by modifying the Layer-1 mapping that associates a network port with a victim’s MAC—a unique address that identifies each connected device. By connecting to the BSSID that bridges the AP to a radio frequency the target isn’t using (usually 2.4 GHz or 5 GHz) and completing a Wi-Fi four-way handshake, the attacker replaces the target’s MAC with one of their own.

The attacker spoofs the victim’s MAC address on a different NIC, causing the internal switch to mistakenly associate the victim’s address with the attacker’s port/BSSID. As a result, frames intended for the victim are forwarded to the attacker and encrypted using the attacker’s PTK. Credit: Zhou et al.

In other words, the attacker connects to the Wi-Fi network using the target’s MAC and then receives the target’s traffic. With this, an attacker obtains all downlink traffic (data sent from the router) intended for the target. Once the switch at Layer-2 sees the response, it updates its MAC address table to preserve the new mapping for as long as the attacker needs.

This completes the first half of the MitM, allowing all data to flow to the attacker. That alone would result in little more than a denial of service for the target. To prevent the target from noticing—and more importantly, to gain the bidirectional MitM capability needed to perform more advanced attacks—the attacker needs a way to restore the original mapping (the one assigning the victim’s MAC to the Layer-1 port). An attacker performs this restoration by sending an ICMP ping from a random MAC. The ping, which must be encrypted under the Group Temporal Key (GTK) shared among all clients, triggers replies that cause the Layer-1 mapping (i.e., port states) to revert to the original one.

“In a normal Layer-2 switch, the switch learns the MAC of the client by seeing it respond with its source address,” Moore explained. “This attack confuses the AP into thinking that the client reconnected elsewhere, allowing an attacker to redirect Layer-2 traffic. Unlike Ethernet switches, wireless APs can’t tie a physical port on the device to a single client; clients are mobile by design.”

The back-and-forth flipping of the MAC from the attacker to the target, and vice versa, can continue for as long as the attacker wants. With that, the bidirectional MitM has been achieved. Attackers can then perform a host of other attacks, both related to AirSnitch or ones such as the cache poisoning discussed earlier. Depending on the router the target is using, the attack can be performed even when the attacker and target are connected to separate SSIDs connected by the same AP. In some cases, Zhou said, the attacker can even be connected from the Internet.
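The on-the-wire signature of the loop described above is a single client MAC whose learned port/BSSID oscillates rapidly, which is not how ordinary roaming or band steering looks. The following detection heuristic is an added example, not code from the researchers or any vendor; it runs over constructed MAC-learning events of the kind an AP controller or switch might log (timestamp, MAC, learned port), and the thresholds are assumptions to tune per network.

```python
"""Flag MAC-to-port flapping, the observable pattern of port stealing.

Added example with constructed input; not part of the AirSnitch paper."""
from collections import defaultdict, deque

# Constructed MAC-learning events: (timestamp_seconds, client_mac, port_or_bssid)
SAMPLE_EVENTS = [
    (0.0,  "aa:bb:cc:00:00:01", "wlan0-5g"),   # victim associates on the 5 GHz BSSID
    (0.5,  "aa:bb:cc:00:00:02", "wlan0-5g"),   # unrelated client
    (10.0, "aa:bb:cc:00:00:01", "wlan1-2g"),   # victim MAC suddenly learned on 2.4 GHz BSSID
    (10.2, "aa:bb:cc:00:00:01", "wlan0-5g"),   # mapping reverts (restoration step)
    (10.4, "aa:bb:cc:00:00:01", "wlan1-2g"),   # and flips again...
    (10.6, "aa:bb:cc:00:00:01", "wlan0-5g"),
    (60.0, "aa:bb:cc:00:00:02", "wlan1-2g"),   # one legitimate band-steer move
]


def find_flapping_macs(events, window=5.0, min_moves=3):
    """Return {mac: max_moves_in_window} for MACs whose learned port changed
    at least `min_moves` times inside any sliding window of `window` seconds.

    A single move is normal client mobility; repeated oscillation between
    two ports within seconds is what to alert on. Thresholds are assumptions.
    """
    last_port = {}                 # mac -> most recently learned port
    moves = defaultdict(deque)     # mac -> timestamps of port changes in window
    flagged = {}
    for ts, mac, port in sorted(events):
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue               # first sighting or no change: not a move
        q = moves[mac]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop moves older than the window
        if len(q) >= min_moves:
            flagged[mac] = max(flagged.get(mac, 0), len(q))
    return flagged


if __name__ == "__main__":
    for mac, count in find_flapping_macs(SAMPLE_EVENTS).items():
        print(f"ALERT: {mac} changed port {count} times within 5s (possible port stealing)")
```

A real deployment would read the events from controller syslog or a switch's MAC-move notifications; correlating the flapping MAC with the second BSSID or port it keeps appearing on points at where the spoofed association is coming from.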

“Even when the guest SSID has a different name and password, it may still share parts of the same internal network infrastructure as your main Wi-Fi,” the researcher explained. “In some setups, that shared infrastructure can allow unexpected connectivity between guest devices and trusted devices.”

No, enterprise defenses won’t protect you

Variations of the attack defeat the client isolation promised by makers of enterprise routers, which typically use credentials and a master encryption key that are unique to each client. One such attack works across multiple APs when they share a wired distribution system, as is common in enterprise and campus networks.

In their paper, AirSnitch: Demystifying and Breaking Client Isolation in Wi-Fi Networks, the researchers wrote:

Although port stealing was originally devised for hosts on the same switch, we show that attackers can hijack MAC-to-port mappings at a higher layer, i.e., at the level of the distribution switch—to intercept traffic to victims associated with different APs. This escalates the attack beyond its traditional limits, breaking the assumption that separate APs provide effective isolation.

This discovery exposes a blind spot in client isolation: even physically separated APs, broadcasting different SSIDs, offer ineffective isolation if connected to a common distribution system. By redirecting traffic at the distribution switch, attackers can intercept and manipulate victim traffic across AP boundaries, expanding the threat model for modern Wi-Fi networks.

The researchers demonstrated that their attacks can be used to break RADIUS, a centralized authentication protocol for enhanced security in enterprise networks. “By spoofing a gateway MAC and connecting to an AP,” the researchers wrote, “an attacker can steal uplink RADIUS packets.” The attacker can go on to crack a message authenticator that’s used for integrity protection and, from there, learn a shared passphrase. “This allows the attacker to set up a rogue RADIUS server and associated rogue WPA2/3 access point, which allows any legitimate client to connect, thereby intercepting their traffic and credentials.”

The researchers tested the following 11 devices:

  • Netgear Nighthawk x6 R8000
  • Tenda RX2 Pro
  • D-LINK DIR-3040
  • TP-LINK Archer AXE75
  • ASUS RT-AX57
  • DD-WRT v3.0-r44715
  • OpenWrt 24.10
  • Ubiquiti AmpliFi Alien Router
  • Ubiquiti AmpliFi Router HD
  • LANCOM LX-6500
  • Cisco Catalyst 9130

As noted earlier, every tested router was vulnerable to at least one attack. Zhou said that some router makers have already released updates that mitigate some of the attacks, and more updates are expected in the future. But he also said some manufacturers have told him that some of the systemic weaknesses can only be addressed through changes in the underlying chips they buy from silicon makers.

The hardware manufacturers face yet another challenge: The client isolation mechanisms vary from maker to maker. With no industry-wide standard, these one-off solutions are splintered and may not receive the concerted security attention that formal protocols are given.

So how bad is AirSnitch, really?

With a basic understanding of AirSnitch, the next step is to put it into historical context and assess how big a threat it poses in the real world. In some respects, it resembles the 2007 PTW attack (named for its creators Andrei Pyshkin, Erik Tews, and Ralf-Philipp Weinmann) that completely and immediately broke WEP, leaving Wi-Fi users everywhere with no means to protect themselves against nearby adversaries. For now, client isolation is similarly defeated—almost completely and overnight—with no immediate remedy available.

At the same time, the bar for waging WEP attacks was significantly lower, since it was available to anyone within range of an AP. AirSnitch, by contrast, requires that the attacker already have some sort of access to the Wi-Fi network. For many people, that may mean steering clear of public Wi-Fi networks altogether.

If the network is properly secured—meaning it’s protected by a strong password that’s known only to authorized users—AirSnitch may not be of much value to an attacker. The nuance here is that even if an attacker doesn’t have access to a specific SSID, they may still use AirSnitch if they have access to other SSIDs or BSSIDs that use the same AP or other connecting infrastructure.

Yet another difference from the PTW attack, and from the later attacks that broke WPA, WPA2, and WPA3 protections, is that those were limited to hacks using terrestrial radio signals, a much more limited theater than the one AirSnitch uses. Ultimately, the AirSnitch attacks are broader but less severe.

Also unlike those previous attacks, firewall mitigations may be more problematic.

“We expand the threat model showing an attacker can be on another channel or port, or can be from the Internet,” Zhou said. “Firewalls are also networking devices. We often say a firewall is a Layer-3 device because it works at the IP layer. But fundamentally, it’s connected by wire to different network elements. That wire is not secure.”

Some of the threat can be mitigated by using VPNs, but this remedy has all the usual drawbacks that come with them. For one, VPNs are notorious for leaking metadata, DNS queries, and other traffic that can be useful to attackers, making the protection limited. And for another, finding a reputable and trustworthy VPN provider has historically proven to be vexingly difficult, though things have improved more recently. Ultimately, a VPN shouldn’t be regarded as much more than a bandage.

Another potential mitigation is using wireless VLANs to isolate one SSID from another. Zhou said such options aren’t universally available and are also “super easy to be configured wrong.” Specifically, he said VLANs can often be implemented in ways that allow “hopping vulnerabilities.” Further, Moore has argued why “VLANs are not a practical barrier” against all AirSnitch attacks.

The most effective remedy may be to adopt a security stance known as zero trust, which treats each node inside a network as a potential adversary until it provides proof it can be trusted. This model is challenging for even well-funded enterprise organizations to adopt, although it’s becoming easier. It’s not clear if it will ever be feasible for more casual Wi-Fi users in homes and smaller businesses.

Probably the most reasonable response is to exercise measured caution for all Wi-Fi networks managed by people you don’t know. When feasible, use a trustworthy VPN on public APs or, better yet, tether a connection from a cell phone.

Wi-Fi has always been a risky proposition, and AirSnitch only expands the potential for malice. Then again, the new capabilities may mean little in the real world, where evil twin attacks accomplish many of the same objectives with much less hassle.

Moore said the attacks possible before client isolation were often as simple as running ettercap or similar tools as soon as a normal Wi-Fi connection was completed. AirSnitch attacks require considerably more work, at least until someone writes an easy-to-use script that automates it.

“It will be interesting to see if the wireless vendors care enough to resolve these issues completely and if attackers care enough to put all of this together when there might be easier things to do (like run a fake AP instead),” Moore said. “At the least it should make pentesters’ lives more interesting since it re-opens a lot of exposure that many folks may not have any experience with.”


Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
