Amazon

Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

“Cleverly hidden spyware” —

Temu “surprised” by the lawsuit, plans to “vigorously defend” itself.

A person is holding a package from Temu.

Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is “dangerous malware” that’s secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.

Griffin cited research and media reports exposing Temu’s allegedly nefarious design, which “purposely” allows Temu to “gain unrestricted access to a user’s phone operating system, including, but not limited to, a user’s camera, specific location, contacts, text messages, documents, and other applications.”

“Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”

Griffin fears that Temu is capable of accessing virtually all data on a person’s phone, exposing both users and non-users to extreme privacy and security risks. It appears that anyone texting or emailing someone with the shopping app installed risks Temu accessing private data, Griffin’s suit claimed, which Temu then allegedly monetizes by selling it to third parties, “profiting at the direct expense” of users’ privacy rights.

“Compounding” risks is the possibility that Temu’s Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese “laws that mandate secret cooperation with China’s intelligence apparatus regardless of any data protection guarantees existing in the United States.”

Griffin’s suit cited an extensive forensic investigation into Temu by Grizzly Research—which analyzes publicly traded companies to inform investors—last September. In their report, Grizzly Research alleged that PDD Holdings is a “fraudulent company” and that “Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests.”

As Griffin sees it, Temu baits users with misleading promises of discounted, quality goods, angling to get access to as much user data as possible by adding addictive features that keep users logged in, like spinning a wheel for deals. Meanwhile hundreds of complaints to the Better Business Bureau showed that Temu’s goods are actually low-quality, Griffin alleged, apparently supporting his claim that Temu’s end goal isn’t to be the world’s biggest shopping platform but to steal data.

Investigators agreed, the lawsuit said, concluding “we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure.”

Seeking an injunction to stop Temu from allegedly spying on users, Griffin is hoping a jury will find that Temu’s alleged practices violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act. If Temu loses, it could be on the hook for $10,000 per violation of the ADTPA and ordered to disgorge profits from data sales and deceptive sales on the app.

Temu “surprised” by lawsuit

The company that owns Temu, PDD Holdings, was founded in 2015 by a former Google employee, Colin Huang. It was originally based in China, but after security concerns were raised, the company relocated its “principal executive offices” to Ireland, Griffin’s complaint said. This, Griffin suggested, was intended to distance the company from debate over national security risks posed by China, but because the majority of its business operations remain in China, risks allegedly remain.

PDD Holdings’ relocation came amid heightened scrutiny of Pinduoduo, the Chinese app on which Temu’s shopping platform is based. Last year, Pinduoduo came under fire for privacy and security risks that got the app suspended from Google Play as suspected malware. Experts said Pinduoduo took security and privacy risks “to the next level,” the lawsuit said. And “around the same time,” Apple’s App Store also flagged Temu’s data privacy terms as misleading, further heightening scrutiny of two of PDD Holdings’ biggest apps, the complaint noted.

Researchers found that Pinduoduo “was programmed to bypass users’ cell phone security in order to monitor activities on other apps, check notifications, read private messages, and change settings,” the lawsuit said. “It also could spy on competitors by tracking activity on other shopping apps and getting information from them,” as well as “run in the background and prevent itself from being uninstalled.” The motivation behind the malicious design was apparently “to boost sales.”

According to Griffin, the same concerns that got Pinduoduo suspended last year remain today for Temu users, but the App Store and Google Play have allegedly failed to take action to prevent unauthorized access to user data. Within a year of Temu’s launch, the “same software engineers and product managers who developed Pinduoduo” allegedly “were transitioned to working on the Temu app.”

Google and Apple did not immediately respond to Ars’ request for comment.

A Temu spokesperson provided a statement to Ars disputing Grizzly Research’s investigation and confirming that the company was “surprised and disappointed by the Arkansas Attorney General’s Office for filing the lawsuit without any independent fact-finding.”

“The allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded,” Temu’s spokesperson said. “We categorically deny the allegations and will vigorously defend ourselves.”

While Temu plans to defend against the claims, the company also seems open to making changes based on the criticism in Griffin’s complaint.

“We understand that as a new company with an innovative supply chain model, some may misunderstand us at first glance and not welcome us,” Temu’s spokesperson said. “We are committed to the long-term and believe that scrutiny will ultimately benefit our development. We are confident that our actions and contributions to the community will speak for themselves over time.”

VMware customers may stay, but Broadcom could face backlash “for years to come”

“The emotional shock has started to metabolize” —

300 director-level IT workers making VMware decisions were questioned.

After acquiring VMware, Broadcom swiftly enacted widespread changes that drew strong public backlash. A new survey of 300 director-level IT workers at North American companies that are VMware customers provides insight into how customers are reacting to Broadcom’s overhaul.

The survey released Thursday doesn’t capture every VMware customer, but it’s the first time we’ve seen responses from IT decision-makers at companies paying for VMware products. It echoes concerns raised when some of Broadcom’s more controversial changes to VMware were announced, such as the end of perpetual licenses and rising costs.

CloudBolt Software commissioned Wakefield Research, a market research agency, to run the study from May 9 through May 23. The “CloudBolt Industry Insights Reality Report: VMware Acquisition Aftermath” includes responses from workers at 150 companies with fewer than 1,000 workers and 150 companies with more than 1,000 workers. Survey respondents were invited via email and took the survey online, with the report authors writing that results are subject to sampling variation of ±5.7 percentage points at a 95 percent confidence level.

Notably, Amazon Web Services (AWS) commissioned the report in partnership with CloudBolt. AWS’s partnership with VMware hit a road bump last month when Broadcom stopped allowing AWS to resell the VMware Cloud on AWS offering—a move that AWS said “disappointed it.” Kyle Campos, CloudBolt CTPO, told Ars Technica that the full extent to which AWS was involved in this report was helping underwrite the cost of research. But you can see why AWS would have interest in customer dissatisfaction with VMware.

Widespread worry

Every person surveyed said that they expect VMware prices to rise under Broadcom. In a March “User Group Town Hall,” attendees complained about “price rises of 500 and 600 percent,” according to The Register. We heard in February from ServeTheHome that “smaller” cloud service providers were claiming to see costs grow tenfold. In this week’s survey, 73 percent of respondents said they expect VMware prices to more than double. Twelve percent of respondents expect a price hike of 301 to 500 percent. Only 1 percent anticipate price hikes of 501 to 1,000 percent.

“At this juncture post-acquisition, most larger enterprises seem to have a clear understanding of how their next procurement cycle with Broadcom will be impacted from a pricing and packaging standpoint,” the report noted.

Further, 95 percent of survey respondents said they view Broadcom buying VMware as disruptive to their IT strategy, with 46 percent considering it extremely or very disruptive.

Widespread concerns about cost and IT strategy help explain why 99 percent of the 300 respondents said they are concerned about Broadcom owning VMware, with 46 percent being “very concerned” and 30 percent “extremely concerned.”

Broadcom didn’t respond to Ars’ request for comment.

Not jumping ship yet

Despite widespread anxiety over Broadcom’s VMware, most respondents said they will likely stay with VMware either partially (43 percent) or fully (40 percent). Smaller shares said they would move more workloads to the public cloud (38 percent), move to a different hypervisor (34 percent), or move entirely to the public cloud (33 percent). That’s despite 69 percent of respondents having at least one VMware contract expiring within the next 12 months.

Many companies have already migrated easy-to-move workloads to the public cloud, CloudBolt’s Campos said in a statement. For many firms surveyed, what’s left in the data center “is a mixture of workloads requiring significant modernization or compliance bound to the data center,” including infrastructure components that have been in place for decades. Campos noted that many mission-critical workloads remain in the data center, and moving them is “daunting with unclear ROI.”

“The emotional shock has started to metabolize inside of the Broadcom customer base, but it’s metabolized in the form of strong commitment to mitigating the negative impacts of the Broadcom VMware acquisition,” Campos told Ars Technica.

Resistance to ditching VMware reflects how “embedded” VMware is within customer infrastructures, the CloudBolt exec told Ars, adding:

In many cases, the teams responsible for purchasing, implementing, and operating VMware have never even considered an alternative prior to this acquisition; it’s the only operating reality they know and they are used to buying out of this problem.

Top reasons cited for considering abandoning VMware partially or totally were uncertainty about Broadcom’s plans, concerns about support quality under Broadcom, and changes to relationships with channel partners (each named by 36 percent of respondents).

Following closely were the shift to subscription licensing (34 percent), expected price increases (33 percent), and personal negative experiences with Broadcom (33 percent). Broadcom’s history with big acquisitions like Symantec and CA Technologies also has 32 percent of those surveyed considering leaving VMware.

Although many firms seem to be weighing their options before potentially leaving VMware, Campos warned that Broadcom could see backlash continue “for months and even years to come,” considering the areas of concern cited in the survey and how all VMware offerings are near-equal candidates for eventual nixing.

Prime Video subs will soon see ads for Amazon products when they hit pause

Amazon’s ad affinity —

Amazon is adding three types of shoppable ads to Prime Video’s ad tier.

A scene from the Prime Video original series Fallout.

Amazon Prime Video subscribers will see new types of advertisements this broadcast year. Amazon announced today that it’s adding new ad formats to its video streaming service, hoping to encourage people to interact with the ads and shop on Amazon.

Since January, Prime Video streams have included commercials unless subscribers pay $3 extra per month. That means watching Prime Video ad-free costs $12 per month for a standalone Prime Video subscription, or $18 per month as part of a full Prime subscription.

New types of Prime Video ads

Amazon has heightened focus on streaming ads this year. Those who opted for Prime Video with commercials will soon see shoppable carousel ads, interactive pause ads, and interactive brand trivia ads, as Amazon calls them. Amazon said that advertisers could buy these new displays to be shown “across the vast majority of content on Prime Video, wherever it’s streamed.” All the new ad formats allow a viewer to place advertised products in their Amazon cart.

With carousel ads, subscribers will be pushed to shop “a sliding lineup of” products during ad breaks during shows and movies, Amazon said, adding: “The ad automatically pauses so that customers can browse, and automatically resumes play when ad interaction has stopped.”

The pause ads will be visible during Prime Video TV shows, movies, and live sports. These types of ads have been around since Hulu introduced them in 2019. Since they can show up whenever someone hits the pause button, these displays mean that Prime Video users will see ads beyond their scheduled breaks.

In Prime Video’s case, pausing the program will bring up “a translucent ad featuring brand messaging and imagery, along with an ‘Add to Cart’ and ‘Learn More’” overlay, per Amazon. Advertisers can also use pause ads to collect email addresses from viewers who volunteer them (so viewers can “get more information,” per Amazon).

Amazon trivia-themed ads will also appear during shows, movies, and live sports. The ad will try to sell stuff by offering “rewards like Amazon shopping credits.”

Amazon’s ad business is growing

Amazon is already one of the three biggest digital advertising firms (in addition to Alphabet and Meta). But its interest in using its streaming service to sell ad space has grown as ad dollars continue shifting away from linear, traditional TV platforms. The streaming industry has been trying to capitalize on advertisers’ growing interest with new ad types that users can shop from. Amazon research from 2023 claims that interactive ads increase product page views and conversions for products sold on Amazon tenfold.

On the other hand, Amazon has not released research publicly on how much constant ad viewing can impact the user experience or interest in a streaming service.

Still, Amazon claimed today that Prime Video ads reach an average of 200 million people monthly. Amazon hasn’t provided a firm figure on how many Prime Video subscribers it currently has overall, however. In 2021, Amazon said that Prime, which includes Prime Video, had 200 million subscribers.

Amazon has, however, boasted about how well it is selling ads recently. In its Q1 2024 earnings report released on April 30, Amazon said its ad business grew 24 percent year over year. Most of Amazon’s ad dollars come from its retail business, as The Hollywood Reporter noted, but in a statement at the time, Amazon CEO and President Andy Jassy noted that Prime Video was also a contributor.

According to a Hub Media Entertainment survey of 6,338 US TV viewers aged 16 to 74 who watch at least one hour of TV per week, conducted from January to March 2024, 85 percent of Prime Video subscribers in the sample are on Amazon’s ad tier. (Amazon hasn’t confirmed those figures.) The survey claims that Amazon has a higher ratio of ad-supported to ad-free subscribers than any other video-streaming service examined, including Netflix, Max, and Hulu. But it’s worth noting that Amazon automatically moved all Prime Video subscribers to its ad tier in January, while others, like Netflix, introduced ad tiers as a new option to sign up for.

A fine line

Like all streamers, Amazon is toeing a fine line between using ads to boost the average revenue it makes per user and aggravating subscribers to the point of cancellation.

Amazon is already facing a lawsuit regarding ads on Prime Video that seeks class-action certification and was filed by people who purchased annual subscriptions.

Two giants in the satellite telecom industry join forces to counter Starlink

M&A —

SES is buying Intelsat, the world’s first commercial satellite operator, for $3.1 billion.

The Intelsat 901 satellite is seen by a Northrop Grumman servicing vehicle in 2020.

Facing competition from Starlink and other emerging satellite broadband networks, the two companies that own most of the traditional commercial communications spacecraft in geostationary orbit announced plans to join forces Tuesday.

SES, based in Luxembourg, will buy Intelsat for $3.1 billion. The acquisition will create a combined company boasting a fleet of some 100 multi-ton satellites in geostationary orbit, a ring of spacecraft located more than 22,000 miles (nearly 36,000 kilometers) over the equator. This will be more than twice the size of the fleet of the next-largest commercial geostationary satellite operator.

The problem is that demand is waning for communication services through large geostationary (GEO) satellites. There are some large entrenched customers, like video media companies and the military, that will continue to buy telecom capacity on geostationary satellites. But there’s a growing demand among consumers, and some segments of the corporate and government markets, for the types of services offered by constellations of smaller satellites flying closer to Earth.

The biggest of these constellations, by far, is SpaceX’s Starlink network, with more than 5,800 active satellites in its low-Earth orbit fleet a few hundred miles above Earth. Each of the Starlink satellites is smaller than a conventional geostationary platform, but linked together with laser communication terminals, thousands of these spacecraft pack enough punch to eclipse the capacity of internet networks anchored by geostationary satellites. Starlink now has more than 2.6 million subscribers, according to SpaceX.

Satellites in low-Earth orbit (LEO) offer some advantages over geostationary satellites. Because they are closer to users on the ground, low-Earth orbit satellites provide signals with lower latency. The satellites for these constellations can be mass-produced at relatively low cost, compared to a single geostationary satellite, which often costs $250 million or more to build and launch.

“In a fast-moving and competitive satellite communication industry, this transaction expands our multi-orbit space network, spectrum portfolio, ground infrastructure around the world, go-to-market capabilities, managed service solutions, and financial profile,” said Adel Al-Saleh, CEO of SES, in a statement announcing the acquisition of Intelsat.

A trend of consolidation

Some of the largest legacy operators in geostationary orbit have made moves over the last decade to respond to the new competition.

The only operational low-Earth orbit internet constellation besides Starlink was launched by OneWeb, which primarily sells capacity to existing internet providers, who then distribute services to individual consumers. This is in contrast to SpaceX’s approach with Starlink providing services direct to homes and businesses.

Eutelsat, the third-largest operator of geostationary satellites, merged with OneWeb last year, creating a company with a blended offering of GEO and LEO services. Viasat, a pioneer in satellite internet services using dedicated spacecraft in geostationary orbit, last year purchased Inmarsat, which specialized in providing connectivity to airplanes and ships.

SES’s acquisition of Intelsat stands apart due to the size of their satellite fleets. Founded in 1985, SES currently operates 43 geostationary satellites, plus 26 broadband spacecraft in medium-Earth orbit (MEO) a few thousand miles above Earth. These MEO satellites operate in a kind of middle ground between LEO and GEO satellites, offering lower-latency than geostationary networks, while still flying high enough to not require hundreds or thousands of spacecraft to blanket the globe.

Intelsat has 57 geostationary satellites, primarily for television and video relay services. Al-Saleh said the combined company will offer coverage over 99 percent of the world, and provide services through a range of communication bands. For now, LEO broadband satellites in the Starlink and OneWeb networks beam signals to user terminals in Ku-band.

Al-Saleh said the combined networks of SES and Intelsat will span Ka-band, Ku-band, X-band, C-band, UHF, and secure bands tailored for military use. “That gives us a unique position in the market place to be able to deliver to our clients,” he said.

SES and Intelsat have 13 new satellites on order, including six GEO spacecraft and seven broadband MEO satellites. Intelsat also brings to the table access to OneWeb’s LEO constellation. Earlier this year, Intelsat announced it reserved $250 million of capacity on OneWeb’s network over the next six years, with an option to purchase double that amount.

This illustration shows the relative locations of satellites in geostationary orbit, medium-Earth orbit, and low-Earth orbit.

“We will create a stronger expanded network capabilities that are multi-orbit,” Al-Saleh said in an earnings call Tuesday. “We are not just a GEO player. We are an all-orbit player.”

Internet signals coming from a GEO satellite, like a Viasat spacecraft, typically have a latency of about 600 milliseconds. Al-Saleh said SES’s O3b network in medium-Earth orbit provides signals with a latency of about 120 milliseconds. According to SpaceX, Starlink latency ranges between 25 and 60 milliseconds.

A satellite pioneer

Intelsat has a storied history. Founded in 1964 as an intergovernmental organization, Intelsat operated the first commercial communications satellite in geostationary orbit. It became a private company in 2001, then went public in 2013 before filing for bankruptcy in 2020. Intelsat emerged from bankruptcy proceedings as a private company in 2022.

“Over the past two years, the Intelsat team has executed a remarkable strategic reset,” said David Wajsgras, CEO of Intelsat, in a statement. “We have reversed a 10-year negative trend to return to growth, established a new and game-changing technology roadmap, and focused on productivity and execution to deliver competitive capabilities.”

SES and Intelsat expect the acquisition to close in the second half of 2025, pending regulatory approvals. The boards of both companies unanimously approved the transaction.

Both companies maintain hundreds of millions of dollars of business with the US government each year, and the military’s appetite for commercial satellite communications is going up. “I think many of the satellite players are seeing the benefit of that, not just us,” Al-Saleh said. “You can look at our competitors. You can look at Starlink. You can look at others. We’re all seeing an uptick in demand.”

Al-Saleh said he doesn’t foresee any roadblocks from the Pentagon or any government regulators before closing the transaction next year.

SES and Intelsat revealed last year that they were in talks to combine. According to Al-Saleh, SES looked at multiple merger or acquisition opportunities as a way to put to use a multibillion-dollar windfall from the Federal Communications Commission tied to the auction of C-band satellite spectrum for cellular networks.

“It was clear to us that this particular transaction, if we’re able to successfully close it with the right type of value, is the most compelling proposition we had on the table,” he said.

AWS S3 storage bucket with unlucky name nearly cost developer $1,300

Not that kind of bucket list —

Amazon says it’s working on stopping others from “making your AWS bill explode.”

A blue bucket, held by red and yellow brackets, being continuously filled and overflowing

Be careful with the buckets you put out there for anybody to fill.

Getty Images

If you’re using Amazon Web Services and your S3 storage bucket can be reached from the open web, you’d do well not to pick a generic name for that space. Avoid “example,” skip “change_me,” don’t even go with “foo” or “bar.” Someone else with the same “change this later” thinking can cost you a MacBook’s worth of cash.

Ask Maciej Pocwierz, who just happened to pick an S3 name that “one of the popular open-source tools” used for its default backup configuration. After setting up the bucket for a client project, he checked his billing page and found nearly 100 million unauthorized attempts to create new files on his bucket (PUT requests) within one day. The bill was over $1,300 and counting.

Nothing, nothing, nothing, nothing, nothing … nearly 100 million unauthorized requests.

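If you want to see where traffic like that is coming from rather than discovering it on the billing page, S3 server access logs record every request, denied ones included. The following is an added example, not code from the article or from Pocwierz’s post: it parses constructed log lines in the documented S3 access-log layout and counts denied object PUTs per source IP and user agent. It assumes server access logging is enabled on the bucket; the IPs, request IDs, user agents and owner ID are placeholders.

```python
"""Added example, not code from the article or from Pocwierz's post: sift S3
server access logs for object PUTs that were denied, grouped by source.

Assumes server access logging is enabled on the bucket. The log lines below
are constructed to follow the documented S3 access-log field order; the IPs,
IDs and user agents are placeholders, not real traffic."""
from collections import Counter

# Constructed sample log (not real data). Field order: owner, bucket, [time],
# remote IP, requester, request ID, operation, key, "request-URI", status,
# error code, bytes sent, object size, total time, turnaround, "referer",
# "user agent", version ID, host ID.
SAMPLE_LOG = """\
79a59df9 example-backups [06/Mar/2024:10:00:01 +0000] 192.0.2.10 - REQ1 REST.PUT.OBJECT backup/db.tar.gz "PUT /backup/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "backup-tool/1.0" - HOST1
79a59df9 example-backups [06/Mar/2024:10:00:02 +0000] 192.0.2.10 - REQ2 REST.PUT.OBJECT backup/db2.tar.gz "PUT /backup/db2.tar.gz HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "backup-tool/1.0" - HOST1
79a59df9 example-backups [06/Mar/2024:10:00:03 +0000] 198.51.100.7 - REQ3 REST.PUT.OBJECT data/x.bin "PUT /data/x.bin HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "aws-sdk-go/1.44" - HOST1
79a59df9 example-backups [06/Mar/2024:10:00:04 +0000] 203.0.113.5 arn:aws:iam::111122223333:user/deploy REQ4 REST.PUT.OBJECT site/index.html "PUT /site/index.html HTTP/1.1" 200 - - 5120 40 20 "-" "aws-cli/2.15" - HOST1
79a59df9 example-backups [06/Mar/2024:10:00:05 +0000] 192.0.2.10 - REQ5 REST.GET.OBJECT backup/db.tar.gz "GET /backup/db.tar.gz HTTP/1.1" 403 AccessDenied 243 - 7 - "-" "backup-tool/1.0" - HOST1
"""

# Positions of the fields used below in the access-log layout.
REMOTE_IP, OPERATION, HTTP_STATUS, ERROR_CODE, USER_AGENT = 3, 6, 9, 10, 16


def tokenize(line):
    """Split one access-log line into fields, keeping [...] and "..." whole."""
    fields, i, n = [], 0, len(line)
    while i < n:
        ch = line[i]
        if ch == " ":
            i += 1
        elif ch == "[":
            j = line.index("]", i)
            fields.append(line[i + 1:j])
            i = j + 1
        elif ch == '"':
            j = line.index('"', i + 1)
            fields.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            fields.append(line[i:j])
            i = j
    return fields


def denied_puts(log_text):
    """Count denied (HTTP 403) object PUTs per (remote IP, user agent).

    GETs and successful PUTs are ignored; what remains is the traffic the
    article describes, requests you never authorized but were billed for."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = tokenize(line)
        if f[OPERATION].startswith("REST.PUT") and f[HTTP_STATUS] == "403":
            hits[(f[REMOTE_IP], f[USER_AGENT])] += 1
    return hits


if __name__ == "__main__":
    for (ip, agent), n in denied_puts(SAMPLE_LOG).most_common():
        print(f"{n:>8}  {ip:<15} {agent}")
```

On real logs the user agent column is usually the quickest way to identify which tool is misconfigured on the other side, which is what Pocwierz needed in order to contact its maintainers.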
“All this actually happened just a few days after I ensured my client that the price for AWS services will be negligible, like $20 at most for the entire month,” Pocwierz wrote over chat. “I explained the situation is very unusual but it definitely looked as if I didn’t know what I’m doing.”

Pocwierz declined to name the open source tool that inadvertently bum-rushed his S3 account. In a Medium post about the matter, he described a second problem with the same unlucky default. After turning on public writes, he collected more than 10GB of data in less than 30 seconds. Other people’s data, that is, and they had no idea that Pocwierz was collecting it.

Some of that data came from companies with customers, which is part of why Pocwierz is keeping the specifics under wraps. He wrote to Ars that he contacted some of the companies that either tried or successfully backed up their data to his bucket, and “they completely ignored me.” “So now instead of having this fixed, their data is still at risk,” Pocwierz writes. “My lesson is if I ever run a company, I will definitely have a bug bounty program, and I will treat such warnings seriously.”
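The “public writes” setting that let other people’s backups land in Pocwierz’s bucket is a bucket policy granting s3:PutObject to everyone. The following is an added example, not code from the article: it shows a constructed policy with that weak setting beside a corrected one that restricts writes to a single role, and a small check that flags the public-write statements. The account ID, role name and bucket name are placeholders.

```python
"""Added example, not code from the article: spot bucket policy statements
that let anyone upload objects, with the locked-down policy beside them.

The policies are constructed; the account ID, role and bucket name are
placeholders."""
import json
from fnmatch import fnmatchcase

# Weak setting: the "public writes" the article describes. Anyone on the
# internet can PUT objects into the bucket, and the owner pays for each one.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanUpload",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Corrected: only one role in the owning account may write.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyBackupRoleCanUpload",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
        "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """'*' or {"AWS": "*"} means every AWS account plus anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def grants_put(actions):
    """IAM action names are case-insensitive and may use * and ? wildcards."""
    return any(fnmatchcase("s3:putobject", a.lower()) for a in _as_list(actions))


def public_write_statements(policy_json):
    """Return the Sids of Allow statements granting s3:PutObject to everyone.

    Deliberately conservative: a public Allow that carries a Condition is still
    reported, because conditions such as aws:Referer are trivially satisfied by
    an outsider. NotPrincipal/NotAction forms are not handled here."""
    policy = json.loads(policy_json)
    flagged = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if principal_is_public(st.get("Principal")) and grants_put(st.get("Action", [])):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print("open policy  :", public_write_statements(OPEN_POLICY))
    print("locked policy:", public_write_statements(LOCKED_POLICY))
```

With S3 Block Public Access enabled at the account level, a policy like OPEN_POLICY is rejected when you try to attach it; a check like this is for policies that are already in place or sitting in infrastructure-as-code before deployment.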

As for Pocwierz’s accounts, both S3 and bank, it mostly ended well. An AWS representative reached out on LinkedIn and canceled his bill, he said, and was told that anybody can request refunds for excessive unauthorized requests. “But they didn’t explicitly say that they will necessarily approve it,” he wrote. He noted in his Medium post that AWS “emphasized that this was done as an exception.”

In response to Pocwierz’s story, Jeff Barr, chief evangelist for AWS at Amazon, tweeted that “We agree that customers should not have to pay for unauthorized requests that they did not initiate.” Barr added that Amazon would have more to share on how the company could prevent them “shortly.” AWS has a brief explainer and contact page on unexpected AWS charges.

The open source tool changed its default configuration after Pocwierz contacted its maintainers. Pocwierz suggested to AWS that it restrict anyone else from creating a bucket with a name like his, but he had yet to hear back. In his blog post he suggests that, rather than relying on luck, adding a random suffix to your bucket name and explicitly specifying your AWS region can help avoid massive charges like the one he narrowly dodged.
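The naming advice is easy to turn into a habit. The following is an added example, not code from the article or from Pocwierz’s post: it composes a bucket name from a project prefix, an account hint, the region and a random suffix, validates it against the S3 general-purpose bucket naming rules, and flags names built only from the kind of generic words that other people’s “change this later” configs tend to use. The prefix, account hint and region passed in are placeholders; the region pinning Pocwierz also recommends happens in the request you send to S3, not in the name.

```python
"""Added example, not code from the article or from Pocwierz's post: build a
bucket name that will not collide with someone else's default config, and
check it against the S3 general-purpose bucket naming rules.

The prefix, account hint and region used below are placeholders."""
import ipaddress
import re
import secrets

NAME_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")
# Words that tools and tutorials tend to ship as default bucket names
# (the article's "example", "change_me", "foo" and "bar" among them).
GENERIC_TOKENS = {
    "", "example", "test", "backup", "backups", "change", "me", "changeme",
    "foo", "bar", "data", "logs", "my", "bucket", "s3", "tmp", "temp", "dev",
    "prod", "staging",
}


def valid_bucket_name(name):
    """S3 general-purpose bucket rules: 3-63 chars of lowercase letters, digits,
    dots and hyphens; starts and ends alphanumeric; no '..'; not shaped like an
    IPv4 address; no reserved prefix or suffix."""
    if not NAME_RE.fullmatch(name) or ".." in name:
        return False
    try:
        ipaddress.IPv4Address(name)
        return False  # "192.168.5.4" passes the regex but is forbidden
    except ValueError:
        pass
    if name.startswith(("xn--", "sthree-", "amzn-s3-demo-")):
        return False
    if name.endswith(("-s3alias", "--ol-s3", ".mrap", "--x-s3")):
        return False
    return True


def looks_generic(name):
    """True when every word in the name is something a 'change this later'
    config elsewhere might also use, e.g. "change_me" or "my-backup-bucket"."""
    return all(t in GENERIC_TOKENS for t in re.split(r"[^a-z]+", name.lower()))


def unique_bucket_name(prefix, account_hint, region, rand_bytes=4):
    """Compose <prefix>-<account_hint>-<region>-<random hex>.

    The account hint and region tie the name to you; the random suffix keeps
    it from being guessable or from matching anyone's default."""
    parts = [p.lower() for p in (prefix, account_hint, region) if p]
    name = "-".join(parts + [secrets.token_hex(rand_bytes)])
    if not valid_bucket_name(name) or looks_generic(name):
        raise ValueError(f"unusable bucket name: {name}")
    return name


if __name__ == "__main__":
    for candidate in ("example", "change_me", "backups", "1.2.3.4"):
        print(f"{candidate:<10} valid={valid_bucket_name(candidate)!s:<5} "
              f"generic={looks_generic(candidate)}")
    print(unique_bucket_name("acme-backups", "1111", "eu-central-1"))
```

The token list is a judgment call and worth extending with whatever defaults you have seen in the tools your own teams use; the point is that a name nobody else would plausibly type is the cheapest protection against this class of bill.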

Critics question tech-heavy lineup of new Homeland Security AI safety board

Adventures in 21st century regulation —

CEO-heavy board to tackle elusive AI safety concept and apply it to US infrastructure.

A modified photo of a 1956 scientist carefully bottling

On Friday, the US Department of Homeland Security announced the formation of an Artificial Intelligence Safety and Security Board that consists of 22 members pulled from the tech industry, government, academia, and civil rights organizations. But given the nebulous nature of the term “AI,” which can apply to a broad spectrum of computer technology, it’s unclear if this group will even be able to agree on what exactly they are safeguarding us from.

President Biden directed DHS Secretary Alejandro Mayorkas to establish the board, which will meet for the first time in early May and subsequently on a quarterly basis.

The fundamental assumption posed by the board’s existence, and reflected in Biden’s AI executive order from October, is that AI is an inherently risky technology and that American citizens and businesses need to be protected from its misuse. Along those lines, the goal of the group is to help guard against foreign adversaries using AI to disrupt US infrastructure; develop recommendations to ensure the safe adoption of AI tech into transportation, energy, and Internet services; foster cross-sector collaboration between government and businesses; and create a forum where AI leaders can share information on AI security risks with the DHS.

It’s worth noting that the ill-defined nature of the term “Artificial Intelligence” does the new board no favors regarding scope and focus. AI can mean many different things: It can power a chatbot, fly an airplane, control the ghosts in Pac-Man, regulate the temperature of a nuclear reactor, or play a great game of chess. It can be all those things and more, and since many of those applications of AI work very differently, there’s no guarantee any two people on the board will be thinking about the same type of AI.

This confusion is reflected in the quotes provided by the DHS press release from new board members, some of whom are already talking about different types of AI. While OpenAI, Microsoft, and Anthropic are monetizing generative AI systems like ChatGPT based on large language models (LLMs), Ed Bastian, the CEO of Delta Air Lines, refers to entirely different classes of machine learning when he says, “By driving innovative tools like crew resourcing and turbulence prediction, AI is already making significant contributions to the reliability of our nation’s air travel system.”

So, defining the scope of what AI exactly means—and which applications of AI are new or dangerous—might be one of the key challenges for the new board.

A roundtable of Big Tech CEOs attracts criticism

For the inaugural meeting of the AI Safety and Security Board, the DHS selected a tech industry-heavy group, populated with CEOs of four major AI vendors (Sam Altman of OpenAI, Satya Nadella of Microsoft, Sundar Pichai of Alphabet, and Dario Amodei of Anthropic), CEO Jensen Huang of top AI chipmaker Nvidia, and representatives from other major tech companies like IBM, Adobe, Amazon, Cisco, and AMD. There are also reps from big aerospace and aviation: Northrop Grumman and Delta Air Lines.

Upon reading the announcement, some critics took issue with the board composition. On LinkedIn, founder of The Distributed AI Research Institute (DAIR) Timnit Gebru especially criticized OpenAI’s presence on the board and wrote, “I’ve now seen the full list and it is hilarious. Foxes guarding the hen house is an understatement.”

Critics question tech-heavy lineup of new Homeland Security AI safety board


War never changes: A Fallout fan’s spoiler-laden review of the new TV series

The nukes went off in 2077 in Fallout’s universe. The show tells us more about this event than we’ve learned from the games before. (Image: Amazon)

It’s been just over a week since the Fallout TV series premiered on Amazon Prime, and one thing’s for sure: It’s a huge hit. You can hardly open a social media app without seeing content about it, the reviews are positive, and the active players for the Fallout games have doubled over the past week.

A few days ago, I shared some spoiler-free impressions of the first three episodes. I loved what I’d seen up to that point—the show seemed faithful to the games, but it was also a great TV show. A specific cocktail of tongue-in-cheek humor, sci-fi campiness, strong themes, great characters, and visceral violence really came together into a fantastic show.

Still, I had some questions at that point: Would the franchise’s penchant for satire and its distinct political and social viewpoint come through? Where was all this headed?

Like a lot of us, I’ve now finished the series. So if you have, too (or if you haven’t but just don’t care about spoilers), it’s time to dive into all eight episodes of season one together.

I’m a long-time Fallout fan, so I’ll focus on how the show ties in with the games, but like the show itself, I aim to make this interesting even for the newbies.

Heavy spoilers for Fallout season one start here, as well as a few spoilers about Fallout New Vegas and Fallout 4.

Something for everybody

So was the show as good after eight episodes as it was after three? Absolutely. If anything, the show only got better as it progressed. The more new viewers became inducted into the world, lore, and characters, the more effective the show could be.

There was a lot to set up, after all. Some of us have been playing the games for years, so we knew all about Vault-Tec, the Brotherhood of Steel, the Enclave, the New California Republic, Pip-Boys, gulpers, and ghouls. But if you’re coming into the world fresh, that’s a lot to take on.

I was worried while watching that despite the show’s efforts to introduce new viewers, it might not be good enough, but I’ve been told by multiple people who haven’t played the games that they didn’t have trouble keeping up.

Once the various elements were established, the show was able to hit its stride and start bringing in the aspects of Fallout that weren’t prominent in the opening stretch.

Further, it expertly walked the line to give established fans something to chew on at the same time. The timeline of Fallout lore and stories spans hundreds of years, but the TV show is actually set after all of the games.

Event                       Year
Bombs Drop                  2077
Fallout 76 (2018)           2102
Fallout (1997)              2161
Fallout 2 (1998)            2241
Fallout 3 (2008)            2277
Fallout New Vegas (2010)    2281
Fallout 4 (2015)            2287
Fallout Season 1 (2024)     2296

That meant the show revealed some things about what happened to certain factions and places that previously appeared in the games. Most notably, Shady Sands is a crater, and the New California Republic—one of the most important factions and one of the strongest governments from the games—no longer exists as we knew it.

That led some fans to speculate that TV series executive producer and game creative director Todd Howard was trying to make the popular New Vegas game (which was not made by his team) non-canon, but in a recent interview, he clarified that both the show and New Vegas are very much canon, noting that the bomb fell on Shady Sands very shortly after the events of that game. The timeline on the show is cutting it close, but a generous interpretation allows it all to line up.

Of course, the show expanded on some elements from the games in ways that could be seen as breaching canon. You could write most of them away as things the games never addressed—like the vials ghouls must consume to avoid going feral or the origin story of gulpers. The games at times implied different things about both of those aspects, but they didn’t necessarily contradict them.

The series also canonized some specific choices that players could make in some prior games. For example, it’s confirmed that the Brotherhood of Steel airship seen in the show is the same one seen in Fallout 4, meaning that the canon outcome for Fallout 4 is obviously not one where that airship was destroyed. (Players of that game had the option of pursuing paths that led to its destruction or not.)

  • Shady Sands as it’s seen in the show. (Image: Amazon)
  • New Vegas is teased as the next destination. (Image: Amazon)
  • The last moments had a brief tease with what appears to be a Deathclaw skull, too. (Image: Amazon)

With minimal exceptions, previous games in the series avoided canonizing outcomes like that by being set decades or even centuries (as well as hundreds or even thousands of miles) apart—such that it wasn’t necessary to reveal what happened in those cases. Since this show is set in a region that is well-documented in prior Fallout titles, that’s not the case here.

The tease that we’re going to New Vegas next season probably means that several multiple-choice outcomes from that game will have to be canonized, too. Is Mr. House still running the show? What happened to Caesar’s Legion? Why does New Vegas look so bombed out compared to how it appeared in the game? We’ll probably find out.

All told, new fans got to explore the world of Fallout for the first time, even as longtime fans got to see where the story has gone since they last played the games. The story hadn’t been moved forward in nine years, since 2018’s Fallout 76 was actually a prequel that took place long before any of the other games in the series.

It took some skillful work to serve both of those audiences without compromising the experience of the other, so kudos to the show’s writers.


Prime Video looking to fix “extremely sloppy mistakes” in library, report says

Morfydd Clark is Galadriel in The Lord of the Rings: The Rings of Power. (Image: Amazon Studios)

Subscribers lodged thousands of complaints related to inaccuracies in Amazon’s Prime Video catalog, including incorrect content and missing episodes, according to a Business Insider report this week. While Prime Video users aren’t the only streaming users dealing with these problems, Insider’s examination of leaked “internal documents” brings more perspective into the impact of mislabeling and similar errors on streaming platforms.

Insider didn’t publish the documents but said they show that “60 percent of all content-related customer-experience complaints for Prime Video last year were about catalogue errors,” such as movies or shows labeled with wrong or missing titles.

Specific examples reportedly named in the document include Season 1, Episode 2 of The Rings of Power being available before Season 1, Episode 1; character names being mistranslated; Continuum displaying the wrong age rating; and the Spanish-audio version of Die Hard With a Vengeance missing a chunk of audio.

The documents reportedly pointed to problems with content localization, noting the “poor linguistic quality of assets” related to a “lack of in-house expertise” of some languages. Prime Video pages with these problems suffered from 20 percent more engagement drop-offs, BI said, citing one of the documents.

Following Insider’s report, however, Quartz reported that an unnamed source it described as “familiar with the matter” said the documents were out of date, despite Insider claiming that the leaked reports included data from 2023. Quartz’s source also claimed that customer engagement was not affected.

Ars Technica reached out to Amazon for comment but didn’t hear back in time for publication. The company told Insider that “catalogue quality is an ongoing priority” and that Amazon takes “it seriously and work[s] relentlessly alongside our global partners and dedicated internal teams to continuously improve the overall customer experience.”

Other streaming services have errors, too

Insider’s report focuses on leaked documents regarding Prime Video, but rival streaming services make blunders, too. It’s unclear how widespread the problem is on Prime Video or across the industry. There are examples of people reporting Prime Video inaccuracies online, like on Amazon’s forum or on Reddit. But with some platforms not offering online forums and it being impossible to know how frequently users actually report spotted problems, we can’t do any apples-to-apples comparisons. We also don’t know if these problems are more prevalent for subscribers living outside of the US.

Beyond Prime Video, users have underscored similar inaccuracies within the past year on rival services, like Disney+, Hulu, and Netflix. A former White Collar executive producer pointed out that the show’s episodes were mislabeled and out of order on Netflix earlier this month. Inaccurate content catalogs appear more widespread if you go back two years or more. Some video streamers (like Disney and Netflix) have pages explaining how to report such problems.

Streaming services have only gotten more expensive and competitive, making such mistakes feel out of place for the flagship video platform of a conglomerate in 2024.

And despite content errors affecting more than just Prime Video, Insider’s report provides a unique look at the problem and efforts to fix it.


Amazon virtually kills efforts to develop Alexa Skills, disappointing dozens

disincentives —

Most devs would need to pay out of pocket to host Alexa apps after June.

The 4th-gen Amazon Echo Dot smart speaker. (Image: Amazon)

Alexa hasn’t worked out the way Amazon originally planned.

There was a time when it thought that Alexa would yield a robust ecosystem of apps, or Alexa Skills, that would make the voice assistant an integral part of users’ lives. Amazon envisioned tens of thousands of software developers building valued abilities for Alexa that would grow the voice assistant’s popularity—and help Amazon make some money.

But about seven years after launching a rewards program to encourage developers to build Skills, Alexa’s most preferred abilities are the basic ones, like checking the weather. And on June 30, Amazon will stop giving out the monthly Amazon Web Services credits that have made it free for third-party developers to build and host Alexa Skills. The company also recently told devs that its Alexa Developer Rewards program was ending, virtually disincentivizing third-party devs from building for Alexa.

Death knell for third-party Alexa apps

The news has left dozens of Alexa Skills developers wondering if they have a future with Alexa, especially as Amazon preps a generative AI and subscription-based version of Alexa. “Dozens” may sound like a dig at Alexa’s ecosystem, but it’s an estimation based on a recent podcast in which Skills developers Mark Tucker and Allen Firstenberg agreed that “dozens” of third-party devs were contemplating whether it’s still worthwhile to develop Alexa Skills. The casual summary wasn’t stated as a hard fact or confirmed by Amazon but, rather, seemed like a rough and quick estimation based on the developers’ familiarity with the Skills community. But with such minimal interest and money associated with Skills, dozens isn’t an implausible figure either.

Amazon admitted that there’s little interest in its Skills incentives programs. Bloomberg reported that “fewer than 1 percent of developers were using the soon-to-end programs,” per Amazon spokesperson Lauren Raemhild.

“Today, with over 160,000 skills available for customers and a well-established Alexa developer community, these programs have run their course, and we decided to sunset them,” she told the publication.

The writing on the wall, though, is that Amazon doesn’t have the incentive or money to grow the Alexa app ecosystem it once imagined. Voice assistants largely became money pits, and the Alexa division has endured recent layoffs as it fights for survival and relevance. Meanwhile, Google Assistant stopped using third-party apps in 2022.

“Many developers are now going to need to make some tough decisions about maintaining existing or creating future experiences on Alexa,” Tucker said via a LinkedIn post.

Alexa Skills criticized as “useless”

As of this writing, the top Alexa skills, in order, are: Jeopardy, Are You Smarter Than a 5th Grader?, Who Wants to Be a Millionaire?, and Calm. That’s not exactly a futuristic list of must-have technological feats. For years, people have wondered when the “killer app” would come to catapult Alexa’s popularity. But now it seems like Alexa’s only hope at that killer use case is generative AI (a gamble filled with its own obstacles).

But like Amazon, third-party developers found it hard to make money off Skills, with a rare few pointing to making thousands of dollars at most and the vast majority not making anything.

“If you can’t make money off it, no one’s going to seriously engage,” Joseph “Jo” Jaquinta, a developer who had made over 12 Skills, told CNET in 2017.

By 2018, Amazon had paid developers millions to grow Alexa Skills. But by 2020, Amazon reduced the amount of money it paid out to third-party developers, an anonymous source told Bloomberg. The source noted that the apps made by paid developers weren’t making the company much money. Come 2024, the most desirable things you can make Alexa do remain basic tasks, like playing a song and apparently trivia games.

Amazon hasn’t said it’s ending Skills. That would seem premature considering that its Alexa chatbot isn’t expected until June. Developers can still make money off Skills with in-app purchases, but the incentive is minimal.

“Developers like you have and will play a critical role in the success of Alexa, and we appreciate your continued engagement,” Amazon’s notice to devs said, per Bloomberg.

We’ll see how “critical” Amazon treats those remaining developers once its generative AI chatbot is ready.


Quantum computing progress: Higher temps, better error correction


There’s a strong consensus that tackling most useful problems with a quantum computer will require that the computer be capable of error correction. There is absolutely no consensus, however, about what technology will allow us to get there. A large number of companies, including major players like Microsoft, Intel, Amazon, and IBM, have all committed to different technologies to get there, while a collection of startups are exploring an even wider range of potential solutions.

We probably won’t have a clearer picture of what’s likely to work for a few years. But there’s going to be lots of interesting research and development work between now and then, some of which may ultimately represent key milestones in the development of quantum computing. To give you a sense of that work, we’re going to look at three papers that were published within the last couple of weeks, each of which tackles a different aspect of quantum computing technology.

Hot stuff

Error correction will require connecting multiple hardware qubits to act as a single unit termed a logical qubit. This spreads a single bit of quantum information across multiple hardware qubits, making it more robust. Additional qubits are used to monitor the behavior of the ones holding the data and perform corrections as needed. Some error correction schemes require over a hundred hardware qubits for each logical qubit, meaning we’d need tens of thousands of hardware qubits before we could do anything practical.

A number of companies have looked at that problem and decided we already know how to create hardware on that scale—just look at any silicon chip. So, if we could etch useful qubits through the same processes we use to make current processors, then scaling wouldn’t be an issue. Typically, this has meant fabricating quantum dots on the surface of silicon chips and using these to store single electrons that can hold a qubit in their spin. The rest of the chip holds more traditional circuitry that performs the initiation, control, and readout of the qubit.

This creates a notable problem. Like many other qubit technologies, quantum dots need to be kept below one Kelvin in order to keep the environment from interfering with the qubit. And, as anyone who’s ever owned an x86-based laptop knows, all the other circuitry on the silicon generates heat. So, there’s the very real prospect that trying to control the qubits will raise the temperature to the point that the qubits can’t hold onto their state.

That might not be the problem that we thought, according to some work published in Wednesday’s Nature. A large international team that includes people from the startup Diraq has shown that a silicon quantum dot processor can work well at the relatively toasty temperature of 1 Kelvin, up from the usual millikelvin temperatures that these processors normally operate at.

The work was done on a two-qubit prototype made with materials that were specifically chosen to improve noise tolerance; the experimental procedure was also optimized to limit errors. The team then performed normal operations starting at 0.1 K, and gradually ramped up the temperatures to 1.5 K, checking performance as they did so. They found that a major source of errors, state preparation and measurement (SPAM), didn’t change dramatically in this temperature range: “SPAM around 1 K is comparable to that at millikelvin temperatures and remains workable at least until 1.4 K.”

The error rates they did see depended on the state they were preparing. One particular state (both spin-up) had a fidelity of over 99 percent, while the rest were less constrained, at somewhere above 95 percent. States had a lifetime of over a millisecond, which qualifies as long-lived in the quantum world.

All of which is pretty good, and suggests that the chips can tolerate reasonable operating temperatures, meaning on-chip control circuitry can be used without causing problems. The error rates of the hardware qubits are still well above those that would be needed for error correction to work. However, the researchers suggest that they’ve identified error processes that can potentially be compensated for. They expect that the ability to do industrial-scale manufacturing will ultimately lead to working hardware.


Facebook secretly spied on Snapchat usage to confuse advertisers, court docs say

“I can’t think of a good argument for why this is okay” —

Zuckerberg told execs to “figure out” how to spy on encrypted Snapchat traffic.


Unsealed court documents have revealed more details about a secret Facebook project initially called “Ghostbusters,” designed to sneakily access encrypted Snapchat usage data to give Facebook a leg up on its rival, just when Snapchat was experiencing rapid growth in 2016.

The documents were filed in a class-action lawsuit from consumers and advertisers, accusing Meta of anticompetitive behavior that blocks rivals from competing in the social media ads market.

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted, we have no analytics about them,” Facebook CEO Mark Zuckerberg (who has since rebranded his company as Meta) wrote in a 2016 email to Javier Olivan.

“Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them,” Zuckerberg continued. “Perhaps we need to do panels or write custom software. You should figure out how to do this.”

At the time, Olivan was Facebook’s head of growth, but now he’s Meta’s chief operating officer. He responded to Zuckerberg’s email saying that he would have the team from Onavo—a controversial traffic-analysis app acquired by Facebook in 2013—look into it.

Olivan told the Onavo team that he needed “out of the box thinking” to satisfy Zuckerberg’s request. He “suggested potentially paying users to ‘let us install a really heavy piece of software'” to intercept users’ Snapchat data, a court document shows.

What the Onavo team eventually came up with was a project internally known as “Ghostbusters,” an obvious reference to Snapchat’s logo featuring a white ghost. Later, as the project grew to include other Facebook rivals, including YouTube and Amazon, the project was called the “In-App Action Panel” (IAAP).

The IAAP program’s purpose was to gather granular insights into users’ engagement with rival apps to help Facebook develop products as needed to stay ahead of competitors. For example, two months after Zuckerberg’s 2016 email, Meta launched Stories, a Snapchat copycat feature, on Instagram, which the Motley Fool noted rapidly became a key ad revenue source for Meta.

In an email to Olivan, the Onavo team described the “technical solution” devised to help Zuckerberg figure out how to get reliable analytics about Snapchat users. It worked by “develop[ing] ‘kits’ that can be installed on iOS and Android that intercept traffic for specific sub-domains, allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” the Onavo team said.

Olivan was told that these so-called “kits” used a “man-in-the-middle” attack typically employed by hackers to secretly intercept data passed between two parties. Users were recruited by third parties who distributed the kits “under their own branding” so that they wouldn’t connect the kits to Onavo unless they used a specialized tool like Wireshark to analyze the kits. TechCrunch reported in 2019 that sometimes teens were paid to install these kits. After that report, Facebook promptly shut down the project.

This “man-in-the-middle” tactic, consumers and advertisers suing Meta have alleged, “was not merely anticompetitive, but criminal,” seemingly violating the Wiretap Act. It was used to snoop on Snapchat starting in 2016, on YouTube from 2017 to 2018, and on Amazon in 2018, relying on creating “fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis.”
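To make the mechanism described in the filings concrete, here is an added example, written for this page and not Onavo’s or Facebook’s code. It builds a legitimate root and leaf for a hypothetical analytics host, then an interceptor root of the kind a kit would install on the phone and a forged leaf for the same host, and evaluates both leaves two ways: the way a stock TLS client does (does the chain reach any root in the device trust store?) and the way a pinning client does (does the server key’s SubjectPublicKeyInfo hash match a value compiled into the app?). The hostname analytics.example, the certificate names, and the function names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// analyticsHost is a hypothetical stand-in for a rival app's analytics
// endpoint; it is an assumption of this example, not taken from the filings.
const analyticsHost = "analytics.example"

var nextSerial int64 = 1

// issue creates a certificate for cn. With parent == nil it is a self-signed
// root; otherwise it is a server leaf for cn signed by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form in which
// pinning clients (HPKP, OkHttp's CertificatePinner) record a trusted key.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainTrusted is the stock TLS client check: does leaf chain to any root in
// the supplied trust store for analyticsHost?
func chainTrusted(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: analyticsHost, Roots: roots})
	return err == nil
}

// Outcome records what the trust store and the pin each decide.
type Outcome struct {
	RealChainsOnCleanDevice   bool
	ForgedChainsOnCleanDevice bool
	ForgedChainsWithKitRoot   bool
	RealMatchesPin            bool
	ForgedMatchesPin          bool
}

// runScenario builds the genuine and forged chains and evaluates both checks.
func runScenario() Outcome {
	realRoot, realRootKey := issue("Real Root CA", true, nil, nil)
	realLeaf, _ := issue(analyticsHost, false, realRoot, realRootKey)

	kitRoot, kitRootKey := issue("Kit Root CA", true, nil, nil) // installed by the kit
	forgedLeaf, _ := issue(analyticsHost, false, kitRoot, kitRootKey)

	clean := x509.NewCertPool() // device before the kit was installed
	clean.AddCert(realRoot)

	withKit := x509.NewCertPool() // device after the kit added its root
	withKit.AddCert(realRoot)
	withKit.AddCert(kitRoot)

	pin := spkiPin(realLeaf) // compiled into the app at build time

	return Outcome{
		RealChainsOnCleanDevice:   chainTrusted(realLeaf, clean),
		ForgedChainsOnCleanDevice: chainTrusted(forgedLeaf, clean),
		ForgedChainsWithKitRoot:   chainTrusted(forgedLeaf, withKit),
		RealMatchesPin:            spkiPin(realLeaf) == pin,
		ForgedMatchesPin:          spkiPin(forgedLeaf) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Once the kit’s root sits in the device store, the forged certificate verifies exactly like the genuine one, which is all an interception proxy needs to terminate TLS for the targeted subdomains and read the traffic. The SPKI pin rejects it because the pin names a key rather than a trust store. Pinning only holds if the pin is compiled into the app and the interceptor cannot modify the app itself; a “really heavy piece of software” with enough device access could still strip it.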

Ars could not reach Snapchat, Google, or Amazon for comment.

Facebook allegedly sought to confuse advertisers

Not everyone at Facebook supported the IAAP program. “The company’s highest-level engineering executives thought the IAAP Program was a legal, technical, and security nightmare,” another court document said.

Pedro Canahuati, then-head of security engineering, warned that incentivizing users to install the kits did not necessarily mean that users understood what they were consenting to.

“I can’t think of a good argument for why this is okay,” Canahuati said. “No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”

Mike Schroepfer, then-chief technology officer, argued that Facebook wouldn’t want rivals to employ a similar program analyzing their encrypted user data.

“If we ever found out that someone had figured out a way to break encryption on [WhatsApp] we would be really upset,” Schroepfer said.

While the unsealed emails detailing the project have recently raised eyebrows, Meta’s spokesperson told Ars that “there is nothing new here—this issue was reported on years ago. The plaintiffs’ claims are baseless and completely irrelevant to the case.”

According to Business Insider, advertisers suing said that Meta never disclosed its use of Onavo “kits” to “intercept rivals’ analytics traffic.” This is seemingly relevant to their case alleging anticompetitive behavior in the social media ads market, because Facebook’s conduct, allegedly breaking wiretapping laws, afforded Facebook an opportunity to raise its ad rates “beyond what it could have charged in a competitive market.”

Since the documents were unsealed, Meta has responded with a court filing that said: “Snapchat’s own witness on advertising confirmed that Snap cannot ‘identify a single ad sale that [it] lost from Meta’s use of user research products,’ does not know whether other competitors collected similar information, and does not know whether any of Meta’s research provided Meta with a competitive advantage.”

This conflicts with testimony from a Snapchat executive, who alleged that the project “hamper[ed] Snap’s ability to sell ads” by causing “advertisers to not have a clear narrative differentiating Snapchat from Facebook and Instagram.” Both internally and externally, “the intelligence Meta gleaned from this project was described” as “devastating to Snapchat’s ads business,” a court filing said.


$30 doorbell cameras have multiple serious security flaws, says Consumer Reports

Video doorbell security —

Models still widely available on e-commerce sites after issues reported.

Consumer Reports’ investigation suggests that, should this delivery person press and hold the bell button and then pair using Eken’s app, he could see if other delivery people get such a perfunctory response. (Image: Eken)

Video doorbell cameras have been commoditized to the point where they’re available for $30–$40 on marketplaces like Amazon, Walmart, Temu, and Shein. The true cost of owning one might be much greater, however.

Consumer Reports (CR) has released the findings of a security investigation into two budget-minded doorbell brands, Eken and Tuck, which are largely the same hardware produced by the Eken Group in China, according to CR. The cameras are further resold under at least 10 more brands. The cameras are set up through a common mobile app, Aiwit. And the cameras share something else, CR claims: “troubling security vulnerabilities.”

The pairing procedure for one of Eken’s doorbell cameras, which allows a malicious actor quite a bit of leeway. (Image: Eken)

Among the cameras’ vulnerabilities cited by CR:

  • Sending public IP addresses and Wi-Fi SSIDs (names) over the Internet without encryption
  • Takeover of the cameras by putting them into pairing mode (which you can do from a front-facing button on some models) and connecting through the Aiwit app
  • Access to still images from the video feed and other information by knowing the camera’s serial number.

CR also noted that Eken cameras lacked an FCC registration code. More than 4,200 were sold in January 2024, according to CR, and often held an Amazon “Overall Pick” label (as one model did when an Ars writer looked on Wednesday).

“These video doorbells from little known manufacturers have serious security and privacy vulnerabilities, and now they’ve found their way onto major digital marketplaces such as Amazon and Walmart,” said Justin Brookman, director of tech policy at Consumer Reports, in a statement. “Both the manufacturers and platforms that sell the doorbells have a responsibility to ensure that these products are not putting consumers in harm’s way.”

CR noted that it contacted vendors where it found the doorbells for sale. Temu told CR that it would halt sales of the doorbells, but “similar-looking if not identical doorbells remained on the site,” CR noted.

A Walmart representative told Ars that all cameras mentioned by Consumer Reports, sold by third parties, have been removed from Walmart by now. The representative added that customers may be eligible for refunds and that Walmart prohibits the selling of devices that require an FCC ID and lack one.

Ars contacted Amazon for comment and will update this post with new information. An email sent to the sole address that could be found on Eken’s website was returned undeliverable. The company’s social media accounts were last updated at least three years prior.

Consumer Reports’ researchers claim to have found JPEG file references passed in plaintext over the network, which could later be viewed without authentication in a browser. (Image: Consumer Reports)

CR issued vulnerability disclosures to Eken and Tuck regarding its findings. The disclosures note the amount of data that is sent over the network without authentication, including JPEG files, the local SSID, and external IP address. It notes that after a malicious user has re-paired a doorbell with a QR code generated by the Aiwit app, they have complete control over the device until a user sees an email from Eken and reclaims the doorbell.

With a few exceptions, video doorbells and other IoT cameras tend to rely on cloud connections to stream and store footage, as well as notify their owners about events. This has led to some notable privacy and security concerns. Ring doorbells were found to be pushing Wi-Fi credentials in plaintext in late 2019. Eufy, a company that marketed its “No clouds” offerings, was found to be uploading facial thumbnails to cloud servers to send push alerts and later apologized for that and other vulnerabilities. Camera provider Wyze recently disclosed that, for the second time in five months, images and video feeds were accidentally available to the wrong customers following a lengthy outage.

Listing image by Amazon/Eken
