Employees of the US Immigration and Customs Enforcement agency (ICE) abused law enforcement databases to snoop on their romantic partners, neighbors, and business associates, WIRED exclusively revealed this week. New data obtained through record requests show that hundreds of ICE staffers and contractors have faced investigations since 2016 for attempting to access medical, biometric, and location data without permission. The revelations raise further questions about the protections ICE places on people’s sensitive information.

Security researchers at ESET found old enterprise routers are filled with company secrets. After purchasing and analyzing old routers, the firm found many contained login details for company VPNs, hashed root administrator passwords, and details of who the previous owners were. The information would make it easy to impersonate the business that owned the router originally. Sticking with account security: The race to replace all your passwords with passkeys is entering a messy new phase. Adoption of the new technology faces challenges getting off the ground.

The supply chain breach of 3CX, a VoIP provider that was compromised by North Korean hackers, is coming into focus, and the attack appears to be more complex than initially believed. Google-owned security firm Mandiant said 3CX was initially compromised by a supply chain attack before its software was used to further spread malware.

Also this week, it emerged that the notorious LockBit ransomware gang is developing malware that aims to encrypt Macs. To date, most ransomware has focused on machines running Windows or Linux, not devices made by Apple. If LockBit is successful, it could open up a new ransomware frontier—however, at the moment, the ransomware doesn’t appear to work.

With the rise of generative AI models, like ChatGPT and Midjourney, we’ve also looked at how you can guard against AI-powered scams. And a hacker who compromised the Twitter account of right-wing commentator Matt Walsh said they did so because they were “bored.”

But that’s not all. Each week, we round up the stories we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Car thieves are using a series of small hacking tools—sometimes hidden in Nokia 3310 phones or Bluetooth speakers—to break into and steal vehicles. This week, a report from Motherboard detailed how criminals are using controller area network (CAN) injection attacks to steal cars without having access to their keys. Security researchers say criminals first have to detach a car's headlights and then connect the hacking tool with two cables. Once connected, it can send fake messages to the car that look like they are originating from the car's wireless keys, and allow it to be unlocked and started.

Motherboard reports the hacking devices are being sold online and in Telegram channels for between $2,700 and $19,600, a potentially small price when trying to steal luxury cars. Security researchers at Canis Labs first detailed the issue after one car was stolen using the technique. Advertisements claim the tools can work on vehicles made by Toyota, BMW, and Lexus. The security researchers say encrypting traffic sent in CAN messages would help to stop the attacks.

In recent years, NSO Group’s Pegasus spyware has been used to target political leaders, activists, and journalists around the world, with experts describing the technology as being as powerful as the capabilities of the most elite hackers. In response to the sophisticated spyware, Apple released Lockdown Mode last year, which adds extra security protections to iPhones and limits how successful spyware could be. Now, new research from the University of Toronto’s Citizen Lab has found that Apple’s security measures are working. Cases reviewed by Citizen Lab showed that iPhones running Lockdown Mode have blocked hacking attempts linked to NSO’s software and sent notifications to the phones’ owners. The research found three new “zero-click” exploits that could impact iOS 15 and iOS 16, which had been targeted at members of Mexico’s civil society. Lockdown mode detected one of these attacks in real time.

Since OpenAI released GPT-4 in March, people have clamored to get their hands on the text-generating system. This, perhaps unsurprisingly, includes cybercriminals. Analysts at security firm Check Point have discovered a burgeoning market for the sale of login details for GPT-4. The company says that since the start of March, it has seen an “increase in discussion and trade of stolen ChatGPT accounts.” This includes criminals swapping premium ChatGPT accounts and brute-forcing their way into accounts by guessing email logins and passwords. The efforts could in theory help people in Russia, Iran, and China to access OpenAI’s system, which is currently blocked in those nations.

Russia has been trying to control Ukraine's internet access and media since Vladimir Putin launched his full-scale invasion in February 2022. Sensitive US documents leaked on Discord now show that Russian forces have been experimenting with an electronic warfare system, called Tobol, to disrupt internet connections from Elon Musk's Starlink satellite system. According to the The Washington Post, the Russian Tobol system appears to be more advanced than previously thought, although it is not clear if it has actually disrupted internet connections. Analysts initially believed Tobol was designed for defensive purposes but have since concluded it could also be used for offensive purposes, disrupting signals as they are sent from the ground to satellites orbiting the Earth.

For the last four years, politicians in the UK have been drafting laws designed to regulate the internet—first in the guise of an online harms law, which has since morphed into the Online Safety Bill. It's been a particularly messy process—often trying to deal with a dizzying range of online activities—but its impact on end-to-end encryption is alarming technology firms. This week, WhatsApp, Signal, and the companies behind five other encrypted chat apps signed an open letter saying the UK’s plans could effectively ban encryption, which keeps billions of people's conversations private and secure. (Only the sender and receiver can view end-to-end encrypted messages; the companies that own the messengers don't have access). “The Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws,” the companies say in the letter.