Russians Hacked JFK Airport Taxi Dispatch in Line-Shopping Scheme

We at WIRED are wrapping up for the year and preparing for what is sure to be an eventful 2023. But 2022 won’t go without a fight.
This week, after another spike in chaos on Twitter, we delved into why the public needs real-time flight tracking, even though Elon Musk claims it’s the equivalent of doxing. The crucial transparency this publicly available data provides far outweighs the limited privacy value that censorship would provide to the world’s rich and powerful. Unfortunately, Musk’s threats of legal action against the developer of the @ElonJet tracker have broader chilling effects.
Meanwhile, Iran’s internet blackouts — a response to widespread civil rights protests — are sabotaging the country’s economy, according to a new assessment by the US State Department. Due to heavy sanctions against Iranian entities, the exact economic impact of Tehran’s internet blackouts is difficult to calculate. But experts agree that it is not good.
You may have seen Flipper Zero in a recent viral TikTok video – but don’t believe everything you see. WIRED’s Dhruv Mehrotra got his hands on the palm-sized device, which packs an array of antennas that let you copy and broadcast signals from all kinds of devices, like RFID tags, NFC cards, and more. We found that while Flipper Zero can’t, for example, make an ATM spill money, it lets you do a lot of other things that can get you into trouble. But mostly, it lets you see the radio wave-filled world around you like never before.
But that’s not all. Each week we round up the security stories we didn’t cover in depth ourselves. Click on the headings to read the full stories. And stay safe out there.
Between long hours, medallion costs and the rise of Uber and Lyft, the life of a taxi driver in New York is hard enough. Now it appears that Russian hackers—and a couple of their enterprising partners in Queens—tried to get their own cut of those drivers’ fares.
According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi system for JFK Airport in New York. Then they allegedly set up a group chat where drivers could secretly pay $10 to skip the sometimes hour-long line to be assigned a pickup — about a fifth of the $52 flat fee passengers pay for rides from the airport to other NYC locations. The indictment against the two men does not name the Russians or describe exactly how they gained access to JFK’s dispatch system. But it notes that since 2019, Abayev and Leyman allegedly planned to gain access to the system using several methods, including bribing someone to insert a USB drive containing malware into one of the dispatch operators’ computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablets. “I know the Pentagon is being hacked,” Abayev wrote to his Russian contacts in November 2019, according to the indictment. “So, we can’t hack the taxi industry[?]”
Before the scheme was shut down, prosecutors said it enabled as many as a thousand fraudulent line jumps a day for drivers,
It’s hardly a secret that Cyber Command, the more cyberattack-focused sister agency to the NSA, is often engaged in “hunting ahead,” as Cybercom director Paul Nakasone has described it. That means preemptively hacking foreign hackers to disrupt their operations, often ahead of an event like a US election. So maybe it’s no surprise that, as The Washington Post reports, Cybercom targeted Russian and Iranian hackers throughout the 2022 midterm elections. It’s not clear exactly how those hackers were disrupted, but an official told the Post that the operations usually go after the basic tools the hackers use to operate, including the computers, internet connections and malware. In some cases, foreign malware is discovered by Cybercom abroad and shared with potential targets in the United States to facilitate detection.
While foreign hacking of US elections has slowed since its peak in 2016 – when Russia hacked the Democratic National Committee, the Clinton campaign and many other targets – it has by no means disappeared. Cybersecurity firm Mandiant reported this week that the Russian military intelligence agency GRU appears to have targeted election websites with distributed denial-of-service attacks during the midterm elections, despite Cyber Command’s efforts.
On Monday, federal prosecutors charged two men — one from Wisconsin, the other from North Carolina — with allegedly participating in a swatting scheme that over a weeklong period targeted the owners of more than a dozen compromised Ring home security door cameras. According to the indictment, Kya Christian Nelson (21) and James Thomas Andrew McCarty (20) used login information from leaked Yahoo accounts to gain access to Ring accounts from individuals around the country. The defendants are said to have then called in false reports to the police, claiming to dispatchers that a violent incident was taking place at the victim’s home, and then live-streamed the police response to the false reports. In several of the incidents, the two men taunted responding police officers and victims through the microphone of the Ring device, according to the indictment.
Nelson, who went by the alias “ChumLul,” is currently jailed in Kentucky on an unrelated case. McCarty, who went by the alias “Aspertaine,” was arrested last week on federal charges filed in the District of Arizona. Nelson and McCarty are both charged with conspiring to intentionally gain access to computers without authorization. Nelson is also charged with two counts of willfully accessing a computer without authorization and two counts of aggravated identity theft. If convicted, they could each face up to five years in prison, while Nelson faces an additional seven years for the additional charges.
In March 2017, Netflix tweeted a simple message: “Love is sharing a password.” Now, five years later, that sentiment is nearing the end of its life. According to a Wall Street Journal report this week, the streaming service plans to crack down on password sharing in early 2023. Netflix has been testing ways to stop households in Latin America from sharing passwords through 2022, and the report suggests it is ready to expand its efforts. Netflix says more than 100 million viewers watch its TV shows and movies using other people’s passwords, and it wants to convert those views into cash. “Make no mistake, I don’t think consumers are going to love it right out of the gate,” the Journal reports Netflix co-CEO Ted Sarandos told investors earlier this year. Elsewhere, the UK government’s Intellectual Property Office said it believes sharing passwords for online streaming services could breach copyright law. However, it is unlikely that anyone will ever be prosecuted.
The Roomba J7 home robot uses “PrecisionVision Navigation” to avoid objects in your home – such as piles of clothes on the floor or random piles of dog poop. The robot is able to do this partly with the help of a built-in camera and computer vision. However, as MIT Technology Review reported this week, gig economy workers in Venezuela posted pictures taken by the robots online — including one of a woman on the toilet. The images and videos were taken by a development version of the J7 robot in 2020 and shared with a startup that contracts workers to label the images and help train computer vision systems. Those using the development machines had agreed to have their data shared. Roomba maker iRobot, which is being bought by Amazon, said it is ending its contract with the startup that leaked the images and is investigating what happened. However, the incident highlights some of the potential privacy risks with the vast datasets used to train artificial intelligence applications.
All Kelly Conlon wanted to do was watch the Rockettes with her daughter’s Girl Scout troop. But thanks to a facial recognition system operated by Madison Square Garden Entertainment, Conlon was summarily kicked out of Radio City Music Hall because, unknown to her, she had been barred from the venue. The problem, according to MSG Entertainment, is that Conlon is an attorney at a law firm that is currently engaged in litigation against the company. (Conlon said she is not personally involved in that lawsuit.) “They knew my name before I told them. They knew the company I was affiliated with before I told them. And they told me I wasn’t allowed to be there,” Conlon told NBC New York. MSG Entertainment, meanwhile, defended the lawyer’s expulsion as necessary to avoid an “inherently unfavorable environment.” The episode raises concerns about the use of facial recognition technology, which remains so underregulated that a company could use it to punish its enemies. Happy holidays!