Plus: Google’s U-turn on creepy “fingerprint” tracking, the LockBit ransomware gang’s teased comeback, and a potential US ban on the most popular routers in America.
Photograph: Hiroshi Watanabe; Getty Images
It’s been a busy year in cybersecurity, but it’s not over yet. This week, we revealed how hackers figured out how to “jailbreak” digital license plates—which are legally issued in at least a couple of states and are valid across the US—allowing them to change the license plate number to basically anything. That means someone with this capability can avoid tolls and tickets, or even change their plate to be the same as their enemy.
While the company that makes the plates, Reviver, makes clear that doing this would be both illegal and a terms-of-service violation, we’re guessing that the people who want to hide their car’s credentials so they can speed all over town aren’t too concerned about that.
Staff at the Cybersecurity and Infrastructure Security Agency are preparing for an uncertain future. Several CISA employees told WIRED that they’re afraid the incoming Trump administration will scrap key programs that they say are keeping Americans safe from cyberattacks and other threats—or that the agency itself could be dismantled.
In recent years, financial scams that involve bilking people out of their cryptocurrency holdings have come to be known by an eye-catching, catch-all name: “pig butchering.” But it’s time for a rebrand, according to officials at Interpol. The term, which is a translation from Chinese and refers to the slow process of fattening up a pig before slaughtering it, was likely created by the scammers themselves. As such, its use could further degrade victims of these scams or shame them into not reporting a crime.
Doing crimes in public is, apparently, all the rage. We took a deep dive into the world of drug dealers who are advertising their goods on open web platforms like Instagram, X, and Snapchat. The practice isn’t new, but authorities in Europe say it’s growing more popular.
And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
FAA Bans Drones Over Parts of NJ and NY but “Has Not Identified Anything Anomalous”
The US Federal Aviation Administration said on Thursday that it was temporarily banning drone flights over dozens of critical infrastructure and utility sites in New Jersey and New York “at the request of federal security partners.” The restrictions are set to last 30 days. The announcement comes as panic over reported mysterious drone sightings in the two states has surged in recent weeks. The FAA said in a joint statement with the US Department of Homeland Security, Department of Defense, and FBI on Wednesday that the US government has not found evidence of malicious or unexplained aircraft.
"Having closely examined the technical data and tips from concerned citizens, we assess that the sightings to date include a combination of lawful commercial drones, hobbyist drones, and law enforcement drones, as well as manned fixed-wing aircraft, helicopters, and stars mistakenly reported as drones,” the agencies wrote. "We have not identified anything anomalous and do not assess the activity to date to present a national security or public safety risk over the civilian airspace in New Jersey or other states in the northeast.”
The agencies said that the FBI has received more than 5,000 tips about reported drone sightings in recent weeks that have generated about 100 leads investigated by local, state, and federal officials. None have proved to be problematic or concerning. The mass hysteria is itself creating dangerous conditions, though. The FAA warned on Wednesday that there has been a significant uptick in people pointing lasers at aircraft, which is illegal because it can be dangerous and distracting for pilots.
Google U-Turn Allows Creepy “Fingerprint” Tracking Next Year
Back in 2019, Google made its position on the online tracking method called fingerprinting pretty clear. “Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected,” the company said in a blog post. “We think this subverts user choice and is wrong.”
That viewpoint appears to have changed. This week, Google announced that, starting in February 2025, advertisers would be allowed to use fingerprinting. The method is largely hidden and allows online activity to be tracked by building up a profile using characteristics from your device—for instance, your phone type, language settings, timezone, can be combined with other information unique to your setup and identify you.
Google indicated the change in new advertising policies, which will go into force next year. The current version of the policy says fingerprinting is not allowed, while that reference has been scrubbed from the new version. The change drew instant criticism, with the UK’s data regulator, the Information Commissioner’s Office (ICO), saying that “fingerprinting is not a fair means of tracking users online” and it called the U-turn “irresponsible.” The ICO said it is talking to Google about the shift.
LockBit Teases Potential Comeback as Alleged Developer Faces US Extradition
Early this year, the notorious Lockbit ransomware group was thoroughly dismantled by a law enforcement operation, called Operation Cronos. The group’s website was taken over, details of its members and their cyberattacks extracted, decryption tools released, and its alleged Russian mastermind identified.
Now, the US government is attempting to extradite Rostislav Panev, an Israeli citizen who it suggested worked as a LockBit developer between 2019 and 2024. According to Ynet news, Panev was arrested in August and it is alleged that he received more than $230,000 in Bitcoin and developed ransomware tools from the gang. According to a complaint unsealed by US officials, Panev said he was regularly paid $10,000 per month for software development. Panev’s lawyers deny the claims.
At the same time, the organizers of the LockBit ransomware claim that they have created a new “4.0” version of their tools and will be “launching” them in February. A post on LockBit’s reincarnated dark-web sites urged potential hackers to sign up. As with many cybercrime groups, LockBit has lied about its activities in the past, and following the humiliation of its disruption, many other cybercriminals may not trust its tattered brand.
One of America’s Most Popular Router Manufacturers May Be Banned
Chinese technology company and router maker TP-Link could be banned in the US, a report from The Wall Street Journal this week claimed. Officials at the Defense, Commerce, and Justice departments have launched investigations into the company over potential cybersecurity and national security concerns around its routers. The Commerce Department has reportedly subpoenaed TP-Link, which has more than 60 percent of the US retail market for routers. A ban could reportedly happen next year.
While TP-Link is a Chinese company, its products are sold in the US by a separate California-based business. In October, Microsoft said that TP-Link routers “make up most” of a network of compromised devices that it has detected being used in Chinese hacking campaigns. The news of the potential ban follows the previous bans of Huawei and ZTE equipment and comes as TikTok will challenge its ban before the US Supreme Court in early January.
