security flaw


Moltbook, the Social Network for AI Agents, Exposed Real Humans' Data

WIRED

Plus: Apple's Lockdown mode keeps the FBI out of a reporter's phone, Elon Musk's Starlink cuts off Russian forces, and more. An analysis by WIRED this week found that ICE and CBP's face recognition app Mobile Fortify, which is being used to identify people across the United States, isn't actually designed to verify who people are and was only approved for Department of Homeland Security use by relaxing some of the agency's own privacy rules. WIRED took a close look at highly militarized ICE and CBP units that use extreme tactics typically seen only in active combat. Two agents involved in the shooting deaths of US citizens in Minneapolis are reportedly members of these paramilitary units. And a new report from the Public Service Alliance this week found that data brokers can fuel violence against public servants, who are facing more and more threats but have few ways to protect their personal information under state privacy laws.


GitHub's Copilot Code Review: Can AI Spot Security Flaws Before You Commit?

Amro, Amena, Alalfi, Manar H.

arXiv.org Artificial Intelligence

As software development practices increasingly adopt AI-powered tools, ensuring that such tools can support secure coding has become critical. This study evaluates the effectiveness of GitHub Copilot's recently introduced code review feature in detecting security vulnerabilities. Using a curated set of labeled vulnerable code samples drawn from diverse open-source projects spanning multiple programming languages and application domains, we systematically assessed Copilot's ability to identify and provide feedback on common security flaws. Contrary to expectations, our results reveal that Copilot's code review frequently fails to detect critical vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure deserialization. Instead, its feedback primarily addresses low-severity issues, such as coding style and typographical errors. These findings expose a significant gap between the perceived capabilities of AI-assisted code review and its actual effectiveness in supporting secure development practices. Our results highlight the continued necessity of dedicated security tools and manual code audits to ensure robust software security.


Urgent warning as 1.5 MILLION private photos are leaked from BDSM dating apps - so, have your sexy snaps been exposed?

Daily Mail - Science & tech

Cybersecurity researchers have issued an urgent warning as almost 1.5 million private photos from dating apps are exposed. Affected apps include the kink dating sites BDSM People and CHICA, as well as LGBT dating services PINK, BRISH, and TRANSLOVE - all of which were developed by M.A.D Mobile. The leaked files include photos used for verification, photos removed by app moderators, and photos sent in direct messages between users - many of which were explicit. These sensitive snaps were being stored online without password protection, meaning anyone with the link could view and download them. Researchers from Cybernews, who discovered the vulnerability, say this easily exploited security flaw put up to 900,000 users at risk of further hacks or extortion.


Hackers made robot vacuums randomly yell racial slurs

Engadget

Robot vacuums across the country were hacked in the space of several days, according to reporting by ABC News. This allowed the attackers to not only control the robovacs, but use their speakers to hurl racial slurs and abusive comments at anyone nearby. All of the affected robots were of the same make and model, the Chinese-made Ecovacs Deebot X2s. This particular robovac has developed a reputation for being easy to hack, thanks to a critical security flaw. ABC News, for instance, was able to get full control over one of the robots, including the camera.


What to Look for When Buying a Security Camera (2023): Tips and Risks

WIRED

The recent news exposing serious security flaws from the Anker-owned brand may have caused you some anxiety. I have been testing and reviewing security cameras for several years now. Revelations about data breaches and vulnerabilities are a regular occurrence. Arlo, Nest, Ring, Wyze: every major manufacturer you can think of has had its share of scandals. But it can be challenging to look beyond hyperbolic headlines, weigh the seriousness of each issue, and figure out whether you need to worry.


WiFi security flaw lets a drone track devices through walls

Engadget

WiFi's friendliness to other devices might pose a significant threat in the wrong circumstances. University of Waterloo researchers have discovered a security flaw in the networking standard that lets attackers track devices through walls. The technique identifies the location of a device within 3.3ft just by exploiting WiFi devices' automatic contact responses (even on password-protected networks) and measuring the response times. You can identify all the connected hardware in a room, and even track people's movements if they have a phone or smartwatch. The scientists tested the exploit by modifying an off-the-shelf drone to create a flying scanning device, the Wi-Peep.


Hospital robots face attacks by hackers after security flaws found

#artificialintelligence

Servers that control robots working in hospitals were found to have major gaps in security coding. The robots perform menial tasks like delivering medications and transporting materials across hospitals but could be exploited to do harm. Aethon TUG smart autonomous robots are a cost-effective way for hospitals and other businesses to delegate simple tasks away from busy human employees. They can lift hundreds of pounds, clean floors and execute other maintenance-adjacent tasks. To navigate, the TUG robot uses radio waves to tap into a given hospital's network of motion sensor doors and elevators.


IoT security challenges and common attack types - Dataconomy

#artificialintelligence

IoT security is a subset of information technology that focuses on securing connected devices and internet of things networks. When bad actors search for IoT security flaws, they have a high probability of hacking vulnerable devices. Industrial robots, and the equipment connected to them, have also been hacked. Hackers can alter control-loop settings, interfere with manufacturing logic, and change the status of those devices. While the Internet of Things revolution benefits manufacturers and consumers, it also comes with significant security concerns.


Log4j software bug is 'severe risk' to the entire internet

New Scientist

A major security flaw has been discovered in a piece of software called Log4j, which is used by millions of web servers. The bug leaves them vulnerable to attack, and teams around the world are scrambling to patch affected systems before hackers can exploit them. "The internet's on fire right now," said Adam Meyers at security company Crowdstrike. The problem with Log4j was first noticed in the video game Minecraft but it quickly became apparent that its impact was far larger. The software is used in millions of web applications, including Apple's iCloud.


AI Can Write Code Like Humans--Bugs and All

WIRED

Some software developers are now letting artificial intelligence help write their code. They're finding that AI is just as flawed as humans. Last June, GitHub, a subsidiary of Microsoft that provides tools for hosting and collaborating on code, released a beta version of a program that uses AI to assist programmers. Start typing a command, a database query, or a request to an API, and the program, called Copilot, will guess your intent and write the rest. Alex Naka, a data scientist at a biotech firm who signed up to test Copilot, says the program can be very helpful, and it has changed the way he works.