Posts by Katie Malone

How hackers are using Bluetooth to track police activity

Cops use all sorts of tech to track individuals: facial recognition comes to mind, as does mimicking cell phone towers to get pings, or mobile data tracking. But some people are finding ways to use technology to listen back. Bluetooth signals might reveal where police are and when devices like body cams or Tasers are activated.

“It’d be really weird if you had your volume turned all the way up and all of your devices are just screaming, right?” Alan “Nullagent” Meekins, cofounder of Bluetooth tracking platform RFParty, said. “But that’s really what you’re doing in these wireless spectrums, they’re just constantly shouting.”

Every Bluetooth device has a 48-bit device address, commonly called a MAC address, like the ones on WiFi and Ethernet adapters. For a public address, the first three bytes are an Organizationally Unique Identifier (OUI) assigned by the IEEE, essentially a way for a device to say who made it. A look at the IoT devices used by many police forces led Meekins and his cofounder Roger “RekcahDam” Hicks to Axon, a company best known for Tasers. Modern police kits are overflowing with Bluetooth-enabled tech (often also made by Axon), from the aforementioned Tasers and body cams to in-vehicle laptops. Even the gun holsters supplied to some cops send a Bluetooth ping when a sidearm is unholstered. By just reading company documentation, they were able to find Axon's OUI. The caveat is that Bluetooth Low Energy devices can instead advertise with randomized addresses that carry no OUI and change over time, which is the mitigation Axon says it is now working on.

A Bluetooth identifier seems trivial, but it could reveal a lot of information about where cops are and what they’re up to, like when their body cams are recording or when they turn on the sirens to respond to a call. “There's the signal that is sent when a police officer basically thinks something's recording worthy, if that's the case, people can document that, detect that and there won't be any question whether or not hey, there's a body cam or there wasn't body cam,” Meekins told Engadget. It’s a way to potentially determine whether certain evidence exists so that it can be produced more quickly in a records request, something police often "slow walk," Meekins said. As people run RFParty, the app will collect historical data. In the case of body cams, if the device begins recording, it typically sends a Bluetooth signal out to other devices. If a cop turns on a camera (or Taser or other IoT device), someone running the app could collect this data to record details about the incident.

It's similar to radio waves: if you have the equipment to get past the music and news stations into the bands used by emergency response personnel (and once you know the language and codes to make sense of what's being broadcast there), you can listen in on police radios to hear about arrests and where police might be patrolling.

An Axon spokesperson confirmed that the company uses Bluetooth capabilities for pairing in-car systems with mobile apps, and for its camera recording devices. Using Bluetooth connectivity helps with "ensuring that incidents are captured and that devices are connected to maximize visibility," the spokesperson said. "Axon is working on additional measures and improvements to address concerns of tracking our devices over time. Specifically, rotation of unique BLE device addresses (known as MAC addresses) that can specifically identify our devices, and removing the need for including serial numbers in Bluetooth broadcasts to reduce the ability to track a specific device over time."
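What follows is an added example, not RFParty's or Axon's code, showing how a scanner makes sense of the two things discussed above: the vendor OUI in a fixed public address, and the address rotation Axon says it is moving to. The captures, the payloads, the vendor table and the OUI in it are all constructed placeholders (the real Axon OUI is not reproduced here), and the address type flag is taken from the scanner because BLE signals it in the packet header rather than in the address bits.

```python
# Added example (not RFParty's code): sort captured BLE advertisements by how
# linkable they are over time. Addresses, payloads and the vendor table are
# constructed; the OUIs below are placeholders, not Axon's real OUI.

# Placeholder vendor table keyed by OUI (first three bytes of a *public* address).
# A real scanner loads the IEEE OUI registry instead.
KNOWN_OUIS = {
    "00:11:22": "Hypothetical Body-Cam Vendor",
    "AA:BB:CC": "Hypothetical Fitness-Tracker Vendor",
}

AD_COMPLETE_LOCAL_NAME = 0x09   # AD type carrying the device's advertised name
AD_MANUFACTURER_DATA = 0xFF     # AD type: 16-bit company ID + vendor-specific bytes


def ad_structure(ad_type: int, data: bytes) -> bytes:
    """Encode one advertising data structure: length byte, type byte, value."""
    return bytes([len(data) + 1, ad_type]) + data


def parse_ad_structures(payload: bytes) -> dict:
    """Split an advertising payload into {ad_type: value}; stops at a zero length byte."""
    fields = {}
    i = 0
    while i + 1 < len(payload):
        length = payload[i]
        if length == 0:
            break
        fields[payload[i + 1]] = payload[i + 2 : i + 1 + length]
        i += 1 + length
    return fields


def address_kind(addr: str, addr_type: str) -> str:
    """Classify an address. addr_type ('public' or 'random') is what the scanner
    reports, since BLE signals it in the PDU header, not in the address bits."""
    if addr_type == "public":
        return "public"                  # fixed for the life of the device; OUI = vendor
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {
        0b11: "random static",           # fixed until reset: still linkable
        0b01: "resolvable private",      # rotates; only a bonded peer can resolve it
        0b00: "non-resolvable private",  # rotates; nothing to link on
    }.get(top_bits, "reserved")


def fingerprint(addr: str, addr_type: str, payload: bytes) -> dict:
    """Return what a passive observer can learn from one advertisement."""
    fields = parse_ad_structures(payload)
    kind = address_kind(addr, addr_type)
    vendor = KNOWN_OUIS.get(addr[:8].upper()) if kind == "public" else None
    name = fields.get(AD_COMPLETE_LOCAL_NAME, b"").decode("utf-8", "replace") or None
    mfg = fields.get(AD_MANUFACTURER_DATA, b"")
    company_id = int.from_bytes(mfg[:2], "little") if len(mfg) >= 2 else None
    # Linkable across sightings if the address is stable, or if the payload itself
    # carries a stable identifier (a name or serial) regardless of the address.
    linkable = kind in ("public", "random static") or name is not None
    return {"address": addr, "kind": kind, "vendor": vendor, "name": name,
            "company_id": company_id, "linkable": linkable}


# Constructed captures in the shape a scanner reports them: (address, type, raw payload).
CAPTURES = [
    ("00:11:22:33:44:55", "public",
     ad_structure(0x01, b"\x06") + ad_structure(AD_COMPLETE_LOCAL_NAME, b"CAM-0042")),
    ("C2:9F:10:4B:77:01", "random",
     ad_structure(AD_MANUFACTURER_DATA, b"\x34\x12\x01\x02")),   # company ID 0x1234 (placeholder)
    ("5A:3C:E1:90:12:AB", "random", ad_structure(0x01, b"\x06")),
]


def survey(captures=CAPTURES) -> list:
    return [fingerprint(*capture) for capture in captures]


if __name__ == "__main__":
    for result in survey():
        print(result)
```

Only the first two captures can be followed from one sighting to the next: a public address never changes, and a random static address survives until the device resets. The third uses a resolvable private address, which rotates periodically and can only be linked by a peer holding the device's identity resolving key. That is the effect Axon's planned rotation would have, provided the payload also stops carrying a serial number or other stable name, which is why the spokesperson's second point matters as much as the first.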

No features in RFParty are designed specifically to track police; it’s a general Bluetooth scanning service, similar to existing tools like Wigle.net or nRF Connect. But some of what's displayed on its maps includes common Internet of Things devices used by police, including body cams. Anecdotally, users are already using RFParty for police-tracking purposes.

“We have all this technology that there's certain people who understand it, and can exploit it. But you know, most people can't and I think there needs to be more knowledge given out,” Hicks told Engadget. In a talk at DEF CON 31 this past August, Meekins showed what the Axon OUI is, and he privately gave me a live demo of how a knowledgeable RFParty user could leverage that information.

Of course, having that historical data handy for accountability purposes requires people to be running RFParty in the vicinity of potential abuses of police power, and it's unlikely the app will become popular on a scale where that data will be available for almost any such incident. Still, when cops have the power to use technology against nearly anyone, it's interesting to see the tables turned.

This article originally appeared on Engadget at https://www.engadget.com/how-hackers-are-using-bluetooth-to-track-police-activity-140012717.html?src=rss

NordVPN review: A bit too overhyped for the price

You may know NordVPN from its popular ambassador program, taking social media by storm as influencers sign up to make money advertising the virtual private network. But despite its popularity, it didn’t make the list of the nine top providers we published in June. After rigorous testing, I concluded it was a bit overhyped for the price, lacking features considered standard in lower-cost options.

Geoblocking, streaming and gaming are the three main VPN use cases. So, to test out NordVPN and its competitors, I used them to watch Canadian Netflix from my US-based home, played an online game from a UK-based server and streamed a news channel on YouTube via a Hong Kong-based VPN.

NordVPN was easy to sign up for, offering options like opting in to automatic updates to keep the service running at the latest version. Depending on the tier you pick, you can also get access to NordPass, the company’s password manager, or NordLocker, a file encryption software. The “complete” package runs at $5.79 per month.

The best VPNs stay out of your way, and you'll barely notice they’re running. That was pretty much the case with NordVPN. It passed our basic privacy tests, successfully masking the IP address and passing the DNS and WebRTC leak tests. It was also easy to access geo-blocked content, stream on YouTube and game using NordVPN, with little to no buffering. We ran a ping test, which measures network latency: it came in at 75 milliseconds with NordVPN on, not much slower than the 62 ms with it off.

NordVPN supports up to six simultaneous connections, which meant I could run all of my tests at once and still saw no slowdown. That’s great for sharing it with a family, or for folks who like to game, watch TV and scroll on their phone at the same time. Those connections come with a caveat: devices connected to the same server have to use different VPN protocols. NordVPN has more than 5,000 servers in 60 countries, and supports a wide range of devices, from gaming systems to Raspberry Pi boards to streaming devices.

Still, NordVPN’s security history is less than ideal. NordVPN is based in Panama, a country with no mandatory data-retention law. It uses industry-standard AES-256 encryption and NordLynx, its own WireGuard-based protocol, which adds a double-NAT layer so that the VPN server does not have to keep a user's IP address in order to route traffic (plain WireGuard holds peer IP addresses in memory). It commissions third-party security audits and runs a vulnerability disclosure program, two indicators that it takes privacy basics seriously. But it’s not open source, and when it comes to data privacy it falls short because of its pattern of collecting and storing unnecessary user information. Notably, NordVPN also failed to disclose a 2018 server breach in a timely manner. It wasn’t until a security researcher discussed it publicly, more than a year after the incident, that NordVPN owned up to it.

NordVPN’s history of loaded terms and deceptive advertising also just didn’t sit well with me. The UK-based Advertising Standards Authority ruled a 2019 NordVPN ad as misleading, by exaggerating the risk from data theft. It makes sweeping claims about what’s possible with its VPN that are impossible to prove.

For an option so highly talked about, the experience using NordVPN was just… fine. It didn’t stand out, unlike Proton VPN, which offered a more comprehensive suite of products alongside the VPN and stronger security measures. That’s why Nord didn’t make the cut as one of the top choices I’d recommend.

This article originally appeared on Engadget at https://www.engadget.com/nordvpn-review-a-bit-too-overhyped-for-the-price-163100341.html?src=rss

Sony investigates the alleged data breach that has led to hacker infighting

The alleged Sony data breach just got messier. On Monday, relatively new hacking group Ransomed.vc made the lofty claim that it had successfully compromised "all" of the company's systems, as reported by Cybersecurity Connect. Now a second threat actor has leaked the data believed to be in Ransomed.vc's possession, claiming the former are "scammers" trying to "chase influence." How either group obtained this data, or the extent of the breach, remain unknown but Sony has confirmed to Engadget it's investigating the situation.

Ransomed.vc said it wouldn't ransom Sony, and instead would be selling the data "due to Sony not wanting to pay." It posted a sampling of files as "proof" of its claims and set a deadline of September 28. On Tuesday, a threat actor going by "MajorNelson" claimed that Ransomed.vc lied about the breach, and leaked the data that Ransomed.vc claimed to have, according to malware repository vx-underground. Engadget could not independently verify either group's claims.

"We are currently investigating the situation," a Sony spokesperson told Engadget. 

Ransomed.vc emerged as both an attacker in its own right and a ransomware-as-a-service operation that lets others pay to launch attacks. The group threatens victims with data-protection fines under laws like the GDPR if they do not pay the ransom. In other words: pay us a ransom of a few hundred thousand dollars, or we'll report you and you'll face a fine in the millions. MajorNelson appears to be an independent threat actor motivated by disdain for Ransomed.vc, calling the reports about its efforts lies.

"RansomedVCs are scammers who are just trying to scam you and chase influence," MajorNelson wrote. "Enjoy the leak." According to MajorNelson, the leak includes credentials for internal systems, incident response policies and more. 

In 2011, a threat actor exposed personally identifiable information from 77 million PlayStation Network accounts. Sony took the network offline for 23 days as it mitigated the damage, and in 2013 the UK Information Commissioner's Office fined it £250,000 for failing to adequately protect that data. 

This article originally appeared on Engadget at https://www.engadget.com/sony-investigates-the-alleged-data-breach-that-has-led-to-hacker-infighting-161559960.html?src=rss

Microsoft wants its Copilot AI to be your personal shopper

Microsoft announced Copilot for shopping at its 2023 Surface event on Thursday. The company plans to make Copilot a part of all its flagship products like Windows, Edge and more. Copilot for shopping will help you decide on a style, locate a specific item and buy it, according to the company. 

But the new launch may be more about playing catch-up with its competitors than innovating. Google Lens, for example, lets you find products to buy by just snapping a picture of them, so you can find results that fit what you're looking for even if you don't have the right words to type into the search bar. Google has also started using your data across the company's apps, including Lens, to help its Bard AI chatbot provide more relevant and actionable responses.

Copilot AI will start coming to devices on September 26. Microsoft spent a huge portion of its event on Thursday talking about updates to the AI product. While Copilot currently exists as separate pieces of software, with different iterations across Microsoft's platforms, an update will unify it into a single generative AI assistant that spans those products. 


This is a developing story. Please check back for updates.

This article originally appeared on Engadget at https://www.engadget.com/microsoft-wants-its-copilot-ai-to-be-your-personal-shopper-143639505.html?src=rss

MGM says its hotels and casinos are back up and running

All MGM Resorts hotels and casinos are back up and running as normal, nine days after a cyberattack shut down systems across the company, the company said in an X post on Wednesday. MGM Rewards accounts will be updated "at a later date," and some promotional offers could still be unavailable. It is the broadest restoration since websites went offline, slot machines went down and some transactions became cash-only on September 11.

The ALPHV ransomware group took credit for the attack shortly after systems went offline. The group claimed it used social engineering tactics, or winning employees' trust to get information, to access systems. Once a group has that access, it usually demands a sum of money in exchange for restoring systems or for not leaking stolen information. 

After the MGM attack went public, reports started surfacing that competitor Caesars Entertainment, which also owns casinos across the Las Vegas Strip, had recently suffered a similar attack. But unlike MGM, Caesars reportedly paid "tens of millions of dollars" to the hackers who threatened to release company data. Another group, Scattered Spider, took credit for that attack. Scattered Spider also took credit for the MGM attack, but responsibility is notoriously difficult to verify without independent analysis by security researchers, because hackers are motivated to claim as much damage as they can. 

Both attacks involved the companies' identity-management vendor, Okta. MGM and Caesars both use the service, and Okta confirmed that attackers used its platform as an access vector, though reportedly not by breaching Okta itself: the technique was to social-engineer a customer's IT help desk into resetting the password and multi-factor authentication of a highly privileged Okta account, and then sign in as that account. The full extent of the damage remains unclear. At least three other Okta customers have been hit by similar attacks, David Bradbury, the company's chief security officer, told Reuters.

MGM did not respond to a request for comment on any data leak implications possibly stemming from the attack or whether backend systems such as employee accounts are back up and running. 

This article originally appeared on Engadget at https://www.engadget.com/mgm-says-its-hotels-and-casinos-are-back-up-and-running-175208962.html?src=rss

Amazon's Eero Max 7 will have 10-gigabit Ethernet speeds

Amazon announced Eero Max 7, the WiFi device that combines a router, a range extender and a repeater, at its devices event on Wednesday. The device promises 10 gigabit Ethernet connections, with speeds that let users download a 4K movie in just 10 seconds, according to Amazon. It'll cost $599.99.

"It’ll be great for large homes or high-demand networks, and businesses with densely packed devices where multiple applications are being run," Mimi Swain, vice president of Ring, said at the event. 

Eero devices can be connected to each other to create a mesh network, or a WiFi setup that spreads the system across multiple points for better range and performance. Amazon calls the Eero Max 7 its fastest yet.

Amazon acquired Eero in 2019 as part of its connected-devices strategy. Most notably, Amazon has integrated Eero into its Echo Dot speakers, which can double as Eero WiFi extenders.


This is a developing story. Please check back for updates.

This article originally appeared on Engadget at https://www.engadget.com/amazons-eero-max-7-will-have-10-gigabit-ethernet-speeds-160927525.html?src=rss

How social engineering takes advantage of your kindness

Last week, MGM Resorts disclosed a massive systems issue that reportedly rendered slot machines, room keys and other critical devices inoperable. What elaborate methods were required to crack a nearly $34 billion casino and hotel empire? According to the hackers themselves (and seemingly confirmed by a source speaking with Bloomberg), all it took was a ten minute phone call.

The alleged hackers behind the MGM issue, by all appearances, gained access through one of the most ubiquitous and low-tech vectors: a social engineering attack. Social engineering psychologically manipulates a target into doing what the attacker wants, or giving up information that they shouldn’t — in this case, apparently, by pulling a fast one on an unsuspecting IT help desk worker. The consequences range from taking down global corporations to devastating the personal finances of unfortunate individual victims. But what makes social engineering attacks so effective, and why are they so hard to prevent?

It seems counterintuitive to hand over sensitive information to a complete stranger, but attackers have developed ways to trick you into feeling comfortable doing just that. Those could include building trust over time, gathering information about you to seem like they know you or using a sense of urgency to get you to act quickly without thinking through what you’re giving up. That’s why common personality traits among cyber victims include being extroverted, agreeable and open to new experiences, according to Erik Huffman, a researcher who studies the psychology behind cybersecurity trends.

“Fear is an attack vector. Helpfulness is an attack vector,” Huffman said. “The more comfortable you are, the more hackable you become.”

Plus, digital environments have fewer social cues versus being face to face, so a potential victim is not as good at sensing potentially suspicious signs, Huffman said. We read messages in our own voice, projecting our own good will onto them, which normally doesn’t happen in person. There’s less information like social cues or body language to guide us or give us a gut feeling that something’s off.

A social engineering attack could be as simple as a faux-urgent phone call from a scammer to get your credit card information for low-level theft. But there are increasingly complicated “Rube Goldberg attacks” that layer multiple approaches to fool you, according to Andrew Brandt, a principal researcher at SophosLabs. In one example of such an attack, Brandt observed scammers first operating over the phone to get a target to click a link in an email the scammers had also sent. Once clicked, the email set off an attack chain that included malware and remote access software.

More likely, you’ll encounter it on a much simpler level. You might get a text from someone pretending to be your boss asking for gift cards or be tricked into clicking a malicious link that phishes your credentials. But one way or another you’ll probably run into it eventually, as an estimated 98 percent of cyberattacks rely to some extent on social engineering tactics, according to research from Splunk.

There are some other warning signs people can look out for. Having to download an unusually big file, a password-protected zip file that can’t be scanned for malware or a suspicious shortcut file are all signs of a potential attack, according to Brandt. But a lot of it is a gut feeling, and taking the time to step back before proceeding to consider what could go wrong.
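Brandt's three warning signs can be turned into an automated check. The script below is an added example, not Sophos's tooling: it flags oversized attachments, password-protected zip entries that a scanner cannot open, and Windows shortcut (.lnk) files, whether bare or inside an archive. The size threshold and the list of risky extensions are assumed values, and the zip archive it inspects is built by hand in the same script, with the encryption flag set in the headers but no real encryption applied, so the example runs offline.

```python
# Added example (not Sophos's code): triage an attachment for the warning signs
# in the text. Thresholds and the extension list are assumed values.
import io
import struct
import zipfile
import zlib

SIZE_LIMIT = 10 * 1024 * 1024        # assumed: larger attachments get a closer look
ENCRYPTED = 0x0001                   # zip general-purpose flag bit 0: entry is encrypted
# Shell Link header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
RISKY_EXT = (".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".img")  # assumed list


def triage(filename: str, data: bytes, size_limit: int = SIZE_LIMIT) -> list:
    """Return human-readable findings for one attachment; empty means nothing stood out."""
    findings = []
    lower = filename.lower()
    if len(data) > size_limit:
        findings.append(f"oversized attachment ({len(data)} bytes)")
    # Check the bytes as well as the name: a renamed .lnk still starts with the header.
    if lower.endswith(RISKY_EXT) or data.startswith(LNK_MAGIC):
        findings.append(f"executable or shortcut content: {filename}")
    if lower.count(".") > 1 and lower.endswith(RISKY_EXT):
        findings.append(f"double extension: {filename}")
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    # The flag lives in the central directory, so this needs no password.
                    if info.flag_bits & ENCRYPTED:
                        findings.append(f"encrypted zip entry cannot be scanned: {info.filename}")
                    if info.filename.lower().endswith(RISKY_EXT):
                        findings.append(f"risky file inside archive: {info.filename}")
        except zipfile.BadZipFile:
            findings.append("malformed zip container")
    return findings


def build_zip(entries) -> bytes:
    """Hand-build a stored (uncompressed) zip from (name, payload, encrypted) tuples.
    For 'encrypted' entries only the header flag is set; the payload is constructed
    test data, not real ZipCrypto output, which is all the triage check looks at."""
    body, central = bytearray(), bytearray()
    for name, payload, encrypted in entries:
        flags = ENCRYPTED if encrypted else 0
        fname = name.encode()
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21, crc,
                            len(payload), len(payload), len(fname), 0) + fname + payload
        # central directory header (46 bytes) followed by the name
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(payload), len(payload), len(fname), 0, 0, 0, 0, 0,
                               offset) + fname
    cd_offset = len(body)
    # end of central directory record
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(body + central + eocd)


if __name__ == "__main__":
    sample = build_zip([("invoice.pdf.lnk", b"A" * 32, False), ("payload.bin", b"B" * 32, True)])
    for finding in triage("invoice.zip", sample):
        print(finding)
```

The encrypted-entry check reads only the general-purpose flag in the central directory, which is why a triage step can raise it without knowing the password; a real mail gateway would also recurse into nested archives and would not stop at the first finding.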

“It is a practice that takes repetition and rehearsal over and over again to reflexively distrust what people say to you who you don’t know,” Brandt said.

Huffman said people can try to avoid falling victim by acknowledging the limitations of a digital environment, and asking questions like: Does it make sense for this person to reach out to me? Does this person behave in a trustworthy manner? Does this person have the authority or position of power to give these directions? Does this person truly understand the topic we’re discussing?

Social engineering attacks happen constantly, to huge corporations as well as everyday people. Knowing that our good-natured traits can be our greatest weakness when faced with this variety of bad actors, it can be tempting to stop being nice altogether for safety's sake. The key is balancing our social instincts with healthy skepticism. “You can be helpful," said Huffman, "but be cautious.”

This article originally appeared on Engadget at https://www.engadget.com/how-social-engineering-takes-advantage-of-your-kindness-170043531.html?src=rss

Hackers claim it only took a 10-minute phone call to shut down MGM Resorts

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, according to a post by malware archive vx-underground. The group claims it used common social engineering tactics, gaining employees' trust to extract inside information, to try to get a ransom out of MGM Resorts, but the company reportedly refuses to pay. The conversation that granted initial access took just 10 minutes, according to the group. 

"All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk," the organization wrote in a post on X. Those details came from ALPHV, but have not been independently confirmed by security researchers.
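The chain ALPHV describes, and the help-desk resets of Okta accounts noted in the restoration update above, leave a trail in the identity provider's audit log. The following is an added example, not MGM's, Okta's or ALPHV's code: a detection that fires when someone other than the account holder resets multi-factor authentication on a privileged account and that account then signs in from an address it has never used. The audit records are constructed, the event and field names are a simplified schema assumed for the example (Okta's System Log uses its own names), and the privileged-account list and the one-hour window are assumptions a real deployment would tune.

```python
# Added example: flag a help-desk MFA reset on a privileged identity-provider
# account that is followed by a login from an address the account has never used.
# The log schema is simplified and assumed for the example; real IdP exports
# (Okta's System Log included) use different field and event names.
import json
from datetime import datetime, timedelta

PRIVILEGED = {"alice.admin"}          # assumed: holders of IdP super-admin roles
WINDOW = timedelta(minutes=60)        # assumed: reset-to-login gap worth alerting on

# Constructed audit records using RFC 5737 documentation addresses.
# 'actor' performed the action; 'target' is the account it applied to.
SAMPLE_LOG = """
{"ts": "2023-09-08T09:00:00", "event": "login.success", "actor": "alice.admin", "target": "alice.admin", "ip": "203.0.113.10"}
{"ts": "2023-09-08T13:55:00", "event": "mfa.reset", "actor": "alice.admin", "target": "alice.admin", "ip": "203.0.113.10"}
{"ts": "2023-09-08T14:02:00", "event": "mfa.reset", "actor": "helpdesk.bob", "target": "alice.admin", "ip": "192.0.2.5"}
{"ts": "2023-09-08T14:09:00", "event": "login.success", "actor": "alice.admin", "target": "alice.admin", "ip": "198.51.100.77"}
{"ts": "2023-09-08T14:20:00", "event": "mfa.reset", "actor": "helpdesk.bob", "target": "carol", "ip": "192.0.2.5"}
{"ts": "2023-09-08T14:25:00", "event": "login.success", "actor": "carol", "target": "carol", "ip": "198.51.100.78"}
{"ts": "2023-09-08T16:30:00", "event": "login.success", "actor": "alice.admin", "target": "alice.admin", "ip": "203.0.113.10"}
"""


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_help_desk_takeovers(events, privileged=PRIVILEGED, window=WINDOW) -> list:
    """Single pass over time-ordered events.

    Baseline: every IP an account has logged in from so far.
    Alert: an MFA reset on a privileged account performed by someone other than
    the account holder, followed within `window` by a login from a non-baseline IP."""
    events = sorted(events, key=lambda e: e["ts"])
    seen_ips = {}      # target -> set of IPs from earlier successful logins
    pending = {}       # target -> (reset time, actor) awaiting a follow-up login
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        target = e["target"]
        if e["event"] == "mfa.reset":
            # A self-service reset by the holder is normal; a third-party reset on a
            # privileged account is the help-desk pattern we care about.
            if e["actor"] != target and target in privileged:
                pending[target] = (ts, e["actor"])
        elif e["event"] == "login.success":
            reset = pending.get(target)
            if reset and ts - reset[0] <= window and e["ip"] not in seen_ips.get(target, set()):
                alerts.append({"target": target, "reset_by": reset[1],
                               "reset_at": reset[0].isoformat(),
                               "login_at": e["ts"], "login_ip": e["ip"]})
                del pending[target]
            seen_ips.setdefault(target, set()).add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in find_help_desk_takeovers(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the sample, only the 14:09 login trips the rule: the reset was performed by a help-desk user on a privileged account and the follow-up login came from an address alice.admin had never used. Carol's reset is ignored because her account is not privileged, and alice.admin's own earlier reset is ignored because she performed it herself. The same rule reads naturally as a SIEM correlation search, with the baseline coming from a longer lookback than the sample shows.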

The international resort chain started experiencing outages earlier this week, as customers noticed slot machines at casinos owned by MGM Resorts shut down on the Las Vegas strip. As of Wednesday morning, MGM Resorts still shows signs that it's experiencing downtime, like continued website disruptions. MGM Resorts has not responded to a request for comment, but said in a statement on Tuesday that "Our resorts, including dining, entertainment and gaming are currently operational."

Katie Malone for Engadget

ALPHV has a reputation in the cybersecurity community for being "remarkably gifted at social engineering for initial access," according to vx-underground. From there, it usually uses ransomware to extort a target into paying up, and it has been going after huge corporate targets. In July, ALPHV and another threat actor, Clop, listed beauty giant Estée Lauder on their data leak sites.

This article originally appeared on Engadget at https://www.engadget.com/hackers-claim-it-only-took-a-10-minute-phone-call-to-shutdown-mgm-resorts-143147493.html?src=rss

MGM Resorts hit by 'cybersecurity issue,' leading to massive outage

MGM Resorts confirmed on Monday that it was hit by a cybersecurity issue, shutting down systems across its casinos and hotels. The hotel giant owns a notable swath of casinos along the Las Vegas Strip, where some gamblers reported slot machines being taken offline because of the incident. At MGM Resorts' international properties, hotels are currently taking reservations by phone because of website shutdowns. 

"MGM Resorts recently identified a cybersecurity issue affecting some of the company's systems," the company wrote in a statement. It said the company "took prompt action to protect our systems and data, including shutting down certain systems" in response to the attack. MGM Resorts has not confirmed how widespread the shut down is, what systems have been affected or other details about the incident. 

Customers have reported problems making reservations, using ATMs, playing certain games and using mobile keys to enter hotel rooms, but Engadget has not independently confirmed these reports. MGM Resorts informed the Las Vegas Metropolitan Police Department about the incident, but the department said in a statement that incidents of this type are typically passed along to federal agencies. 

This article originally appeared on Engadget at https://www.engadget.com/mgm-resorts-hit-by-cybersecurity-issue-leading-to-massive-outage-215205561.html?src=rss

Tesla tops Mozilla's list of 'creepiest' carmakers, but 25 brands failed basic data privacy tests

The non-profit Mozilla Foundation deemed cars the "worst product category" ever reviewed for data privacy, according to research released Wednesday. Its Privacy Not Included Research division reviews everything from smart home devices to health and wellness apps. But of the 25 car brands the research team studied, not a single one passed the reviews, with top brands like Tesla, Nissan and Hyundai landing at the top of the worst-of-the-worst list. 

Tesla earned a mark against it for untrustworthy use of AI, making it only the second product Mozilla has reviewed to fail every one of its privacy tests. That's because its AI-powered Autopilot feature has been linked to several deaths and hundreds of crashes. Meanwhile, companies like Nissan and Kia say they can collect information about your sexual activity and sex life, and Hyundai promises to comply with “lawful requests, whether formal or informal" to share your information with government and law enforcement. 

That left Renault, Dacia and BMW as the "least creepy" car options. Researchers couldn't confirm whether Renault, which also owns Dacia, encrypts the data it collects, and it doesn't go much beyond what's required by data privacy law, but compared to others it's not the worst. The reason for BMW landing higher on the list was also marginal, as researchers based it on the fact that the car maker doesn't explicitly say they sell data to third parties for advertising purposes, while other manufacturers explicitly claim to do so. "From our reading of BMW's privacy policy, they might not do this. But we're also not 100% sure they don't," the researchers wrote. 

Still, every brand of car collected too much personal data, and most of them share or sell that information to a third party. The researchers spent 600 hours analyzing privacy policies, investigating app features and working directly with the car companies themselves to determine privacy rankings, but still concluded it was one of the more confusing categories they've tested. 

"Sorting through the large and confusing ecosystem of privacy policies for cars, car apps, car connected services, and more isn’t something most people have the time or experience to do," members of Mozilla's Privacy Not Included team wrote in a blog post. That leaves little for car buyers to do if they're looking for an option that takes data privacy seriously because, at least according to Mozilla, they really are all that bad. 

This article originally appeared on Engadget at https://www.engadget.com/tesla-tops-mozillas-list-of-creepiest-carmakers-but-25-brands-failed-basic-data-privacy-tests-202017058.html?src=rss