Kohler has launched the Dekoda, a $599 smart toilet camera that analyzes users' waste to track hydration, gut health, and detect potential issues like blood. "It also comes with a rechargeable battery, a USB connection, and a fingerprint sensor to identify who's using the toilet," reports TechCrunch. From the report: The Dekoda is currently available for preorder, with shipments scheduled to begin on October 21. In addition to the hardware purchase fee, customers will need to pay between $70 and $156 per year for a subscription. If you're uneasy about the privacy implications of putting a camera right below your private parts, the company says, "Dekoda's sensors see down into your toilet and nowhere else." It also notes that the resulting data is secured via end-to-end encryption.

Google's September Pixel drop brings the new Material 3 Expressive UI, AI-powered Gboard writing tools, and Bluetooth Auracast upgrades to older Pixel devices, including the Pixel 6 and Pixel Tablet. "Among other tweaks, Google made it possible to add 'Live Effects,' including a few that cover the weather, to your phone's lock screen wallpaper," notes Engadget. "Material 3 Expressive also gives you more control over how the contact cards your phone displays when your friends and family call you look. Even if you're not one to endlessly tweak Android's appearance, as part of the redesign Google has once again reworked the Quick Settings pane in hopes of making it easier to use."

On the audio front, Pixel Buds Pro 2 gain intuitive nod-and-shake gesture controls, Adaptive Audio for balanced awareness, and Loud Noise Protection to guard against sudden sound spikes. Voice clarity has also been improved with Gemini Live in noisy environments.

A full breakdown of what's new can be found here.

A new review of nearly 700 studies on portable air cleaners found that over 90% of them were tested in empty spaces, not on people, leaving major gaps in evidence about whether these devices actually prevent infections or if they might even cause harm by releasing chemicals like ozone or formaldehyde. The Conversation reports: Many respiratory viruses, such as COVID-19 and influenza, can spread through indoor air. Technologies such as HEPA filters, ultraviolet light and special ventilation designs -- collectively known as engineering infection controls -- are intended to clean indoor air and prevent viruses and other disease-causing pathogens from spreading. Along with our colleagues across three academic institutions and two government science agencies, we identified and analyzed every research study evaluating the effectiveness of these technologies published from the 1920s through 2023 -- 672 of them in total.

These studies assessed performance in three main ways: Some measured whether the interventions reduced infections in people; others used animals such as guinea pigs or mice; and the rest took air samples to determine whether the devices reduced the number of small particles or microbes in the air. Only about 8% of the studies tested effectiveness on people, while over 90% tested the devices in unoccupied spaces.

We found substantial variation across different technologies. For example, 44 studies examined an air cleaning process called photocatalytic oxidation, which produces chemicals that kill microbes, but only one of those tested whether the technology prevented infections in people. Another 35 studies evaluated plasma-based technologies for killing microbes, and none involved human participants. We also found 43 studies on filters incorporating nanomaterials designed to both capture and kill microbes -- again, none included human testing.

Two Harvard dropouts are launching Halo X, a $249 pair of AI-powered smart glasses that continuously listen, record, and transcribe conversations while displaying real-time information to the wearer. "Our goal is to make glasses that make you super intelligent the moment you put them on," said AnhPhu Nguyen, co-founder of Halo. Co-founder Caine Ardayfio said the glasses "give you infinite memory."

"The AI listens to every conversation you have and uses that knowledge to tell you what to say ... kinda like IRL Cluely," Ardayfio told TechCrunch. "If somebody says a complex word or asks you a question, like, 'What's 37 to the third power?' or something like that, then it'll pop up on the glasses." From the report: Ardayfio and Nguyen have raised $1 million to develop the glasses, led by Pillar VC, with support from Soma Capital, Village Global, and Morningside Venture. The glasses will be priced at $249 and will be available for preorder starting Wednesday. Ardayfio called the glasses "the first real step towards vibe thinking."

The two Ivy League dropouts, who have since moved into their own version of the Hacker Hostel in the San Francisco Bay Area, recently caused a stir after developing a facial-recognition app for Meta's smart Ray-Ban glasses to prove that the tech could be used to dox people. As a potential early competitor to Meta's smart glasses, Ardayfio said Meta, given its history of security and privacy scandals, had to rein in its product in ways that Halo can ultimately capitalize on. [...]

For now, Halo X glasses only have a display and a microphone, but no camera, although the two are exploring the possibility of adding it to a future model. Users still need to have their smartphones handy to help power the glasses and get "real time info prompts and answers to questions," per Nguyen. The glasses, which are manufactured by another company that the startup didn't name, are tethered to an accompanying app on the owner's phone, where the glasses essentially outsource the computing since they don't have enough power to do it on the device itself. Under the hood, the smart glasses use Google's Gemini and Perplexity as its chatbot engine, according to the two co-founders. Gemini is better for math and reasoning, whereas they use Perplexity to scrape the internet, they said.

An anonymous reader quotes a report from ScientificAmerican: After a brain stem stroke left him almost entirely paralyzed in the 1990s, French journalist Jean-Dominique Bauby wrote a book about his experiences -- letter by letter, blinking his left eye in response to a helper who repeatedly recited the alphabet. Today people with similar conditions often have far more communication options. Some devices, for example, track eye movements or other small muscle twitches to let users select words from a screen. And on the cutting edge of this field, neuroscientists have more recently developed brain implants that can turn neural signals directly into whole words. These brain-computer interfaces (BCIs) largely require users to physically attempt to speak, however -- and that can be a slow and tiring process. But now a new development in neural prosthetics changes that, allowing users to communicate by simply thinking what they want to say.

The new system relies on much of the same technology as the more common "attempted speech" devices. Both use sensors implanted in a part of the brain called the motor cortex, which sends motion commands to the vocal tract. The brain activation detected by these sensors is then fed into a machine-learning model to interpret which brain signals correspond to which sounds for an individual user. It then uses those data to predict which word the user is attempting to say. But the motor cortex doesn't only light up when we attempt to speak; it's also involved, to a lesser extent, in imagined speech. The researchers took advantage of this to develop their "inner speech" decoding device and published the results on Thursday in Cell. The team studied three people with amyotrophic lateral sclerosis (ALS) and one with a brain stem stroke, all of whom had previously had the sensors implanted. Using this new "inner speech" system, the participants needed only to think a sentence they wanted to say and it would appear on a screen in real time. While previous inner speech decoders were limited to only a handful of words, the new device allowed participants to draw from a dictionary of 125,000 words. To help keep private thoughts private, the researchers implemented a code phrase "chitty chitty bang bang" that participants could use to prompt the BCI to start or stop transcribing.

Google DeepMind has launched Gemini Robotics On-Device, a new language model that enables robots to perform complex tasks locally without internet connectivity. TechCrunch reports: Building on the company's previous Gemini Robotics model that was released in March, Gemini Robotics On-Device can control a robot's movements. Developers can control and fine-tune the model to suit various needs using natural language prompts. In benchmarks, Google claims the model performs at a level close to the cloud-based Gemini Robotics model. The company says it outperforms other on-device models in general benchmarks, though it didn't name those models.

In a demo, the company showed robots running this local model doing things like unzipping bags and folding clothes. Google says that while the model was trained for ALOHA robots, it later adapted it to work on a bi-arm Franka FR3 robot and the Apollo humanoid robot by Apptronik. Google claims the bi-arm Franka FR3 was successful in tackling scenarios and objects it hadn't "seen" before, like doing assembly on an industrial belt. Google DeepMind is also releasing a Gemini Robotics SDK. The company said developers can show robots 50 to 100 demonstrations of tasks to train them on new tasks using these models on the MuJoCo physics simulator.

An anonymous reader quotes a report from SC Media: Thousands of ASUS routers have been compromised with malware-free backdoors in an ongoing campaign to potentially build a future botnet, GreyNoise reported Wednesday. The threat actors abuse security vulnerabilities and legitimate router features to establish persistent access without the use of malware, and these backdoors survive both reboots and firmware updates, making them difficult to remove.

The attacks, which researchers suspect are conducted by highly sophisticated threat actors, were first detected by GreyNoise's AI-powered Sift tool in mid-March and disclosed Thursday after coordination with government officials and industry partners. Sekoia.io also reported the compromise of thousands of ASUS routers in their investigation of a broader campaign, dubbed ViciousTrap, in which edge devices from other brands were also compromised to create a honeypot network. Sekoia.io found that the ASUS routers were not used to create honeypots, and that the threat actors gained SSH access using the same port, TCP/53282, identified by GreyNoise in their report. The backdoor campaign affects multiple ASUS router models, including the RT-AC3200, RT-AC3100, GT-AC2900, and Lyra Mini.

GreyNoise advises users to perform a full factory reset and manually reconfigure any potentially compromised device. To identify a breach, users should check for SSH access on TCP port 53282 and inspect the authorized_keys file for unauthorized entries.

OpenAI on Wednesday announced that it was paying $6.5 billion to buy io, a one-year-old start-up created by Jony Ive. While the company remains tightlipped about the futuristic AI device(s) it has in the works, Apple supply chain analyst Ming-Chi Kuo shared some alleged details about its design. MacRumors reports: In a social media post today, Kuo said the device will be "slightly larger" than Humane's discontinued AI Pin. He said the device will look "as compact and elegant as an iPod Shuffle," which was Apple's lowest-priced, screen-less iPod. The design of the iPod shuffle varied over the years, going from a compact rectangle to a square. Like the iPod shuffle, Kuo said OpenAI's device will not have a screen, but it would connect to smartphones and computers. The device will be equipped with microphones for voice control, and it will have cameras that can analyze the user's surroundings.

He said that users will be able to wear the device around their necks, like a necklace, whereas the AI Pin can be attached to clothing with a clip. Kuo expects OpenAI's device to enter mass production in 2027, and the final design and specifications might change before then. Kuo expects OpenAI's device to enter mass production in 2027, and the final design and specifications might change before then.

An anonymous reader quotes a report from the Washington Post: Virginia is set to become the first state in the country to require some reckless drivers to put devices on their cars that make it impossible to drive too fast. D.C. passed similar legislation last year. Several other states, including Maryland, are considering joining them. It's an embrace of a technological solution to a human problem: Speeding contributes to more than 10,000 deaths a year. Under the Virginia legislation, a judge can decide to order drivers to install the speed limiters in their vehicles in lieu of taking away their driving privileges or sending them to jail. It takes effect in July 2026.

Del. Patrick A. Hope (D-Arlington) said various advocacy groups, including Mothers Against Drunk Driving and the National Safety Council, gave him the idea. He drove a car outfitted with the technology and was impressed. "It was easy to use, and once you're engaged it's impossible to go over the speed limit," he said. "It will make our streets safer." He thinks the device is preferable to suspending drivers' licenses, a punishment that people frequently ignore because they have no other way of getting to work or the store or taking their children to school. It's an approach similar to using an interlock device that requires a person convicted of drunken driving to pass a Breathalyzer test to start their car.

Hope wanted anyone convicted of reckless driving after going 100 mph or more to be required to use a limiter for two to six months, but Gov. Glenn Youngkin (R) struck that part of the bill, leaving all use of the limiting technology up to the state courts. Hope expressed concern about the governor's amendment but will urge the General Assembly to accept it, as the legislature typically does when the bill's sponsor signals support. Drivers must pay for the speed limiters themselves. (As in D.C., indigent defendants are exempt from paying.) The limiters won't be used in Virginia on commercial vehicles. Attempting to evade the speed limiter by tampering with it or driving a different car is a misdemeanor punishable by up to a year in jail.

Google Play on Android devices is being updated to include a new search filter for widgets, widget badges on app detail pages, and a curated editorial page dedicated to widgets. The Verge reports: With the search filter, users will be able to more easily search for apps with widgets. The badge "eliminates guesswork for users and highlights your widget offerings, encouraging them to explore and utilize this capability," Taiwo-Peters says. And the curated editorial page will show off "collections of excellent widgets." The updated widget discoverability tools will be "coming soon," Taiwo-Peters says. "Historically, one of the challenges with investing in widget development has been discoverability and user understanding," product manager Yinka Taiwo-Peters says in the post. "You've asked for better ways for users to find and utilize your widgets, and we're delivering." Yinka Taiwo-Peters also acknowledges that "we understand that the effort required to build and maintain widgets needs to be justified by user adoption."

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers. Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.

Asus has introduced the Fragrance Mouse, a hybrid wireless mouse that features a removable container for fragrance oils. Despite not being a gaming mouse, it includes premium features like PTFE pads, low-noise clicks rated for up to 10 million presses, and three fixed DPI settings (1200, 1600, 2400). Tom's Hardware reports: The selling point of the new mouse is its fragrance-producing capabilities. Under the mouse (right behind the AA battery housing) is a small semi-translucent container designed to house oils that give the mouse a pleasing aroma. There's no limit to what scents can be used; the container can be washed and refilled with different scents. Last year, the peripheral maker debuted an aroma-dispensing laptop that featured a fragrance dispenser at the center of the lid.

An anonymous reader quotes a report from Ars Technica: Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail. The vulnerabilities, affecting the CPUs in later generations of Apple A- and M-series chip sets, open them to side channel attacks, a class of exploit that infers secrets by measuring manifestations such as timing, sound, and power consumption. Both side channels are the result of the chips' use of speculative execution, a performance optimization that improves speed by predicting the control flow the CPUs should take and following that path, rather than the instruction order in the program. [...]

The researchers published a list of mitigations they believe will address the vulnerabilities allowing both the FLOP and SLAP attacks. They said that Apple officials have indicated privately to them that they plan to release patches. In an email, an Apple representative declined to say if any such plans exist. "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats," the spokesperson wrote. "Based on our analysis, we do not believe this issue poses an immediate risk to our users." FLOP, short for Faulty Load Operation Predictor, exploits a vulnerability in the Load Value Predictor (LVP) found in Apple's A- and M-series chipsets. By inducing the LVP to predict incorrect memory values during speculative execution, attackers can access sensitive information such as location history, email content, calendar events, and credit card details. This attack works on both Safari and Chrome browsers and affects devices including Macs (2022 onward), iPads, and iPhones (September 2021 onward). FLOP requires the victim to interact with an attacker's page while logged into sensitive websites, making it highly dangerous due to its broad data access capabilities.

SLAP, on the other hand, stands for Speculative Load Address Predictor and targets the Load Address Predictor (LAP) in Apple silicon, exploiting its ability to predict memory locations. By forcing LAP to mispredict, attackers can access sensitive data from other browser tabs, such as Gmail content, Amazon purchase details, and Reddit comments. Unlike FLOP, SLAP is limited to Safari and can only read memory strings adjacent to the attacker's own data. It affects the same range of devices as FLOP but is less severe due to its narrower scope and browser-specific nature. SLAP demonstrates how speculative execution can compromise browser process isolation.

In his latest Power On! newsletter, Apple analyst Mark Gurman called the company's new smart device "Apple's most significant release of the year because it's the first step toward a bigger role in the smart home." The device in question is rumored to be a new smart hub that could look like a HomePod with a seven-inch screen. Digital Trends reports: Gurman calls the new smart device a "smaller and cheaper iPad that lets users control appliances, conduct FaceTime chats and handle other tasks." It doesn't sound like the new hub will stand alone, though; Gurman goes on to say that it "should be followed by a higher-end version in a few years." That version should be able to pan and tilt to keep users in-frame during video calls, or just to keep the display visible as someone moves around the home.

[...] Other details are still known, like whether the device will use an original operating system. The overall plan is to make the new smart device the center of an Apple-based smart home and open the doors to a more conversational Siri.

BleepingComputer's Sergiu Gatlan reports: "Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label, which will appear on smart products sold in the United States later this year, will help American consumers determine whether the devices they want to buy are safe to install in their homes. It's designed for consumer smart devices, such as home security cameras, TVs, internet-connected appliances, fitness trackers, climate control systems, and baby monitors, and it signals that the internet-connected device comes with a set of security features approved by NIST.

Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. These criteria include using unique and strong default passwords, software updates, data protection, and incident detection capabilities. Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product's minimum support period, and a notification if the manufacturer does not offer updates for the device. "Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations," the Biden administration said on Tuesday.

"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devise [sic], much as EnergyStar labels did for energy efficiency.

The OnePlus 13 launched in the North American market today, making it the first flagship smartphone of 2025. As the smartphone market continues to consolidate, it has become increasingly difficult for non-Samsung, Google, and Apple devices to gain significant traction in the competitive U.S. market. Nevertheless, OnePlus has continually released premium flagship-tier devices at relatively modest price points, hoping to pry users away from the Big Tech monoliths.

The OnePlus 13 features Qualcomm's latest Snapdragon 8 Elite chipset, up to 16GB of RAM, a 6.82" QHD+ OLED display, a triple Hasselblad-branded camera system, a massive 6,000mAh battery, and support for 5G networks across all major carriers in the U.S. and Canada. A full list of specifications can be found here.

Based on the early reviews, the OnePlus 13 appears to set the bar high with not a lot of faults to highlight among reviewers. Here are some of our favorite reviews published today:

OnePlus 13 review: finally, a flagship that can hang (The Verge)
OnePlus 13 review: I'm dumbfounded, I can't find anything wrong with this phone (TechRadar)
OnePlus 13 Review: Ship Shape? (Michael Fisher)
OnePlus 13 Review: The Bar Has Been Set! (Marques Brownlee)
The OnePlus 13 is finally a OnePlus flagship I trust to do it all (Android Authority)
OnePlus 13 Review: 2025's First Flagship Finds Success (Forbes)
OnePlus 13 review: The complete package (BGR)
The OnePlus 13 sets a new bar for smartphone performance (Business Insider)

This is not a Slashvertisement. We just like shiny, new tech.

Cornell Tech researchers have developed a portable device called SoilScanner that uses radio frequency signals and machine learning to detect lead contamination in soil. It offers a cost-effective alternative to traditional methods of testing that "generally involves either sending samples to a lab for analysis, which relies upon harsh chemicals and can be expensive, or using a portable X-ray fluorescence device," notes Phys.org. From the report: "In recent years, especially during COVID, a lot of us got excited about having our own backyard garden, or spending more time at home," said [Rajalakshmi Nandakumar, assistant professor at the Jacobs Technion-Cornell Institute at Cornell Tech] who's also a member of the Department of Information Science in the Cornell Ann S. Bowers College of Computing and Information Science. "But if you look at instructions for how to grow tomatoes, no one actually tells you that you have to check your soil for lead," she said. "It's all about pH levels. A lot of us, even though we interact very often with soils, are totally unaware of possible lead contamination."

[Yixuan Gao, a doctoral candidate in computer science] said the group was motivated by a map of lead contamination in New York City that Cheng's Urban Soils Lab (USL) had produced over the course of several years of testing for hundreds of soil samples throughout the five boroughs. The testing revealed dangerously high levels of lead in many locations, most notably in northern Brooklyn. About 45% of the soil samples tested by USL had lead levels above 400 parts per million (ppm), the previous EPA recommended screening level (revised a year ago to 200 ppm for residential soils). "This means there is a significant risk when gardening in these urban soils," Gao said. You can learn more about the device here (PDF).

Windows 11 24H2 continues to experience issues with multifunction devices using the eSCL scan protocol, despite Microsoft marking the problem as resolved. According to a Register reader, "It works on a Windows 10 machine, but not on Windows 11, unless both the computer and the scanner are on wired Ethernet." From the report: Microsoft issued a compatibility safeguard hold on USB-connected devices using the Scanner Communication Language (eSCL) protocol in November after users who installed the Windows update experienced glitches with device discovery. The issue was reported resolved by Microsoft in December. However, it seems that KB5048667 might not have fixed all the problems for Canon owners. According to our reader: "Canon support tells me that the 24H2 eSCL issue still is not fixed." We asked Microsoft about the situation, but despite telling us it was looking into the problem on Friday, December 20, the company has yet to provide any further details. Canon was more forthcoming. A spokesperson told The Register it was aware of a problem impacting devices using ScanGear MF.

ScanGear MF is a scanner driver provided by Canon and allows customers to configure advanced settings for scanning. Canon does not appear to be changing its code to rectify whatever problems had been brought on by the Windows 11 update. The spokesperson said: "Microsoft is currently working on an OS amendment to resolve this and we are keeping in close contact with them. The timing for resolving this is yet to be confirmed by Microsoft, however we expect to receive the plan to fix in January 2025." Customers affected by the issue, which manifests itself with a communications error message, according to Canon's support forum, are advised to use either native Microsoft software solutions or go fully wired via USB.

The UK's Information Commissioner's Office (ICO) warns that while most adults recognize the importance of wiping personal data from old devices, nearly 30% don't know how, and a significant number of young people either don't care or find it too cumbersome. The Register reports: Clearing personal data off an old device is an important step before ditching it or handing it on to another user. However, almost three in ten (29 percent) of adults don't know how to remove the information, according to a survey of 2,170 members of the UK public. Seventy-one percent agreed that wiping a device was important, but almost a quarter (24 percent) reckoned it was too arduous. This means that the drawer of dusty devices is set to swell -- three-quarters of respondents reported hanging on to at least one old device, and a fifth did so because they were worried about their personal information. [...]

More than one in five (21 percent) of young people in the survey didn't think it was important to wipe personal data, while 23 percent said they didn't care about what might happen to that data. Fourteen percent of people aged 18-34 said they wouldn't bother wiping their devices at all, compared to just 4 percent of people over 55. On the plus side, the majority (84 percent) of respondents said they would ensure data was erased before disposing of a device. Alternatively, some might not worry about it and stick it in that special drawer alongside all the cables that might be needed one day. The survey also found that more than a quarter (27 percent) of UK adults were planning to treat themselves to a new device over the festive season [...].

An anonymous reader quotes a report from PCWorld: Smart home devices compatible with the Matter standard have garnered most of our attention lately, but the compelling features in the latest generation of Z-Wave chips convinced the IoT developer Shelly Group to build no fewer than 11 new products powered by Z-Wave technology. The new collection includes a smart plug, in-wall dimmers, relays, and various sensors aimed at DIYers, installers, and commercial builders. Citing the ability of Z-Wave 800 (aka Z-Wave Long Range or LR) chips to operate IoT devices over extremely long range -- up to 1 mile, line of sight -- while running on battery power for up to 10 years, Shelly Group CTO Leon Kralj said "Shelly is helping break down smart home connectivity barriers, empowering homeowners, security installers, and commercial property owners and managers with unmatched range, scalability, and energy efficiency to redefine their automation experience."

[...] While most homeowners won't need to worry about the number of IoT devices their networks can support, commercial builders will appreciate the scalability of Z-Wave 800-powered devices -- namely, you can deploy as many as 4,000 nodes on a single mesh network. That's a 20x increase over what was possible with previous generations of the chip. And since Z-Wave LR is backward compatible with those previous generations, there should be no worries about integrating the new devices into existing networks. Shelly says all 11 of its new Z-Wave 800-powered IoT devices will be available in the first half of 2025. The new Shelly devices will be available in the U.S. in the first half of 2025.

Here's a list of the devices enhanced with the new long-range capabilities:
- Shelly Wave Plug US
- Shelly Wave Door/Window
- Shelly Wave H&T
- Shelly Wave Motion
- Shelly Wave Dimmer
- Shelly Wave Pro Dimmer 1 PM
- Shelly Wave Pro Dimmer 2 PM
- Shelly Wave 1
- Shelly Wave 1 PM
- Shelly Wave 2 PM
- Shelly Wave Shutter

D-Link confirmed no fix will be issued for the over 60,000 D-Link NAS devices that are vulnerable to a critical command injection flaw (CVE-2024-10914), allowing unauthenticated attackers to execute arbitrary commands through unsanitized HTTP requests. The networking company advises users to retire or isolate the affected devices from public internet access. BleepingComputer reports: The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses: DNS-320 Version 1.00; DNS-320LW Version 1.01.0914.2012; DNS-325 Version 1.01, Version 1.02; and DNS-340L Version 1.08. [...] A search that Netsecfish conducted on the FOFA platform returned 61,147 results at 41,097 unique IP addresses for D-Link devices vulnerable to CVE-2024-10914.

In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products. If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions. The same researcher discovered in April this year an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting mostly the same D-Link NAS models as the latest flaw.

Longtime Slashdot reader AmiMoJo shares a report from The Verge: It's been two long years since the launch of Matter -- the one smart home standard designed to rule them all -- and there's been a fair amount of disappointment around a sometimes buggy rollout, slow adoption by companies like Apple, Amazon, and Google, and frustrating setup experiences. However, the launch of the Matter 1.4 specification this week shows some signs that the Connectivity Standards Alliance (CSA, the organization behind Matter) is using more sticks and fewer carrots to get the smart home industry coalition to cooperate.

The new spec introduces 'enhanced multi-admin,' an improvement on multi-admin -- the much-touted interoperability feature that means your Matter smart light can work in multiple ecosystems simultaneously. It brings a solution for making Thread border routers from different companies play nicely together and introduces a potentially easier way to add Matter infrastructure to homes through Wi-Fi routers and access points. Matter 1.4 also brings some big updates to energy management support, including adding heat pumps, home batteries, and solar panels as Matter device types.

After a couple of years of regular use, Samsung's $400 Galaxy Ring will end up contributing to the growing e-waste problem. "The Galaxy Ring -- and all smart rings like it -- comes with a huge string attached," writes iFixit in a blog post. "It's 100% disposable, just like the AirPod-style Buds3 that Samsung just released. The culprit? The lithium ion batteries." ZDNet reports: The problem is the battery, and how they have a finite lifespan. Usually that's about 400 recharge cycles, and after that the batteries are finished. And if you can't replace it, then it's the end of the line for the gadget, and it's tossed onto the e-waste pile. [...]

iFixit is damning about this sort of tech. "There's nothing wrong with simple but there is something wrong with unrepairable. Just like the Galaxy Buds3, the Galaxy Ring is a disposable tech accessory that isn't designed to last more than two years." And the bottom line is simple: "We can't recommend buying disposable tech like this." Here's what iFixit's Shahram Mokhtari had to say about the Galaxy Ring's battery, after putting it through a CT scanner: On the right hand side of the ring is the faint outline of a lithium polymer battery pouch. There's an inductive coil sitting right on top of the battery (the lines that look like a rectangular track) and another very similar inductive coil that's parallel and slightly separated from the first. That second inductive coil is inside the charging case and works together with the inductive coil in the ring to recharge the battery inside the Galaxy Ring. Inductive charging is the only practical way to deliver power to a device that doesn't have any ports. But there's something else here that sticks out like a sore thumb ... that is a press connector joining the battery to the rest of the board! This is a surprising use of space, why isn't this directly soldered? Nobody is getting back in there to disconnect this thing!

We love press connectors, they're easy to work with and make replacing batteries a sight easier than desoldering a half dozen wires. But this one is sealed into the device and serves no purpose in replacement or repair. Our best guess as to why it's in the Galaxy Ring: The battery and wireless charging coil were made in one place, the circuit board somewhere else, and it all comes to a production line somewhere where the two need to be connected together quickly and cheaply. Hence the press connector. It's not for your benefit, it's for the manufacturers.

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon..., and it's not clear when it was taken down. The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one. The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings "DO NOT SHIP" or "DO NOT TRUST." These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren't clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret. Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here. "It's a big problem," said Martin Smolar, a malware analyst specializing in rootkits who reviewed the Binarly research. "It's basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically... execute any malware or untrusted code during system boot. Of course, privileged access is required, but that's not a problem in many cases."

Binarly founder and CEO Alex Matrosov added: "Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?"

Arm is launching its Arm Accuracy Super Resolution (ASR) upscaler that "can make games look better, while lowering power consumption on your phone," according to The Verge. "It's also making the upscaling technology available to developers under an MIT open-source license." From the reprot: Arm based its technology on AMD's FidelityFX Super Resolution 2 (FSR 2), which uses temporal upscaling to make PC games look better and boost frame rates. Unlike spatial upscaling, which upscales an image based on a single frame, temporal upscaling involves using multiple frames to generate a higher-quality image.

You can see just how Arm ASR stacks up to AMD's FSR 2 and Qualcomm's GSR tech in [this chart] created by Arm. Arm claims ASR produced 53 percent higher frame rates than rendering at native resolution on a device with an Arm Immortalis-G720 GPU and 2800 x 1260 display, beating AMD FSR 2. It also tested ASR on a device using MediaTek's Dimensity 9300 chip and found that rendering at 540p and upscaling with ASR used much less power than running a game at native 1080p resolution.

storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use these tools." "While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence." the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.

According to Bloomberg's Mark Gurman, Apple appears ready to embrace a thinner design language with the upcoming MacBook Pro, Apple Watch, and iPhone. MacRumors reports: When the M4 iPad Pro was unveiled last month, Apple touted it as the company's thinnest product ever, and even compared it to the 2012 iPod nano to emphasize its slim dimensions. Writing in the latest edition of his Power On newsletter, Gurman says that like the iPad Pro, Apple is now focused on delivering the thinnest possible devices across its lineups without compromising on battery life or major new features. Gurman writes that the new iPad Pro is the "beginning of a new class of Apple devices," and that Apple's aim is to offer "the thinnest and lightest products in their categories across the whole tech industry." Apple now reportedly has its sights on making thinner versions of iPhone, Apple Watch, and MacBook Pro over the next couple of years.

Gurman's sources tell him Apple is now focused on developing a significantly skinnier iPhone in time for the iPhone 17 line in 2025, corroborating a May report by The Information. According to the latter report, Apple is planning to launch an all-new thinner iPhone 17 model next year that will allegedly feature a "major redesign" akin to the iPhone X. Gurman previously reported that Apple is planning a complete revamp of the Apple Watch for the device's tenth anniversary, dubbed "Apple Watch X." Since the original Apple Watch was unveiled in 2014 and launched in 2015, Gurman is unsure whether the Apple Watch X will be released in 2024 or 2025. However, Apple analyst Ming-Chi Kuo today claimed that this year's upcoming Apple Watch will have a larger screen and thinner design, which sounds like the sort of major overhaul and design signature that Gurman has suggested.

Following in the European Union's footsteps, Japan's parliament has enacted a law on Wednesday that will prohibit big tech from blocking third-party app stores. AppleInsider reports: The intention of the bill is that it will facilitate competition and reduce app prices. Japan's government reportedly believes that Apple and Google are a duopoly, and that they charge developers high fees that are then passed on to users. Big tech companies with App Stores will also prohibit companies from prioritizing their own services. Google is likely to be hit hardest by this. Violators will initially be fined up to 20% of the domestic revenue of the specific service that broke the law. The fee can increase to 30%, if the behavior continues.

The Japanese government's Fair Trade Commission (FTC) will choose which firms to apply it to. Companies that will be regulated will be required to submit compliance reports annually. While it hasn't been explicitly said that Apple and Google must comply, It seems certain that the announcement that they'll be held to the provisions is imminent. The Japan FTC isn't expected to add any Japanese firms to the list. The law likely won't take effect until the end of 2025.

Apple has quietly added a Thread radio to nearly all of its newest iPads, MacBooks, and iMacs. The Verge reports: While the company doesn't list Thread on the specs of any of these products, FCC reports indicate that many of Apple's latest devices have had Thread radios tested for compliance. Generally, you don't test a radio that's not there. We found evidence of Thread testing in the following models: iPad Pro 13-inch (M4) (Wi-Fi + Cellular), iPad Pro 11-inch (M4) (Wi-Fi + Cellular), iPad Pro 11-inch (M4) (Wi-Fi), iPad Air 11-inch (M2) (Wi-Fi + Cellular), iPad Air 13-inch (M2) Wi-Fi, MacBook Air 15-inch (M3), MacBook Pro 14-inch (M3), MacBook Pro 14-inch (M3 Pro or M3 Max), MacBook Pro 16-inch (M3 Pro or M3 Max), iMac (M3, two ports), and iMac (M3, four ports).

The FCC requires manufacturers to list every radio contained in a device and to test them in every possible scenario to make sure they comply with its transmission regulations. Tom Sciorilli, director of certification for Thread Group, told The Verge that the FCC reports reference FCC 15.247, "which confirms the device will essentially 'stay in its lane' and not interfere with other radios when operating." The reports we found are tests of the IEEE 802.15.4 transmitter functionality -- 802.15.4 is the radio standard Thread runs on. While it supports a number of technologies, the reports mention Thread explicitly.

Thread is the primary wireless protocol for the new smart home standard Matter, which Apple helped develop and that is now the underlying architecture for its Apple Home smart home platform. A low-power, low-bandwidth, mesh networking protocol specifically designed for IoT devices, Thread is shown to be faster than Bluetooth and offers better range, making it ideal for connecting products like smart lights, locks, thermostats, and sensors. [...] So why is it there? The Apple Home app runs on Macs and iPads, and Thread radios could allow them to communicate directly with smart home devices and act as Thread border routers. It's possible Apple is planning to turn your Mac or iPad into a home hub, but iPads used to be home hubs, and the company discontinued that capability for its new Apple Home architecture. Those iPads didn't have Thread radios, though.

If you contact Spotify's customer service with a valid receipt, the company will refund your Car Thing purchase. That's the latest development reported by Engadget. When Spotify first announced that it would brick every Car Thing device on December 9, 2024, it said that it wouldn't offer owners any subscription credit or automatic refund. From the report: Spotify has taken some heat for its announcement last week that it will brick every Car Thing device on December 9, 2024. The company described its decision as "part of our ongoing efforts to streamline our product offerings" (read: cut costs) and that it lets Spotify "focus on developing new features and enhancements that will ultimately provide a better experience to all Spotify users."

TechCrunch reports that Gen Z users on TikTok have expressed their frustration in videos, while others have complained directed toward Spotify in DMs on X (Twitter) and directly through customer support. Some users claimed Spotify's customer service agents only offered several months of free Premium access, while others were told nobody was receiving refunds. It isn't clear if any of them contacted them after last Friday when it shifted gears on refunds.

Others went much further. Billboard first reported on a class-action lawsuit filed in the US District Court for the Southern District of New York on May 28. The suit accuses Spotify of misleading Car Thing customers by selling a $90 product that would soon be obsolete without offering refunds, which sounds like a fair enough point. It's worth noting that, according to Spotify, it began offering the refunds last week, while the lawsuit was only filed on Tuesday. If the company's statement about refunds starting on May 24 is accurate, the refunds aren't a direct response to the legal action. (Although it's possible the company began offering them in anticipation of lawsuits.) Editor's note: As a disgruntled Car Thing owner myself, I can confirm that Spotify is approving refund requests. You'll just have to play the waiting game to get through to a Spotify Advisor and their "team" that approves these requests. You may have better luck emailing customer service directly at support@spotify.com.

Spotify is about to render its Car Thing dashboard accessory inoperable on December 9th. Not only is the company refusing to open-source the device, it won't offer owners any subscription credit or automatic refund. "Rather, it's just canning the project and telling people to (responsibly) dispose of Car Thing," reports The Verge. From the report: "We're discontinuing Car Thing as part of our ongoing efforts to streamline our product offerings," Spotify wrote in an FAQ on its website. "We understand it may be disappointing, but this decision allows us to focus on developing new features and enhancements that will ultimately provide a better experience to all Spotify users."

The company is recommending that customers do a factory reset on the product and find some way of responsibly recycling the hardware. Spotify is also being direct and confirming that there's little reason to ever expect a sequel. "As of now, there are no plans to release a replacement or new version of Car Thing," the FAQ reads. Car Thing went on sale to the public in early 2022 for $90. Spotify halted production several months later "based on several factors, including product demand and supply chain issues."

At the time, the company said: "Existing devices will perform as intended."

UPDATE 5/30/24: Spotify Says It Will Refund Car Thing Purchases

An anonymous reader quotes a report from Ars Technica: In a major shake-up of its chip roadmap, Apple has announced a new M4 processor for today's iPad Pro refresh, barely six months after releasing the first MacBook Pros with the M3 and not even two months after updating the MacBook Air with the M3. Apple says the M4 includes "up to" four high-performance CPU cores, six high-efficiency cores, and a 10-core GPU. Apple's high-level performance estimates say that the M4 has 50 percent faster CPU performance and four times as much graphics performance. Like the GPU in the M3, the M4 also supports hardware-accelerated ray-tracing to enable more advanced lighting effects in games and other apps. Due partly to its "second-generation" 3 nm manufacturing process, Apple says the M4 can match the performance of the M2 while using just half the power.

As with so much else in the tech industry right now, the M4 also has an AI focus; Apple says it's beefing up the 16-core Neural Engine (Apple's equivalent of the Neural Processing Unit that companies like Qualcomm, Intel, AMD, and Microsoft have been pushing lately). Apple says the M4 runs up to 38 trillion operations per second (TOPS), considerably ahead of Intel's Meteor Lake platform, though a bit short of the 45 TOPS that Qualcomm is promising with the Snapdragon X Elite and Plus series. The M3's Neural Engine is only capable of 18 TOPS, so that's a major step up for Apple's hardware. Apple's chips since 2017 have included some version of the Neural Engine, though to date, those have mostly been used to enhance and categorize photos, perform optical character recognition, enable offline dictation, and do other oddities. But it may be that Apple needs something faster for the kinds of on-device large language model-backed generative AI that it's expected to introduce in iOS and iPadOS 18 at WWDC next month. A separate report from the Wall Street Journal says Apple is developing a custom chip to run AI software in datacenters. "Apple's server chip will likely be focused on running AI models, also known as inference, rather than in training AI models, where Nvidia is dominant," reports Reuters.

Further reading: Apple Quietly Kills the Old-school iPad and Its Headphone Jack

According to Bloomberg's Mark Gurman, Apple's initial set of AI-related features in iOS 18 "will work entirely on device," and won't connect to cloud services. AppleInsider reports: In practice, these AI features would be able to function without an internet connection or any form of cloud-based processing. AppleInsider has received information from individuals familiar with the matter that suggest the report's claims are accurate. Apple is working on an in-house large language model, or LLM, known internally as "Ajax." While more advanced features will ultimately require an internet connection, basic text analysis and response generation features should be available offline. [...] Apple will reveal its AI plans during WWDC, which starts on June 10.

An anonymous reader quotes a report from Ars Technica: Former Apple design lead Jony Ive and current OpenAI CEO Sam Altman are seeking funding for a new company that will produce an "artificial intelligence-powered personal device," according to The Information's sources, who are said to be familiar with the plans. The exact nature of the device is unknown, but it will not look anything like a smartphone, according to the sources. We first heard tell of this venture in the fall of 2023, but The Information's story reveals that talks are moving forward to get the company off the ground.

Ive and Altman hope to raise at least $1 billion for the new company. The complete list of potential funding sources they've spoken with is unknown, but The Information's sources say they are in talks with frequent OpenAI investor Thrive Capital as well as Emerson Collective, a venture capital firm founded by Laurene Powell Jobs. SoftBank CEO and super-investor Masayoshi Son is also said to have spoken with Altman and Ive about the venture. Financial Times previously reported that Son wanted Arm (another company he has backed) to be involved in the project. [...] Altman already has his hands in several other AI ventures besides OpenAI. The Information reports that there is no indication yet that OpenAI would be directly involved in the new hardware company.

An anonymous reader quotes a report from Android Police, written by Dhruv Bhutani: As someone who is an early adopter of all things smart and has invested a significant amount of money in building a fancy smart home, it saddens me to say that I feel cheated by the thousands of dollars I've spent on smart devices. And it's not a one-off. Amazon's recent move to block off local ADB connections on Fire TV devices is the latest example in a long line of grievances. A brand busy wrestling away control from the consumer after they've bought the product, the software update gimps a feature that has been present on the hardware ever since it launched back in 2014. ADB-based commands let users take deep control of the hardware, and in the case of the Fire TV hardware, it can drastically improve the user experience. [...] A few years ago, I decided to invest in the NVIDIA Shield. The premium streamer was marketed as a utopia for streaming online and offline sources with the ability to plug in hard drives, connect to NAS drives, and more. At launch, it did precisely that while presenting a beautiful, clean interface that was a joy to interact with. However, subsequent updates have converted what was otherwise a clean and elegant solution to an ad-infested overlay that I zoom past to jump into my streaming app of choice. This problem isn't restricted to just the Shield. Even my Google TV running Chromecast has a home screen that's more of an advertising space for Google than an easy way to get to my content.

But why stop at streaming boxes? Google's Nest Hubs are equal victims of feature deterioration. I've spent hundreds of dollars on Nest Hubs and outfitted them in most of my rooms and washrooms. However, Google's consistent degradation of the user experience means I use these speakers for little more than casting music from the Spotify app. The voice recognition barely works on the best of days, and when it does, the answers tend to be wildly inconsistent. It wasn't always the case. In fact, at launch, Google's Nest speakers were some of the best smart home interfaces you could buy. You'd imagine that the experience would only improve from there. That's decidedly not the case. I had high hopes that the Fuchsia update would fix the broken command detection, but that's also not the case. And good luck to you if you decided to invest in Google Assistant-compatible displays. Google's announcement that it would no longer issue software or security updates to third-party displays like the excellent Lenovo Smart Display, right after killing the built-in web browser, is pretty wild. It boggles my mind that a company can get away with such behavior.

Now imagine the plight of Nest Secure owners. A home security system isn't something one expects to switch out for many many years. And yet, Google decided to kill the Nest Secure home monitoring solution merely three years after launching the product range. While I made an initial investment in the Nest ecosystem, I've since switched over to a completely local solution that is entirely under my control, stores data locally, and won't be going out of action because of bad decision-making by another company. "It's clear to me that smart home devices, as they stand, are proving to be very poor investments for consumers," Bhutani writes in closing. "Suffice it to say that I've paused any future investments in smart devices, and I'll be taking a long and hard look at a company's treatment of its current portfolio before splurging out more cash. I'd recommend you do the same."

Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF].

The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over.

The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt of some of the vehicle's systems. A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.

Google said it will allow businesses to install ChromeOS Flex on their Windows devices, "potentially preventing millions of PCs from hitting landfills after Microsoft ends support for Windows 10 next year," reports Reuters. The Chrome operating system will ultimately allow users to keep using their Windows 10 systems, while also providing regular security updates and features like data encryption. From the report: ChromeOS is significantly less popular than other operating systems. In January 2024, it held a 1.8% share of the worldwide desktop OS market, far behind Windows' share of about 73%, according to data from research firm Statcounter. ChromeOS has struggled with wider adaptability due to its incompatibility with legacy Windows applications and productivity suites used by businesses. Google said that ChromeOS would allow users to stream legacy Windows and productivity applications, which will help deliver them to devices by running the apps on a data center.

An anonymous reader quotes a report from ProPublica: Reeling from one of the most catastrophic recalls in decades, Philips Respironics said it will stop selling sleep apnea machines and other respiratory devices in the United States under a settlement with the federal government that will all but end the company's reign as one of the top makers of breathing machines in the country. The agreement, announced by Philips early Monday, comes more than two years after the company pulled millions of its popular breathing devices off the shelves after admitting that an industrial foam fitted in the machines to reduce noise could break apart and release potentially toxic particles and fumes into the masks worn by patients.

It could be years before Philips can resume sales of the devices, made in two factories outside Pittsburgh. The company said all the conditions of the multiyear consent decree -- negotiated in the wake of the recall with the Department of Justice on behalf of the Food and Drug Administration -- must be met first. The move by a company that aggressively promoted its machines in ad campaigns and health conferences -- in one case with the help of an Elvis impersonator -- follows relentless criticism about the safety of the machines. A ProPublica and Pittsburgh Post-Gazette investigation found the company held back thousands of complaints about the crumbling foam for more than a decade before warning customers about the dangers. Those using the machines included some of the most fragile people in the country, including infants, the elderly, veterans and patients with chronic conditions.

"It's about time," said Richard Callender, a former mayor in Pennsylvania who spent years using one of the recalled machines. "How many people have to suffer and get sick and die?" Philips said the agreement includes other requirements the company must meet before it can start selling the machines again, including the marquee DreamStation 2, a continuous positive airway pressure, or CPAP, device heralded by Philips when it was unveiled in 2021 for the treatment of sleep apnea. The settlement, which is still being finalized, has to be approved by a court and has not yet been released by the government. It remains unclear how the halt in sales will impact patients and doctors. The company's U.S. market share for sleep apnea devices in 2020 was about 37% -- behind only one competitor, medical device maker ResMed, according to an analysis by iData Research. Philips has dominated the market in ventilator sales, the data shows.

An anonymous reader quotes a report from Motherboard: [A] new tech startup, Prophetic, aims to bring lucid dreams to a much wider audience by developing a wearable device designed to spark the experience when desired. Prophetic is the brainchild of Eric Wollberg, its chief executive officer, and Wesley Louis Berry III, its chief technology officer. The pair co-founded the company earlier this year with the goal of combining technologies, such as ultrasound and machine learning models, "to detect when dreamers are in REM to induce and stabilize lucid dreams" with a device called the Halo according to the company's website. [...]

Prophetic does not make any medical claims about its forthcoming products -- Halo is tentatively slated for a 2025 release -- though Wollberg and Berry both expressed optimism about broader scientific research that suggests lucid dreams can reduce PTSD-related nightmares, promote mindfulness, and open new windows into the mysterious nature of consciousness. To explore those links further, Prophetic has partnered with the Donders Institute, a research center at Radboud University in the Netherlands that is focused on neuroscience and cognition, to generate the largest dataset of electroencephalogram (EEG) and functional magnetic resonance imaging (fMRI) observations of lucid dreamers, according to the company. The collaboration will also explore one of central technologies behind Prophetic's vision, known as transcranial focused ultrasound (TUS). This non-invasive technique uses low-intensity ultrasound pulses to probe the brain, and interact with neural activity, with a depth and precision that cannot be achieved with previous methods, such as transcranial electrical stimulation or transcranial magnetic stimulation.

At this point, both the possibilities and limits of Prophetic's concept remain unclear. While ultrasound devices have been widely used in medicine for decades, the process of stimulating parts of the brain with TUS is a relatively new development. Within the past few years, scientists have shown that TUS "has the potential to be used both as a scientific instrument to investigate brain function and as a therapeutic modality to modulate brain activity," according to a 2019 study, and "could be a useful tool in the treatment of clinical disorders characterized by negative mood states, like depression and anxiety disorders," according to a 2020 study. What is not known, yet, is whether TUS can induce or stabilize lucid dreams, though the Prophetic team is banking on a positive answer to this open question. Its wearable headband prototype, the Halo, was developed with the company Card79 and can currently read EEG data of users. Over the next year, Prophetic aims to use the dataset from their partnership with the Donders Institute to train machine learning models that will stimulate targeted neural activity in users with ultrasound transducers as a means of inducing lucid dreams.

Citing an "unacceptable level of risk to privacy and security," Canada banned Chinese messaging application WeChat and Russian antivirus program Kaspersky on government-issued mobile devices. Reuters reports: The ban was announced after an assessment by Canada's chief information officer that Tencent-owned WeChat and applications made by Moscow-based Kaspersky "present an unacceptable level of risk to privacy and security," the Treasury Board of Canada, which oversees public administration, said in a statement. Kaspersky said it was surprised and disappointed, and that the decision was made without warning or an opportunity for the firm to address the government's concerns. "As there has been no evidence or due process to otherwise justify these actions, they are highly unsupported and a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky's products and services," the company said in a statement.

The Treasury Board said it has no evidence that government information has been compromised, but the collection methods of the applications provide considerable access to a device's contents, and risks of using them were "clear." "The decision to remove and block the WeChat and the Kaspersky applications was made to ensure that government of Canada networks and data remain secure and protected and are in line with the approach of our international partners," the statement said. The applications will be removed from government-issued mobile devices on Monday, and users will be blocked from downloading them in the future.

Paul Kunert writes via The Register: Talking on stage at the Canalys EMEA Forum 2023, Luca Rossi, senior vice resident at Lenovo and president of its Intelligent Devices Group, said the company has committed to a net zero emission policy by 2050, and analyzing the components used in its hardware is part of the equation. "On repairability, we have a plan that by 2025 more than 80 percent of the repair parts will be repaired again so that they they enter into the circular economy to reduce the impact to the environment." He added: "More than 80 percent of our devices will be able to be repaired at the customer, by the customer or by the channel and we are enabling this with a design for serviceability kind of approach." This means that "batteries, SSD, many things, will not any longer be sealed into the product but will be available for the customer to be to repaired on site and then save a lot of waste."

Liam Proven writes via The Register: Steam OS is the Arch-based distro for a handheld Linux games console, and Valve is aggressively pushing Linux's usability and Windows interoperability for the device. Two unusual companies, Valve Software and Igalia, are working together to improve the Linux-based OS of the Steam Deck handheld games console. The device runs a Linux distro called Steam OS 3.0, but this is a totally different distro from the original Steam OS it announced a decade ago. Steam OS 1 and 2 were based on Debian, but Steam OS 3 is based on Arch Linux, as Igalia developer Alberto Garcia described in a talk entitled How SteamOS is contributing to the Linux ecosystem.

He explained that although Steam OS is built from some fairly standard components -- the normal filesystem hierarchy, GNU user space, systemd and dbus -- Steam OS has quite a few unique features. It has two distinct user interfaces: by default, it starts with the Steam games launcher, but users can also choose an option called Switch to Desktop, which results in a regular KDE Plasma desktop, with the ability to install anything: a web browser, normal Linux tools, and non-Steam games.

Obviously, though, Steam OS's raison d'etre is to run Steam games, and most of those are Windows games which will never get native Linux versions. Valve's solution is Proton, an open-source tool to run Windows games on Linux. It's formed from a collection of different FOSS packages, notably: [Wine, DXVK, VKD3D-Proton, and GStreamer]. The result is a remarkable degree of compatibility for some of the most demanding Windows apps around [...]. You can view Garcia's 49-page presentation here (PDF).

The Philips Hue ecosystem of home automation devices is "collapsing into stupidity," writes Rachel Kroll, veteran sysadmin and former production engineer at Facebook. "Unfortunately, the idiot C-suite phenomenon has happened here too, and they have been slowly walking down the road to full-on enshittification." From her blog post: I figured something was up a few years ago when their iOS app would block entry until you pushed an upgrade to the hub box. That kind of behavior would never fly with any product team that gives a damn about their users -- want to control something, so you start up the app? Forget it, we are making you placate us first! How is that user-focused, you ask? It isn't.

Their latest round of stupidity pops up a new EULA and forces you to take it or, again, you can't access your stuff. But that's just more unenforceable garbage, so who cares, right? Well, it's getting worse.

It seems they are planning on dropping an update which will force you to log in. Yep, no longer will your stuff Just Work across the local network. Now it will have yet another garbage "cloud" "integration" involved, and they certainly will find a way to make things suck even worse for you. If you have just the lights and smart outlets, Kroll recommends deleting the units from the Hue Hub and adding them to an IKEA Dirigera hub. "It'll run them just fine, and will also export them to HomeKit so that much will keep working as well." That said, it's not a perfect solution. You will lose motion sensor data, the light level, the temperature of that room, and the ability to set custom behaviors with those buttons.

"Also, there's no guarantee that IKEA won't hop on the train to sketchville and start screwing over their users as well," adds Kroll.

What has your experience been with the Philips Hue ecosystem? Do you have any alternatives you recommend?

An anonymous reader quotes a report from Ars Technica: When Google announced that trackers would be able to tie in to its 3 billion-device Bluetooth tracking network at its Google I/O 2023 conference, it also said that it would make it easier for people to avoid being tracked by trackers they don't know about, like Apple AirTags. Now Android users will soon get these "Unknown Tracker Alerts." Based on the joint specification developed by Google and Apple, and incorporating feedback from tracker-makers like Tile and Chipolo, the alerts currently work only with AirTags, but Google says it will work with tag manufacturers to expand its coverage.

For now, if an AirTag you don't own "is separated from its owner and determined to be traveling with you," a notification will tell you this and that "the owner of the tracker can see its location." Tapping the notification brings up a map tracing back to where it was first seen traveling with you. Google notes that this location data "is always encrypted and never shared with Google." Further into the prompts, you can make the tracker play a sound, "without the owner of the tracker knowing," Google says. If you bring the tracker to the back of your phone (presumably within NFC range), some trackers may provide their serial number and information about their owner, "like the last four digits of their phone number." Google indicates it will also link to information about how to physically disable a tracker. Finally, Google is offering a manual scan feature, if you're suspicious that your Android phone isn't catching a tracker or want to see what's nearby. The alerts are rolling out through a Google Play services update to devices on Android 6.0 and above over the coming weeks. Google is working to finish the joint tracking specification "by the end of this year."

The company added: "At this time, we've made the decision to hold the rollout of the Find My Device network until Apple has implemented protections for iOS."

What Iran's military called "the first product of the quantum processing algorithm" of the Naval university appears to be a stock development board, available widely online for around $600. Motherboard reports: According to multiple state-linked news agencies in Iran, the computer will help Iran detect disturbances on the surface of water using algorithms. Iranian Rear Admiral Habibollah Sayyari showed off the board during the ceremony and spoke of Iran's recent breakthroughs in the world of quantum technology. The touted quantum device appears to be a development board manufactured by a company called Diligent. The brand "ZedBoard" appears clearly in pictures. According to the company's website, the ZedBoard has everything the beginning developer needs to get started working in Android, Linux, and Windows. It does not appear to come with any of the advanced qubits that make up a quantum computer, and suggested uses include "video processing, reconfigurable computing, motor control, software acceleration," among others.

"I'm sure this board can work perfectly for people with more advanced [Field Programmable Gate Arrays] experience, however, I am a beginner and I can say that this is also a good beginner-friendly board," said one review on Diligent's website. Those interested in the board can buy one on Amazon for $589. It's impossible to know if Iran has figured out how to use off-the-shelf dev boards to make quantum algorithms, but it's not likely.

An anonymous reader quotes a report from Smithsonian: With a new technique, scientists have essentially figured out how to create power from thin air. Their tiny device generates electricity from the air's humidity, and it can be made from nearly any substance, scientists reported this month in the journal Advanced Materials. The invention involves two electrodes and a thin layer of material, which must be covered with tiny holes less than 100 nanometers in diameter -- thinner than one-thousandth the width of a human hair, according to a statement from the University of Massachusetts, Amherst, where the researchers work.

As water molecules pass through the device, from an upper chamber to a lower chamber, they knock against the tiny holes' edges, creating an electric charge imbalance between the layered chambers. In effect, it makes the device run like a battery. The whole process resembles the way clouds make electricity, which we see in the form of lightning bolts, according to Inverse's Molly Glick. [...] Currently, the fingernail-sized device can only create continuous electricity equivalent to a fraction of a volt, writes Vice's Becky Ferreira. But the researchers hope it can someday become a practical, sustainable source of power.

Scientists have previously tried harnessing humidity to generate electricity, but their attempts have often only worked for a short amount of time or relied on expensive materials, per Vice. In 2020, Yao and other researchers found a way to continuously collect electricity from humidity using a material grown from bacteria. But now, the new paper shows that such a specific material isn't necessary -- just about any material works, such as wood or silicon, as long as it can be punctured with the ultra-small holes. This finding makes the device much more practical; it "turns an initially narrow window to a wide-open door for broad potential," Yao tells Vice.

According to The Verge, Amazon is shuttering its health-focused Halo division. All three Halo products will be discontinued and portions of the Halo team will be laid off. From the report: "We have made the difficult decision to wind down the Halo program, which will result in role reductions," Melissa Cha, Amazon's VP of smart home and health, told staffers in an email obtained by The Verge. "More recently, Halo has faced significant headwinds, including an increasingly crowded segment and an uncertain economic environment. Although our customers love many aspects of Halo, we must prioritize resources and maximize benefits to customers and the long-term health of the business."

"We continually evaluate the progress and potential of our products to deliver customer value, and we regularly make adjustments based on those assessments," Amazon spokesperson Kristy Schmidt told The Verge in an email. "We recently made the difficult decision to stop supporting Amazon Halo effective July 31, 2023. We are incredibly proud of the invention and hard work that went into building Halo on behalf of our customers, and our priorities are taking care of our customers and supporting our employees." The company says it will refund customers who bought a Halo devices or accessory band in the last 12 months. "All unused prepaid Halo subscription fees will be refunded, and users will no longer be charged," adds The Verge. Early adopters, like myself, are out of luck.

In related news, Amazon kicked off another round of layoffs today, impacting its cloud computing and human resources divisions.

An anonymous reader quotes a report from Ars Technica: Like in other parts of the world, Canada is working out what the right to repair means for its people. The federal government said in its 2023 budget released Tuesday that it will bring the right to repair to Canada. At the same time, it's considering a universal charging port mandate like the European Union (EU) is implementing with USB-C. The Canadian federal government's 2023 budget introduces the right to repair under the chapter "Making Life More Affordable and Supporting the Middle Class." It says that the "government will work to implement a right to repair, with the aim of introducing a targeted framework for home appliances and electronics in 2024." The government plans to hold consultations on the matter and claimed it will "work closely with provinces and territories" to implement the right to repair in Canada:

"When it comes to broken appliances or devices, high repair fees and a lack of access to specific parts often mean Canadians are pushed to buy new products rather than repairing the ones they have. This is expensive for people and creates harmful waste. Devices and appliances should be easy to repair, spare parts should be readily accessible, and companies should not be able to prevent repairs with complex programming or hard-to-obtain bespoke parts. By cutting down on the number of devices and appliances that are thrown out, we will be able to make life more affordable for Canadians and protect our environment."

The budget also insinuates that right-to-repair legislation can make third-party repairs cheaper than getting a phone, for example, repaired by the manufacturer, where it could cost "far more than it should." Canada's 2023 budget also revealed the government's interest in introducing a standard charging port for electronics. The budget says the government "will work with international partners and other stakeholders to explore implementing a standard charging port in Canada." It says a universal charging port could help residents save money and e-waste. "Every time Canadians purchase new devices, they need to buy new chargers to go along with them, which drives up costs and increases electronic waste," the budget says.

In its quarterly earnings report today, Apple said the company passed the 2 billion device milestone while Services have hit a new revenue record. 9to5Mac reports: Apple saw a dip for its Q1 2023 fiscal quarter with just over $117 billion in revenue. That's down 5% YoY -- with the compare being its all-time record for fiscal Q1 in 2022 which saw $123.95 billion in revenue. However, the company pointed out two bright spots with 2 billion of its devices now in use and a fresh revenue record for its Services.

Last year at this time Apple shared it hit 1.8 billion active devices. That means it added more than 200 million Apple devices in the last 12 months to surpass the 2 billion mark. That's impressive since its installed base was growing by around 100-150 million new devices per year since 2019. And active devices doubled from 1 to 2 billion in just seven years. As for the Services, it saw a record $20.8 billion in revenue for the quarter, slightly beating the $19.5 billion estimate.

According to the latest official Android distribution numbers from Google, Android 13 is running on 5.2% of all devices less than six months after launch. 9to5Google reports: According to Android Studio, devices running Android 13 now account for 5.2% of all devices. Meanwhile Android 12 and 12L now account for 18.9% of the total, a significant increase from August's 13.5% figure. Notably, while Google's chart does include details about Android 13, it doesn't make a distinction between Android 12 and 12L. Looking at the older versions, we see that usage of Android Oreo has finally dropped below 10%, with similar drops in percentage down the line. Android Jelly Bean, which previously weighed in at 0.3%, is no longer listed, while KitKat has dropped from 0.9% to 0.7%. Android 13's 5.2% distribution number "is better than it sounds," writes Ryan Whitwam via ExtremeTech: These numbers show an accelerating pickup for Google's new platform versions. If you look back at stats from the era of Android KitKat and Lollipop, the latest version would only have a fraction of this usage share after half a year. That's because the only phones running the new software would be Google's Nexus phones, plus maybe one or two new devices from OEMs that worked with Google to deploy the latest software as a marketing gimmick.

The improvements are thanks largely to structural changes in how Android is developed and deployed. For example, Project Treble was launched in 2017 to re-architect the platform, separating the OS framework from the low-level vendor code. This made it easier to update devices without waiting on vendors to provide updated drivers. We saw evidence of improvement that very year, and it's gotten better ever since.