惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
博客园_首页
博客园 - 聂微东
V
V2EX
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
J
Java Code Geeks
Last Week in AI
Last Week in AI
The Cloudflare Blog
月光博客
月光博客
雷峰网
雷峰网
宝玉的分享
宝玉的分享
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Hugging Face - Blog
Hugging Face - Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
人人都是产品经理
人人都是产品经理
博客园 - Franky
腾讯CDC
Jina AI
Jina AI
博客园 - 叶小钗
大猫的无限游戏
大猫的无限游戏
阮一峰的网络日志
阮一峰的网络日志
量子位
爱范儿
爱范儿
美团技术团队
T
Tailwind CSS Blog
博客园 - 【当耐特】
D
Docker
IT之家
IT之家
V
Visual Studio Blog
P
Proofpoint News Feed
L
LangChain Blog
Engineering at Meta
Engineering at Meta
C
Check Point Blog
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog RSS Feed
Recorded Future
Recorded Future

Security Latest

British Police Built a Sprawling Crime-Prediction Machine. Some Results Couldn’t Be Trusted Dialog Claims It Was Hacked. A Misconfigured Website Left Its Members Exposed OpenAI Launches Full-Scale Effort to Patch Open-Source Bugs as It Takes on Anthropic’s Mythos World Cup Scams Are Getting Harder to Spot A Critical Deadline Is Approaching for Windows and Linux Security Hackers Claim to Leak Stolen Madison Square Garden Data How the Peter Thiel-Linked Dialog Club Secretly Ranks Its Members How to Watch the Knicks Parade on NYC Traffic Surveillance Cameras The UK Will Scan Asylum-Seekers’ Faces for Age Checks—Despite Knowing the Tech Is Flawed Leak Exposes Members of Peter Thiel’s Secretive ‘Dialog’ Society ‘Dangerous’ AI Models Are Coming No Matter What Meta Tapped a Pentagon Supplier to Prototype Face Recognition for Its Glasses The FCC Wants to Kill Burner Phones Grok Is Still Hosting Sexualized Deepfakes of Famous Women Drug Sites Hijacked Spotify’s Search Ranking Through Fake Podcasts Signal Alums Reveal ‘Encrypted Spaces,’ a System for Making Private Collaboration Apps CISA Tells US Agencies to Fix Security Bugs in as Little as 3 Days Thanks to AI Threats Trump Risks Key Surveillance Authority Over ‘Unqualified’ Spy-Chief Pick Wrongful Arrest Exposes Failures in One of the Oldest Police Face-Recognition Tools in the US Soccer Fans, You’re Being Watched Mapping Every Flock License Plate Reader Near US World Cup Stadiums Amnesty International Warns That World Cup Fans Face Potential Human Rights Violations Anthropic Offers Mythos Upgrade for Cyber Partners and a ‘Safe’ Version for the Rest of You Meta Deletes Face-Recognition System From Its Smart Glasses App After WIRED Report All the Ways Europe Is Ditching American Technology Crypto-Funded Chinese Peptide Labs Are Booming Meta Silently Added Face-Recognition Code for Its Smart Glasses to Millions of Phones xAI Asks Court to Strip Alleged Grok Deepfake Nudes Victims of Anonymity Android Is Fighting Phone Scams With a New Feature to Prove Who’s Calling The Manhattan Institute Helped Kill DEI. Now It’s Coming for Protests The Romance Scammer Who Made a Small Fortune Posing as a WWE Superstar Websites Can Now Spy on You Through Your Hard Drive Cybercrime Crew Claims It Hacked Mike Lindell’s MyPillow The White House’s Aliens.gov Site Brags That ICE Arrested More Than 700 US Citizens The Pentagon Knew Enemies Could Track Troops’ Phones for Years. Now They Are Scammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing Attacks Internet Starts to Return in Iran After 3-Month Blackout US Law Enforcement Warns of ‘Anti-Tech Extremism’ as AI Hatred Grows The AI Era Is Creating a Bug-Hunting Arms Race The FBI Wants ‘Near Real-Time’ Access to US License Plate Readers ‘Creepy’ Listening Tool for Targeted Ads Didn’t Actually Work, FTC Says A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale The EU Is Going Through a Trump-Fueled Breakup With Big Tech A Bipartisan Amendment Would End Police License Plate Tracking Nationwide Madison Square Garden Bans Lawyer Representing New York Cop Injured at a Boxing Match Data Brokers’ and AI Firms’ Opt-Out Forms Are Built to Fail, Report Finds You Can Get Some of Your Nudes Removed From the Internet Under a New Law An ICE Firearms Trainer Was Involved in At Least 4 Deadly Shootings Cybercriminal Twins Caught After They Forgot to Turn Off Microsoft Teams Recording Your iPhone Gets Stolen. Then the Hacking Begins DHS Plans Experiment Running ‘Reconnaissance’ Drones Along the US-Canada Border WhatsApp Adds Meta AI Chats That Are Built to Be Fully Private Foxconn Ransomware Attack Shows Nothing Is Safe Forever Iran Is Using Tiny ‘Mosquito’ Boats to Shut Down the Strait of Hormuz Hackable Robot Lawn Mower Unlocks a New Nightmare You Can Disable Gemini in Chrome if It’s Freaking You Out Cybercriminals Are Complaining About AI Slop Flooding Their Forums DHS Demanded Google Surrender Data on Canadian’s Activity, Location Over Anti-ICE Posts Disneyland Now Uses Face Recognition on Visitors OpenAI Rolls Out ‘Advanced’ Security Mode for At-Risk Accounts Exposed Data Illustrates the Nightmare Scenario for a Stalkerware Victim The Race Is on to Keep AI Agents From Running Wild With Your Credit Cards California Engineer Identified in Suspected Shooting at White House Correspondents Dinner Discord Sleuths Gained Unauthorized Access to Anthropic’s Mythos Newly Deciphered Sabotage Malware May Have Targeted Iran’s Nuclear Program—and Predates Stuxnet AI Tools Are Helping Mediocre North Korean Hackers Steal Millions Mozilla Used Anthropic’s Mythos to Find and Fix 271 Bugs in Firefox Meta Is Sued Over Scam Ads on Facebook and Instagram They Built a Legendary Privacy Tool. Now They’re Sworn Enemies The Weird, Twisting Tale of How China Spied on Alysa Liu and Her Dad It Takes 2 Minutes to Hack the EU’s New Age-Verification App Republican Mutiny Sinks Trump's Push to Extend Warrantless Surveillance The Shocking Secrets of Madison Square Garden’s Surveillance Machine Europe’s Online Age Verification App Is Here The Deepfake Nudes Crisis in Schools Is Much Worse Than You Thought In the Wake of Anthropic’s Mythos, OpenAI Has a New Cybersecurity Model—and Strategy Telegram Is Still Hosting a Sanctioned $21 Billion Crypto Scammer Black Market The FCC Has a Fast Lane for Complaints About Trump’s Media Critics Meta Is Warned That Facial Recognition Glasses Will Arm Sexual Predators Your Push Notifications Aren’t Safe From the FBI How the Internet Broke Everyone’s Bullshit Detectors Anthropic’s Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think Politicians Are Spending More Money on Security as They Increasingly Become Targets ‘We Were Not Ready for This’: Lebanon's Emergency System Is Hanging by a Thread Men Are Buying Hacking Tools to Use Against Their Wives and Friends Iran-Linked Hackers Are Sabotaging US Energy and Water Infrastructure Anthropic Teams Up With Its Rivals to Keep AI From Hacking Everything Border Patrol Agents Sold Challenge Coins With ‘Charlotte’s Web’ Characters in Riot Gear Hackers Are Posting the Claude Code Leak With Bonus Malware Meta Pauses Work With Mercor After Data Breach Puts AI Industry Secrets at Risk CBP Facility Codes Sure Seem to Have Leaked Via Online Flashcards ‘Uncanny Valley’: Iran’s Threats on US Tech, Trump’s Plans for Midterms, and Polymarket’s Pop-up Flop What Happens When a Nuclear Site Is Hit? Unmasking the Paramilitary Agents Behind Trump’s Violent Immigration Crackdown Apple Will Push Out Rare ‘Backported’ Patches to Protect iOS 18 Users From DarkSword Hacking Tool Iran Threatens to Start Attacking Major US Tech Firms on April 1 The US Military’s GPS Software Is an $8 Billion Mess The Broken System That Keeps Shipping Crews Stranded in the Strait of Hormuz Iranian Hackers Breached Kash Patel’s Email—but Not the FBI’s How Trump’s Plot to Grab Iran's Nuclear Fuel Would Actually Work
The Dumbest Hack of the Year Exposed a Very Real Problem
2026-04-13 · via Security Latest

In the wee hours of the night last April, someone stopped at roughly 20 street intersections across Silicon Valley and launched an unprecedented cyberattack that would eventually spread to multiple states, embarrassing local officials and prompting them to question their security practices. Authorities suspect the unknown culprit took advantage of weak and publicly available default passwords to wirelessly upload custom recordings that played whenever a pedestrian pressed a crosswalk button.

Instead of the normal recordings telling people to either wait or cross the street, pedestrians heard the spoofed voices of billionaire tech CEOs. A fake Mark Zuckerberg said at one Menlo Park intersection that people would not be able to stop AI from “forcefully” being inserted “into every facet of your conscious experience.” At another, he celebrated “undermining democracy.” At a different intersection, an altered Elon Musk described President Donald Trump as “actually really sweet and tender and loving,” while on a nearby street his faked voice whined about being “so alone.”

Government emails and text messages obtained by WIRED through public records requests show how the cities of Menlo Park, Redwood City, Palo Alto, and later Seattle and Denver scrambled to respond to the crosswalk button tampering. The communications, along with interviews with security experts and former employees of the button manufacturer, highlight how governments and the company had overlooked vulnerabilities in a widespread technology.

In Redwood City, then-city manager Melissa Diaz quizzed staff about who should be blamed for the incident. “We need to understand who should be accountable for the security of these systems and what we can do to hold either staff or the external responsible party accountable,” she wrote in an email to colleagues in the days after the hack.

Nick Mathiowdis, Redwood City’s current communications manager, tells WIRED that staff have been addressing the issue based on “lessons learned and evolving best practices,” but declines to share details to avoid encouraging further hacks.

Edward Fok, a veteran Federal Highway Administration cybersecurity official who briefly investigated the hacking before retiring as DOGE swept through the government, says cities need to do a better job ensuring that cybersecurity clauses are baked into contracts with suppliers and installers of technology, especially as AI tools and powerful sensors are increasingly integrated into transportation infrastructure.

Redwood City, for example, had contractually required its button installation and maintenance vendor to “use reasonable diligence and best judgment” at the time of the hack but had not specified anything about passwords or digital security.

In an unsigned statement to WIRED, the highway administration said that it previously issued a technical advisory outlining “security measures to make sure ideological idiots are not jeopardizing Americans' safety when utilizing our crosswalks."

The police investigation into the hacked buttons in Silicon Valley has run cold. Authorities couldn’t figure out who was behind the scheme because the buttons don’t track who uploads audio, and surveillance footage from the area wasn’t helpful, according to Redwood City police lieutenant Jeff Clements.

Public Warning

Greenville, Texas-based Polara Enterprises has been a leading supplier of crosswalk push buttons for decades. Some have the ability for cities to upload custom audioclips via Bluetooth to give pedestrians, including those who are blind or visually impaired, extra cues like the street and direction they are crossing.

Official online manuals and videos aimed at the thousands of technicians maintaining the buttons across the country describe how Bluetooth-enabled Polara models ship with a default password of “1234” and are configurable through a publicly available app. About eight months before last year’s button hacking spree, a physical security vlogger who goes by the name Deviant Ollam posted a YouTube video pointing out how easy it would be to tamper with the buttons. “I'm not encouraging anyone to try completely guessable passwords and upload their own content because, remember, that would be bad. That would probably be a crime or something. Talk to your lawyers,” he said in the video.

Ollam tells WIRED he hasn’t heard from the police or Polara. He credits the culprit for preserving the functionality of the buttons—it remained generally clear when it was safe to cross—though cities had to disable some of them until they could be resecured. “I personally consider this to be an ideal prank,” Ollam says. “They do not harm anyone. But they do capture people's attention and get the public talking about an important facet of society.”

Josh LittleSun, the chief technology officer of Synapse ITS, the company that now owns Polara, says the button hacks were the result of not the default passwords but instead installers using simple passwords that were shared too widely and not changed often enough.

Four former Synapse tech employees who spoke with WIRED say the company invests in making its products reliable but hasn’t prioritized security as much as it could. The buttons enjoy little competition and strong sales, so Synapse has dedicated only a small team to the product. “There isn’t a sufficient number of engineers. They have tight deadlines,” a former Synapse engineer claims. “And bosses don’t have far-sightedness to see all the possible problems that may occur in the future.”

Synapse’s LittleSun disputes the former employees’ characterization, saying that the company has expanded engineering investment in Polara products in recent years and that security is an ongoing focus. Since the hack, Synapse now requires stronger passwords and introduced additional verification steps for account changes and audio uploads. Unique default passwords or an additional PIN to further lock down buttons are under consideration.

“The security of these critical community assets is essential,” LitteSun says of the buttons. “Synapse ITS remains firmly committed to the ongoing advancement of secure, accessible infrastructure that supports the safety and independence of all users.”

A few days after the tampering in Silicon Valley, Seattle became the next victim. The recording there spoofed Amazon founder Jeff Bezos. “Please, please don’t tax the rich,” it said. “Otherwise all the other billionaires will move to Florida too. Wouldn’t it be terrible if all the rich people left Seattle—or got Luigi’d—and then the normal people could afford to live here again?"

Abel Pacheco, Seattle’s transit operations division director, tells WIRED the city responded by giving each of its buttons a unique password. It also established a list with Polara of city employees authorized to get help, aiming to make it more difficult for someone to impersonate a city official to gain information about the buttons.

Fok, the former highway administration official, says he had hoped to issue a nationwide alert warning local agencies about vulnerabilities associated with the Polara buttons but didn’t get to it before retiring. While the incident made global headlines, some cities apparently didn’t hear about it.

Last month, someone tampered with newly installed buttons in Denver to play anti-Trump messages. The city’s Department of Transportation and Infrastructure said the default password had still been in place because the buttons were not meant to be operational yet. A staffer told the department’s executive director in a text message obtained by WIRED, “In the future we will immediately change the factory default password to our own or will make sure that they are not powered up until we are ready to go.”