惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
J
Java Code Geeks
H
Help Net Security
B
Blog RSS Feed
G
Google Developers Blog
博客园 - 司徒正美
MongoDB | Blog
MongoDB | Blog
量子位
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog
P
Proofpoint News Feed
小众软件
小众软件
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
V
V2EX
月光博客
月光博客
C
Check Point Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
Arctic Wolf
Help Net Security
Help Net Security
Schneier on Security
Schneier on Security
D
DataBreaches.Net
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
T
Tenable Blog
L
LangChain Blog
Attack and Defense Labs
Attack and Defense Labs
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
F
Fortinet All Blogs
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
大猫的无限游戏
大猫的无限游戏
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Y
Y Combinator Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
V
Visual Studio Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
NISL@THU
NISL@THU
GbyAI
GbyAI
博客园 - Franky
S
Secure Thoughts
有赞技术团队
有赞技术团队
PCI Perspectives
PCI Perspectives
U
Unit 42

WIRED

‘Avatar: Aang, The Last Airbender’ Leaked Online. Some Fans Say Paramount Deserves the Fallout NASA Wants to Put Nuclear Reactors on the Moon AI Could Democratize One of Tech's Most Valuable Resources Microsoft Surface PCs Are Getting Big Price Hikes, and the Cheaper Models Are Going Away Why Amazon Is Buying Globalstar—and What It Means for Your iPhone The US Government Will Ask Data Centers How Much Power They Use MAGA Is Starting to Look Beyond Trump Allbirds Is Pivoting to AI Compute. Sure, Why Not Best Smart Smoke Detector (and Why You Still Need a Dumb One) 12 Best Standing Desks of 2026, Tested and Reviewed Best Wi-Fi Routers of 2026 for Working, Gaming, and Streaming Best GoPro Camera (2026): Compact, Budget, Accessories The Caves That Could Help Us Find, or Become, Aliens AI Slop Is Making the Internet Fake-Happy X’s Big Bot Purge Wiped Out a Lot of People’s Secret Porn Feeds The Deepfake Nudes Crisis in Schools Is Much Worse Than You Thought In the Wake of Anthropic’s Mythos, OpenAI Has a New Cybersecurity Model—and Strategy Telegram Is Still Hosting a Sanctioned $21 Billion Crypto Scammer Black Market The FCC Has a Fast Lane for Complaints About Trump’s Media Critics Top iRestore Deals for Hair Growth and LED Therapy Devices Meta Is Warned That Facial Recognition Glasses Will Arm Sexual Predators You Should Be More Freaked Out by Shingles BYD’s Fastest-Charging Car in the World Is Astonishing—in Good and Bad Ways The 4 Best Water Filter Pitchers (2026): PFAS, Microplastics The Internet's Most Powerful Archiving Tool Is in Peril AI Agents Are Coming for Your Dating Life ‘The Audacity’ Is the Broligarchy Takedown You Were Waiting For Why Is It So Hard to Fix an Electric Bike? (2026) Best 2-in-1 Laptops (2026): Microsoft, Lenovo, and the iPad There’s a Secret Ingredient to Making Luxury Ice at Home The Screen Time Legends Who Won't Put Down Their Phones Mammotion’s Spino E1 Is Affordable but Doesn’t Quite Deliver You Don’t Have to Drink Lukewarm Coffee Ever Again. Get a Warmer Zuvi ColorBox Review: Please Just Go to a Professional MacBook Neo vs. MacBook Air: Which One Should You Buy? Best Electric Cargo Bikes (2026): Urban Arrow, Lectric, Tern, and More ‘Crimson Desert’ Is a Cat Dad Simulator Your Push Notifications Aren’t Safe From the FBI Flight Path Data Shows How Mosquitoes Target Humans How the Internet Broke Everyone’s Bullshit Detectors The All-Clad Factory Seconds Sale Is Back—for Now (2026) Artemis II Astronauts Safely Return to Earth After Historic Flight Around the Moon Home Depot Spring Black Friday (2026): Best Tool and Grill Deals Motorola’s Souped-Up Folding Phone Is Almost Half Off Anthropic’s Mythos Will Force a Cybersecurity Reckoning—Just Not the One You Think The Future of the Artemis Program Is Riding on Reentry Suspect Arrested for Allegedly Throwing Molotov Cocktail at Sam Altman’s Home "Uncanny Valley": OpenAI and Musk Fight Again; DOJ Mishandles Voter Data; Artemis II Comes Home This Clever Bike Bell Can Even Be Heard by People Wearing Noise-Canceling Headphones This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts I Did Not Catch Air on the Aventon Current Electric Mountain Bike, but I Could Have Best Smart Shades, Blinds, and Curtains (2026): Motorized, Tailor-Made, and More How 'Democracy Now!' Became the Blueprint for Indie Media AI Podcasters Really Want to Tell You How to Keep a Man Happy Irrigreen's New Smart Irrigation System Promises Smart Watering Without the Hassle—Almost No One Knows Where US Vaccine Policy Goes Next I Tried Asus' First Open Earbuds for Gamers Meta’s New AI Asked for My Raw Health Data—and Gave Me Terrible Advice How and When to Watch the Artemis II Mission’s Return to Earth Naturepedic Promo Codes: Get 20% Off Plus Free Pillows Hungryroot Coupon Codes: 30% Off This April Govee Discount Codes and Deals: 30% Off We-Vibe Coupon Offers: Couples’ Toys and Gift Set Discounts Sealy Promo Code: Save $200 on Mattresses This Month OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters China Is Cracking Down on Scams. Just Not the Ones Hitting Americans The 70-Person AI Image Startup Taking on Silicon Valley's Giants Save $20 on This Already Inexpensive Wireless Mic Set John Deere Is Paying Farmers $99 Million for Allegedly Monopolizing Repair The Iran War Is Tearing MAGA Influencers Apart The FBI Didn’t Answer Texts From Minnesota Investigators for Days After Renee Good’s Killing The Pro-Iran Meme Machine Trolling Trump With AI Lego Cartoons Ridge Wallet Review: A Beacon for the Overencumbered How Meta Cafeteria Workers Took on ICE—and Won Get Peace of Mind With This GPS and Activity Tracker for Pets I Asked Netflix’s Reality TV Boss Why So Many Men On Dating Shows Are Terrible I Tried TCL’s Samsung Frame Competitor and It Didn’t Compare Politicians Are Spending More Money on Security as They Increasingly Become Targets This AI Wearable From Ex-Apple Engineers Looks Like an iPod Shuffle Artemis II Astronauts Witnessed 6 Meteorites Colliding With the Moon Medicube Coupon Code: 40% Off for April 2026 Top Instacart Promo Code: $15 Off for July 2026 Vivid Seats Promo Codes and Deals: Get 10% Off Birdfy Discount Codes: 15% Off Sitewide Google Workspace Promo Codes: 14% Off for June Paramount+ Coupon Codes and Deals for June 2026 NZXT Discount Codes: 50% Off in June 2026 LG Promo Codes and Coupons for June 2026 AT&T Promo Codes: $50 Off This June 2026 TurboTax Full Service Coupons This June Top Peacock Promo Codes: 40% Off June 2026 Therabody Promo Codes: 15% Off June 2026 Surfshark Promo Codes: 87% Off | June 2026 Nomad Goods Promo Codes: Get 25% Off in June 2026 20% Off Sephora Promo Code | June 2026 30% Off Canon Promo Codes | June 2026 Factor Promo Codes for July 2026 Top Dell Coupon Codes: 20% Off for June 2026 Walmart Promo Codes: Up to 65% Off for June 2026 What Is the Best Fitness Tracker in 2026? Garmin, Oura, More
The Dumbest Hack of the Year Exposed a Very Real Problem
2026-04-13 · via WIRED

In the wee hours of the night last April, someone stopped at roughly 20 street intersections across Silicon Valley and launched an unprecedented cyberattack that would eventually spread to multiple states, embarrassing local officials and prompting them to question their security practices. Authorities suspect the unknown culprit took advantage of weak and publicly available default passwords to wirelessly upload custom recordings that played whenever a pedestrian pressed a crosswalk button.

Instead of the normal recordings telling people to either wait or cross the street, pedestrians heard the spoofed voices of billionaire tech CEOs. A fake Mark Zuckerberg said at one Menlo Park intersection that people would not be able to stop AI from “forcefully” being inserted “into every facet of your conscious experience.” At another, he celebrated “undermining democracy.” At a different intersection, an altered Elon Musk described President Donald Trump as “actually really sweet and tender and loving,” while on a nearby street his faked voice whined about being “so alone.”

Government emails and text messages obtained by WIRED through public records requests show how the cities of Menlo Park, Redwood City, Palo Alto, and later Seattle and Denver scrambled to respond to the crosswalk button tampering. The communications, along with interviews with security experts and former employees of the button manufacturer, highlight how governments and the company had overlooked vulnerabilities in a widespread technology.

In Redwood City, then-city manager Melissa Diaz quizzed staff about who should be blamed for the incident. “We need to understand who should be accountable for the security of these systems and what we can do to hold either staff or the external responsible party accountable,” she wrote in an email to colleagues in the days after the hack.

Nick Mathiowdis, Redwood City’s current communications manager, tells WIRED that staff have been addressing the issue based on “lessons learned and evolving best practices,” but declines to share details to avoid encouraging further hacks.

Edward Fok, a veteran Federal Highway Administration cybersecurity official who briefly investigated the hacking before retiring as DOGE swept through the government, says cities need to do a better job ensuring that cybersecurity clauses are baked into contracts with suppliers and installers of technology, especially as AI tools and powerful sensors are increasingly integrated into transportation infrastructure.

Redwood City, for example, had contractually required its button installation and maintenance vendor to “use reasonable diligence and best judgment” at the time of the hack but had not specified anything about passwords or digital security.

In an unsigned statement to WIRED, the highway administration said that it previously issued a technical advisory outlining “security measures to make sure ideological idiots are not jeopardizing Americans' safety when utilizing our crosswalks."

The police investigation into the hacked buttons in Silicon Valley has run cold. Authorities couldn’t figure out who was behind the scheme because the buttons don’t track who uploads audio, and surveillance footage from the area wasn’t helpful, according to Redwood City police lieutenant Jeff Clements.

Public Warning

Greenville, Texas-based Polara Enterprises has been a leading supplier of crosswalk push buttons for decades. Some have the ability for cities to upload custom audioclips via Bluetooth to give pedestrians, including those who are blind or visually impaired, extra cues like the street and direction they are crossing.

Official online manuals and videos aimed at the thousands of technicians maintaining the buttons across the country describe how Bluetooth-enabled Polara models ship with a default password of “1234” and are configurable through a publicly available app. About eight months before last year’s button hacking spree, a physical security vlogger who goes by the name Deviant Ollam posted a YouTube video pointing out how easy it would be to tamper with the buttons. “I'm not encouraging anyone to try completely guessable passwords and upload their own content because, remember, that would be bad. That would probably be a crime or something. Talk to your lawyers,” he said in the video.

Ollam tells WIRED he hasn’t heard from the police or Polara. He credits the culprit for preserving the functionality of the buttons—it remained generally clear when it was safe to cross—though cities had to disable some of them until they could be resecured. “I personally consider this to be an ideal prank,” Ollam says. “They do not harm anyone. But they do capture people's attention and get the public talking about an important facet of society.”

Josh LittleSun, the chief technology officer of Synapse ITS, the company that now owns Polara, says the button hacks were the result of not the default passwords but instead installers using simple passwords that were shared too widely and not changed often enough.

Four former Synapse tech employees who spoke with WIRED say the company invests in making its products reliable but hasn’t prioritized security as much as it could. The buttons enjoy little competition and strong sales, so Synapse has dedicated only a small team to the product. “There isn’t a sufficient number of engineers. They have tight deadlines,” a former Synapse engineer claims. “And bosses don’t have far-sightedness to see all the possible problems that may occur in the future.”

Synapse’s LittleSun disputes the former employees’ characterization, saying that the company has expanded engineering investment in Polara products in recent years and that security is an ongoing focus. Since the hack, Synapse now requires stronger passwords and introduced additional verification steps for account changes and audio uploads. Unique default passwords or an additional PIN to further lock down buttons are under consideration.

“The security of these critical community assets is essential,” LitteSun says of the buttons. “Synapse ITS remains firmly committed to the ongoing advancement of secure, accessible infrastructure that supports the safety and independence of all users.”

A few days after the tampering in Silicon Valley, Seattle became the next victim. The recording there spoofed Amazon founder Jeff Bezos. “Please, please don’t tax the rich,” it said. “Otherwise all the other billionaires will move to Florida too. Wouldn’t it be terrible if all the rich people left Seattle—or got Luigi’d—and then the normal people could afford to live here again?"

Abel Pacheco, Seattle’s transit operations division director, tells WIRED the city responded by giving each of its buttons a unique password. It also established a list with Polara of city employees authorized to get help, aiming to make it more difficult for someone to impersonate a city official to gain information about the buttons.

Fok, the former highway administration official, says he had hoped to issue a nationwide alert warning local agencies about vulnerabilities associated with the Polara buttons but didn’t get to it before retiring. While the incident made global headlines, some cities apparently didn’t hear about it.

Last month, someone tampered with newly installed buttons in Denver to play anti-Trump messages. The city’s Department of Transportation and Infrastructure said the default password had still been in place because the buttons were not meant to be operational yet. A staffer told the department’s executive director in a text message obtained by WIRED, “In the future we will immediately change the factory default password to our own or will make sure that they are not powered up until we are ready to go.”