phone


      Go ahead and unplug this door device before reading. You’ll thank us later.

      news.movim.eu / ArsTechnica • 9 March, 2023 • 1 minute

    The Akuvox E11 (credit: Akuvox)

    The Akuvox E11 is billed as a video door phone, but it’s actually much more than that. The network-connected device opens building doors, provides live video and microphone feeds, takes a picture and uploads it each time someone walks by, and logs each entry and exit in real time. The Censys device search engine shows that roughly 5,000 such devices are exposed to the Internet, but there are likely many more that Censys can’t see for various reasons.

    It turns out that this omnipotent, all-knowing device is riddled with holes that provide multiple avenues for putting sensitive data and powerful capabilities into the hands of threat actors who take the time to analyze its inner workings. That’s precisely what researchers from security firm Claroty did. The findings are serious enough that anyone who uses one of these devices in a home or building should pause reading this article, disconnect their E11 from the Internet, and assess where to go from there.

    The 13 vulnerabilities found by Claroty include missing authentication for critical functions, missing or improper authorization, hard-coded keys that are encrypted using accessible rather than cryptographically hashed keys, and the exposure of sensitive information to unauthorized users. As bad as the vulnerabilities are, their threat is made worse by the failure of Akuvox—a China-based leading supplier of smart intercom and door entry systems—to respond to multiple messages from Claroty, the CERT Coordination Center, and the Cybersecurity and Infrastructure Security Agency over a span of six weeks. Claroty and CISA publicly published their findings on Thursday here and here.


      Wikipedia + AI = truth? DuckDuckGo hopes so with new answerbot

      news.movim.eu / ArsTechnica • 8 March, 2023

    An AI-generated image of a cyborg duck. (credit: Ars Technica)

    Not to be left out of the rush to integrate generative AI into search, on Wednesday DuckDuckGo announced DuckAssist, an AI-powered factual summary service powered by technology from Anthropic and OpenAI. It is available for free today as a wide beta test for users of DuckDuckGo’s browser extensions and browsing apps. Because it is powered by an AI model, DuckAssist might make stuff up, the company admits, but it hopes that will happen rarely.

    Here's how it works: If a DuckDuckGo user searches a question that can be answered by Wikipedia, DuckAssist may appear and use AI natural language technology to generate a brief summary of what it finds in Wikipedia, with source links listed below. The summary appears above DuckDuckGo's regular search results in a special box.

    The company positions DuckAssist as a new form of "Instant Answer"—a feature that prevents users from having to dig through web search results to find quick information on topics like news, maps, and weather. Instead, the search engine presents the Instant Answer results above the usual list of websites.


      Google’s PaLM-E is a generalist robot brain that takes commands

      news.movim.eu / ArsTechnica • 7 March, 2023

    A robotic arm controlled by PaLM-E reaches for a bag of chips in a demonstration video. (credit: Google Research)

    On Monday, a group of AI researchers from Google and the Technical University of Berlin unveiled PaLM-E, a multimodal embodied visual-language model (VLM) with 562 billion parameters that integrates vision and language for robotic control. They claim it is the largest VLM ever developed and that it can perform a variety of tasks without the need for retraining.

    According to Google, when given a high-level command, such as "bring me the rice chips from the drawer," PaLM-E can generate a plan of action for a mobile robot platform with an arm (developed by Google Robotics) and execute the actions by itself.

    PaLM-E does this by analyzing data from the robot's camera without needing a pre-processed scene representation. This eliminates the need for a human to pre-process or annotate the data and allows for more autonomous robotic control.


      Microsoft makes Outlook for Mac free, no Office or Microsoft 365 required

      news.movim.eu / ArsTechnica • 7 March, 2023

    The current Outlook for Mac email client. (credit: Microsoft)

    Microsoft is making the Outlook for Mac app free to use, the company announced this week. Previously available with a Microsoft 365 account or as part of the Office for Mac app suite, the Outlook app is downloadable from the Mac App Store and works with Outlook.com, Gmail, iCloud, Yahoo, and plain old IMAP and POP email accounts.

    Microsoft already offers a free version of the Outlook client for iOS and Android, and it's currently testing a preview of a redesigned Outlook app that will replace the built-in Mail and Calendar apps that ship with Windows 11.

    The Mac version of the app doesn't use that new design—it's the same Outlook for Mac app that Microsoft rolled out back in late 2020—but the company's blog post says the company is working on "rebuilding Outlook for Mac from the ground up." This will presumably be the same client that Microsoft is testing in Windows, part of the company's "One Outlook" project (also called Project Monarch) that aims to offer a single unified mail client that looks and works the same way across all supported platforms.


      Threat actors are using advanced malware to backdoor business-grade routers

      news.movim.eu / ArsTechnica • 7 March, 2023

    Computer cables plugged into a router. (credit: Getty Images)

    Researchers have uncovered advanced malware that’s turning business-grade routers into attacker-controlled listening posts that can sniff email and steal files in an ongoing campaign hitting North and South America and Europe.

    Besides passively capturing IMAP, SMTP, and POP email, the malware also backdoors routers with a remote access Trojan that allows the attackers to download files and run commands of their choice. The backdoor also enables attackers to funnel data from other servers through the router, turning the device into a covert proxy for concealing the true origin of malicious activity.

    “This type of agent demonstrates that anyone with a router who uses the Internet can potentially be a target—and they can be used as proxy for another campaign—even if the entity that owns the router does not view themselves as an intelligence target,” researchers from security firm Lumen’s Black Lotus Labs wrote. “We suspect that threat actors are going to continue to utilize multiple compromised assets in conjunction with one another to avoid detection.”


      Microsoft aims to reduce “tedious” business tasks with new AI tools

      news.movim.eu / ArsTechnica • 6 March, 2023

    An AI-generated illustration of a GPT-powered robot worker. (credit: Ars Technica)

    On Monday, Microsoft bundled ChatGPT-style AI technology into its Power Platform developer tool and Dynamics 365, Reuters reports. Affected tools include Power Virtual Agent and AI Builder, both of which have been updated to include GPT large language model (LLM) technology created by OpenAI.

    The move follows the trend among tech giants such as Alphabet and Baidu to incorporate generative AI technology into their offerings—and of course, the multi-billion dollar partnership between OpenAI and Microsoft announced in January.

    Microsoft's Power Platform is a development tool that allows the creation of apps with minimal coding. Its updated Power Virtual Agent allows businesses to point an AI bot at a company website or knowledge base and then ask it questions, which it calls Conversation Booster. "With the conversation booster feature, you can use the data source that holds your single source of truth across many channels through the chat experience, and the bot responses are filtered and moderated to adhere to Microsoft’s responsible AI principles," writes Microsoft in a blog post.


      Twitter revenue fell 40% in December amid advertiser exodus, report says

      news.movim.eu / ArsTechnica • 6 March, 2023

    Elon Musk's Twitter profile displayed on a phone screen in front of a Twitter logo and a fake stock graph with an arrow pointing down. (credit: Getty Images | NurPhoto)

    Twitter's revenue and adjusted earnings reportedly fell about 40 percent year over year in December 2022 amid an advertiser exodus following Elon Musk's takeover.

    Twitter no longer reports earnings publicly since Musk bought the company and took it private in late October. But Twitter reported the December 2022 revenue and earnings declines in an update to investors, according to "people familiar with the matter" cited in a Wall Street Journal report on Friday.

    Many big companies cut advertising spending on Twitter shortly after Musk's acquisition, largely over concerns about content moderation. Twitter offered special deals to advertisers throughout December 2022, but it wasn't enough to prevent the 40 percent revenue and earnings declines.


      Twitter API error broke the site today as Musk blames “brittle” platform

      news.movim.eu / ArsTechnica • 6 March, 2023

    Twitter logo displayed on a cracked phone screen is seen through broken glass. (credit: Getty Images | NurPhoto)

    Twitter suffered an embarrassing technology failure today that temporarily broke links to outside websites and even to Twitter's own webpages. The problem lasted for about 45 minutes or so.

    In our tests, clicking any link brought up this error message:

    {"errors":[{"message":"Your current API plan does not include access to this endpoint, please see https://developer.twitter.com/en/docs/twitter-api for more information","code":467}]}

    Clicking that developer link didn't clear anything up while the problem was still happening because it brought up the same API error message. In addition to news articles and other outbound links, the error message appeared when we tried to click Twitter's terms of service, privacy policy, cookie policy, and other similar pages. Some images embedded in tweets were broken, and there were reports of TweetDeck being broken too.


      Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

      news.movim.eu / ArsTechnica • 6 March, 2023 • 1 minute

    Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw (credit: Aurich Lawson | Getty Images)

    Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

    Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware infect the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

    Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to run malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.
