FBI Warning on IoT Devices: How to Tell If You Are Impacted
On June 5th, the FBI released a PSA titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of BADBOX malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers also encountered primarily on Android TV set-top boxes. However, the malware has impacted tablets, digital projectors, aftermarket vehicle infotainment units, picture frames, and other types of IoT devices.
One goal of this malware is to create a network proxy on the devices of unsuspecting buyers, potentially making them hubs for various potential criminal activities, putting the owners of these devices at risk from authorities. This malware is particularly insidious, coming pre-installed out of the box from major online retailers such as Amazon and AliExpress. If you search “Android TV Box” on Amazon right now, many of the same models that have been impacted are still up being sold by sellers of opaque origins. Facilitating the sale of these devices even led us to write an open letter to the FTC, urging them to take action on resellers.
The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov.
The FBI lists these IoC:
- The presence of suspicious marketplaces where apps are downloaded.
- Requiring Google Play Protect settings to be disabled.
- Generic TV streaming devices advertised as unlocked or capable of accessing free content.
- IoT devices advertised from unrecognizable brands.
- Android devices that are not Play Protect certified.
- Unexplained or suspicious Internet traffic.
The following adds context to above, as well as some added IoCs we have seen from our research.
Play Protect Certified
“Android devices that are not Play Protect certified” refers to any device brand or partner not listed here: https://www.android.com/certified/partners/. Google subjects devices to compatibility and security tests in their criteria for inclusion in the Play Protect program, though the mentioned list’s criteria are not made completely transparent outside of Google. But this list does change, as we saw with the tablet brand we researched being de-listed. This encompasses “devices advertised from unrecognizable brands.” The list includes international brands and partners as well.
Outdated Operating Systems
Other issues we saw were really outdated Android versions. For posterity, Android 16 just started rolling out. Android 9-12 appeared to be the most common versions routinely used. This could be a result of “copied homework” from previous legitimate Android builds, and often come with their own update software that can present a problem on its own and deliver second-stage payloads for device infection in addition to what it is downloading and updating on the device.
You can check which version of Android you have by going to Settings and searching “Android version”.
Android App Marketplaces
We’ve previously argued how the availability of different app marketplaces leads to greater consumer choice, where users can choose alternatives even more secure than the Google Play Store. While this is true, the FBI’s warning about suspicious marketplaces is also prudent. Avoiding “downloading apps from unofficial marketplaces advertising free streaming content” is sound (if somewhat vague) advice for set-top boxes, yet this recommendation comes without further guidelines on how to identify which marketplaces might be suspicious for other Android IoT platforms. Best practice is to investigate any app stores used on Android devices separately, but to be aware that if a suspicious Android device is purchased, it can contain preloaded app stores that mimic the functionality of legitimate ones but also contain unwanted or malicious code.
Models Listed from the Badbox Report
We also recommend looking up device names and models that were listed in the BADBOX 2.0 report. We investigated the T95 models along with other independent researchers that initially found this malware present. A lot of model names could be grouped in families with the same letters but different numbers. These operations are iterating fast, but the naming conventions are often lazy in this respect. If you're not sure what model you own, you can usually find it listed on a sticker somewhere on the device. If that fails, you may be able to find it by pulling up the original receipt or looking through your order history.
A Note from Satori Researchers:
“Below is a list of device models known to be targeted by the threat actors. Not all devices of a given model are necessarily infected, but Satori researchers are confident that infections are present on some devices of the below device models:”
List of Potentially Impacted Models
Broader Picture: The Digital Divide
Unfortunately, the only way to be sure that an Android device from an unknown brand is safe is not to buy it in the first place. Though initiatives like the U.S. Cyber Trust Mark are welcome developments intended to encourage demand-side trust in vetted products, recent shake ups in federal regulatory bodies means the future of this assurance mark is unknown. This means those who face budget constraints and have trouble affording top-tier digital products for streaming content or other connected purposes may rely on cheaper imitation products that are rife with not only vulnerabilities, but even come out-of-the-box preloaded with malware. This puts these people disproportionately at legal risk when these devices are used to provide the buyers’ home internet connection as a proxy for nefarious or illegal purposes.
Cybersecurity and trust that the products we buy won’t be used against us is essential: not just for those that can afford name-brand digital devices, but for everyone. While we welcome the IoCs that the FBI has listed in its PSA, more must be done to protect consumers from a myriad of dangers that their devices expose them to.
Weekly Report: Apache Tomcatに複数の脆弱性
Apache Tomcatには、複数の脆弱性があります。この問題は、当該製品を修正済みのバージョンに更新することで解決します。詳細は、開発者が提供する情報を参照してください。
STOPトランプ・ネタニヤフ!米国はイラン攻撃をすぐやめろ! 6ゲ5米国大使館抗議行動へ
自治紛争処理委員令和7年第1号−第4回会議
自治紛争処理委員令和7年第1号−第4回会議
情報通信審議会 情報通信技術分科会 航空・海上無線通信委員会 AMRD作業班(第2回)
情報通信審議会 情報通信技術分科会 航空・海上無線通信委員会 AMRD作業班(第2回)
郵便局における点呼業務の不備に関する監督上の命令等
郵便局における点呼業務の不備に関する監督上の命令等
接続料の算定等に関する研究会(第98回)
接続料の算定等に関する研究会(第98回)
第19回 地方公共サービス小委員会(会議資料)
第19回 地方公共サービス小委員会(会議資料)
日・ケニアICTワークショップの開催結果
日・ケニアICTワークショップの開催結果
情報通信審議会 電気通信事業政策部会(第82回)開催案内
情報通信審議会 電気通信事業政策部会(第82回)開催案内
第27回参議院議員通常選挙における選挙啓発・イメージキャラクター
第27回参議院議員通常選挙における選挙啓発・イメージキャラクター
日本郵政株式会社の取締役の選任に係る決議に対する認可
日本郵政株式会社の取締役の選任に係る決議に対する認可
リチウムイオン電池等の回収・再資源化に関する調査 <結果に基づく通知>
リチウムイオン電池等の回収・再資源化に関する調査 <結果に基づく通知>
令和3年度地方財政審議会(9月21日)議事要旨
令和3年度地方財政審議会(9月21日)議事要旨
第43回政策評価審議会(第42回政策評価制度部会と合同)(令和7年6月24日開催)
第43回政策評価審議会(第42回政策評価制度部会と合同)(令和7年6月24日開催)
情報通信審議会 情報通信技術分科会 電波有効利用委員会(第3回)
情報通信審議会 情報通信技術分科会 電波有効利用委員会(第3回)
一般職技術系(情報通信行政)−官庁訪問情報を更新しました
一般職技術系(情報通信行政)−官庁訪問情報を更新しました
Why Are Hundreds of Data Brokers Not Registering with States?
Written in collaboration with Privacy Rights Clearinghouse
Hundreds of data brokers have not registered with state consumer protection agencies. These findings come as more states are passing data broker transparency laws that require brokers to provide information about their business and, in some cases, give consumers an easy way to opt out.
In recent years, California, Texas, Oregon, and Vermont have passed data broker registration laws that require brokers to identify themselves to state regulators and the public. A new analysis by Privacy Rights Clearinghouse (PRC) and the Electronic Frontier Foundation (EFF) reveals that many data brokers registered in one state aren’t registered in others.
Companies that registered in one state but did not register in another include: 291 companies that did not register in California, 524 in Texas, 475 in Oregon, and 309 in Vermont. These numbers come from data analyzed from early April 2025.
PRC and EFF sent letters to state enforcement agencies urging them to investigate these findings. More investigation by states is needed to determine whether these registration discrepancies reflect widespread noncompliance, gaps and definitional differences in the various state laws, or some other explanation.
New data broker transparency laws are an essential first step to reining in the data broker industry. This is an ecosystem in which your personal data taken from apps and other web services can be bought and sold largely without your knowledge. The data can be highly sensitive like location information, and can be used to target you with ads, discriminate against you, and even enhance government surveillance. The widespread sharing of this data also makes it more susceptible to data breaches. And its easy availability allows personal data to be obtained by bad actors for phishing, harassment, or stalking.
Consumers need robust deletion mechanisms to remove their data stored and sold by these companies. But the potential registration gaps we identified threaten to undermine such tools. California’s Delete Act will soon provide consumers with an easy tool to delete their data held by brokers—but it can only work if brokers register. California has already brought a handful of enforcement actions against brokers who failed to register under that law, and such compliance efforts are becoming even more critical as deletion mechanisms come online.
It is important to understand the scope of our analysis.
This analysis only includes companies that registered in at least one state. It does not capture data brokers that completely disregard state laws by failing to register in any state. A total of 750 data brokers have registered in at least one state. While harder to find, shady data brokers who have failed to register anywhere should remain a primary enforcement target.
This analysis also does not claim or prove that any of the data brokers we found broke the law. While the definition of “data broker” is similar across states, there are variations that could require a company to register in one state and not another. To take one example, a data broker registered in Texas that only brokers the data of Texas residents would not be legally required to register in California. To take another, a data broker that registered with Vermont in 2020 that then changed its business model and is no longer a broker, would not be required to register in 2025. More detail on variations in data broker laws is outlined in our letters to regulators.
States should investigate compliance with data broker registration requirements, enforce their laws, and plug any loopholes. Ultimately, consumers deserve protections regardless of where they reside, and Congress should also work to pass baseline federal data broker legislation that minimizes collection and includes strict use and disclosure limits, transparency obligations, and consumer rights.
Read more here:
【オピニオン】納得できない事例あれば記者が対処 ファクトチェックより早い=木下 寿国
その人がどういう人なのかは、その人の本棚を見ればわかる、という言い方がある。要するに、人がその人生で接してきた情報の総体が、その人の人格を形づくるということだろう。元の情報があやふやなものであれば、当然ながら形作られるものはいい加減なものにならざるを得ない。 では人々に日々大量の情報を発信し続けているマスコミをめぐる状況はどうなっているか。私は機関紙「JCJ神奈川」の最新号に送った原稿で、その実態はかなり公正さに欠けるのではないかと書いた。ここで改めてその内容を引きつつ、も..