TLDR Information Security 2026-01-05

Attacks & Vulnerabilities

Critical vulnerability in IBM API Connect could allow authentication bypass (5 minute read)

IBM has disclosed CVE-2025-13915, a critical authentication bypass (CVSS 9.8) in API Connect versions 10.0.8.0 through 10.0.8.5 and 10.0.11.0 that lets a remote attacker gain unauthorized access with no user interaction. The flaw, classified as CWE-305 (Authentication Bypass by Primary Weakness), breaks the architectural assumption that the API gateway enforces identity and trust: every downstream service that relies on the gateway for authentication inherits the bypass, so exposure spreads silently across connected systems. Organizations should apply IBM’s interim fixes immediately, or disable self-service sign-up on the Developer Portal until they can, and in parallel inventory which services implicitly trust the gateway and monitor them for abnormal behavior.

Tokyo FM Data Breach: Hacker Claims Over 3 Million Records Stolen (3 minute read)

A threat actor using the alias “victim” claimed to have breached Tokyo FM Broadcasting Co., LTD. on January 1, allegedly exfiltrating over 3 million records containing names, email addresses, dates of birth, IP addresses, user agents, job-related information, and login IDs from multiple internal systems. The breach claims remain pending verification by security experts, though if validated, the exposed credentials and personal information pose significant risks for phishing attacks and credential stuffing. Potentially affected listeners should monitor their email for suspicious messages, implement unique passwords across services, and exercise heightened vigilance given the scope of compromised personally identifiable information.

Bluetooth Headphone Jacking: Full Disclosure of Airoha RACE Vulnerabilities (10 minute read)

Researchers discovered a series of vulnerabilities in the Airoha Bluetooth SoCs used in many true wireless earbuds, including models from Sony, Bose, and Marshall. The affected devices accept connections over Bluetooth Classic and BLE without any authentication, and they implement a custom vendor protocol, RACE, that allows reading and writing the chip’s RAM. An attacker within Bluetooth range could chain these issues to impersonate a user’s headphones to the paired phone and then issue commands through the phone’s voice assistant or eavesdrop on calls.

Strategies & Tactics

The ROI Problem in Attack Surface Management (9 minute read)

Attack Surface Management programs struggle to demonstrate ROI because they optimize for coverage metrics like asset counts and alerts generated rather than measuring actual risk reduction, creating a gap between effort and security outcomes. Traditional ASM implementations focus on discovery inputs while teams experience alert fatigue, long backlogs of unresolved assets, ownership confusion, and exposures that persist for months without clear evidence of improved security posture. Organizations should shift to outcome-based metrics, including mean time to asset ownership, reduction in unauthenticated state-changing endpoints, and time to decommission abandoned assets—measurements that directly correlate with exposure duration and demonstrate whether the attack surface is actually shrinking over time.

Palo Alto Networks security-intel boss calls AI agents 2026’s biggest insider threat (5 minute read)

AI agents are increasingly embedded deep within corporate systems, automating tasks such as code review, alert triage, approvals, and even financial decisions, effectively acting with human-like privileges at machine speed. This makes misconfigurations and over-permissive “superuser” access especially dangerous, because a single prompt injection or tool-misuse bug can turn an agent into a silent insider capable of approving fraudulent transactions, exfiltrating data, or deleting backups. At the same time, these tools help defenders scale, triage noise, and think more strategically, so security leaders must strike a balance: apply least-privilege access, robust monitoring, and strong controls around internal LLMs and task-specific agents to harness benefits without enabling catastrophic abuse.

Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks (9 minute read)

Smart pet feeders from Petlibro had several serious security flaws, the worst of which let attackers log in to any account through a broken social-login flow: the backend trusted a client-supplied Google ID instead of validating the OAuth ID token. Once in, attackers could pull detailed pet profiles, enumerate devices, hijack feeders and cameras, and even harvest owners’ recorded mealtime audio messages through poorly authorized APIs. The researcher disclosed six issues, received a small bounty and a post-hoc NDA request, and criticized Petlibro for leaving the legacy authentication bypass live for weeks in the name of “compatibility” despite the risk to users and their pets.
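The authentication bug above is a common pattern, so here is an added example (not Petlibro’s code) showing a social-login handler that believes a client-supplied Google ID beside one that verifies the ID token first. Real Google ID tokens are RS256-signed JWTs checked against Google’s published keys; to run offline, this example signs with HS256 and a local key as a stand-in, but the checks it performs (signature, issuer, audience, expiry, then reading `sub`) are the ones a real verifier must do. The account store, client ID, and token values are constructed sample data.

```python
"""Added example: client-trusted Google ID vs. verified ID token (not Petlibro's code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: Google subject ID -> account.
ACCOUNTS = {"g-1001": "alice@example.com", "g-1002": "mallory@example.com"}
OUR_CLIENT_ID = "petfeeder-app"                # assumed OAuth client ID (the 'aud' we expect)
ISSUER = "https://accounts.google.com"         # issuer a Google ID token carries
IDP_SIGNING_KEY = b"idp-secret-stand-in"       # HS256 stand-in for Google's RSA keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """Stand-in for the identity provider issuing a signed ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class InvalidToken(Exception):
    pass


def login_vulnerable(request: dict) -> Optional[str]:
    """Broken flow: the client asserts its Google ID and the server believes it.
    Anyone who knows or guesses a victim's ID logs in as the victim."""
    return ACCOUNTS.get(request.get("google_id"))


def verify_id_token(token: str, now: Optional[float] = None) -> dict:
    """Check signature, algorithm, issuer, audience and expiry; return the claims."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never accept 'none'
        raise InvalidToken("unexpected alg")
    expected = hmac.new(IDP_SIGNING_KEY, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    if claims.get("aud") != OUR_CLIENT_ID:     # a token minted for another app is not ours
        raise InvalidToken("audience mismatch")
    current = now if now is not None else time.time()
    if float(claims.get("exp", 0)) <= current:
        raise InvalidToken("expired")
    return claims


def login_hardened(request: dict, now: Optional[float] = None) -> Optional[str]:
    """Fixed flow: identity comes only from the verified token's 'sub' claim."""
    claims = verify_id_token(request["id_token"], now)
    return ACCOUNTS.get(claims["sub"])


def login_outcome(request: dict, now: Optional[float] = None) -> str:
    """Hardened login as a string result, so rejections are easy to compare."""
    try:
        return login_hardened(request, now) or "no such account"
    except InvalidToken as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Mallory sends Alice's Google ID directly and the broken flow logs her in as Alice.
    print(login_vulnerable({"google_id": "g-1001"}))
    exp = time.time() + 300
    # Mallory's own valid token yields only Mallory's account...
    own = mint_id_token({"iss": ISSUER, "aud": OUR_CLIENT_ID, "sub": "g-1002", "exp": exp})
    print(login_outcome({"id_token": own}))
    # ...and a token she forges naming Alice fails signature verification.
    forged = mint_id_token({"iss": ISSUER, "aud": OUR_CLIENT_ID, "sub": "g-1001", "exp": exp},
                           key=b"attacker-key")
    print(login_outcome({"id_token": forged}))
```

The audience check matters as much as the signature: a genuine token issued to some other app that uses Google sign-in is still signed by Google, and a backend that skips `aud` would accept it.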

Launches & Tools

Certgrep (Website)

Certgrep is a Certificate Transparency log search tool that lets you search by regular expression, wildcard, or suffix and prefix terms.

APISec.ai (Product Launch)

APISec is a dynamic, AI-powered API red team that continuously scans APIs for vulnerabilities. It includes a browser extension called Bolt that dynamically discovers APIs during user browsing without requiring a MitM proxy.

Web Check (GitHub Repo)

Web Check is an all-in-one OSINT tool for analyzing websites. This repository includes information for deploying the tool on Netlify or Vercel, building from source, or using Docker. A live demo is also included.

Miscellaneous

Two US cybersecurity professionals plead guilty in BlackCat/Alphv ransomware case (5 minute read)

Cybersecurity professionals Ryan Goldberg (former Sygnia incident response manager) and Kevin Martin (DigitalMint ransomware negotiator) pleaded guilty to deploying BlackCat/ALPHV ransomware against multiple US victims from April to December 2023, extorting approximately $1.2M in Bitcoin from a medical device company while sharing 20% of ransoms with operators. The defendants leveraged their cybersecurity expertise to conduct attacks against five companies, with Goldberg later fleeing to Paris after learning of FBI raids on co-conspirators and both facing potential 50-year sentences. The case highlights insider threat risks and the FBI’s recommendation for organizations to exercise due diligence when engaging third-party incident response providers.

On Apples, Oranges, and Classical ML versus LLM Security Performance (4 minute read)

When classical ML-based security tools are compared against LLM-based ones, the comparison is often skewed in the classical tools’ favor. Classical models are typically trained on one portion of a dataset and then evaluated on the rest of that same dataset, whereas LLM tools are evaluated in a one-shot fashion with no comparable training on the evaluation data. The ground truth may also contain labeling errors that classical models simply learn to reproduce, and classical models need continuous retraining to keep their accuracy. Going forward, the author argues for security-focused foundation models to address scalability problems and hallucinations.

Prediction: AI Will Make Formal Verification Go Mainstream (5 minute read)

Formal verification is the highly specialized, time-consuming process of mathematically proving that a system behaves according to its specification. Verifying the roughly 8,700 lines of C in the seL4 microkernel took about 20 person-years and some 200,000 lines of Isabelle proof script, which is why formal verification remains largely an academic discipline today. The author predicts that if engineers are instead trained to write precise specifications, LLMs can take over generating the proofs, lowering the barrier enough for formal verification to go mainstream.

Quick Links

Resecurity Says ShinyHunters Fell for Honeypot After Breach Claim (3 minute read)

Resecurity has refuted ShinyHunters’ breach claims, revealing that the threat actor interacted with a honeypot containing synthetic employee accounts and fake infrastructure rather than production systems.

California residents can use new tool to demand brokers delete their personal data (3 minute read)

California’s new Delete Requests and Opt-Out Platform (DROP) lets residents file a single verified request to force over 500 registered data brokers to delete their personal data and stop selling it.

Covenant Health Data Breach Impacts 478,000 Individuals (2 minute read)

Qilin ransomware actors breached Covenant Health’s systems in May 2025, exfiltrating roughly 850 GB of data, including over 1.3 million files containing names, addresses, Social Security numbers, insurance details, and treatment information for 478,188 people across multiple US states.