Chairman Ajit Pai is pressing for a public auction of wireless frequencies in the C-band spectrum (the 4GHz to 8GHz range often used by satellite companies) for the sake of 5G service. Engadget reports: This would help the FCC clear up "significant" frequency space in a quick fashion, generate money for the government and "ensure continued delivery" of existing services, Pai argued. He hoped to auction off a 280MHz slice while leaving the upper 200MHz available. An FCC official told the Wall Street Journal that the regulator hoped to bring the C-band auction up for a vote in 2020 and start the auction by the end of that year.

Satellite companies, however, might not be so happy. Industry giants like Intelsat and SES haven't been averse to selling their spectrum, but they've wanted a private auction to share the money they make and have claimed the FCC isn't allowed to take in-use spectrum without paying them. A public auction flies in the face of that. The C-Band Alliance, a group representing the satellite firms, has hinted at "protracted litigation" if the FCC pushes forward. Carriers are also of mixed opinions. AT&T, which owns DirecTV, has called C-band an "opportunity" but also wanted compensation and a "reasonable transition plan" to avoid disruptions. Verizon (Engadget's parent company and Pai's former employer) likewise wanted "appropriate incentives and protections" to ensure a quick process.

It's not yet prime time for 5G networks, which still face logistical and technical hurdles, but they're increasingly coming online in major cities worldwide. Which is why it's especially worrying that new 5G vulnerabilities are being discovered almost by the dozen. From a report: At the Association for Computing Machinery's Conference on Computer and Communications Security in London today researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws. The researchers from Purdue University and the University of Iowa are detailing 11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.

One purported benefit of 5G is that it protects phone identifiers, like your device's "international mobile subscriber identity," to help prevent tracking or targeted attacks. But downgrade attacks like the ones the researchers found can bump your device down to 4G, or put it into limited service mode, then force it to send its IMSI number unencrypted. Increasingly, networks use an alternative ID called a Temporary Mobile Subscriber Identity that refreshes periodically to stymie tracking. But the researchers also found flaws that could allow them to override TMSI resets, or correlate a device's old and new TMSI, to track devices. Mounting those attacks takes only software-defined radios that cost a few hundred dollars. The 5GReasoner tool also found issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts. Depending on how a carrier implements the standard, attackers could mount "replay" attacks to run up a target's mobile bill by repeatedly sending the same message or command. It's an instance of vague wording in the 5G standard that could cause carriers to implement it weakly.

AT&T is adding $10 to the monthly bills of customers with certain grandfathered mobile-data plans and not letting them switch back to their older packages. AT&T is pitching the change as a "bonus" because it's also adding 15GB to the customers' monthly data allotments. Ars Technica reports: "Enjoy more data," AT&T says in a support document. "Starting with your October 2019 bill, you'll get an additional 15GB of data on your Mobile Share plan. This bonus data comes with a $10 price increase." Paying an extra $10 for another 15GB isn't a bad deal as far as U.S. wireless prices go, but that's only true if you actually need the extra data. The plans getting the data-and-price increases already had between 20GB and 60GB of data per month at prices that ranged from $100 to $225. Now those plans have 35GB to 75GB and cost $110 to $235. (The data allotments can be shared among multiple people on the same family plan.)

These Mobile Share Value plans were introduced in December 2013 and are apparently no longer offered to new customers. This is at least the second time this year that AT&T has added $10 and extra data to customer bills; a previous increase took effect between March and May and mostly affected a different set of Mobile Share Value plans, according to another AT&T support document. AT&T confirmed that there's no way to opt out of the new $10 increase, The Verge reported yesterday.

The T-Mobile and Sprint merger hasn't been officially completed yet, but that hasn't stopped the "Un-carrier" from talking about what it will do with its newfound resources. T-Mobile announced today that it plans to launch the company's cheapest phone plan ever and roll out its 5G network starting December 6th. Gizmodo reports: Starting at just $15 a month, the new T-Mobile Connect plan offers unlimited talk and text plus 2GB of 4G or 5G data. Now admittedly, 2GB of data per month isn't all that much, but considering the T-Mobile's current least expensive plans start at $30 a month (and that's including a discount for having four lines), T-Mobile Connect could provide some much-needed savings for low-income families -- at least temporarily while it gathers all the goodwill it can muster in the merger process. Additionally, T-Mobile also teased two other new programs with its Connecting Heroes Initiative, which promises to give unlimited talk, text and 5G access to every first responder in the U.S. for the next 10 years. This includes public and non-profit fire, police, and EMS personnel. Then there's T-Mobile's Project 10 Million, which promises to handout 10 million hotspots to students across the country that will provide up to 100GB of free mobile data per year. With Project 10 Million, T-Mobile is hoping to give children and students greater access to broadband internet in order to make completing homework just a bit easier.

Also, next month T-Mobile says it will turn on its nationwide 5G network on December 6th, which promises to bring 5G coverage to over 200 million Americans in more than 5,000 cities. That said, this 5G network won't have the combined resources of both T-Mobile and Sprint until sometime in 2020 when T-Mobile can integrate its mmWave and sub-6GHz spectrum with Sprint's mid-brand spectrum. Looking even further ahead, T-Mobile claims its new 5G network will offer 14 times more capacity than it could on its own, and that the combined T-Mobile/Sprint network will cover 85 percent of the rural U.S. within three years, and 90 percent coverage after six years.

An anonymous reader quotes a report from TechCrunch: Security researchers have discovered a vulnerability in Ring doorbells that exposed the passwords for the Wi-Fi networks to which they were connected. Bitdefender said the Amazon-owned doorbell was sending owners' Wi-Fi passwords in cleartext as the doorbell joins the local network, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network to launch larger attacks or conduct surveillance.

"When first configuring the device, the smartphone app must send the wireless network credentials. This takes place in an unsecure manner, through an unprotected access point," said Bitdefender. "Once this network is up, the app connects to it automatically, queries the device, then sends the credentials to the local network." But all of this is carried out over an unencrypted connection, exposing the Wi-Fi password that is sent over the air. Amazon fixed the vulnerability in all Ring devices in September, but the vulnerability was only disclosed today.

Saritha Rai, writing for Bloomberg: A payments platform created by India's largest retail banks surpassed a billion transactions in October, a milestone that affirms the tremendous growth of services offered by U.S. giants from Walmart to Amazon.com and Google. Indian digital payments took off when the government pushed demonetization in 2016, invalidating most of the country's high-value currency notes in a move to curb corruption and push Indians away from cash. The Unified Payments Interface or UPI has now surpassed a 100 million users three-and-a-half years after its launch, thanks to booming smartphone use and wireless data rates among the lowest in the world. Amazon and Google now vie with local startup Paytm, Walmart-PhonePe and a host of other players in a digital payments market forecast to quintuple to $1 trillion by 2023. "UPI has had the fastest acceptance rate not just among payment platforms but digital platforms of any kind," said Dilip Asbe, chief executive officer of the National Payments Corporation of India, which groups the lenders that developed the system. "We aim to expand the UPI base to 500 million users in the next three years."

UPI sports an open architecture allowing digital wallet apps, payment banks and startups to link freely to its platform. That's a contrast to the closed systems of China's dominant services, WeChat and Alipay. It simplifies transactions between apps and banks linked through a biometric ID system called Aadhaar. Regulated by the central bank, it allows the instant transfer of funds between bank accounts through a mobile device using a simple virtual handle, without sharing bank or personal details. UPI's creators now want to take the platform beyond the country's borders and allow payments in places like Singapore or the Middle East with a dense population of Indian expatriates.

Google's Pixel smartphones have always been defined by iPhone-beating cameras, backed by the know-how of its software coders. With the release of the Pixel 4, however, the company has lost its lead -- through a combination of Apple's iPhone 11 camera improvements and its own lack of progress. From a report: Alphabet's Google is selling the Pixel 4 through all four major U.S. wireless carriers for the first time. And it's priced like a premium device: the 5.7-inch Pixel 4 starts at $799 and the 6.3-inch Pixel 4 XL costs $899. That's at least $100 more than the iPhone 11 but without software like iMessage that many Apple users consider a social imperative in the U.S.

With the iPhone 11 and 11 Pro, Apple closed the photography gap with better low-light image quality. Its camera software also makes those photos easier to take by automatically enabling night mode when required. Apple remains way ahead of any other phone maker when it comes to video quality. Deprived of its signature advantage, the Pixel 4 struggles to stand out in a crowded smartphone market. The design -- including materials, proportions and screen bezels -- is utilitarian. When compared with more polished handsets from Apple and Samsung, the Pixel 4 is unremarkable. With a single-digit slice of the smartphone market, Google also lacks the user loyalty and inertia to keep selling without a killer feature.

Apple today announced that it is releasing new AirPods Pro earbuds on October 30. Priced at $249, the premium version of its true wireless earbuds includes noise-cancellation feature to block out external sound. From a report: The new Pro model is available for pre-order starting today and will hit the shelves Wednesday, Oct. 30 - but, some hopeful buyers are finding they're already sold out online. The buds have ear tips that could fit deeper inside ears. The larger charging case also has a bigger, longer-lasting battery. Apple says the AirPods Pro can last "up to 5 hours" on a single charge and "over 24 hours" with the case. AirPods Pro cost $249 compared to $159 AirPods and $199 AirPods (with wireless charging case). Pre-orders start today at Apple.com. They deliver on Oct. 30 and will be available in Apple Stores the same day. Apple was widely expected to hold another event where it would have supposedly unveiled the refreshed AirPods and a 16-inch MacBook Pro, but the announcement today was made through a press release. The company has not clarified in that press release what kind of battery improvement the AirPods Pro offer. As it has been documented several times, AirPods' in-built battery becomes useless after a year of use, keeping the accessory on for just a few minutes at best. So unless Apple has somehow made a breakthrough here, it is likely the new AirPods, too, will die after a year of usage. Which means you're effectively paying Apple more than $20 a month for using their wireless earpieces.

A California man is suing AT&T after he says one of its employees allowed a hacker to access his cell phone number that resulted in his data being compromised and more than $1.8 million in cryptocurrency stolen from his accounts. ABC News reports: Seth Shapiro says that an AT&T employee allowed a hacker to swap his phone number from his phone to a separate device, which resulted in "the compromise of highly sensitive personal and financial information and the theft of more than $1.8 million," according to court documents. The process of so-called "SIM swapping" allows hackers a way to gain access to all the information tied to a phone number potentially giving them access to every email, photo, app and more on the phone.

The complaint filed on Oct. 17 claims that while third parties had control over his AT&T wireless number, "they used that control to access and reset the passwords for Mr. Shapiro's accounts on cryptocurrency exchange platforms, including KuCoin, Bittrex, Wax, Coinbase, Huobi, Crytopia, LiveCoin, HitBTC, Coss.io, Liqui, and Bitfinex." The digital currency "was accessed by the hackers utilizing their control over Mr. Shapiro's AT&T wireless number," the court documents added. The lawsuit alleges that hackers were able to access "accounts on various cryptocurrency exchange platforms, including the accounts he controlled on behalf of his business venture. The hackers then transferred Mr. Shapiro's currency from Mr. Shapiro's accounts into accounts that they controlled." "In all, they stole more than $1.8 million from Mr. Shapiro in the two consecutive SIM swap attacks on May 16, 2018," the complaint added. AT&T told ABC News in a statement that they dispute the Shapiro's allegations and shared information on how customers can help keep themselves safe from SIM swaps.

"We dispute these allegations and look forward to presenting our case in court," the statement said. "Customers can learn how to help protect themselves from this scam by going here -- https://about.att.com/sites/cyberaware/ni/blog/sim_swap."

Ever wondered what would manifest if you mixed 1990s nostalgia with a clever name and some futuristic hacking tech? The answer is the Pwnagotchi: a DIY, open source gadget for hacking Wi-Fi that gets smarter the more networks it gets exposed to using machine learning. From a report: It also has an adorable interface that reflects different "moods" depending on what it's doing, and echoes the Tamagotchi digital pets of the 90s. The idea is for its user to take it around the city and "feed" it with Wi-Fi handshakes, the process that allows phones or laptops to communicate with other wireless devices like a router or a smart TV. In theory, these handshakes can then be cracked to reveal the Wi-Fi network's password, which would be useful if the Pwnagotchi user wanted to hack into the Wi-Fi network at a later time. Hackers, of course, love it. The software for the Pwnagotchi was publicly released on September 19. Barely a month later, and with little promotion other than on Twitter, there's already an enthusiastic community of hundreds of security researchers and hackers all over the world who are playing with it, modding it, writing plugins to improve it, and helping each other out on a Slack channel.

IEEE Spectrum describes how the U.S. Defense Advanced Research Projects Agency (DARPA) partnered with Pivot Technology Services to help them relocate their massive radio-frequency emulation testbed, called "Colosseum." The testbed was built for the agency's Spectrum Collaboration Challenge (SC2) -- a three-year competition to demonstrate the validity of using AI to work together in order to use wireless spectrum more efficiently than operating on pre-allocated bands. Slashdot reader Wave723 shares an excerpt from the report: Colosseum was originally built and housed at Johns Hopkins University Applied Physics Laboratory. That changed at the beginning of October, when the testbed was dismantled and later trucked to Los Angeles for the competition's finale, scheduled to begin at 3:30pm PDT today at MWC Los Angeles. [...] There may have been some molehills during the checks, but moving Colosseum definitely qualifies as a mountain. The testbed uses 3 Peta-Ops per second of computing power and 52 terabytes per second of data to emulate 65,000 channel operations between 256 wireless devices. It can draw up to 92 kilowatts of power and requires 200 gallons of water per minute to cycle through its cooling system to keep it from overheating.

Colosseum is housed within a space twice of the size of a cargo container -- in fact, its housing is literally built from two converted cargo containers put side by side. The halves arrived at the Los Angeles Convention Center during the set-up for MWC Los Angeles, and were hauled into the building and onto the convention floor by two 18-wheelers. We're going to move right past the crazy fact that DARPA and its hired logistics companies drove two semi-trucks into the Los Angeles Convention Center, because it gets better. To actually lower Colosseum's halves onto the ground, the next step involved something that both Tilghman and Gabel referred to as a "forklift ballet." As it turned out, the convention center didn't have a forklift strong enough to lift either half, so everyone improvised and used four smaller forklifts simultaneously by carefully arranging them around each half of Colosseum. It worked, but Gabel, in showing me a video of the forklift ballet, pointed out a moment where one of the forklift's rear wheels lifted off the ground as the machine and its operator grappled with Colosseum's weight...

SpaceX president Gwynne Shotwell said the goal is to complete six to eight Starlink launches to get sufficient coverage to start offering the service to consumers in 2020. SpaceNews reports: SpaceX is confident it can start offering broadband service in the United States via its Starlink constellation in mid-2020, the company's president and chief operating officer Gwynne Shotwell said Oct. 22. Getting there will require the company to launch six to eight batches of satellites, Shotwell told reporters during a media roundtable. SpaceX also has to finish the design and engineering of the user terminals, which is not a minor challenge, Shotwell acknowledged.

SpaceX CEO Elon Musk has a Starlink terminal at his house and he used it to send a tweet early on Oct. 22. "Sending this tweet through space via Starlink satellite," he tweeted to his 29 million followers. "Whoa, it worked!!" Shotwell said SpaceX will need to complete six to eight Starlink launches -- including the one that already took place in May -- to ensure continuous service in upper and lower latitude bands. "We need 24 launches to get global coverage," she said. "Every launch after that gives you more capacity." SpaceX wants to offer the service to the U.S. government but is now focused on how it will serve the consumer market. Many of the details of how the service will be rolled out remain to be worked out, she said. When possible it will be offered directly to consumers following Musk's Tesla model for selling cars. In many countries the company will be required to partner with local telecom firms to offer the service. Last week, the company requested the International Telecommunication Union to approve spectrum for 30,000 Starlink satellites that would be in addition to the 12,000 already approved by the U.S. FCC.

An anonymous reader quotes a report from TechSpot: 5G wireless technology is the next big thing in the mobile industry, and ISPs are pushing it quite heavily. Unfortunately for Verizon, the company's efforts to promote its implementation of 5G have not been perfect lately. The ISP announced that its 5G network would be available in three NBA arenas (with seven more planned to receive it) in the coming months -- however, even in that relatively small area, the 5G coverage is not strong enough to support the entire arena. According to Ars Technica, the network will only cover "certain seating areas." NFL stadiums are in a similar boat -- Verizon is bringing 5G to those arenas, too, but only select seats will have access. Of course, the average football stadium is considerably bigger than most basketball stadiums, so that's a bit more understandable. Verizon's 5G coverage will first extend to three NBA arenas -- Chase Center in San Francisco, Phoenix's Talking Stick Resort Arena, and the Pepsi Center In Denver -- and then to seven more by the end of the 2019-2020 basketball season.

In the latest swirl of T-Mobile-Sprint merger drama, Colorado is exiting a lawsuit challenging the deal after Dish Network agreed to house its new wireless headquarters in the state. The Verge reports: The Colorado Attorney General's Office announced its decision on Monday after Dish promised that the state would be one of the first in the nation to receive 5G services and become the home of its new wireless headquarters, creating thousands of jobs. The DOJ approved the T-Mobile-Sprint merger back in July after it was able to piece together a new wireless competitor by allocating some of Sprint's spectrum to Dish. The Federal Communications Commission formally voted to approve the merger late last week. Dish is positioned to become the third largest wireless competitor after negotiations with the Justice Department to approve the merger.

Dish won't be building out a new headquarters, however. The company already houses its call center employees at the "Riverfront" facility in Littleton, Colorado and any new wireless HQ employees will work in that building (which looks eerily like a Cabela's location) as well. Colorado was formerly part of a multistate lawsuit spearheaded by the New York State Attorney General's office aimed at blocking the merger. Colorado is now the second state to drop out of the suit along with Mississippi. A trial date is set for December 9th. In a press release, Dish said that it "expects to employ 2,000 full-time employees" at the Colorado headquarters over the next three years. "The agreements we are announcing today address those concerns by guaranteeing jobs in Colorado, a statewide buildout of a fast 5G network that will especially benefit rural communities, and low-cost mobile plans," Chief Deputy Attorney General Natalie Hanlon Leh said in a statement to The Colorado Sun. "Our announcement today ensures Coloradans will benefit from Dish's success as a nationwide wireless competitor."

Long-time Slashdot reader Kekke shared this article from Ars Technica: A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.

The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013...

The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.

Nico Waisman, who is a principal security engineer at Github [and discovered the bug] said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine. "I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."
The article notes that the flaw "can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer."

hcs_$reboot writes: Everyone in California will now receive earthquake alerts on their phones seconds before the ground begins to shake, giving residents up to 20 seconds of warning before shaking begins. Developed by seismologists at the University of California, Berkeley, the MyShake application (residents will need to download the app to receive the alerts in areas without cell phone coverage) is designed to alert the public when a magnitude 4.5 earthquake or greater has been detected and has been shown to be faster than other alert delivery methods. The wireless emergency alerts will be sent in the event of a more significant quake, magnitude 5.0 or greater. The system does not predict earthquakes. Rather, it uses numerous seismic stations to detect the start of an earthquake and light-speed communications to send the data to computers that instantly calculate location, magnitude, intensity of shaking and create alerts to be distributed to areas that will be affected. When the MyShake app was released back in 2016 it already detected over 200 earthquakes in more than ten countries.

A paper describing the early results gives a general idea of the app's success: "On a typical day about 8,000 phones provide acceleration waveform data to the MyShake archive. The on-phone app can detect and trigger on P waves and is capable of recording magnitude 2.5 and larger events. The largest number of waveforms from a single earthquake to date comes from the M5.2 Borrego Springs earthquake in Southern California, for which MyShake collected 103 useful three-component waveforms. The network continues to grow with new downloads from the Google Play store everyday and expands rapidly when public interest in earthquakes peaks such as during an earthquake sequence."

An anonymous reader quotes a report from Ars Technica: AT&T and other mobile carriers are trying to hide detailed 5G maps from the public despite constantly touting the supposed pace and breadth of their 5G rollouts. With the Federal Communications Commission planning to require carriers to submit more accurate data about broadband deployment, AT&T and the mobile industry's top lobby group are urging the FCC to exclude 5G from the upgraded data collection. "There is broad agreement that it is not yet time to require reporting on 5G coverage," AT&T told the FCC in a filing this week.

As evidence of that "broad agreement," AT&T cited comments by CTIA -- the mobile industry lobby group that represents AT&T, Verizon, T-Mobile, and Sprint. "[A]s CTIA points out, service standards for 5G are still emerging, precluding reporting of service-level coverage for 5G networks (other than the 5G-NR submissions already required)," AT&T wrote. That's a reference to 5G New Radio, the global standard for 5G. CTIA told the FCC in September that it doesn't object to the 5G-NR requirement because "the 5G-NR standards are technical ones; they do not establish what service level consumers should be able to expect when using 5G." But CTIA said requiring more than that would be "premature" because "industry consensus is still emerging around how best to measure the deployment of this still-nascent technology." Verizon also told the FCC in September that "adoption of standardized parameters is premature" for 5G. "Calling 5G a 'still-nascent technology' that can't properly be measured yet raises the question of why carriers have been telling the FCC and public that 5G is guaranteed to revolutionize modern life and that carriers need regulatory favors to speed its rollout," adds Ars Technica. "The mobile industry didn't think it was 'premature' for the U.S. government to preempt local regulation of 5G deployments, an action FCC Chairman Ajit Pai took more than a year ago."

According to The Wall Street Journal, AT&T has agreed to sell its Puerto Rican and U.S. Virgin Islands businesses to Liberty Latin America for $1.95 billion in cash (Warning: source paywalled, alternative source), "allowing the telecommunications giant to shave its debt load and move closer to repurchasing shares." From the report: AT&T's operation in Puerto Rico provides cellular, landline and internet connections. It had 1.1 million wireless subscribers. As part of the deal, about 1,300 AT&T employees will be transferred to Liberty Latin America. The two companies said they expect the deal to close within six to nine months. Puerto Rico and the U.S. Virgin Islands account for a small sliver of AT&T's domestic operations, but shedding the unit will help it work down a large debt load accumulated through its $80 billion-plus acquisition of Time Warner last year. The deal signals progress on AT&T's goal of selling noncore assets, something activist investor Elliott Management Corp., which recently disclosed a stake in the company, is also pushing. AT&T has also sold its stake in streaming service Hulu.

Almost 30 years after the World Wide Web was first invented, there are still billions of people that don't have access to any sort of internet connectivity. Microsoft wants to change that by using its 2017 Airband Initiative to streamline efforts to build out internet access across Africa, Latin America and Asia. "Moving forward, the company plans to connect 40 million people across the world to the internet by 2022," reports Engadget. From the report: Initially, Microsoft will focus on rural and remote communities in Latin America and Sub-Saharan Africa, with other regions to follow. The company adds that it plans to employ a four-part approach that will focus on working with local ISPs and communities to build out affordable and reliable internet access. Microsoft is pushing regulators for access to TV White Space (TVWS), which are wireless frequencies that can be repurposed to deliver internet access across a wide area. Microsoft is also working to build out internet access in rural communities across the U.S. The company currently aims to bring high-speed internet access to more than 9 million people in Iowa, Illinois, Kansas, Nebraska, Oklahoma and Texas.

D-Link won't patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code. Threatpost reports: The vulnerability (CVE-2019-16920) exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market. D-Link last week told Fortinet's FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers). The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function. Fortinet describes this as a "typical security pitfall suffered by many firmware manufacturers." With no patch available, affected users should upgrade their devices as soon as possible.