An anonymous reader quotes a report from Ars Technica: The broadband industry is suing Maine to stop a Web-browsing privacy law similar to the one killed by Congress and President Donald Trump in 2017. Industry groups claim the state law violates First Amendment protections on free speech and the Supremacy Clause of the US Constitution. The Maine law was signed by Democratic Gov. Janet Mills in June 2019 and is scheduled to take effect on July 1, 2020. It requires ISPs to get customers' opt-in consent before using or sharing sensitive data. As Mills' announcement in June said, the state law "prohibits a provider of broadband Internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The legislation also prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access of their personal information."

Customer data protected by this law includes Web-browsing history, application-usage history, precise geolocation data, the content of customers' communications, IP addresses, device identifiers, financial and health information, and personal details used for billing. Home Internet providers and wireless carriers don't want to seek customer permission before using Web-browsing histories and similar data for advertising or other purposes. On Friday, the four major lobby groups representing the cable, telco, and wireless industries sued the state in US District Court for the District of Maine, seeking an injunction that would prevent enforcement of the law. In the lawsuit, the groups said the state law "imposes unprecedented and unduly burdensome restrictions on ISPs', and only ISPs', protected speech," while imposing no requirements on other companies that deliver services over the internet. The plaintiffs are America's Communications Association, CTIA, NCTA, and USTelecom.

The law allegedly violates the First Amendment because it "limits ISPs from advertising or marketing non-communications-related services to their customers; and prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost-saving benefits in exchange for a customer's consent to use their personal information," the lawsuit claims. As for how the Maine law violates the Supremacy Clause, the lawsuit says it's "because it allows consumers to dictate (by opting out or declining to opt in) when ISPs can use or disclose information that they must rely on to comply with federal law, rendering 'compliance with both' state and the foregoing federal laws 'impossible.'"

Samsung Electronics semiconductor manufacturing division has won a contract to make new Qualcomm 5G chips using its most advanced chip-making technology, Reuters reported Tuesday, citing sources familiar with the matter said, boosting the Korean firm's efforts to gain market share against rival Taiwan Semiconductor Manufacturing. From the report: Samsung will fabricate at least some of Qualcomm's X60 modem chips, which will connect devices such as smart phones to 5G wireless data networks. The X60 will be made on Samsung's 5-nanometer process, the sources said, which makes the chips smaller and more power-efficient than previous generations. One of the sources said TSMC is also expected to fabricate 5-nanometer modems for Qualcomm. Samsung and Qualcomm declined to comment, and TSMC did not immediately respond to a request for comment. Best known among consumers for its phones and other electronic devices, Samsung is the world's second-biggest chip manufacturer through its foundry division, self-supplying many of its own mobile phone parts and also fabricating chips for outside customers such as IBM and Nvidia, among others.

Google said on Monday that it is winding down Google Station, a program that rolled out free Wi-Fi in more than 400 railway stations in India and "thousands" of other public places in several additional pockets of the world. The company worked with a number of partners on the program. From a report: Caesar Sengupta, VP of Payments and Next Billion Users at Google, said the program, launched in 2015, helped millions of users surf the internet -- a first for many -- and not worry about the amount of data they consumed. But as mobile data prices got cheaper in many markets including India, Google Station was no longer as necessary, he said. The company plans to discontinue the program this year. Additionally, it had become difficult for Google to find a sustainable business model to scale the program, the company said, which in recent years expanded Station to Indonesia, Mexico, Thailand, Nigeria, Philippines, Brazil and Vietnam. The company launched the program in South Africa just three months ago.

An anonymous reader quotes a report from IEEE Spectrum: A test by Penumbra Brands to measure how much radiofrequency energy an iPhone 11 Pro gives off found that the phone emits more than twice the amount allowable by the U.S. Federal Communications Commission. The FCC measures exposure to RF energy as the amount of wireless power a person absorbs for each kilogram of their body. The agency calls this the specific absorption rate, or SAR. For a cellphone, the FCC's threshold of safe exposure is 1.6 watts per kilogram. Penumbra's test found that an iPhone 11 Pro emitted 3.8 W/kg.

Ryan McCaughey, Penumbra's chief technology officer, said the test was a follow up to an investigation conducted by the Chicago Tribune last year. The Tribune tested several generations of Apple, Samsung, and Motorola phones, and found that many exceeded the FCC's limit. Penumbra used RF Exposure Labs, an independent, accredited SAR testing lab for the tests (The Tribune also used the San Diego-based lab for its investigation). Penumbra was conducting the test, which also included testing an iPhone 7, to study its Alara phone cases, which the company says are designed to reduce RF exposure in a person. It's worth noting that when the FCC conducted a follow-up investigation they did not find evidence that any of the phones exceed SAR limits. "That said, while the Tribune and Penumbra both used off-the-shelf phones, the FCC largely tested phones supplied by the manufacturers, including Apple," adds IEEE Spectrum.

Joel Moskowitz, a researcher at UC Berkeley, says that could be because there's a systematic problem with RF Exposure Lab's testing methods, or Apple rigged the software in the provided test phones to ensure they didn't put out enough power to exceed the SAR limit. Either way, both McCaughey and Moskowitz agree that the FCC's RF exposure testing is woefully out of date, as the limits reflect what the FCC deemed safe 25 years ago.

The Wi-Fi Alliance announced the new Wi-Fi 6E terminology for 802.11ax operation in the 6 GHz band last month. At CES 2020, Broadcom announced a number of Wi-Fi 6E access point solutions. Today, Broadcom is announcing the BCM4389 client Wi-Fi 6E chipset. From a report: Consumers can expect to see the chipset in the next generation of high-end smartphones. We have already covered the advantages of Wi-Fi 6E in terms of lower latency, higher throughput, and the availability of more number of 160 MHz channels in our coverage of the Wi-Fi Alliance announcement at CES. The BCM4389 builds upon Broadcom's success with the BCM4375, which happens to be the currently leading client Wi-Fi 6 chipset in the smartphone market. In addition to the new 6 GHz support with tri-band simultaneous operation and 160 MHz channel support, the BCM4389 also brings in additional power efficiency, thanks to its 16nm process technology and architectural improvements.

The BCM4375 is a 28nm chipset with 2x2 2.4 GHz and 2x2 5 GHz support, while the new BCM4389 adds 2x2 6 GHz to the mix. The scanning radio accounts for the additional radio chain. The Bluetooth 5.0 functionality has also received a boost with MIMO support. Broadcom claims that the new implementation can reduce pairing time by a factor of 2 and also alleviate glitching issues when connected to Wi-Fi at the same time (compared to the BCM4375). The icing on the cake is that the MIMO support works with implicit beamforming ensuring that legacy Bluetooth devices stand to benefit too.

The sophistication of the Emotet malware's code base and its regularly evolving methods for tricking targets into clicking on malicious links has allowed it to spread widely. "Now, Emotet is adopting yet another way to spread: using already compromised devices to infect devices connected to nearby Wi-Fi networks," reports Ars Technica. From the report: Last month, Emotet operators were caught using an updated version that uses infected devices to enumerate all nearby Wi-Fi networks. It uses a programming interface called wlanAPI to profile the SSID, signal strength, and use of WPA or other encryption methods for password-protecting access. Then, the malware uses one of two password lists to guess commonly used default username and password combinations. After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource.

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," researchers from security firm Binary Defense wrote in a recently published post. "Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords." The Binary Defense post said the new Wi-Fi spreader has a timestamp of April 2018 and was first submitted to the VirusTotal malware search engine a month later. While the module was created almost two years ago, Binary Defense didn't observe it being used in the wild until last month.

An anonymous reader quotes a report from Reuters: T-Mobile's edged closer to a takeover of Sprint after a federal judge on Tuesday approved the deal, rejecting a claim by a group of states that said the deal would violate antitrust laws and raise prices. During a two-week trial in December, T-Mobile and Sprint argued the merger will better equip the new company to compete with top players Verizon and AT&T as the third-largest U.S. wireless carrier, creating a more efficient company with low prices and faster internet speeds. The states, led by California and New York, had said the deal would reduce competition, leading to higher prices.

The decision by U.S. District Court Judge Victor Marrero clears the path for the deal, which already has federal approval and was originally valued at $26 billion. In his ruling, the judge noted the difficulty in deciding an antitrust case since it forces the judge to predict the future in deciding if a deal will lead to higher prices. But Judge Marrero said that he based his decision on three essential points. The first was that he was not persuaded by the states that the deal would lead to higher prices or lower quality wireless services. He disagreed that Sprint would remain a strong competitor and was unconvinced that DISH, who is buying divested assets from the deal, would fail to live up to its promises to enter and compete in the wireless market. Sprint and T-Mobile said in a statement they would move to finalize the merger, which is still subject to certain closing conditions and possible court proceedings. New York's attorney general said the state is considering an appeal; California's attorney general said that state is "prepared to fight."

Two smartphone makers canceled events at the world's biggest mobile technology showcase in response to the coronavirus outbreak, and organizers reinforced hygiene protocol for people still planning to attend. From a report: Delegates were warned to avoid handshakes and microphones will be changed for different conference speakers in an effort to avoid infections at MWC Barcelona, an annual event that's set to draw around 100,000 people from around the world to the Spanish city from Feb. 24 to 27. This year's conference is supposed to be a launch pad for a renewed push on 5G devices. However, South Korea's LG Electronics said it's withdrawing from exhibiting at the conference because most health experts advised against "needlessly" exposing hundreds of employees to international travel. Shenzhen, China-based ZTE, which makes smartphones and wireless networking equipment, cited difficulties in traveling out of China while virus-containment restrictions are in place, and so it's canceling its MWC press conference, though it will still send a delegation.

Slashdot reader JustAnotherOldGuy quotes ZDNet: Security experts have published a report Tuesday warning that the new and fast-rising LoRaWAN technology is vulnerable to cyberattacks and misconfigurations, despite claims of improved security rooted in the protocol's use of two layers of encryption.

LoRaWAN stands for "Long Range Wide Area Network." It is a radio-based technology that works on top of the proprietary LoRa protocol. LoRaWAN takes the LoRa protocol and allows devices spread across a large geographical area to wirelessly connect to the internet via radio waves...

But broadcasting data from devices via radio waves is not a secure approach. However, the protocol's creators anticipated this issue. Since its first version, LoRaWAN has used two layers of 128-bit encryption to secure the data being broadcast from devices — with one encryption key being used to authenticate the device against the network server and the other against a company's backend application. In a 27-page report published Tuesday, security researchers from IOActive say the protocol is prone to misconfigurations and design choices that make it susceptible to hacking and cyber-attacks. The company lists several scenarios it found plausible during its analysis of this fast-rising protocol.
Some examples:

• "Encryption keys can be extracted from devices by reverse engineering the firmware of devices that ship with a LoRaWAN module."
• "Many devices come with a tag displaying a QR code and/or text with the device's identifier, security keys, or more."

Federal Communications Commission Chairman Ajit Pai told lawmakers Friday he intends to propose fines against at least one U.S. wireless carrier for sharing customers' real-time location data with outside parties without the subscribers' knowledge or consent. From a report: The FCC has been investigating for more than a year following revelations that subscriber location data from AT&T, T-Mobile and Sprint made its way to a resale market used by bounty hunters. Pai said in letters to several lawmakers that the agency's investigation has found that "one or more wireless carriers apparently violated federal law."

Jacob Hoffman-Andrews, writing for EFF: If you follow security on the Internet, you may have seen articles warning you to "beware of public Wi-Fi networks" in cafes, airports, hotels, and other public places. But now, due to the widespread deployment of HTTPS encryption on most popular websites, advice to avoid public Wi-Fi is mostly out of date and applicable to a lot fewer people than it once was. The advice stems from the early days of the Internet, when most communication was not encrypted. At that time, if someone could snoop on your network communications -- for instance by sniffing packets from unencrypted Wi-Fi or by being the NSA -- they could read your email. Starting in 2010 that all changed. Eric Butler released Firesheep, an easy-to-use demonstration of "sniffing" insecure HTTP to take over people's accounts. Site owners started to take note and realized they needed to implement HTTPS (the more secure, encrypted version of HTTP) for every page on their site. The timing was good: earlier that year, Google had turned on HTTPS by default for all Gmail users and reported that the costs to do so were quite low. Hardware and software had advanced to the point where encrypting web browsing was easy and cheap.

However, practical deployment of HTTPS across the whole web took a long time. One big obstacle was the difficulty for webmasters and site administrators of buying and installing a certificate (a small file required in order to set up HTTPS). EFF helped launch Let's Encrypt, which makes certificates available for free, and we wrote Certbot, the easiest way to get a free certificate from Let's Encrypt and install it. Meanwhile, lots of site owners were changing their software and HTML in order to make the switch to HTTPS. There's been tremendous progress, and now 92% of web page loads from the United States use HTTPS. In other countries the percentage is somewhat lower -- 80% in India, for example -- but HTTPS still protects the large majority of pages visited. [...] What about the risk of governments scooping up signals from "open" public Wi-Fi that has no password? Governments that surveill people on the Internet often do it by listening in on upstream data, at the core routers of broadband providers and mobile phone companies. If that's the case, it means the same information is commonly visible to the government whether they sniff it from the air or from the wires.

Parents cave in to kids' relentless begging for Apple's wireless white earbuds; schools ban the. From a report: AirPods, once just an adult status symbol, are turning up on the playground. Kids' persistent nagging for the tiny wireless earbuds have parents groaning about the cost, the risk of loss or theft and concerns that they scream "privilege." [...] The desire for the high-end tech may well be due to the fact that even very young children see them all over social media, but it also speaks to the rising popularity of "hearables," which my colleagues predicted will be among the life-changing technologies of 2020. By the end of the year, eMarketer predicts, more than one-third of the U.S. population will be using smart ear-worn devices.

Johnny Sanchez's (anecdote in the story) 10-year-old son was begging for AirPods because his three older siblings all have them. Mr. Sanchez, a technology manager at an entertainment company in Los Angeles, finally gave his youngest child his AirPods when he upgraded his own. "We've talked about how it feels cool to have them but you don't rub it in peoples" faces," said Mr. Sanchez. Mr. Sanchez doesn't have to worry about his son showing off to his classmates because he said his elementary school has banned AirPods. Other schools have banned them and regular earbuds too, arguing they cause students to be distracted and can be used to cheat on tests.

Long-time Slashdot reader gabebear writes: The FCC hasn't officially cleared 6 GHz for WiFi, but chipsets that support 6 GHz are starting to be released. 6 GHz opens up a several times more bandwidth than what is currently available with WiFi, although it doesn't penetrate walls as well as 2.4 GHz.

Celeno has their press release and Broadcom has their press release. Still no news from Intel or Qualcomm on chipsets that support 6 GHz.

An anonymous reader quotes a report from Ars Technica: Today's example of smart stuff going dumb comes courtesy of Under Armour, which is effectively rendering its fitness hardware line very expensive paperweights. The company quietly pulled its UA Record app from both Google Play and Apple's App Store on New Year's Eve. In an announcement dated sometime around January 8, Under Armour said that not only has the app been removed from all app stores, but the company is no longer providing customer support or bug fixes for the software, which will completely stop working as of March 31.

Under Armour launched its lineup of connected fitness devices in 2016. The trio of trackers included a wrist-worn activity monitor, a smart scale, and a chest-strap-style heart rate monitor. The scale and wristband retailed at $180 each, with the heart monitor going for $80. Shoppers could buy all three together in a $400 bundle called the UA HealthBox. The end of the road is nigh, it seems, and all three products are about to meet their doom as Under Armour kills off Record for good. Users are instead expected to switch to MapMyFitness, which Under Armour bills as "an even better tracking experience." The company also set the UA Record Twitter account to private, effectively taking it offline to anyone except the 133 accounts it follows. Current device owners also can't export all their data. While workout data can be exported and transferred to some other tracking app, Record users cannot capture weight or other historical data to carry forward with them.

A group of U.S. states suing to block T-Mobile from merging with Sprint on Wednesday told a federal judge that the deal would violate antitrust laws and raise wireless prices for consumers. Reuters reports: The states filed a lawsuit in June to block the merger, saying it would harm low-income Americans in particular. T-Mobile and Sprint contend that the merger would enable the combined company to compete more effectively with dominant carriers Verizon and AT&T. U.S. District Court Judge Victor Marrero, who presided over a two-week trial last month in federal court in Manhattan, began hearing closing arguments in the case on Wednesday.

"I'm here speaking on behalf of 130 million consumers who live in these states," Glenn Pomerantz, a lawyer for the states, said at the outset of his argument. "If this merger goes forward, they're at risk for paying billions of dollars more every single year for those services." When T-Mobile majority shareholder Deutsche Telekom first contemplated the deal in 2010, it "expressly and unambiguously admitted that it had potential to reduce price competition," Pomerantz said. The states also emphasized that the carriers did not need a merger to introduce previous generations of wireless technology, and Pomerantz argued that T-Mobile would continue to acquire spectrum, or airwaves that carry data, from a variety of sources even if the merger was blocked.

Google said today that it's on track to bring more than 120 games to its cloud gaming service Stadia in 2020 and is planning to offer more than 10 Stadia-exclusive games for the first half of the year. From a report: That would be a pretty massive jump from the 26 games and one exclusive that are currently available, and all in a little more than a year after the service's launch, if those projections hold true. Previously, Google had only explicitly confirmed four games for 2020, so this news was much needed to let early adopters know there are a lot more games on the way. Google also announced other updates rolling out to Stadia over the next three months, including 4K gaming on the web, support for more Android phones (it's currently only available on Google's Pixels), wireless gameplay on the web through the Stadia controller (you currently have to plug in a cable), and "further [Google] Assistant functionality" when playing Stadia through a browser. We're asking Google for more details -- and we're particularly curious whether any of the new exclusive games are the kind that are only possible with the power of the cloud. The company said in October that it's building out a few first-party studios to eventually make that a reality.

Bruce Schneier comments on the issues surrounding 5G security: [...] Keeping untrusted companies like Huawei out of Western infrastructure isn't enough to secure 5G. Neither is banning Chinese microchips, software, or programmers. Security vulnerabilities in the standards, the protocols and software for 5G, ensure that vulnerabilities will remain, regardless of who provides the hardware and software. These insecurities are a result of market forces that prioritize costs over security and of governments, including the United States, that want to preserve the option of surveillance in 5G networks. If the United States is serious about tackling the national security threats related to an insecure 5G network, it needs to rethink the extent to which it values corporate profits and government espionage over security. To be sure, there are significant security improvements in 5G over 4G in encryption, authentication, integrity protection, privacy, and network availability. But the enhancements aren't enough. The 5G security problems are threefold.

First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it. Second, there's so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems. Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.

On Monday, members of the European Parliament (MEPs) discussed the idea of introducing "binding measures" that would require chargers that fit all mobile phones and portable electronic devices. The company that would be impacted most by this legislation would be Apple and its iPhone, which uses a Lightning cable while most new Android phones use USB-C ports for charging. ZDNet reports: The EU introduced the voluntary Radio Equipment Directive in 2014, but MEPs believe the effort fell short of the objectives. "The voluntary agreements between different industry players have not yielded the desired results," MEPs said. The proposed more stringent measures are aimed at reducing electronic waste, which is estimated to amount to 51,000 tons per year in old chargers.

Apple last year argued that regulations to standardize chargers for phones would "freeze innovation rather than encourage it" and it claimed the proposal was "bad for the environment and unnecessarily disruptive for customers." Noted Apple analyst Ming-Chi Kuo reckons Apple has a different idea in store: getting rid of the Lightning port and not replacing it with USB-C, which is a standard that Apple doesn't have complete control over. According to the analyst, Apple plans to remove the Lightning connector on a flagship iPhone to be released in 2021. Instead it would rely on wireless charging.

A Princeton University academic study found that five major US prepaid wireless carriers are vulnerable to SIM swapping attacks. From a report: A SIM swap is when an attacker calls a mobile provider and tricks the telco's staff into changing a victim's phone number to an attacker-controlled SIM card. This allows the attacker to reset passwords and gain access to sensitive online accounts, like email inboxes, e-banking portals, or cryptocurrency trading systems. All last year, Princeton academics spent their time testing five major US telco providers to see if they could trick call center employees into changing a user's phone number to another SIM without providing proper credentials. According to the research team, AT&T, T-Mobile, Tracfone, US Mobile, and Verizon Wireless were found to be using vulnerable procedures with their customer support centers, procedures that attackers could use to conduct SIM swapping attacks. In addition, the research team also looked at 140 online services and websites and analyzed on which of these attackers could employ a SIM swap to hijack a user's account. According to the research team, 17 of the 140 websites were found to be vulnerable.

An anonymous reader quotes a report from CNN: Verizon is changing the way it sells its internet and cable packages as customers are increasingly seeking ways to cut the costly cord. The company is eliminating bundles and contracts, Verizon announced Thursday. Instead, it will sell its Fios TV and internet services separately. Long-term contracts are also being trashed in favor of charging customers month-to-month. That is similar to how streaming services charge customers. Verizon is calling the new offers "Mix and Match on Fios." There are now three internet packages and five Fios TV packages. Notably, Verizon will continue selling Google's YouTube TV for $49.99 per month as a TV option under an agreement the two companies signed last year. A home telephone package will also be sold for $20 per month. The new bundle-free packages offer more price transparency for customers, Verizon claims. Not all surcharges are going away though. "Verizon will continue charging a $15 monthly fee for routers in some of its internet packages and a $12 set-top monthly fee in most of its Fios TV packages," the report adds. "But other fees it previously charged, including for regional sports networks, will now be included in the total Fios TV price."