Hardware

iFixit: The Samsung Galaxy Ring Is $400 of 'Disposable Tech' (zdnet.com) 40

After a couple of years of regular use, Samsung's $400 Galaxy Ring will end up contributing to the growing e-waste problem. "The Galaxy Ring -- and all smart rings like it -- comes with a huge string attached," writes iFixit in a blog post. "It's 100% disposable, just like the AirPod-style Buds3 that Samsung just released. The culprit? The lithium ion batteries." ZDNet reports: The problem is the battery, and how they have a finite lifespan. Usually that's about 400 recharge cycles, and after that the batteries are finished. And if you can't replace it, then it's the end of the line for the gadget, and it's tossed onto the e-waste pile. [...]

iFixit is damning about this sort of tech. "There's nothing wrong with simple but there is something wrong with unrepairable. Just like the Galaxy Buds3, the Galaxy Ring is a disposable tech accessory that isn't designed to last more than two years." And the bottom line is simple: "We can't recommend buying disposable tech like this."
Here's what iFixit's Shahram Mokhtari had to say about the Galaxy Ring's battery, after putting it through a CT scanner: On the right hand side of the ring is the faint outline of a lithium polymer battery pouch. There's an inductive coil sitting right on top of the battery (the lines that look like a rectangular track) and another very similar inductive coil that's parallel and slightly separated from the first. That second inductive coil is inside the charging case and works together with the inductive coil in the ring to recharge the battery inside the Galaxy Ring. Inductive charging is the only practical way to deliver power to a device that doesn't have any ports. But there's something else here that sticks out like a sore thumb ... that is a press connector joining the battery to the rest of the board! This is a surprising use of space, why isn't this directly soldered? Nobody is getting back in there to disconnect this thing!

We love press connectors, they're easy to work with and make replacing batteries a sight easier than desoldering a half dozen wires. But this one is sealed into the device and serves no purpose in replacement or repair. Our best guess as to why it's in the Galaxy Ring: The battery and wireless charging coil were made in one place, the circuit board somewhere else, and it all comes to a production line somewhere where the two need to be connected together quickly and cheaply. Hence the press connector. It's not for your benefit, it's for the manufacturers.

Security

Secure Boot Is Completely Broken On 200+ Models From 5 Big Device Makers (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon..., and it's not clear when it was taken down. The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one. The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings "DO NOT SHIP" or "DO NOT TRUST." These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren't clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret. Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here.
"It's a big problem," said Martin Smolar, a malware analyst specializing in rootkits who reviewed the Binarly research. "It's basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically... execute any malware or untrusted code during system boot. Of course, privileged access is required, but that's not a problem in many cases."

Binarly founder and CEO Alex Matrosov added: "Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?"
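An added example, not part of the Ars Technica report and not Binarly's scanning tool: a defender-side check that walks the EFI signature list stored in a machine's PK variable and flags the two indicators the report names (the "DO NOT SHIP" / "DO NOT TRUST" strings and the leaked key's certificate serial number). The efivarfs path is the standard Linux location; the sample blobs are constructed for illustration and are not real certificates, and the match is a byte search over the DER data rather than a full X.509 parse.

```python
"""Check a UEFI Platform Key (PK) variable for the PKfail indicators in the article."""
import struct
import uuid

# Indicators quoted in the article above.
LEAKED_PK_SERIAL = bytes.fromhex(
    "55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4".replace(":", ""))
TEST_KEY_MARKERS = (b"DO NOT SHIP", b"DO NOT TRUST")

# UEFI specification constants.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LIST_HEADER_LEN = 28  # 16-byte type GUID + three little-endian uint32 sizes


def read_pk_from_efivarfs(path=PK_PATH):
    """Return the PK variable body; efivarfs prefixes 4 attribute bytes."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def iter_signatures(blob):
    """Yield (type_guid, owner_guid, data) for each entry in EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < LIST_HEADER_LEN + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + LIST_HEADER_LEN + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def check_pk(blob):
    """Return a list of (entry_index, reason) for every PKfail indicator found."""
    findings = []
    for idx, (sig_type, _owner, data) in enumerate(iter_signatures(blob)):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        for marker in TEST_KEY_MARKERS:
            if marker in data:
                findings.append((idx, "test-key marker: " + marker.decode()))
        # DER encodes the 16-byte serial as INTEGER: tag 0x02, length 0x10.
        if b"\x02\x10" + LEAKED_PK_SERIAL in data:
            findings.append((idx, "serial of leaked platform key"))
    return findings


def build_list(cert_bytes, owner=uuid.UUID(int=0)):
    """Wrap bytes in a one-entry X.509 signature list (used for the samples)."""
    sig = owner.bytes_le + cert_bytes
    sizes = struct.pack("<III", LIST_HEADER_LEN + len(sig), 0, len(sig))
    return EFI_CERT_X509_GUID.bytes_le + sizes + sig


# Constructed samples: placeholder bytes, not real certificates.
SAMPLE_TEST_PK = build_list(b"\x30\x82\x00\x00 CN=DO NOT TRUST (constructed sample)")
SAMPLE_LEAKED = build_list(b"\x30\x82\x00\x00\x02\x10" + LEAKED_PK_SERIAL + b" constructed")
SAMPLE_CLEAN = build_list(b"\x30\x82\x00\x00 CN=Constructed Vendor Production PK")

if __name__ == "__main__":
    try:
        pk = read_pk_from_efivarfs()
    except OSError:
        pk = SAMPLE_TEST_PK  # not a UEFI Linux host: fall back to the sample
    results = check_pk(pk)
    for idx, reason in results:
        print(f"PK entry {idx}: {reason}")
    if not results:
        print("no PKfail indicator found in PK")
```

A hit means the platform key is one of the non-production or leaked keys described above, so the fix is a firmware update from the device maker that replaces the PK.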
Graphics

Arm Announces an Open-Source Graphics Upscaler For Mobile Phones (theverge.com) 6

Arm is launching its Arm Accuracy Super Resolution (ASR) upscaler that "can make games look better, while lowering power consumption on your phone," according to The Verge. "It's also making the upscaling technology available to developers under an MIT open-source license." From the report: Arm based its technology on AMD's FidelityFX Super Resolution 2 (FSR 2), which uses temporal upscaling to make PC games look better and boost frame rates. Unlike spatial upscaling, which upscales an image based on a single frame, temporal upscaling involves using multiple frames to generate a higher-quality image.

You can see just how Arm ASR stacks up to AMD's FSR 2 and Qualcomm's GSR tech in [this chart] created by Arm. Arm claims ASR produced 53 percent higher frame rates than rendering at native resolution on a device with an Arm Immortalis-G720 GPU and 2800 x 1260 display, beating AMD FSR 2. It also tested ASR on a device using MediaTek's Dimensity 9300 chip and found that rendering at 540p and upscaling with ASR used much less power than running a game at native 1080p resolution.

Security

10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com) 23

storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use of these tools."
"While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence," the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.
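An added example, not from the E.V.A report or the CocoaPods project: one way to act on the advice to keep Podfile.lock synchronized is to compare a developer's lockfile against the committed baseline and flag any pod whose podspec checksum changed while its version stayed the same. The pod names, versions and checksums below are constructed sample data, and the parser covers only the `PODS` and `SPEC CHECKSUMS` sections.

```python
"""Detect drift between a committed Podfile.lock and a local copy."""
import re

# "  - Name (1.2.3)" or "  - Name/Subspec (1.2.3):" (optionally YAML-quoted)
POD_RE = re.compile(r'^  - "?([^\s"(]+) \(([^)]+)\)"?:?$')
# "  Name: <40 hex chars>" inside SPEC CHECKSUMS
CHECKSUM_RE = re.compile(r'^  "?([^\s":]+)"?: ([0-9a-f]{40})$')


def parse_lock(text):
    """Return ({root_pod: version}, {root_pod: podspec_checksum})."""
    versions, checksums = {}, {}
    section = None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            section = line.split(":")[0]  # e.g. "PODS", "SPEC CHECKSUMS"
            continue
        if section == "PODS":
            m = POD_RE.match(line)
            if m:  # checksums are keyed by the root pod, so drop any subspec
                versions.setdefault(m.group(1).split("/")[0], m.group(2))
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_RE.match(line)
            if m:
                checksums[m.group(1)] = m.group(2)
    return versions, checksums


def compare(baseline_text, local_text):
    """Return sorted (pod, finding) pairs describing how local differs."""
    base_ver, base_sum = parse_lock(baseline_text)
    loc_ver, loc_sum = parse_lock(local_text)
    findings = []
    for name in sorted(set(base_sum) | set(loc_sum)):
        if name not in base_sum:
            findings.append((name, "added"))
        elif name not in loc_sum:
            findings.append((name, "removed"))
        elif base_sum[name] != loc_sum[name]:
            if base_ver.get(name) == loc_ver.get(name):
                # Same version, different podspec: the published spec changed.
                findings.append((name, "checksum changed at same version"))
            else:
                findings.append((name, "version changed"))
    return findings


# Constructed sample lockfiles (names and checksums are made up).
BASELINE = """PODS:
  - Alamofire (5.6.4)
  - ExamplePod/Core (1.2.0):
    - Alamofire (~> 5.0)

DEPENDENCIES:
  - ExamplePod/Core

SPEC CHECKSUMS:
  Alamofire: {a}
  ExamplePod: {b}

PODFILE CHECKSUM: {c}

COCOAPODS: 1.12.1
""".format(a="a" * 40, b="b" * 40, c="c" * 40)

LOCAL = """PODS:
  - Alamofire (5.6.4)
  - ExamplePod/Core (1.2.0):
    - Alamofire (~> 5.0)
  - NewPod (0.1.0)

DEPENDENCIES:
  - ExamplePod/Core
  - NewPod

SPEC CHECKSUMS:
  Alamofire: {a}
  ExamplePod: {d}
  NewPod: {e}

PODFILE CHECKSUM: {c}

COCOAPODS: 1.12.1
""".format(a="a" * 40, d="d" * 40, e="e" * 40, c="c" * 40)

if __name__ == "__main__":
    for pod, finding in compare(BASELINE, LOCAL):
        print(f"{pod}: {finding}")
```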
Apple

Apple Developing Thinner MacBook Pro, Apple Watch, and iPhone (macrumors.com) 96

According to Bloomberg's Mark Gurman, Apple appears ready to embrace a thinner design language with the upcoming MacBook Pro, Apple Watch, and iPhone. MacRumors reports: When the M4 iPad Pro was unveiled last month, Apple touted it as the company's thinnest product ever, and even compared it to the 2012 iPod nano to emphasize its slim dimensions. Writing in the latest edition of his Power On newsletter, Gurman says that like the iPad Pro, Apple is now focused on delivering the thinnest possible devices across its lineups without compromising on battery life or major new features. Gurman writes that the new iPad Pro is the "beginning of a new class of Apple devices," and that Apple's aim is to offer "the thinnest and lightest products in their categories across the whole tech industry." Apple now reportedly has its sights on making thinner versions of iPhone, Apple Watch, and MacBook Pro over the next couple of years.

Gurman's sources tell him Apple is now focused on developing a significantly skinnier iPhone in time for the iPhone 17 line in 2025, corroborating a May report by The Information. According to the latter report, Apple is planning to launch an all-new thinner iPhone 17 model next year that will allegedly feature a "major redesign" akin to the iPhone X. Gurman previously reported that Apple is planning a complete revamp of the Apple Watch for the device's tenth anniversary, dubbed "Apple Watch X." Since the original Apple Watch was unveiled in 2014 and launched in 2015, Gurman is unsure whether the Apple Watch X will be released in 2024 or 2025. However, Apple analyst Ming-Chi Kuo today claimed that this year's upcoming Apple Watch will have a larger screen and thinner design, which sounds like the sort of major overhaul and design signature that Gurman has suggested.

Japan

Japan Enacts Law Forcing Third-Party App Stores On Apple and Google (appleinsider.com) 97

Following in the European Union's footsteps, Japan's parliament has enacted a law on Wednesday that will prohibit big tech from blocking third-party app stores. AppleInsider reports: The intention of the bill is that it will facilitate competition and reduce app prices. Japan's government reportedly believes that Apple and Google are a duopoly, and that they charge developers high fees that are then passed on to users. Big tech companies with App Stores will also prohibit companies from prioritizing their own services. Google is likely to be hit hardest by this. Violators will initially be fined up to 20% of the domestic revenue of the specific service that broke the law. The fee can increase to 30%, if the behavior continues.

The Japanese government's Fair Trade Commission (FTC) will choose which firms to apply it to. Companies that will be regulated will be required to submit compliance reports annually. While it hasn't been explicitly said that Apple and Google must comply, it seems certain that the announcement that they'll be held to the provisions is imminent. The Japan FTC isn't expected to add any Japanese firms to the list. The law likely won't take effect until the end of 2025.

Wireless Networking

Nearly All of Apple's Newest Devices Have an Unannounced Thread Radio On Board (theverge.com) 93

Apple has quietly added a Thread radio to nearly all of its newest iPads, MacBooks, and iMacs. The Verge reports: While the company doesn't list Thread on the specs of any of these products, FCC reports indicate that many of Apple's latest devices have had Thread radios tested for compliance. Generally, you don't test a radio that's not there. We found evidence of Thread testing in the following models: iPad Pro 13-inch (M4) (Wi-Fi + Cellular), iPad Pro 11-inch (M4) (Wi-Fi + Cellular), iPad Pro 11-inch (M4) (Wi-Fi), iPad Air 11-inch (M2) (Wi-Fi + Cellular), iPad Air 13-inch (M2) Wi-Fi, MacBook Air 15-inch (M3), MacBook Pro 14-inch (M3), MacBook Pro 14-inch (M3 Pro or M3 Max), MacBook Pro 16-inch (M3 Pro or M3 Max), iMac (M3, two ports), and iMac (M3, four ports).

The FCC requires manufacturers to list every radio contained in a device and to test them in every possible scenario to make sure they comply with its transmission regulations. Tom Sciorilli, director of certification for Thread Group, told The Verge that the FCC reports reference FCC 15.247, "which confirms the device will essentially 'stay in its lane' and not interfere with other radios when operating." The reports we found are tests of the IEEE 802.15.4 transmitter functionality -- 802.15.4 is the radio standard Thread runs on. While it supports a number of technologies, the reports mention Thread explicitly.

Thread is the primary wireless protocol for the new smart home standard Matter, which Apple helped develop and that is now the underlying architecture for its Apple Home smart home platform. A low-power, low-bandwidth, mesh networking protocol specifically designed for IoT devices, Thread is shown to be faster than Bluetooth and offers better range, making it ideal for connecting products like smart lights, locks, thermostats, and sensors. [...] So why is it there? The Apple Home app runs on Macs and iPads, and Thread radios could allow them to communicate directly with smart home devices and act as Thread border routers. It's possible Apple is planning to turn your Mac or iPad into a home hub, but iPads used to be home hubs, and the company discontinued that capability for its new Apple Home architecture. Those iPads didn't have Thread radios, though.

Music

Spotify Says It Will Refund Car Thing Purchases (engadget.com) 28

If you contact Spotify's customer service with a valid receipt, the company will refund your Car Thing purchase. That's the latest development reported by Engadget. When Spotify first announced that it would brick every Car Thing device on December 9, 2024, it said that it wouldn't offer owners any subscription credit or automatic refund. From the report: Spotify has taken some heat for its announcement last week that it will brick every Car Thing device on December 9, 2024. The company described its decision as "part of our ongoing efforts to streamline our product offerings" (read: cut costs) and that it lets Spotify "focus on developing new features and enhancements that will ultimately provide a better experience to all Spotify users."

TechCrunch reports that Gen Z users on TikTok have expressed their frustration in videos, while others have directed complaints toward Spotify in DMs on X (Twitter) and directly through customer support. Some users claimed Spotify's customer service agents only offered several months of free Premium access, while others were told nobody was receiving refunds. It isn't clear if any of them contacted them after last Friday when it shifted gears on refunds.

Others went much further. Billboard first reported on a class-action lawsuit filed in the US District Court for the Southern District of New York on May 28. The suit accuses Spotify of misleading Car Thing customers by selling a $90 product that would soon be obsolete without offering refunds, which sounds like a fair enough point. It's worth noting that, according to Spotify, it began offering the refunds last week, while the lawsuit was only filed on Tuesday. If the company's statement about refunds starting on May 24 is accurate, the refunds aren't a direct response to the legal action. (Although it's possible the company began offering them in anticipation of lawsuits.)
Editor's note: As a disgruntled Car Thing owner myself, I can confirm that Spotify is approving refund requests. You'll just have to play the waiting game to get through to a Spotify Advisor and their "team" that approves these requests. You may have better luck emailing customer service directly at support@spotify.com.
Music

Spotify Is Going To Break Every 'Car Thing' Gadget It Ever Sold (theverge.com) 65

Spotify is about to render its Car Thing dashboard accessory inoperable on December 9th. Not only is the company refusing to open-source the device, it won't offer owners any subscription credit or automatic refund. "Rather, it's just canning the project and telling people to (responsibly) dispose of Car Thing," reports The Verge. From the report: "We're discontinuing Car Thing as part of our ongoing efforts to streamline our product offerings," Spotify wrote in an FAQ on its website. "We understand it may be disappointing, but this decision allows us to focus on developing new features and enhancements that will ultimately provide a better experience to all Spotify users."

The company is recommending that customers do a factory reset on the product and find some way of responsibly recycling the hardware. Spotify is also being direct and confirming that there's little reason to ever expect a sequel. "As of now, there are no plans to release a replacement or new version of Car Thing," the FAQ reads.
Car Thing went on sale to the public in early 2022 for $90. Spotify halted production several months later "based on several factors, including product demand and supply chain issues."

At the time, the company said: "Existing devices will perform as intended."

UPDATE 5/30/24: Spotify Says It Will Refund Car Thing Purchases
Hardware

Apple Announces M4 With More CPU Cores and AI Focus (arstechnica.com) 66

An anonymous reader quotes a report from Ars Technica: In a major shake-up of its chip roadmap, Apple has announced a new M4 processor for today's iPad Pro refresh, barely six months after releasing the first MacBook Pros with the M3 and not even two months after updating the MacBook Air with the M3. Apple says the M4 includes "up to" four high-performance CPU cores, six high-efficiency cores, and a 10-core GPU. Apple's high-level performance estimates say that the M4 has 50 percent faster CPU performance and four times as much graphics performance. Like the GPU in the M3, the M4 also supports hardware-accelerated ray-tracing to enable more advanced lighting effects in games and other apps. Due partly to its "second-generation" 3 nm manufacturing process, Apple says the M4 can match the performance of the M2 while using just half the power.

As with so much else in the tech industry right now, the M4 also has an AI focus; Apple says it's beefing up the 16-core Neural Engine (Apple's equivalent of the Neural Processing Unit that companies like Qualcomm, Intel, AMD, and Microsoft have been pushing lately). Apple says the M4 runs up to 38 trillion operations per second (TOPS), considerably ahead of Intel's Meteor Lake platform, though a bit short of the 45 TOPS that Qualcomm is promising with the Snapdragon X Elite and Plus series. The M3's Neural Engine is only capable of 18 TOPS, so that's a major step up for Apple's hardware. Apple's chips since 2017 have included some version of the Neural Engine, though to date, those have mostly been used to enhance and categorize photos, perform optical character recognition, enable offline dictation, and do other oddities. But it may be that Apple needs something faster for the kinds of on-device large language model-backed generative AI that it's expected to introduce in iOS and iPadOS 18 at WWDC next month.
A separate report from the Wall Street Journal says Apple is developing a custom chip to run AI software in datacenters. "Apple's server chip will likely be focused on running AI models, also known as inference, rather than in training AI models, where Nvidia is dominant," reports Reuters.

Further reading: Apple Quietly Kills the Old-school iPad and Its Headphone Jack
IOS

Apple's iOS 18 AI Will Be On-Device Preserving Privacy, and Not Server-Side (appleinsider.com) 59

According to Bloomberg's Mark Gurman, Apple's initial set of AI-related features in iOS 18 "will work entirely on device," and won't connect to cloud services. AppleInsider reports: In practice, these AI features would be able to function without an internet connection or any form of cloud-based processing. AppleInsider has received information from individuals familiar with the matter that suggest the report's claims are accurate. Apple is working on an in-house large language model, or LLM, known internally as "Ajax." While more advanced features will ultimately require an internet connection, basic text analysis and response generation features should be available offline. [...] Apple will reveal its AI plans during WWDC, which starts on June 10.
AI

AI Hardware Company From Jony Ive, Sam Altman Seeks $1 Billion In Funding 52

An anonymous reader quotes a report from Ars Technica: Former Apple design lead Jony Ive and current OpenAI CEO Sam Altman are seeking funding for a new company that will produce an "artificial intelligence-powered personal device," according to The Information's sources, who are said to be familiar with the plans. The exact nature of the device is unknown, but it will not look anything like a smartphone, according to the sources. We first heard tell of this venture in the fall of 2023, but The Information's story reveals that talks are moving forward to get the company off the ground.

Ive and Altman hope to raise at least $1 billion for the new company. The complete list of potential funding sources they've spoken with is unknown, but The Information's sources say they are in talks with frequent OpenAI investor Thrive Capital as well as Emerson Collective, a venture capital firm founded by Laurene Powell Jobs. SoftBank CEO and super-investor Masayoshi Son is also said to have spoken with Altman and Ive about the venture. Financial Times previously reported that Son wanted Arm (another company he has backed) to be involved in the project. [...] Altman already has his hands in several other AI ventures besides OpenAI. The Information reports that there is no indication yet that OpenAI would be directly involved in the new hardware company.
Wireless Networking

'Smart Devices Are Turning Out To Be a Poor Investment' (androidpolice.com) 155

An anonymous reader quotes a report from Android Police, written by Dhruv Bhutani: As someone who is an early adopter of all things smart and has invested a significant amount of money in building a fancy smart home, it saddens me to say that I feel cheated by the thousands of dollars I've spent on smart devices. And it's not a one-off. Amazon's recent move to block off local ADB connections on Fire TV devices is the latest example in a long line of grievances. A brand busy wrestling away control from the consumer after they've bought the product, the software update gimps a feature that has been present on the hardware ever since it launched back in 2014. ADB-based commands let users take deep control of the hardware, and in the case of the Fire TV hardware, it can drastically improve the user experience. [...] A few years ago, I decided to invest in the NVIDIA Shield. The premium streamer was marketed as a utopia for streaming online and offline sources with the ability to plug in hard drives, connect to NAS drives, and more. At launch, it did precisely that while presenting a beautiful, clean interface that was a joy to interact with. However, subsequent updates have converted what was otherwise a clean and elegant solution to an ad-infested overlay that I zoom past to jump into my streaming app of choice. This problem isn't restricted to just the Shield. Even my Google TV running Chromecast has a home screen that's more of an advertising space for Google than an easy way to get to my content.

But why stop at streaming boxes? Google's Nest Hubs are equal victims of feature deterioration. I've spent hundreds of dollars on Nest Hubs and outfitted them in most of my rooms and washrooms. However, Google's consistent degradation of the user experience means I use these speakers for little more than casting music from the Spotify app. The voice recognition barely works on the best of days, and when it does, the answers tend to be wildly inconsistent. It wasn't always the case. In fact, at launch, Google's Nest speakers were some of the best smart home interfaces you could buy. You'd imagine that the experience would only improve from there. That's decidedly not the case. I had high hopes that the Fuchsia update would fix the broken command detection, but that's also not the case. And good luck to you if you decided to invest in Google Assistant-compatible displays. Google's announcement that it would no longer issue software or security updates to third-party displays like the excellent Lenovo Smart Display, right after killing the built-in web browser, is pretty wild. It boggles my mind that a company can get away with such behavior.

Now imagine the plight of Nest Secure owners. A home security system isn't something one expects to switch out for many many years. And yet, Google decided to kill the Nest Secure home monitoring solution merely three years after launching the product range. While I made an initial investment in the Nest ecosystem, I've since switched over to a completely local solution that is entirely under my control, stores data locally, and won't be going out of action because of bad decision-making by another company.
"It's clear to me that smart home devices, as they stand, are proving to be very poor investments for consumers," Bhutani writes in closing. "Suffice it to say that I've paused any future investments in smart devices, and I'll be taking a long and hard look at a company's treatment of its current portfolio before splurging out more cash. I'd recommend you do the same."
Transportation

Truck-To-Truck Worm Could Infect Entire US Fleet (theregister.com) 50

Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF].

The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over.

The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt some of the vehicle's systems. A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.

Windows

Google Enables OS Upgrades For Older PCs Post-Windows 10 Support Cutoff 73

Google said it will allow businesses to install ChromeOS Flex on their Windows devices, "potentially preventing millions of PCs from hitting landfills after Microsoft ends support for Windows 10 next year," reports Reuters. The Chrome operating system will ultimately allow users to keep using their Windows 10 systems, while also providing regular security updates and features like data encryption. From the report: ChromeOS is significantly less popular than other operating systems. In January 2024, it held a 1.8% share of the worldwide desktop OS market, far behind Windows' share of about 73%, according to data from research firm Statcounter. ChromeOS has struggled with wider adaptability due to its incompatibility with legacy Windows applications and productivity suites used by businesses. Google said that ChromeOS would allow users to stream legacy Windows and productivity applications, which will help deliver them to devices by running the apps on a data center.
