Interesting research: “CHAI: Command Hijacking Against Embodied AI.”

Abstract: Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training distributions and adapt to novel real-world situations. These capabilities, however, also create new security risks. In this paper, we introduce CHAI (Command Hijacking against embodied AI), a new class of prompt-based attacks that exploit the multimodal language interpretation abilities of Large Visual-Language Models (LVLMs). CHAI embeds deceptive natural language instructions, such as misleading signs, in visual input, systematically searches the token space, builds a dictionary of prompts, and guides an attacker model to generate Visual Attack Prompts. We evaluate CHAI on four LVLM agents; drone emergency landing, autonomous driving, and aerial object tracking, and on a real robotic vehicle. Our experiments show that CHAI consistently outperforms state-of-the-art attacks. By exploiting the semantic and multimodal reasoning strengths of next-generation embodied AI systems, CHAI underscores the urgent need for defenses that extend beyond traditional adversarial robustness.

News article.

Snapchat Hacking Investigation Reveals Scale of Phishing Abuse

Snapchat Hacking for Hire

Why the Snapchat Hacking Investigation Matters

Legal Consequences

Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users.

Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor “specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.” Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed.

Make sure you’re running at least version 8.9.1.

Cyberattack on Berchem School Disrupted Servers

School Files Police Complaint After Ransom Demand

Hackers Target Parents With €50 Per Child Ransom Demand

Parents Advised Not to Pay and Not to Click

Classes Continue Despite Cybersecurity Incident

Rising Concern Over Ransomware Attacks on Schools

Investigation Ongoing

Researchers have demonstrated remotely controlling a wheelchair over Bluetooth. CISA has issued an advisory.

CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth connections, allowing an attacker who is in Bluetooth range of the targeted device to pair with it. The attacker could then control the wheelchair’s movements, override speed restrictions, and manipulate configuration profiles, all without requiring credentials or user interaction.

Forty years ago, The Mentor—Loyd Blankenship—published “The Conscience of a Hacker” in Phrack.

You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

Palo Alto’s crosswalk signals were hacked last year. Turns out the city never changed the default passwords.

Someone hacked an Italian ferry.

It looks like the malware was installed by someone on the ferry, and not remotely.

News:

The Danish Defence Intelligence Service (DDIS) announced on Thursday that Moscow was behind a cyber-attack on a Danish water utility in 2024 and a series of distributed denial-of-service (DDoS) attacks on Danish websites in the lead-up to the municipal and regional council elections in November.

The first, it said, was carried out by the pro-Russian group known as Z-Pentest and the second by NoName057(16), which has links to the Russian state.

Slashdot thread.

At least some of this is coming to light:

Doublespeed, a startup backed by Andreessen Horowitz (a16z) that uses a phone farm to manage at least hundreds of AI-generated social media accounts and promote products has been hacked. The hack reveals what products the AI-generated accounts are promoting, often without the required disclosure that these are advertisements, and allowed the hacker to take control of more than 1,000 smartphones that power the company.

The hacker, who asked for anonymity because he feared retaliation from the company, said he reported the vulnerability to Doublespeed on October 31. At the time of writing, the hacker said he still has access to the company’s backend, including the phone farm itself.

Slashdot thread.

IP Camera Hacking Suspects Sold Stolen Video Files

• Suspect B hacked around 30,000 cameras, edited the stolen footage into 545 videos, and earned virtual assets worth about 35 million won.
• Suspect C created 648 files from around 70,000 hacked devices, earning about 18 million won.
• Their videos made up 62% of all content uploaded on the illegal overseas website (Site A) in the past year.
• Suspect D hacked about 15,000 cameras and stored child and youth sexual exploitation material.
• Suspect E hacked 136 cameras but did not distribute any content.

Police Investigating Operators, Purchasers, and Viewers of Illegally Filmed Material

Security Measures Issued After Large-Scale IP Camera Hacking Damage

Protection for Victims and Strong Action Against Secondary Harm

Polish authorities arrested a 23-year-old Russian citizen on November 16, after investigators linked him to unauthorized intrusions into e-commerce platforms, gaining access to databases containing personal data and transaction histories of customers across Poland and potentially other European Union member states. The suspect, who illegally crossed Poland's border in 2022 before obtaining refugee status in 2023, now faces three months of pre-trial detention as prosecutors examine connections to broader cybercrime operations targeting European infrastructure.

Officers from the Central Bureau for Combating Cybercrime detained the Russian national after gathering evidence confirming he operated without required authorization from online shop operators, breaching security protections to access IT systems and databases before interfering with their structure.

Expanding Investigation Into European Cyberattacks

Polish Interior Minister Marcin Kierwinski announced the arrest Thursday, stating that investigators established the suspect may have connections to additional cybercriminal activities targeting companies operating across Poland and EU member states. Prosecutors are currently verifying the scope of potential damages inflicted on victims of these cyberattacks.

According to Polish news outlets, the man was detained in Wroclaw where he had been living, with investigators saying he infiltrated a major e-commerce platform's database, gaining unauthorized access to almost one million customer records including personal data and transaction histories.

The District Court in Krakow approved prosecutors' request for three-month detention, with officials indicating additional arrests are likely as the investigation widens. Authorities are analyzing whether stolen data was used, sold, or transferred to groups outside Poland, including potential connections to organized cybercrime or state-backed networks.

Pattern of Russian Hybrid Warfare

The arrest occurs amid heightened tensions as Poland reports intensifying cyberattacks and sabotage attempts that officials believe link to Russian intelligence services. Poland has arrested 55 people over suspected sabotage and espionage over the past three years, with all charged under Article 130 of the penal code pertaining to espionage and sabotage.

The case represents part of a broader pattern of hostile cyber operations. Poland and other European nations have intensified surveillance of potential Russian cyberattacks and sabotage efforts since Moscow's full-scale invasion of Ukraine in 2022, monitoring suspected arson attacks and strikes on critical infrastructure across the region.

Polish cybersecurity officials previously warned the country remains a constant target of pro-Russian hackers responding to Warsaw's support for Ukraine. Strategic, energy, and military enterprises face particular risk, with attacks intensifying through DDoS operations, ransomware, phishing campaigns, and website impersonation designed to collect personal data and spread disinformation.

The Central Bureau for Combating Cybercrime emphasized that the investigation remains active and developmental, with prosecutors continuing to gather evidence about the full extent of the suspect's activities and potential co-conspirators.

Also read: DDoS-for-Hire Empire Dismantled as Poland Arrests Four, U.S. Seizes Nine Domains

The Department of Justice has indicted thirty-one people over the high-tech rigging of high-stakes poker games.

In a typical legitimate poker game, a dealer uses a shuffling machine to shuffle the cards randomly before dealing them to all the players in a particular order. As set forth in the indictment, the rigged games used altered shuffling machines that contained hidden technology allowing the machines to read all the cards in the deck. Because the cards were always dealt in a particular order to the players at the table, the machines could determine which player would have the winning hand. This information was transmitted to an off-site member of the conspiracy, who then transmitted that information via cellphone back to a member of the conspiracy who was playing at the table, referred to as the “Quarterback” or “Driver.” The Quarterback then secretly signaled this information (usually by prearranged signals like touching certain chips or other items on the table) to other co-conspirators playing at the table, who were also participants in the scheme. Collectively, the Quarterback and other players in on the scheme (i.e., the cheating team) used this information to win poker games against unwitting victims, who sometimes lost tens or hundreds of thousands of dollars at a time. The defendants used other cheating technology as well, such as a chip tray analyzer (essentially, a poker chip tray that also secretly read all cards using hidden cameras), an x-ray table that could read cards face down on the table, and special contact lenses or eyeglasses that could read pre-marked cards.

News articles.

These days, the most important meeting attendee isn’t a person: It’s the AI notetaker.

This system assigns action items and determines the importance of what is said. If it becomes necessary to revisit the facts of the meeting, its summary is treated as impartial evidence.

But clever meeting attendees can manipulate this system’s record by speaking more to what the underlying AI weights for summarization and importance than to their colleagues. As a result, you can expect some meeting attendees to use language more likely to be captured in summaries, timing their interventions strategically, repeating key points, and employing formulaic phrasing that AI models are more likely to pick up on. Welcome to the world of AI summarization optimization (AISO).

Optimizing for algorithmic manipulation

AI summarization optimization has a well-known precursor: SEO.

Search-engine optimization is as old as the World Wide Web. The idea is straightforward: Search engines scour the internet digesting every possible page, with the goal of serving the best results to every possible query. The objective for a content creator, company, or cause is to optimize for the algorithm search engines have developed to determine their webpage rankings for those queries. That requires writing for two audiences at once: human readers and the search-engine crawlers indexing content. Techniques to do this effectively are passed around like trade secrets, and a $75 billion industry offers SEO services to organizations of all sizes.

More recently, researchers have documented techniques for influencing AI responses, including large-language model optimization (LLMO) and generative engine optimization (GEO). Tricks include content optimization—adding citations and statistics—and adversarial approaches: using specially crafted text sequences. These techniques often target sources that LLMs heavily reference, such as Reddit, which is claimed to be cited in 40% of AI-generated responses. The effectiveness and real-world applicability of these methods remains limited and largely experimental, although there is substantial evidence that countries such as Russia are actively pursuing this.

AI summarization optimization follows the same logic on a smaller scale. Human participants in a meeting may want a certain fact highlighted in the record, or their perspective to be reflected as the authoritative one. Rather than persuading colleagues directly, they adapt their speech for the notetaker that will later define the “official” summary. For example:

• “The main factor in last quarter’s delay was supply chain disruption.”
• “The key outcome was overwhelmingly positive client feedback.”
• “Our takeaway here is in alignment moving forward.”
• “What matters here is the efficiency gains, not the temporary cost overrun.”

The techniques are subtle. They employ high-signal phrases such as “key takeaway” and “action item,” keep statements short and clear, and repeat them when possible. They also use contrastive framing (“this, not that”), and speak early in the meeting or at transition points.

Once spoken words are transcribed, they enter the model’s input. Cue phrases—and even transcription errors—can steer what makes it into the summary. In many tools, the output format itself is also a signal: Summarizers often offer sections such as “Key Takeaways” or “Action Items,” so language that mirrors those headings is more likely to be included. In effect, well-chosen phrases function as implicit markers that guide the AI toward inclusion.

Research confirms this. Early AI summarization research showed that models trained to reconstruct summary-style sentences systematically overweigh such content. Models over-rely on early-position content in news. And models often overweigh statements at the start or end of a transcript, underweighting the middle. Recent work further confirms vulnerability to phrasing-based manipulation: models cannot reliably distinguish embedded instructions from ordinary content, especially when phrasing mimics salient cues.

How to combat AISO

If AISO becomes common, three forms of defense will emerge. First, meeting participants will exert social pressure on one another. When researchers secretly deployed AI bots in Reddit’s r/changemyview community, users and moderators responded with strong backlash calling it “psychological manipulation.” Anyone using obvious AI-gaming phrases may face similar disapproval.

Second, organizations will start governing meeting behavior using AI: risk assessments and access restrictions before the meetings even start, detection of AISO techniques in meetings, and validation and auditing after the meetings.

Third, AI summarizers will have their own technical countermeasures. For example, the AI security company CloudSEK recommends content sanitization to strip suspicious inputs, prompt filtering to detect meta-instructions and excessive repetition, context window balancing to weight repeated content less heavily, and user warnings showing content provenance.

Broader defenses could draw from security and AI safety research: preprocessing content to detect dangerous patterns, consensus approaches requiring consistency thresholds, self-reflection techniques to detect manipulative content, and human oversight protocols for critical decisions. Meeting-specific systems could implement additional defenses: tagging inputs by provenance, weighting content by speaker role or centrality with sentence-level importance scoring, and discounting high-signal phrases while favoring consensus over fervor.

Reshaping human behavior

AI summarization optimization is a small, subtle shift, but it illustrates how the adoption of AI is reshaping human behavior in unexpected ways. The potential implications are quietly profound.

Meetings—humanity’s most fundamental collaborative ritual—are being silently reengineered by those who understand the algorithm’s preferences. The articulate are gaining an invisible advantage over the wise. Adversarial thinking is becoming routine, embedded in the most ordinary workplace rituals, and, as AI becomes embedded in organizational life, strategic interactions with AI notetakers and summarizers may soon be a necessary executive skill for navigating corporate culture.

AI summarization optimization illustrates how quickly humans adapt communication strategies to new technologies. As AI becomes more embedded in workplace communication, recognizing these emerging patterns may prove increasingly important.

This essay was written with Gadi Evron, and originally appeared in CSO.