InfoSec News 16JAN2026
General
- Time to update your Bluetooth audio accessories, if they support Google Fast Pair. It turns out that a lot of them don't require the device to be in pairing mode before allowing anyone to proceed through the Fast Pair pairing pathway.
- https://www.esat.kuleuven.be/cosic/news/whisperpair-hijacking-bluetooth-accessories-using-google-fast-pair/
- https://www.bleepingcomputer.com/news/security/critical-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/
- https://www.wired.com/story/google-fast-pair-bluetooth-audio-accessories-vulnerability-patches/
- Also time to patch your Palo Alto Networks (PAN) firewalls - an unauthenticated Denial of Service (DoS) vulnerability has been disclosed. No exploitation reported as yet.
- X is at last responding to complaints about illegal and unauthorised image manipulation on the platform.
We remain committed to making X a safe platform for everyone and continue to have zero tolerance for any forms of child sexual exploitation, non-consensual nudity, and unwanted sexual content.
...
We have implemented technological measures to prevent the [@]Grok account on X globally from allowing the editing of images of real people in revealing clothing such as bikinis.
- [DE] Germany looks to Israel for assistance and co-operation in improving cyber defences, likely - at least partially - in response to increased aggression in this space from Russia.
German intelligence agencies have repeatedly warned of growing cyber and espionage threats from foreign powers, particularly Russia, China and Iran.
...
Last month, Germany summoned Russia’s ambassador after accusing Moscow of carrying out a cyberattack on its state-owned air traffic control operator and of running a disinformation campaign ahead of February’s federal election.
Getting Techy
- Fun Friday Fail - EatonWorks really needed to pull out all of their technical tricks to hack this one - Bluvoyix, a SaaS supply-chain management platform "that powers the cargo and ocean shipping/logistics industry".
- Smart thinking from Wiz unearthed a supply-chain weakness in AWS's GitHub CI/CD pipelines for public projects. A very subtle flaw cracked open the whole repo.
- A single undocumented bit can leak data between Virtual Machines (VMs) on AMD EPYC CPUs. Flipping the bit stops the tracking of stack data, allowing a malicious VM to grab that stack data from another VM sharing the same CPU.
AMD released updated microcode in July 2025.
Geo-Politics
- [EU] AWS looks to head off moves by the European Union to create its own sovereign cloud services by launching the "AWS European Sovereign Cloud". The new offering is now generally available, with a subset of services. The cloud offering is said to have a different legal, operational and technical structure, to provide separation from the standard US offering. Whether this truly provides protection from US legal and intelligence-led snooping remains to be seen.
Privacy
- [US] General Motors [GM] is banned from selling data from the OnStar onboard safety/telemetry system, but only for five years. For twenty years, GM must obtain consent before collecting, using or sharing connected vehicle data. Let's hope that's an explicit, informed consent, and not just a mandatory click-through, or a term buried in the sales paperwork.
- (FTC Complaint) https://www.ftc.gov/system/files/ftc_gov/pdf/242_3052_-_general_motors_complaint.pdf
- (FTC Decision) https://www.ftc.gov/system/files/ftc_gov/pdf/GMAdminOrderDec2025.pdf
- https://www.bleepingcomputer.com/news/security/ftc-bans-general-motors-from-selling-drivers-location-data-for-five-years/
- https://www.theregister.com/2026/01/15/ftc_gm_tracking_ban/
- Google to settle a lawsuit (US$8.25m) over claims of collecting data on children under 13, in violation of the "Children's Online Privacy Protection Act" (COPPA). An app labelled as "Designed for Families" (DFF), and clearly targeting children, included the AdMob Software Development Kit (SDK), which performed the data collection.
- Troy Hunt discusses the privacy implications and decisions behind whether or not a data breach is marked as sensitive on HaveIBeenPwned.
- [US] Legislation is being tabled to limit the use of facial recognition software by Department of Homeland Security (DHS) agents, including Immigration and Customs Enforcement (ICE).
The proposed law, called the Realigning Mobile Phone Biometrics for American Privacy Protection Act, aims to curtail both Mobile Fortify and Mobile Identify, the local law enforcement version, in a few ways. First, it would ban use of the apps except for identification at ports of entry.
AI
- OpenAI is looking for more ways to use its Large Language Models (LLMs) - this time, it's ChatGPT Translate.
- Meanwhile, staffing instability continues apace - more movement at Thinking Machines (founded by ex-OpenAI staff), OpenAI and Anthropic.