Infosec Decoded Season 5 #60: Breaktooth

With Doug Spindler and sambowne@infosec.exchange

Recorded Fri, Aug 1, 2025

Politics

Blame the governor! Oklahoma’s “board meeting porn” scandal goes gonzo.
A porn video played during a recent Oklahoma Board of Education meeting, apparently streaming from the computer of Oklahoma Superintendent of Public Instruction Ryan Walters. He denies everything, demands that his accusers resign, blames the governor and the media, and claims that an investigation cleared him--all lies.
Elon Musk Amplifies Bizarre Claim That 'Women Are Built To Be Traded'
A discussion began when Musk responded to a user who’d asked why “liberal white women hate white people so much” by speculating that “they’ve been programmed to do so by their teachers and the media.” Then the poster claimed that women conform, because they are “built to be traded to another tribe (or captured).” Musk, apparently persuaded, reshared the post with his 223 million followers.
For Trump’s Harvard Deal, $500 Million Is Only a Starting Point
Education Secretary Linda McMahon has said she expects Columbia University’s recent $221 million settlement with the government to be a template for agreements with other schools. That deal included a monitor role, and the administration is all but insisting that Harvard agree to the same provision. One official said it would take a jaw-dropping figure, like $1 billion, for President Donald Trump to reconsider — forcing the university to weigh whether to agree to such a provision or try to offer a higher settlement instead.
Newsom wants voters to weigh in on new congressional districts in November
Gov. Gavin Newsom is eyeing a special election in the first week of November to ask California voters to sign off on revised U.S. House districts that could boost Democratic prospects in the 2026 midterms. Democrats currently hold 43 of the state’s 52 House seats, including several competitive districts that flipped from Republican control last November.

Infosec

Serious vulnerability in Bluetooth protocol: once a device goes to sleep, its session can be hijacked by an attacker.
The demo at https://breaktooth.github.io/ shows how it works for a Bluetooth keyboard. Powerful! And apparently not easy to patch.
How we Rooted Copilot (PSW)
Microsoft silently pushed an update in April 2025 for Copilot Enterprise, enabling a live Python sandbox running Jupyter Notebook that can execute code in the backend. By gradually getting the LLM used to executing commands, the researchers were able to find a script that executes pgrep as root, without specifying the path to pgrep. Creating a companion trojan named pgrep.py gave them root privileges.

This exploit had no significant impact because the container they rooted had nothing interesting. Microsoft patched this.
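
A defender-side check for the unqualified pgrep call described above, as an added example that is not from the original write-up or from Microsoft. It walks a PATH string the way a shell resolves a bare command name and flags every directory consulted up to and including the one holding the real binary that is relative or group/world-writable. The function name `audit_path_lookup` and its output labels are assumptions for illustration, and it checks permission bits only, not ownership or ACLs.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# audit_path_lookup CMD PATH_STRING
#   Prints one line per finding and returns:
#     0  CMD resolves and no risky directory was consulted on the way
#     1  a relative or group/world-writable directory is consulted first
#     2  CMD is not found anywhere on PATH_STRING
audit_path_lookup() {
    cmd=$1; path=$2; rc=0
    old_ifs=$IFS; IFS=:
    set -f                       # no globbing while PATH is split on ':'
    for dir in $path; do
        case $dir in
            /*) ;;               # absolute entry: inspect it below
            *)  # empty or relative entries resolve against the caller's cwd
                echo "HIJACKABLE ${dir:-<empty>} (relative entry)"
                rc=1
                continue ;;
        esac
        # -prune keeps find on the directory itself; match g+w or o+w
        if [ -n "$(find "$dir" -prune \( -perm -002 -o -perm -020 \) \
                   -print 2>/dev/null)" ]; then
            echo "HIJACKABLE $dir (group- or world-writable)"
            rc=1
        fi
        # Lookup stops at the first executable match, so later
        # directories are never consulted and are not reported.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "RESOLVES $dir/$cmd"
            IFS=$old_ifs; set +f
            return "$rc"
        fi
    done
    IFS=$old_ifs; set +f
    echo "NOTFOUND $cmd"
    return 2
}

# Stand-alone use: ./audit.sh pgrep   (defaults to the current PATH)
if [ "$#" -ge 1 ]; then
    audit_path_lookup "$1" "${2:-$PATH}"
fi
```

Run it with the PATH the privileged script actually inherits, not the interactive one; calling the binary by absolute path or setting a fixed PATH at the top of the script removes the lookup entirely.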

A Novel Technique for SQL Injection in PDO’s Prepared Statements (PSW)
You might reasonably assume that PHP's PDO is using MySQL’s native prepared statement API here. In fact, PDO emulates all prepared statements in MySQL by default. Unless you explicitly disable PDO::ATTR_EMULATE_PREPARES, PDO will actually do all the escaping itself before your query even hits the database.

So it's possible to achieve SQL injection by using a syntax including a backtick and a null byte.

Google tool misused to scrub tech CEO’s shady past from search
A little-known Google search feature known as Refresh Outdated Content can be abused to delete links, by capitalizing some letters in a URL to trick the tool into thinking the page was gone.
China claims Nvidia built backdoor into H20 chip designed for Chinese market
China’s cyber regulator said US AI experts had “revealed that Nvidia’s computing chips have location tracking and can remotely shut down the technology.”

A China tech expert is “skeptical” about the claims of a deliberate back door being built into Nvidia hardware, pointing to the lack of detail in the announcement.

Lawmakers in Washington have expressed concern about chip smuggling and introduced a bill that would require chipmakers such as Nvidia to embed location tracking into export-controlled hardware.

Spikes in malicious activity precede new security flaws in 80% of cases
In roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks.
Microsoft catches Russian hackers targeting foreign embassies
The end goal is the installation of a malicious TLS root certificate for use in intel gathering.
YouTube’s selfie collection, AI age checks are concerning, privacy experts say
Throughout the first half of August, YouTube will begin interpreting "a variety of signals" to determine if certain users are under 18. Anyone determined to be too young will automatically be hit with protections, with YouTube disabling their personalized advertising, "turning on digital wellbeing tools," and "limiting repetitive views of some kinds of content" determined to be harmful or too mature.
How the McMurtry Spéirling defied gravity to become the first car to drive upside down