BleepingComputer's Sergiu Gatlan reports: "Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label, which will appear on smart products sold in the United States later this year, will help American consumers determine whether the devices they want to buy are safe to install in their homes. It's designed for consumer smart devices, such as home security cameras, TVs, internet-connected appliances, fitness trackers, climate control systems, and baby monitors, and it signals that the internet-connected device comes with a set of security features approved by NIST.

Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. These criteria include using unique and strong default passwords, software updates, data protection, and incident detection capabilities. Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product's minimum support period, and a notification if the manufacturer does not offer updates for the device. "Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations," the Biden administration said on Tuesday.

"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devise [sic], much as EnergyStar labels did for energy efficiency.

The OnePlus 13 launched in the North American market today, making it the first flagship smartphone of 2025. As the smartphone market continues to consolidate, it has become increasingly difficult for non-Samsung, Google, and Apple devices to gain significant traction in the competitive U.S. market. Nevertheless, OnePlus has continually released premium flagship-tier devices at relatively modest price points, hoping to pry users away from the Big Tech monoliths.

The OnePlus 13 features Qualcomm's latest Snapdragon 8 Elite chipset, up to 16GB of RAM, a 6.82" QHD+ OLED display, a triple Hasselblad-branded camera system, a massive 6,000mAh battery, and support for 5G networks across all major carriers in the U.S. and Canada. A full list of specifications can be found here.

Based on the early reviews, the OnePlus 13 appears to set the bar high with not a lot of faults to highlight among reviewers. Here are some of our favorite reviews published today:

OnePlus 13 review: finally, a flagship that can hang (The Verge)
OnePlus 13 review: I'm dumbfounded, I can't find anything wrong with this phone (TechRadar)
OnePlus 13 Review: Ship Shape? (Michael Fisher)
OnePlus 13 Review: The Bar Has Been Set! (Marques Brownlee)
The OnePlus 13 is finally a OnePlus flagship I trust to do it all (Android Authority)
OnePlus 13 Review: 2025's First Flagship Finds Success (Forbes)
OnePlus 13 review: The complete package (BGR)
The OnePlus 13 sets a new bar for smartphone performance (Business Insider)

This is not a Slashvertisement. We just like shiny, new tech.

Cornell Tech researchers have developed a portable device called SoilScanner that uses radio frequency signals and machine learning to detect lead contamination in soil. It offers a cost-effective alternative to traditional methods of testing that "generally involves either sending samples to a lab for analysis, which relies upon harsh chemicals and can be expensive, or using a portable X-ray fluorescence device," notes Phys.org. From the report: "In recent years, especially during COVID, a lot of us got excited about having our own backyard garden, or spending more time at home," said [Rajalakshmi Nandakumar, assistant professor at the Jacobs Technion-Cornell Institute at Cornell Tech] who's also a member of the Department of Information Science in the Cornell Ann S. Bowers College of Computing and Information Science. "But if you look at instructions for how to grow tomatoes, no one actually tells you that you have to check your soil for lead," she said. "It's all about pH levels. A lot of us, even though we interact very often with soils, are totally unaware of possible lead contamination."

[Yixuan Gao, a doctoral candidate in computer science] said the group was motivated by a map of lead contamination in New York City that Cheng's Urban Soils Lab (USL) had produced over the course of several years of testing for hundreds of soil samples throughout the five boroughs. The testing revealed dangerously high levels of lead in many locations, most notably in northern Brooklyn. About 45% of the soil samples tested by USL had lead levels above 400 parts per million (ppm), the previous EPA recommended screening level (revised a year ago to 200 ppm for residential soils). "This means there is a significant risk when gardening in these urban soils," Gao said. You can learn more about the device here (PDF).

Windows 11 24H2 continues to experience issues with multifunction devices using the eSCL scan protocol, despite Microsoft marking the problem as resolved. According to a Register reader, "It works on a Windows 10 machine, but not on Windows 11, unless both the computer and the scanner are on wired Ethernet." From the report: Microsoft issued a compatibility safeguard hold on USB-connected devices using the Scanner Communication Language (eSCL) protocol in November after users who installed the Windows update experienced glitches with device discovery. The issue was reported resolved by Microsoft in December. However, it seems that KB5048667 might not have fixed all the problems for Canon owners. According to our reader: "Canon support tells me that the 24H2 eSCL issue still is not fixed." We asked Microsoft about the situation, but despite telling us it was looking into the problem on Friday, December 20, the company has yet to provide any further details. Canon was more forthcoming. A spokesperson told The Register it was aware of a problem impacting devices using ScanGear MF.

ScanGear MF is a scanner driver provided by Canon and allows customers to configure advanced settings for scanning. Canon does not appear to be changing its code to rectify whatever problems had been brought on by the Windows 11 update. The spokesperson said: "Microsoft is currently working on an OS amendment to resolve this and we are keeping in close contact with them. The timing for resolving this is yet to be confirmed by Microsoft, however we expect to receive the plan to fix in January 2025." Customers affected by the issue, which manifests itself with a communications error message, according to Canon's support forum, are advised to use either native Microsoft software solutions or go fully wired via USB.

The UK's Information Commissioner's Office (ICO) warns that while most adults recognize the importance of wiping personal data from old devices, nearly 30% don't know how, and a significant number of young people either don't care or find it too cumbersome. The Register reports: Clearing personal data off an old device is an important step before ditching it or handing it on to another user. However, almost three in ten (29 percent) of adults don't know how to remove the information, according to a survey of 2,170 members of the UK public. Seventy-one percent agreed that wiping a device was important, but almost a quarter (24 percent) reckoned it was too arduous. This means that the drawer of dusty devices is set to swell -- three-quarters of respondents reported hanging on to at least one old device, and a fifth did so because they were worried about their personal information. [...]

More than one in five (21 percent) of young people in the survey didn't think it was important to wipe personal data, while 23 percent said they didn't care about what might happen to that data. Fourteen percent of people aged 18-34 said they wouldn't bother wiping their devices at all, compared to just 4 percent of people over 55. On the plus side, the majority (84 percent) of respondents said they would ensure data was erased before disposing of a device. Alternatively, some might not worry about it and stick it in that special drawer alongside all the cables that might be needed one day. The survey also found that more than a quarter (27 percent) of UK adults were planning to treat themselves to a new device over the festive season [...].

An anonymous reader quotes a report from PCWorld: Smart home devices compatible with the Matter standard have garnered most of our attention lately, but the compelling features in the latest generation of Z-Wave chips convinced the IoT developer Shelly Group to build no fewer than 11 new products powered by Z-Wave technology. The new collection includes a smart plug, in-wall dimmers, relays, and various sensors aimed at DIYers, installers, and commercial builders. Citing the ability of Z-Wave 800 (aka Z-Wave Long Range or LR) chips to operate IoT devices over extremely long range -- up to 1 mile, line of sight -- while running on battery power for up to 10 years, Shelly Group CTO Leon Kralj said "Shelly is helping break down smart home connectivity barriers, empowering homeowners, security installers, and commercial property owners and managers with unmatched range, scalability, and energy efficiency to redefine their automation experience."

[...] While most homeowners won't need to worry about the number of IoT devices their networks can support, commercial builders will appreciate the scalability of Z-Wave 800-powered devices -- namely, you can deploy as many as 4,000 nodes on a single mesh network. That's a 20x increase over what was possible with previous generations of the chip. And since Z-Wave LR is backward compatible with those previous generations, there should be no worries about integrating the new devices into existing networks. Shelly says all 11 of its new Z-Wave 800-powered IoT devices will be available in the first half of 2025. The new Shelly devices will be available in the U.S. in the first half of 2025.

Here's a list of the devices enhanced with the new long-range capabilities:
- Shelly Wave Plug US
- Shelly Wave Door/Window
- Shelly Wave H&T
- Shelly Wave Motion
- Shelly Wave Dimmer
- Shelly Wave Pro Dimmer 1 PM
- Shelly Wave Pro Dimmer 2 PM
- Shelly Wave 1
- Shelly Wave 1 PM
- Shelly Wave 2 PM
- Shelly Wave Shutter

D-Link confirmed no fix will be issued for the over 60,000 D-Link NAS devices that are vulnerable to a critical command injection flaw (CVE-2024-10914), allowing unauthenticated attackers to execute arbitrary commands through unsanitized HTTP requests. The networking company advises users to retire or isolate the affected devices from public internet access. BleepingComputer reports: The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses: DNS-320 Version 1.00; DNS-320LW Version 1.01.0914.2012; DNS-325 Version 1.01, Version 1.02; and DNS-340L Version 1.08. [...] A search that Netsecfish conducted on the FOFA platform returned 61,147 results at 41,097 unique IP addresses for D-Link devices vulnerable to CVE-2024-10914.

In a security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products. If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions. The same researcher discovered in April this year an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting mostly the same D-Link NAS models as the latest flaw.

Longtime Slashdot reader AmiMoJo shares a report from The Verge: It's been two long years since the launch of Matter -- the one smart home standard designed to rule them all -- and there's been a fair amount of disappointment around a sometimes buggy rollout, slow adoption by companies like Apple, Amazon, and Google, and frustrating setup experiences. However, the launch of the Matter 1.4 specification this week shows some signs that the Connectivity Standards Alliance (CSA, the organization behind Matter) is using more sticks and fewer carrots to get the smart home industry coalition to cooperate.

The new spec introduces 'enhanced multi-admin,' an improvement on multi-admin -- the much-touted interoperability feature that means your Matter smart light can work in multiple ecosystems simultaneously. It brings a solution for making Thread border routers from different companies play nicely together and introduces a potentially easier way to add Matter infrastructure to homes through Wi-Fi routers and access points. Matter 1.4 also brings some big updates to energy management support, including adding heat pumps, home batteries, and solar panels as Matter device types.

After a couple of years of regular use, Samsung's $400 Galaxy Ring will end up contributing to the growing e-waste problem. "The Galaxy Ring -- and all smart rings like it -- comes with a huge string attached," writes iFixit in a blog post. "It's 100% disposable, just like the AirPod-style Buds3 that Samsung just released. The culprit? The lithium ion batteries." ZDNet reports: The problem is the battery, and how they have a finite lifespan. Usually that's about 400 recharge cycles, and after that the batteries are finished. And if you can't replace it, then it's the end of the line for the gadget, and it's tossed onto the e-waste pile. [...]

iFixit is damning about this sort of tech. "There's nothing wrong with simple but there is something wrong with unrepairable. Just like the Galaxy Buds3, the Galaxy Ring is a disposable tech accessory that isn't designed to last more than two years." And the bottom line is simple: "We can't recommend buying disposable tech like this." Here's what iFixit's Shahram Mokhtari had to say about the Galaxy Ring's battery, after putting it through a CT scanner: On the right hand side of the ring is the faint outline of a lithium polymer battery pouch. There's an inductive coil sitting right on top of the battery (the lines that look like a rectangular track) and another very similar inductive coil that's parallel and slightly separated from the first. That second inductive coil is inside the charging case and works together with the inductive coil in the ring to recharge the battery inside the Galaxy Ring. Inductive charging is the only practical way to deliver power to a device that doesn't have any ports. But there's something else here that sticks out like a sore thumb ... that is a press connector joining the battery to the rest of the board! This is a surprising use of space, why isn't this directly soldered? Nobody is getting back in there to disconnect this thing!

We love press connectors, they're easy to work with and make replacing batteries a sight easier than desoldering a half dozen wires. But this one is sealed into the device and serves no purpose in replacement or repair. Our best guess as to why it's in the Galaxy Ring: The battery and wireless charging coil were made in one place, the circuit board somewhere else, and it all comes to a production line somewhere where the two need to be connected together quickly and cheaply. Hence the press connector. It's not for your benefit, it's for the manufacturers.

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon..., and it's not clear when it was taken down. The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one. The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings "DO NOT SHIP" or "DO NOT TRUST." These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren't clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.

Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret. Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here. "It's a big problem," said Martin Smolar, a malware analyst specializing in rootkits who reviewed the Binarly research. "It's basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically... execute any malware or untrusted code during system boot. Of course, privileged access is required, but that's not a problem in many cases."

Binarly founder and CEO Alex Matrosov added: "Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?"

Arm is launching its Arm Accuracy Super Resolution (ASR) upscaler that "can make games look better, while lowering power consumption on your phone," according to The Verge. "It's also making the upscaling technology available to developers under an MIT open-source license." From the reprot: Arm based its technology on AMD's FidelityFX Super Resolution 2 (FSR 2), which uses temporal upscaling to make PC games look better and boost frame rates. Unlike spatial upscaling, which upscales an image based on a single frame, temporal upscaling involves using multiple frames to generate a higher-quality image.

You can see just how Arm ASR stacks up to AMD's FSR 2 and Qualcomm's GSR tech in [this chart] created by Arm. Arm claims ASR produced 53 percent higher frame rates than rendering at native resolution on a device with an Arm Immortalis-G720 GPU and 2800 x 1260 display, beating AMD FSR 2. It also tested ASR on a device using MediaTek's Dimensity 9300 chip and found that rendering at 540p and upscaling with ASR used much less power than running a game at native 1080p resolution.

storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use these tools." "While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence." the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.

According to Bloomberg's Mark Gurman, Apple appears ready to embrace a thinner design language with the upcoming MacBook Pro, Apple Watch, and iPhone. MacRumors reports: When the M4 iPad Pro was unveiled last month, Apple touted it as the company's thinnest product ever, and even compared it to the 2012 iPod nano to emphasize its slim dimensions. Writing in the latest edition of his Power On newsletter, Gurman says that like the iPad Pro, Apple is now focused on delivering the thinnest possible devices across its lineups without compromising on battery life or major new features. Gurman writes that the new iPad Pro is the "beginning of a new class of Apple devices," and that Apple's aim is to offer "the thinnest and lightest products in their categories across the whole tech industry." Apple now reportedly has its sights on making thinner versions of iPhone, Apple Watch, and MacBook Pro over the next couple of years.

Gurman's sources tell him Apple is now focused on developing a significantly skinnier iPhone in time for the iPhone 17 line in 2025, corroborating a May report by The Information. According to the latter report, Apple is planning to launch an all-new thinner iPhone 17 model next year that will allegedly feature a "major redesign" akin to the iPhone X. Gurman previously reported that Apple is planning a complete revamp of the Apple Watch for the device's tenth anniversary, dubbed "Apple Watch X." Since the original Apple Watch was unveiled in 2014 and launched in 2015, Gurman is unsure whether the Apple Watch X will be released in 2024 or 2025. However, Apple analyst Ming-Chi Kuo today claimed that this year's upcoming Apple Watch will have a larger screen and thinner design, which sounds like the sort of major overhaul and design signature that Gurman has suggested.

Following in the European Union's footsteps, Japan's parliament has enacted a law on Wednesday that will prohibit big tech from blocking third-party app stores. AppleInsider reports: The intention of the bill is that it will facilitate competition and reduce app prices. Japan's government reportedly believes that Apple and Google are a duopoly, and that they charge developers high fees that are then passed on to users. Big tech companies with App Stores will also prohibit companies from prioritizing their own services. Google is likely to be hit hardest by this. Violators will initially be fined up to 20% of the domestic revenue of the specific service that broke the law. The fee can increase to 30%, if the behavior continues.

The Japanese government's Fair Trade Commission (FTC) will choose which firms to apply it to. Companies that will be regulated will be required to submit compliance reports annually. While it hasn't been explicitly said that Apple and Google must comply, It seems certain that the announcement that they'll be held to the provisions is imminent. The Japan FTC isn't expected to add any Japanese firms to the list. The law likely won't take effect until the end of 2025.

Apple has quietly added a Thread radio to nearly all of its newest iPads, MacBooks, and iMacs. The Verge reports: While the company doesn't list Thread on the specs of any of these products, FCC reports indicate that many of Apple's latest devices have had Thread radios tested for compliance. Generally, you don't test a radio that's not there. We found evidence of Thread testing in the following models: iPad Pro 13-inch (M4) (Wi-Fi + Cellular), iPad Pro 11-inch (M4) (Wi-Fi + Cellular), iPad Pro 11-inch (M4) (Wi-Fi), iPad Air 11-inch (M2) (Wi-Fi + Cellular), iPad Air 13-inch (M2) Wi-Fi, MacBook Air 15-inch (M3), MacBook Pro 14-inch (M3), MacBook Pro 14-inch (M3 Pro or M3 Max), MacBook Pro 16-inch (M3 Pro or M3 Max), iMac (M3, two ports), and iMac (M3, four ports).

The FCC requires manufacturers to list every radio contained in a device and to test them in every possible scenario to make sure they comply with its transmission regulations. Tom Sciorilli, director of certification for Thread Group, told The Verge that the FCC reports reference FCC 15.247, "which confirms the device will essentially 'stay in its lane' and not interfere with other radios when operating." The reports we found are tests of the IEEE 802.15.4 transmitter functionality -- 802.15.4 is the radio standard Thread runs on. While it supports a number of technologies, the reports mention Thread explicitly.

Thread is the primary wireless protocol for the new smart home standard Matter, which Apple helped develop and that is now the underlying architecture for its Apple Home smart home platform. A low-power, low-bandwidth, mesh networking protocol specifically designed for IoT devices, Thread is shown to be faster than Bluetooth and offers better range, making it ideal for connecting products like smart lights, locks, thermostats, and sensors. [...] So why is it there? The Apple Home app runs on Macs and iPads, and Thread radios could allow them to communicate directly with smart home devices and act as Thread border routers. It's possible Apple is planning to turn your Mac or iPad into a home hub, but iPads used to be home hubs, and the company discontinued that capability for its new Apple Home architecture. Those iPads didn't have Thread radios, though.