The Apple Park campus in Cupertino, California.
Apple’s earnings report for the second quarter of the company’s 2024 fiscal year showed a slide in hardware sales, especially for the iPhone. Nonetheless, Apple beat analysts’ estimates for the quarter thanks to the company’s rapidly growing services revenue.
iPhone revenue dropped from $51.33 billion in the same quarter last year to $45.96 billion, a fall of about 10 percent. This was the second consecutive quarter with declining iPhone revenues. That said, investors feared a sharp drop before the earnings call.
Notably, Apple’s revenue in the region it dubs Greater China (which includes China, Taiwan, Singapore, and Hong Kong) fell 8 percent overall. The company fared a little better in other regions. China’s economy is slowing even as China-based Huawei is taking bigger slices of the pie in the region.
Globally, Mac revenue was $7.5 billion compared to last year’s $7.12 billion. Other products—which include the Watch, AirPods, Apple TV 4K, HomePod, and the new Vision Pro headset—were down to $7.9 billion from last year’s $8.76 billion, despite the fact this quarter included the launch of the Vision Pro.
iPad revenue was also down, at $5.6 billion from $6.67 billion. Apple is expected to launch new iPads next week, which suggests that those updates are needed to achieve the company’s business goals.
The rosiest revenue category was services, which includes everything from Apple Music to iCloud. Its revenue was $23.9 billion, up from Q2 2023’s $20.91 billion.
The company also announced authorization of $110 billion for share purchases.
Wear OS was nearly dead a few years ago but is now on a remarkable comeback trajectory, thanks to renewed commitment from Google and a hardware team-up with Samsung. Wear OS is still in a distant second place compared to the Apple Watch, but a new Counterpoint Research report has the wearable OS at 21 percent market share, with the OS expected to hit 27 percent in 2024.
Counterpoint’s market segmentation for this report is basically “smartwatches with an app store,” so it excludes cheaper fitness bands and other, more simple electronic watches. We’re also focusing on the non-China market for now. The report has Apple’s market share at 53 percent and expects it to fall to 49 percent in 2024. The “Other” category is at 26 percent currently. That “Other” group would have to be Garmin watches, a few remaining Fitbit smartwatches like the Versa and Ionic, and Amazfit watches. Counterpoint expects the whole market (including China) to grow 15 percent in 2024 and that a “major part” of the growth will be non-Apple watches. Counterpoint lists Samsung as the major Wear OS driver, with OnePlus, Oppo, Xiaomi, and Google getting shout-outs too.
2023 figures are actual numbers, while 2024 is a forecast.
China is a completely different world, with Huawei’s HarmonyOS currently dominating with 48 percent. Counterpoint expects the OS’s smartwatch market share to grow to 61 percent this year. Under the hood, HarmonyOS-for-smartwatches is an Android fork, and for hardware, the company is gearing up to launch an Apple Watch clone. Apple is only at 28 percent in China, and Wear OS is relegated to somewhere in the “Other” category. There’s no Play Store in China, so Wear OS is less appealing, but some Chinese brands like Xiaomi and Oppo are still building Wear OS watches.
For chipsets, Apple and Samsung currently hold a whopping two-thirds of the market. Qualcomm, which spent years strangling Wear OS, is just starting to claw back market share with releases like the W5 chipset. Of course, Samsung watches use Samsung chips, and so does the Pixel Watch, so the only places for Qualcomm watches are the Chinese brands with no other options: Xiaomi, Oppo, and OnePlus.
Streaming services like Netflix and Peacock have already found multiple ways to aggravate paying subscribers this week.
The streaming industry has been heating up. As media giants rush to establish a successful video streaming business, they often make platform changes that test subscribers’ patience and the value of streaming.
Below is a look at the most exasperating news from streaming services this week. The length of this article shows how fast and frequently disappointing streaming news arises. Coincidentally, as we wrote this article, another price hike was announced.
We’ll also examine each streaming platform’s financial status to get an idea of what these companies are thinking (spoiler: They’re thinking about money).
Peacock’s raising prices
For the second time in the past year, NBCUniversal is bumping the price of Peacock, per The Hollywood Reporter (THR) on Monday.
As of July 18, if you try to sign up for Peacock Premium (which has ads), it’ll cost $7.99 per month, up from $5.99/month today. Premium Plus (which doesn’t have ads) will go up from $11.99/month to $13.99/month. Annual subscription pricing for the ad plan is increasing 33.3 percent from $59.99 to $79.99, and the ad-free annual plan’s price will rise 16.7 percent from $119.99/year to $139.99/year.
Those already subscribed to Peacock won’t see the changes until August 17, six days after the closing ceremony of the 2024 Summer Olympics, which will stream on Peacock.
The pricing changes will begin eight days before the Olympics’ opening ceremony. That means that in the days leading up to the sporting event, signing up for Peacock will cost more than ever. That said, there’s still time to sign up for Peacock at its current pricing.
As noted by THR, the changes come as NBCUniversal may feel more confident about its streaming service, which now includes big-ticket items like exclusive NFL games and Oppenheimer (which Peacock streamed exclusively for a time), in addition to new features for the Olympics, like multiview.
Some outspoken subscribers, though, aren’t placated.
“Just when I was starting to like the service,” Reddit user MarkB1997 said in response to the news. “I’ll echo what everyone has been saying for a while now, but these services are pricing themselves out of the market.”
Peacock subscribers already experienced a price increase on August 17, 2023. At the time, Peacock’s Premium pricing went from $4.99/month to $5.99/month, and the Premium Plus tier from $9.99/month to $11.99/month.
Peacock’s pockets
Peacock’s price bumps appear to be a way for the younger streaming service to inch closer to profitability amid a major, quadrennial, global event.
NBCUniversal parent company Comcast released its Q1 2024 earnings report last week, showing that Peacock, which launched in July 2020, remains unprofitable. For the quarter, Peacock lost $639 million, compared to $825 million in Q4 2023 and $704 million in Q1 2023. Losses were largely attributed to higher programming costs.
Peacock’s paid subscriber count is lower than some of its rivals. The platform ended the quarter with 34 million paid users, up from 31 million at the end of 2023. Revenue also rose, with the platform pulling in $1.1 billion, representing a 54 percent boost compared to the prior year.
Sony bumps Crunchyroll prices weeks after shuttering Funimation
Today, Sony’s anime streaming service Crunchyroll announced that it’s increasing subscription prices as follows:
The Mega Fan Tier, which allows streaming on up to four devices simultaneously, will go from $9.99/month to $11.99/month
The Ultimate Fan Tier, which allows streaming on up to six devices simultaneously, will go from $14.99/month to $15.99/month
Crunchyroll’s cheapest plan ($7.99/month) remains unchanged. None of Crunchyroll’s subscription plans have ads. Crunchyroll’s also adding discounts to its store for each subscription tier, but this is no solace for those who don’t shop there on a monthly basis or at all.
The news of higher prices comes about a month after Sony shuttered Funimation, an anime streaming service it acquired in 2017. After Sony bought Crunchyroll in 2021, Funimation became somewhat redundant. And now that Sony has converted all remaining Funimation accounts into Crunchyroll accounts (while deleting Funimation digital libraries), it’s forcing many customers to pay more to watch their favorite anime.
A user going by BioMountain on Crunchyroll said the news is “not great,” since they weren’t “a big fan of having to switch from Funimation to begin with, especially since that app was so much better” than Crunchyroll.
Interestingly, when Anime News Network asked on February 29 whether Crunchyroll would see prices rise over the next two years, the company told the publication that predicting a price change for that time frame would be improbable.
Crunching numbers
Crunchyroll had 5 million paid subscribers in 2021 but touted over 13 million in January (plus over 89 million unpaid users, per Bloomberg). Crunchyroll president Rahul Purini has said that Crunchyroll is profitable but hasn’t said by how much.
In 2023, Goldman Sachs estimated that Crunchyroll would represent 36 percent of Sony Pictures Entertainment’s profit by 2028, compared to about 1 percent in March.
However, Purini has shown interest in growing the company further and noted to Variety in February an increase in “general entertainment” companies getting into anime.
Still, anime remains a more niche entertainment category, and Crunchyroll is more specialized than some other streaming platforms. With Sony making it so that anime fans have one less streaming service option and jacking up the prices for one of the limited options, it’s showing that it wants as much of the $20 billion anime market as possible.
Crunchyroll claimed today that its pricing changes are tied to “investment in more anime, additional services like music and games, and additional subscriber benefits.”
If you haven’t heard of the Rabbit R1, this is yet another “AI box” that is trying to replace your smartphone with a voice command device that runs zero apps. Just like the Humane AI Pin, this thing recently launched and seems to be dead on arrival as a completely non-viable device that doesn’t solve any real problems, has terrible battery life, and is missing big chunks of core functionality. Before the device fades into obscurity, though, Android Authority’s Mishaal Rahman looked at the software and found the “smartphone replacement” device just runs a smartphone OS. It’s Android—both an Android OS and Android app, just in a very limited $200 box.
OK, technically, we can’t call it “Android” since that’s a Google trademark that you can only access after licensing Google Play. It runs AOSP (the Android Open Source Project codebase), which is the open source bits of Android without any proprietary Google code. The interface—which is mostly just a clock, settings screen, and voice input—is also just an Android app. Being a normal Android app means you can install it on an Android phone, and Rahman was able to get the Rabbit R1 software running on a Pixel 6. He even got the AI assistant to answer questions on the phone.
Rabbit Inc. does not sound happy about Rahman’s discovery. The company posted on X that it is “aware there are some unofficial rabbit OS app/website emulators out there” and that since it does not want to support “third-party clients,” a “local bootleg APK without the proper OS and Cloud endpoints won’t be able to access our service.” The company describes its device as a “very bespoke AOSP and lower level firmware modifications,” but that’s a statement that would be true for many phones. In another statement to Rahman, the company threatens that it will “reserve all rights for any malicious and illegal cyber security activities towards our services.”
It’s unclear why the company seems to be so mad about the details of its tech stack being public, but from a technical standpoint, Rabbit Inc. is right to use Android, or specifically as much of AOSP as it can. Forget about all the Google Play stuff—if you have something that needs to connect a mobile network, manage charge states, light up a touchscreen, work hardware inputs and a camera, and use an SoC in a power-efficient way, AOSP already does all of this for you. It’s open source and can be used without any connections, obligations, or tracking from Google. You’d need to have a very good reason to spend a bunch of time and money reinventing all of this code when AOSP is free, works well, and is the de facto industry standard to run mobile components. This line of thinking aligns with Google’s master plan to make Android open source, and it ultimately makes sense.
The next question for a hardware developer is, “Should we use the app framework?” and that’s another thing that is hard to argue with re-inventing. The Android app framework will solve a million problems you probably already need to solve, let you define screens and navigation, handle inputs and settings, and countless other features. The next part of Android’s strategy is “Why not also sign up for Google Play and sign on the dotted line with Google, Inc?” This comes with a lot of cloud stuff like push notifications, online storage, millions of smartphone apps, all the proprietary Google code and tracking, and many restrictions and qualifications. A big chunk of those restrictions are around app compatibility, and that makes Google Play non-viable for a weird in-betweener device like the Rabbit R1. If you can’t smoothly slot into one of the categories of “smartwatch,” “smartphone,” “tablet,” “TV,” or “car” app, Google Play doesn’t have a place for you.
The Rabbit devs didn’t want to make a normal device with a million smartphone apps, so skipping Google Play was the right choice. Since you can only use the name “Android”—a registered Google trademark—in marketing if you sign up with Google Play, the company can’t exactly shout from the rooftops about what codebase it’s using. Rabbit’s opening sales pitch that it wants to “break away from the app-based operating system currently used by smartphones” feels a bit disingenuous when it’s using the exact operating system it’s hinting at, but from a technical standpoint, these feel like all the right decisions.
For the record, the Humane AI Pin also ran AOSP. The free and open source nature of AOSP makes it the obvious choice for mobile hardware that’s smaller than a laptop, VR headsets, digital signage, and a million other things that don’t need the expense or app compatibility of Windows. Nowadays, I just assume any new device from a startup is AOSP-based unless proven otherwise.
A photo of the Cheyenne supercomputer, which is now up for auction.
On Tuesday, the US General Services Administration began an auction for the decommissioned Cheyenne supercomputer, located in Cheyenne, Wyoming. The 5.34-petaflop supercomputer ranked as the 20th most powerful in the world at the time of its installation in 2016. Bidding started at $2,500, but its price is currently $27,643 with the reserve not yet met.
The supercomputer, which officially operated between January 12, 2017, and December 31, 2023, at the NCAR-Wyoming Supercomputing Center, was a powerful (and once considered energy-efficient) system that significantly advanced atmospheric and Earth system sciences research.
“In its lifetime, Cheyenne delivered over 7 billion core-hours, served over 4,400 users, and supported nearly 1,300 NSF awards,” writes the University Corporation for Atmospheric Research (UCAR) on its official Cheyenne information page. “It played a key role in education, supporting more than 80 university courses and training events. Nearly 1,000 projects were awarded for early-career graduate students and postdocs. Perhaps most tellingly, Cheyenne-powered research generated over 4,500 peer-review publications, dissertations and theses, and other works.”
UCAR says that Cheyenne was originally slated to be replaced after five years, but the COVID-19 pandemic severely disrupted supply chains, and it clocked in two extra years in its tour of duty. The auction page says that Cheyenne recently experienced maintenance limitations due to faulty quick disconnects in its cooling system. As a result, approximately 1 percent of the compute nodes have failed, primarily due to ECC errors in the DIMMs. Given the expense and downtime associated with repairs, the decision was made to auction off the components.
A photo gallery of the Cheyenne supercomputer up for auction.
With a peak performance of 5,340 teraflops (4,788 Linpack teraflops), this SGI ICE XA system was capable of performing over 3 billion calculations per second for every watt of energy consumed, making it three times more energy-efficient than its predecessor, Yellowstone. The system featured 4,032 dual-socket nodes, each with two 18-core, 2.3-GHz Intel Xeon E5-2697v4 processors, for a total of 145,152 CPU cores. It also included 313 terabytes of memory and 40 petabytes of storage. The entire system in operation consumed about 1.7 megawatts of power.
Just to compare, the world’s top-rated supercomputer at the moment—Frontier at Oak Ridge National Labs in Tennessee—features a theoretical peak performance of 1,679.82 petaflops, includes 8,699,904 CPU cores, and uses 22.7 megawatts of power.
The GSA notes that potential buyers of Cheyenne should be aware that professional movers with appropriate equipment will be required to handle the heavy racks and components. The auction includes seven E-Cell pairs (14 total), each with a cooling distribution unit (CDU). Each E-Cell weighs approximately 1,500 lbs. Additionally, the auction features two air-cooled Cheyenne Management Racks, each weighing 2,500 lbs, that contain servers, switches, and power units.
As of this writing, 12 potential buyers have bid on this computing monster so far. The auction closes on May 5 at 6:11 pm Central Time if you’re interested in bidding. But don’t get too excited by photos of the extensive cabling: As the auction site notes, “fiber optic and CAT5/6 cabling are excluded from the resale package.”
Be careful with the buckets you put out there for anybody to fill. Credit: Getty Images
If you’re using Amazon Web Services and your S3 storage bucket can be reached from the open web, you’d do well not to pick a generic name for that space. Avoid “example,” skip “change_me,” don’t even go with “foo” or “bar.” Someone else with the same “change this later” thinking can cost you a MacBook’s worth of cash.
Ask Maciej Pocwierz, who just happened to pick an S3 name that “one of the popular open-source tools” used for its default backup configuration. After setting up the bucket for a client project, he checked his billing page and found nearly 100 million unauthorized attempts to create new files on his bucket (PUT requests) within one day. The bill was over $1,300 and counting.
“All this actually happened just a few days after I ensured my client that the price for AWS services will be negligible, like $20 at most for the entire month,” Pocwierz wrote over chat. “I explained the situation is very unusual but it definitely looked as if I didn’t know what I’m doing.”
Pocwierz declined to name the open source tool that inadvertently bum-rushed his S3 account. In a Medium post about the matter, he noted a different problem with an unlucky default backup. After turning on public writes, he watched as he collected more than 10GB of data in less than 30 seconds. Other people’s data, that is, and they had no idea that Pocwierz was collecting it.
Some of that data came from companies with customers, which is part of why Pocwierz is keeping the specifics under wraps. He wrote to Ars that he contacted some of the companies that either tried or successfully backed up their data to his bucket, and “they completely ignored me.” “So now instead of having this fixed, their data is still at risk,” Pocwierz writes. “My lesson is if I ever run a company, I will definitely have a bug bounty program, and I will treat such warnings seriously.”
As for Pocwierz’s accounts, both S3 and bank, it mostly ended well. An AWS representative reached out on LinkedIn and canceled his bill, he said, and he was told that anybody can request refunds for excessive unauthorized requests. “But they didn’t explicitly say that they will necessarily approve it,” he wrote. He noted in his Medium post that AWS “emphasized that this was done as an exception.”
In response to Pocwierz’s story, Jeff Barr, chief evangelist for AWS at Amazon, tweeted that “We agree that customers should not have to pay for unauthorized requests that they did not initiate.” Barr added that Amazon would have more to share on how the company could prevent them “shortly.” AWS has a brief explainer and contact page on unexpected AWS charges.
The open source tool did change its default configuration after Pocwierz contacted its maintainers. Pocwierz suggested to AWS that it should restrict anyone else from creating a bucket name like his, but he had yet to hear back about it. He suggests in his blog post that, rather than relying on luck, adding a random suffix to your bucket name and explicitly specifying your AWS region can help avoid massive charges like the one he narrowly dodged.
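The two mitigations the post recommends, a non-guessable bucket name and an explicitly stated region, plus a check that a chosen name is not one of the placeholder defaults that tools ship with, as an added example that is not from the post or from AWS. The list of placeholder names is constructed, and the validation covers the general-purpose S3 naming rules (the page only names a few bad examples); the CLI arguments are returned rather than executed so the helpers can be checked offline.

```python
import re
import secrets

# Constructed list of placeholder names that tools and tutorials tend to ship as
# defaults. A reachable bucket with one of these names receives other people's
# requests (and, if writes are open, their data), and every request is billed
# to the bucket owner, as happened in the story above.
GENERIC_NAMES = {"example", "change_me", "change-me", "changeme", "foo", "bar",
                 "backup", "backups", "test", "bucket", "my-bucket", "mybucket"}

# General-purpose bucket naming rules: 3-63 characters, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit, no "..", and not
# formatted like an IPv4 address.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_valid_s3_name(name: str) -> bool:
    """True if the name satisfies the S3 bucket naming rules listed above."""
    return bool(_NAME_RE.match(name)) and ".." not in name and not _IPV4_RE.match(name)


def looks_like_default(name: str) -> bool:
    """True for a placeholder name or a placeholder with a numeric suffix (backup2, test-01)."""
    lowered = name.lower()
    stem = re.sub(r"[-_.]?\d+$", "", lowered)
    return lowered in GENERIC_NAMES or stem in GENERIC_NAMES


def unique_bucket_name(prefix: str, nbytes: int = 8) -> str:
    """Project-specific prefix plus a CSPRNG hex suffix, so the name cannot collide
    with any tool's default configuration (8 bytes -> 16 hex characters, 64 bits)."""
    base = prefix.strip().lower().replace("_", "-")
    if looks_like_default(base):
        raise ValueError(f"{prefix!r} is a well-known placeholder; use a project-specific prefix")
    name = f"{base}-{secrets.token_hex(nbytes)}"
    if not is_valid_s3_name(name):
        raise ValueError(f"{name!r} breaks the S3 naming rules (check length and characters)")
    return name


def create_bucket_argv(bucket: str, region: str) -> list:
    """AWS CLI invocation that states the region explicitly, as the post recommends.
    us-east-1 is the one region that must not be given a LocationConstraint."""
    argv = ["aws", "s3api", "create-bucket", "--bucket", bucket, "--region", region]
    if region != "us-east-1":
        argv += ["--create-bucket-configuration", f"LocationConstraint={region}"]
    return argv


def block_public_access_argv(bucket: str) -> list:
    """AWS CLI invocation that keeps all four Block Public Access settings on, so the
    bucket never silently becomes a drop box for strangers' backups."""
    settings = ",".join(f"{k}=true" for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                               "BlockPublicPolicy", "RestrictPublicBuckets"))
    return ["aws", "s3api", "put-public-access-block", "--bucket", bucket,
            "--public-access-block-configuration", settings]


if __name__ == "__main__":
    bucket = unique_bucket_name("acme-client-backups")
    print(" ".join(create_bucket_argv(bucket, "eu-central-1")))
    print(" ".join(block_public_access_argv(bucket)))
```

Note that a bucket policy or Block Public Access setting does not stop the requests from arriving and being counted; only the name keeps them away in the first place.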
An iPhone in Standby mode, charging wirelessly on a desk. Credit: Apple
If your iPhone’s alarm hasn’t woken you lately, it seems you’re not alone: Apple has confirmed to Today that a software bug is to blame, following user complaints on TikTok and other social platforms.
Apple is “aware of an issue causing some iPhone alarms to not play the expected sound,” according to the report and “is working on a fix.” The company’s official statement didn’t go into more detail on what caused the bug or why it seems to affect some users but not others.
These sorts of bugs usually relate to some kind of time change; one circa 2010 iOS alarm bug was caused by Daylight Saving Time, and another cropped up in 2011 when alarms suddenly stopped working for the first two days of the year (for whatever reason, they began working properly again on January 3 without any kind of software update). Daylight Saving Time in 2024 kicked in all the way back in mid-March, so it’s hard to say whether the problem is related to the change this time around.
If you aren’t affected by the bug—my alarms have been working fine—you can still keep this bug in your pocket for when you’re late for something for another reason.
Roku CEO Anthony Wood disclosed plans to introduce video ads to the Roku OS home screen. The news highlights Roku’s growing focus on advertising and an alarming trend in the streaming industry that sees ads increasingly forced on viewers.
As spotted by The Streamable, during Roku’s Q1 2024 earnings call last week, Wood, also the company’s founder and chairman, boasted about the Roku OS home screen showing users ads “before they select an app,” avoiding the possibility that they don’t see any ads during their TV-viewing session. (The user might only use Roku to access a video streaming app for which they have an ad-free subscription.)
Wood also noted future plans to make the Roku home screen even more ad-laden:
On the home screen today, there’s the premier video app we call the marquee ad and that ad traditionally has been a static ad. We’re going to add video to that ad. So that’ll be the first video ad that we add to the home screen. That will be a big change for us.
Wood’s comments didn’t address the expected impact on the Roku user experience or whether the company thinks this might turn people off its platform. In December, Amazon made a similar move by adding autoplay video ads to the home screen of the Fire OS (which third-party TVs and Amazon-branded Fire TV sets and streaming devices use). Fire OS users who disable the ads’ autoplay function will still see ads as “a full-screen slide show of image ads,” per AFTVnews. Some users viewed the introduction as an intrusive step that went too far, and Roku may hear the same feedback.
During Roku’s earnings call, Wood also said the company is testing “other types of video ad units” and is looking for more ways to bring advertising to the Roku OS home screen.
This comes after recent efforts to expand ad presence on Roku OS, including through new FAST (free ad-supported streaming TV) channels and by putting content recommendations on the home screen for the first time, per Wood, who said the personalized content row “will be, obviously, AI-driven recommendations.”
“There’s lots of ways we’re working on enhancing the home screen to make it more valuable to viewers but also increase the monetization on the home screen,” he said.
Roku’s revenue rise
Roku saw its average revenue per user (ARPU) drop from $41.03 in Q3 of its 2023 financial year to $39.92 in Q4 2023 (in Q4 2022, the company reported an ARPU of $41.68). Last week, Roku reported that ARPU, a key metric for the streaming industry these days, rose to $40.65 in Q1 2024. Meanwhile, Roku’s active account count rose by 1.6 million users from the prior quarter to 81.6 million.
“Roku has a direct relationship with more than 81 million Streaming Households, and we are deepening relationships with third-party platforms, including [demand side platforms], retail media networks, and measurement partners. Our business remains well positioned to capture the billions of dollars in traditional TV ad budgets that will shift to streaming,” an April 25 letter to shareholders [PDF] authored by Wood and Roku CFO Dan Jedda reads.
Like many streaming companies, Roku has found that a shift toward ads brings higher revenue potential along with user discontent. In its Q1 2024 results, Roku reported that revenue for its Devices business reached $126.5 million, compared to $754.9 million for its Platform business, which drives most of its revenue through ad sales, representing a 19 percent year-over-year (YoY) increase. Overall, revenue rose 19 percent YoY to $882 million, and Roku’s gross profit grew 15 percent YoY to $388 million.
But growing revenue doesn’t equate to an improved user experience. For example, an Accenture survey of 6,000 “global consumers” noted by The Streamable found that 52.2 percent of participants thought that streaming platform-recommended content “did not match their interests.” Similarly, an October TiVo survey of 4,500 viewers in the US and Canada ranked “streaming apps / home screen / carousel ads” as the fourth most popular method of content discovery, after word of mouth, commercials aired during other shows, and social media. While Roku is a budget brand associated with more affordable TVs and streaming devices, excessive ads could make people reconsider the true price of these savings.
Despite people’s ad aversion, Roku intends to find more ways to drive advertising opportunities. Among those ideas being explored is the ability to show ads over anything plugged into the TV.
Starting in March with the release of iOS 17.4, iPhones in the European Union have been subject to the EU’s Digital Markets Act (DMA), a batch of regulations that (among other things) forced Apple to support alternate app stores, app sideloading, and third-party browser engines in iOS for the first time. Today, EU regulators announced that they are also categorizing Apple’s iPadOS as a “gatekeeper,” meaning that the iPad will soon be subject to the same regulations as the iPhone.
The EU began investigating whether iPadOS would qualify as a gatekeeper in September 2023, the same day it decided that iOS, the Safari browser, and the App Store were all gatekeepers.
“Apple now has six months to ensure full compliance of iPadOS with the DMA obligations,” reads the EU’s blog post about the change.
Apple technically split the iPad’s operating system from the iPhone’s in 2019 when it began calling its tablet operating system “iPadOS” instead of iOS. But practically speaking, little separates the two operating systems under the hood. Both iOS and iPadOS share the same software build numbers, they’re updated in lockstep (with rare exceptions), and most importantly for DMA compliance purposes, they pull software from the same locked-down App Store with the same Apple-imposed restrictions in place.
Apps distributed through alternate app stores or third-party websites will have to abide by many of Apple’s rules and will still generally be limited to using Apple’s public APIs. However, the ability to use alternate app stores and browser engines on the iPad’s large screen (and the desktop-class M-series chips) could make the tablets better laptop replacements by allowing them to do more of the things that Mac users can do on their systems.
Though Apple has made multiple changes to iOS in the EU to comply with the DMA, EU regulators are already investigating Apple (as well as Google and Meta) for “non-compliance.” Depending on the results of that investigation, the EU may require Apple to make more changes to the way it allows third-party apps to be installed in iOS and to the way that third-party developers are allowed to advertise non-Apple app store and payment options. Any changes that Apple makes to iOS to comply with the investigation’s findings will presumably trickle down to the iPad as well.
Of course, none of this directly affects US-based iPhone or iPad users, whose devices remain restricted to Apple’s app stores and the WebKit browsing engine. That said, we have seen some recent App Store rule changes that have arguably trickled down from Apple’s attempts to comply with the DMA, most notably policy changes that have allowed (some, not all) retro game console emulators into the App Store for the first time.
If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all.
A new version of the 2022 Product Security and Telecommunications Infrastructure Act (PSTI) is now in effect, covering just about everything that a consumer can buy that connects to the web. Under the guidelines, even the tiniest Wi-Fi board must either have a randomized password or else generate a password upon initialization (through a smartphone app or other means). This password can’t be incremental (“password1,” “password54”), and it can’t be “related in an obvious way to public information,” such as MAC addresses or Wi-Fi network names. A device should be sufficiently strong against brute-force access attacks, including credential stuffing, and should have a “simple mechanism” for changing the password.
There’s more, and it’s just as head-noddingly obvious. Software components, where reasonable, “should be securely updateable,” should actually check for updates, and should update either automatically or in a way “simple for the user to apply.” Perhaps most importantly, device owners can report security issues and expect to hear back about how that report is being handled.
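The password requirements described above, turned into a provisioning-time check a manufacturer could run before a firmware image ships, as an added example that is not from the Act or from any regulator’s tooling. The list of common defaults, the 60-bit entropy floor and the label-friendly character set are assumptions of this example; the Act itself gives no such numbers.

```python
import math
import re
import secrets
import string

# Constructed list of universal defaults a manufacturer might be tempted to ship.
# The rules forbid these outright, and also their incremental variants ("password54").
COMMON_DEFAULTS = {"password", "admin", "default", "letmein", "12345678", "changeme"}

# Character set for per-device passwords (assumption): letters and digits minus the
# ones that are ambiguous when printed on a device label (0/O, 1/l/I).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0OIl1")


def _normalize(s: str) -> str:
    """Lower-case and drop separators, so '00:11:22:33:44:55' and '001122334455' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def estimate_bits(password: str) -> float:
    """Crude upper bound on entropy: log2(size of the character classes present) per character.
    Good enough to reject short or single-class defaults; not a substitute for a real policy."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def check_default_password(password: str, mac: str = "", ssid: str = "",
                           min_bits: float = 60.0) -> list:
    """Return a list of findings against the rules the article lists; empty means acceptable."""
    findings = []
    norm = _normalize(password)
    # Rule 1: no universal default and no incremental variant of one (trailing digits stripped).
    stem = re.sub(r"\d+$", "", norm)
    if norm in COMMON_DEFAULTS or stem in COMMON_DEFAULTS:
        findings.append("universal default or incremental variant of one")
    # Rule 2: not obviously related to public information such as the MAC address or SSID.
    mac_norm = _normalize(mac)
    if mac_norm and (mac_norm in norm or (len(mac_norm) >= 6 and mac_norm[-6:] in norm)):
        findings.append("contains the device MAC address (or its last three octets)")
    ssid_norm = _normalize(ssid)
    if len(ssid_norm) >= 4 and ssid_norm in norm:
        findings.append("contains the Wi-Fi network name")
    # Rule 3: enough entropy to resist brute-force and credential-stuffing attempts.
    if estimate_bits(password) < min_bits:
        findings.append(f"estimated entropy below {min_bits:.0f} bits")
    return findings


def generate_device_password(length: int = 14) -> str:
    """Per-device password from a CSPRNG, never derived from the serial, MAC or SSID."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_fleet(serials) -> dict:
    """Assign an independent random password to each serial number in a production batch."""
    creds = {serial: generate_device_password() for serial in serials}
    if len(set(creds.values())) != len(creds):
        raise RuntimeError("password collision in batch; regenerate")
    return creds


if __name__ == "__main__":
    mac, ssid = "00:11:22:33:44:55", "HomeNet"  # constructed sample device identity
    for candidate in ("password54", "HomeNet-2024-Setup!x", generate_device_password()):
        print(candidate, "->", check_default_password(candidate, mac, ssid) or "ok")
```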
Violations of the new device laws can result in fines up to 10 million pounds (roughly $12.5 million) or 4 percent of related worldwide revenue, whichever is higher.
Besides giving consumers better devices, these regulations are aimed squarely at malware like Mirai, which can conscript devices like routers, cable modems, and DVRs into armies capable of performing distributed denial-of-service attacks (DDoS) on various targets.
As noted by The Record, the European Union’s Cyber Resilience Act has been shaped but not yet passed and enforced, and even if it does pass, it would not take effect until 2027. In the US, there is the Cyber Trust Mark, which would at least give customers the choice of buying decently secured or genially abandoned devices. But the particulars of that label are under debate and seemingly a ways from implementation. At the federal level, a 2020 bill tasked the National Institute of Standards and Technology with applying related standards to connected devices deployed by the feds.
AI is here to terminate your bank account. Credit: Carolco Pictures
Give the AI access to your credit card, they said. It’ll be fine, they said. Users of Meta’s ad platform who followed that advice have been getting burned by an AI-powered ad purchasing system, according to The Verge. The idea was to use a Meta-developed AI to automatically set up ads and spend your ad budget, saving you the hassle of making decisions about your ad campaign. Apparently, the AI funnels money to Meta a little too well: Customers say it burns through what should be daily ad budgets in a matter of hours, and costs are inflated as much as 10-fold.
The AI-powered software in question is the “Advantage+ Shopping Campaign.” The system is supposed to automate a lot of ad setup for you, mixing and matching various creative elements and audience targets. The power of AI-powered advertising (Google has a similar product) is that the ad platform can get instant feedback on its generated ads via click-through rates. You give it a few guard rails, and it can try hundreds or thousands of combinations to find the most clickable ad at a speed and efficiency no human could match. That’s the theory, anyway.
The Verge spoke to “several marketers and businesses” with similar stories of being hit by an AI-powered spending spree once they let Meta’s system take over a campaign. The description of one account says the AI “had blown through roughly 75 percent of the daily ad budgets for both clients in under a couple of hours” and that “the ads’ CPMs, or cost per impressions, were roughly 10 times higher than normal.” Meanwhile, the revenue earned from those AI-powered ads was “nearly zero.” The report says, “Small businesses have seen their ad dollars get wiped out and wasted as a result, and some have said the bouts of overspending are driving them from Meta’s platforms.”
Meta’s Advantage+ sales pitch promises to “Use machine learning to identify and aim for your highest value customers across all of Meta’s family of apps and services, with minimal input.” The service can “Automatically test up to 150 creative combinations and deliver the highest performing ads.” Meta promises that “on average, companies have seen a 17 percent reduction in cost per action [an action is typically a purchase, registration, or sign-up] and a 32 percent increase in return on ad spend.”
In response to the complaints, a Meta spokesperson told The Verge the company had fixed “a few technical issues” and that “Our ads system is working as expected for the vast majority of advertisers. We recently fixed a few technical issues and are researching a small amount of additional reports from advertisers to ensure the best possible results for businesses using our apps.” The Verge got that statement a few weeks ago, though, and advertisers are still having issues. The report describes the service as “unpredictable” and says what “other marketers thought was a one-time glitch by Advantage Plus ended up becoming a recurring incident for weeks.”
To make matters worse, layoffs in Meta’s customer service department mean it’s been difficult to get someone at Meta to deal with the AI’s spending sprees. Some accounts report receiving refunds after complaining, but it can take several tries to get someone at customer service to deal with you and upward of a month to receive a refund. Some customers quoted in the report have decided to return to the pre-AI, non-automated way of setting up a Meta ad campaign, which can take “an extra 10 to 20 minutes.”
Google says it has patched a nasty loophole in the Android TV account security system, which would give an attacker with physical access to your device access to your entire Google account just by sideloading some apps. As 404 Media reports, the issue was originally brought to Google’s attention by US Sen. Ron Wyden (D-Ore.) as part of a “review of the privacy practices of streaming TV technology providers.” Google originally told the senator that the issue was expected behavior but, after media coverage, decided to change its stance and issue some kind of patch.
“My office is mid-way through a review of the privacy practices of streaming TV technology providers,” Wyden told 404 Media. “As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set-top box, a criminal could get access to private emails of the Gmail user who set up the TV.”
The video in question was a PSA from YouTuber Cameron Gray, and it shows that grabbing any Android TV device and sideloading a few apps will grant access to the current Google account. This is obvious if you know how Android works, but it’s not obvious to most users looking at a limited TV interface.
The heart of the issue is how Android treats your Google account. Since the OS started on phones, every Android device starts with the assumption that it is a private, one-person device. Google has built on top of that feature with multiuser support and guest accounts, but these aren’t part of the default setup flow, can be hard to find, and are probably disabled on many Android TV boxes. The result is that signing in to an Android TV device often gives it access to your entire Google account.
Android has a centralized Google account system shared by a million Google-centric background and syncing processes, the Play Store, and nearly all Google apps. When you boot an Android device for the first time, the guided setup asks for a Google account, which is expected to live on the device forever as the owner’s primary account. Any new Google app you add to your device automatically gets access to this central Google account repository, so if you set up the phone and then install Google Keep, Keep automatically gets signed in and gains access to your notes. During the initial setup, where you might install 10 different apps that use a Google account, it would be annoying to enter your username and password over and over again.
This centralized account system is hungry for Google accounts, so any Google account you use to sign in to any Google app gets sucked into the central account system, even if you decline the initial setup. A common annoyance is to have a Google Workspace account at work, then sign into Gmail for work email and then have to deal with this useless work account showing up in the Play Store, Maps, Photos, etc.
For TVs, this presents a unique gotcha because, while you will still be forced to log in to download something from the Play Store, it’s not obvious to the user that you’re granting this device access to your entire Google account—including to potentially sensitive things like location history, emails, and messages. To the average user, a TV device just shows “TV stuff” like your YouTube recommendations and a few TV-specific Play Store apps, so you might not consider it to be a high-sensitivity sign-in. But if you just sideload a few more Google apps, you can get access to anything. Further confusing matters is Google’s OAuth strategy, which teaches users that there are things like scoped access to a Google account on third-party devices or sites, but Android does not work that way.
In the video, Gray simply grabs an Android TV device, goes to a third-party Android app site, then sideloads Chrome. Chrome automatically signs in to the TV owner’s Google account and has access to all passwords and cookies, which means access to Gmail, Photos, Chat history, Drive files, YouTube accounts, AdSense, any site that allows for Google sign-in, and partial credit card info. It’s all available in Chrome without any security checks. Individual apps like Gmail and Google Photos would immediately start working, too.
As Gray’s video points out, Android TV devices can be dongles, set-top boxes, or code installed right into a TV. In businesses and hotels, they can be semi-public devices. It’s also not hard to imagine a TV device falling into the hands of someone else. You might not worry too much about forgetting a $30 Chromecast in a hotel room, or you might sign in to a hotel TV and forget to delete your account, or you might throw out a TV and not think twice about what account it’s signed in to. If an attacker gets access to any of these devices later, it’s trivial to unlock your entire Google account.
Google says it has fixed this problem, though it doesn’t explain how. The company’s statement to 404 says, “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of the devices. As a best security practice, we always advise users to update their devices to the latest software.”
Many Android TV devices, especially those built into TV sets, are abandonware and run an old version of the software, but Google’s account system is updatable via the Play Store, so there’s a good chance a fix can roll out to most devices.