✨ Check out this awesome post from WIRED 📖
The startup Creator left its database unsecured, exposing more than a million images and videos created by its users – the “vast majority” of which depicted nudes and even nude images of children. A US inspector general report issued its formal determination that Defense Secretary Pete Hegseth put military personnel at risk through his negligence in the Signalgate scandal, but only recommended a compliance review and consideration of new regulations. Cloudflare CEO Matthew Prince told WIRED on stage at the Big Interview event in San Francisco this week that his company has blocked more than 400 billion requests from its customers’ AI bots since July 1.
A new New York law will require retailers to disclose whether personal data collected about you results in algorithmic changes to their prices. And we took a look at a new cellular company that aims to offer the closest thing possible to truly anonymous phone service — and its founder, Nicholas Merrill, who famously spent more than a decade in court fighting an FBI surveillance warrant that targeted one of his ISP’s customers.
Putting a camera-equipped digital device in your toilet that uploads an analysis of your actual bodily waste to a company is such a bad idea that 11 years ago, it was the subject of a satirical commercial. In the year 2025, this is a real product, and its privacy issues, despite the marketing claims of the company behind it, have turned out to be just as bad as any normal human being would imagine.
This week, security researcher Simon Fondrie-Teitler published a blog post revealing that the Dekoda, a camera-equipped smart device sold by Kohler, doesn’t actually use “end-to-end encryption” as it claims. This term usually means that data is encrypted so that only the user’s devices on “both ends” of a conversation can decrypt it, not the server that sits between them and hosts the encrypted communication. But Fondrie-Teitler found that the Dekoda only encrypts its data from device to server. In other words, according to the company’s definition of end-to-end encryption, one end is essentially — forgive us — your back end, and the other is Kohler’s backend, where “its output images are decoded and processed to provide our services,” the company wrote in a statement to Fondrie-Teitler.
In response to his letter indicating that this is generally not what end-to-end encryption means, Kohler has removed all examples of this term from its descriptions of the Dekoda.
The cyberespionage campaign known as Salt Typhoon represents one of the largest counterintelligence disasters in modern US history. Chinese state-sponsored hackers have infiltrated nearly every U.S. telecommunications company, gaining access to real-time calls and text messages of Americans, including presidential and vice presidential candidates Donald Trump and J.D. Vance. But according to the Financial Times, the US government has refused to impose sanctions on China in response to that hacking wave amid the White House’s efforts to reach a trade agreement with the Chinese government. The decision has led to criticism that the administration is rolling back key national security initiatives in an attempt to accommodate Trump’s economic goals. But it’s worth noting that imposing sanctions in response to espionage has always been a controversial move, given that the United States undoubtedly carries out a lot of espionage-oriented hacking operations around the world.
As 2025 draws to a close, the Cybersecurity and Infrastructure Security Agency (CISA), the nation’s leading cyber defense agency, remains without a director. A nominee for the position, once considered unlikely, now faces hurdles in Congress that may have weakened his chances of permanently running the agency. Sean Plankey’s name was left out of Thursday’s Senate Appointments Committee vote, suggesting his nomination may be “over,” according to CyberScoop. Plankey’s nomination faced opposition from senators on both sides of the aisle with a broad mix of demands: Florida Republican Senator Rick Scott put his nomination on hold due to DHS terminating the Coast Guard’s contract with a company in his state, while North Carolina GOP senators opposed any new DHS nominees until disaster relief funding was allocated to their state. Meanwhile, Democratic Senator Ron Wyden has demanded that CISA publish a long-awaited report on communications security, which has not yet been released, before his appointment.
A Chinese malware-centric hacking campaign known as “Brickstorm” first came to light in September, when Google warned that a hidden spy tool had been infecting dozens of victim organizations since 2022. Now CISA, the National Security Agency and the Canadian Centre for Cyber Security have added to Google’s warnings this week with an advisory on how to spot the malware. They also warned that the hackers behind it appear to be in a position not only to spy on US infrastructure, but also potentially to carry out devastating cyberattacks. Perhaps more alarming is a specific data point from Google, which measures the average time until Brickstorm breaches are detected in a victim’s network: 393 days.
🕒 Posted on 1765038144
