This week’s security news: Oh bad, Kohler toilet cameras aren’t actually encrypted


An artificial intelligence image startup left its database unsecured, exposing more than a million images and videos its users had created — the vast majority of which featured nudes and even nude images of children. A US inspector general’s report released its official determination that Defense Secretary Pete Hegseth put military personnel at risk through his negligence in the SignalGate scandal, but recommended only a compliance review and consideration of the new regulations. Cloudflare CEO Matthew Prince told WIRED on stage at our Big Interview event in San Francisco this week that his company has blocked more than 400 billion AI bot requests for its customers since July 1st.

A new New York law requires retailers to disclose if personal data collected about you results in algorithmic changes to their prices. And we’ve introduced a new mobile carrier that aims to offer the closest thing possible to truly anonymous phone service — and whose founder, Nicholas Merrill, famously spent more than a decade in court fighting an FBI surveillance warrant targeting one of his Internet service provider customers.

Putting a camera-equipped digital device in your toilet that uploads an analysis of your actual bodily waste to a company is such a bad idea that it was the subject of a parody commercial 11 years ago. In 2025, it’s a real product—and one whose privacy problems, despite the marketing copy of the company behind it, have become exactly as bad as any normal human might imagine.

Security researcher Simon Fondrie-Teitler published a blog post this week showing that Dekoda, a camera-equipped smart toilet device sold by Kohler, does not actually use “end-to-end encryption” as it claims. This term usually means that the data is encrypted in such a way that only the user devices at either end of the conversation can decipher the information contained in it, not the server that sits between them and hosts the encrypted communication. But Fondrie-Teitler found that Dekoda only encrypts its data from the device to the server. In other words, according to the company’s definition of end-to-end encryption, one end is essentially — excuse us — your back end, and the other end is Kohler’s backend, where the images are “decoded and processed to provide our services,” as the company wrote in a statement to Fondrie-Teitler.

In response to his post pointing out that this is generally not what end-to-end encryption means, Kohler has removed all instances of that term from its description of Dekoda.

The cyber espionage campaign known as Salt Typhoon is one of the largest counterintelligence failures in modern US history. Chinese government-sponsored hackers penetrated virtually all US telecoms and accessed real-time calls and text messages of Americans, including presidential and vice presidential candidates Donald Trump and JD Vance. But according to a report from the Financial Times, the US government has declined to impose sanctions against China in response to this hacking amid the White House’s efforts to reach a trade agreement with the Chinese government. The decision has led to criticism that the administration is backing away from key national security initiatives in an effort to meet Trump’s economic goals. But it’s worth noting that imposing sanctions in response to espionage has always been a controversial move, given that the U.S. no doubt does a lot of espionage hacking around the world.

As 2025 draws to a close, the country’s lead cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA), still has no director. And the nominee for the position, once considered a front-runner, now faces hurdles in Congress that may have permanently dampened his chances of running the agency. According to CyberScoop, Sean Plankey’s name was removed from Thursday’s Senate vote on the nominating committee, indicating that his nomination may be “over.” Plankey’s nomination has faced a variety of opposition from senators on both sides of the aisle with a wide mix of demands: Florida Republican Sen. Rick Scott put a hold on his nomination because of the Department of Homeland Security’s (DHS) termination of a Coast Guard contract with a company in his state, while North Carolina’s new senators held off on the nomination until senators opposed to North Carolina’s new administration objected. assigned to its own state. Meanwhile, Sen. Ron Wyden, a Democrat, has asked CISA to release a long-awaited report on telecommunications security, which has yet to be released, before his appointment.

A Chinese hacking campaign centered on the malware known as “Brickstorm” was first revealed in September, when Google warned that the secret spy tool had infected dozens of victim organizations since 2022. Now CISA, the National Security Agency and the Canadian Centre for Cyber Security have this week jointly added to Google’s warnings about how to identify the malware. They also warned that the hackers behind it appear to have a penchant not only for espionage targeting US infrastructure, but also for potentially destructive cyberattacks. Perhaps most alarming is a data point from Google that measures the average time until Brickstorm breaches are discovered on a victim’s network: 393 days.
