A roundup of cybersecurity stories that may have slipped under the radar this week, including a Big Tech coalition opposing Canada's proposed encryption legislation, Cisco's open AI security framework, and a collection of security issues in Audi's mobile application stack.
Big Tech Pushes Back Against Canada's Encryption Bill
Major technology companies have formally opposed Canada's proposed legislation that would mandate backdoors or weakened encryption in communications platforms. The bill, which critics argue echoes similar failed proposals in the UK and EU, drew a coordinated response from industry groups representing companies including Apple, Google, Meta, and Microsoft.
The coalition argued that any mandated encryption weakness creates vulnerabilities exploitable by malicious actors and hostile nation-states, not just by authorized law enforcement. Security researchers broadly agree that encryption cannot be selectively "opened" for only certain parties: whatever mechanism lets an authorized party in is a key or a flaw that an attacker can also obtain.
Privacy advocates noted Canada joins a growing list of Five Eyes nations pushing for legislative access to encrypted communications, a trend that security experts warn could fracture the global internet's security infrastructure if enacted.
Cisco Releases Free AI Security Specification
Cisco published an open AI Security Specification free for industry adoption, positioning it as a baseline framework for organizations deploying AI systems in security-sensitive environments. The spec covers:
- Model integrity verification — ensuring AI models have not been tampered with during distribution
- Inference input/output monitoring — detecting prompt injection and data exfiltration via model outputs
- Access control requirements — privilege separation between AI agents and underlying infrastructure
- Supply chain provenance — tracing model origins and training data lineage
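One concrete form of the first and last controls in that list is verifying a downloaded model directory against a per-file hash manifest published by the distributor. The following is an added example written for this page; it is not Cisco's code and does not reproduce the specification's text. It assumes (as an illustration, not something the article states) that the manifest maps relative paths to SHA-256 digests and reaches the verifier over a trusted channel; in practice the manifest itself would be signed (for example with Sigstore), and that signature check is outside this snippet.

```python
"""Added example (not Cisco's code): verify a model directory against a hash manifest.

Assumption (illustrative, not from the article): the distributor ships a manifest
{relative_path: sha256_hex} and the manifest arrives over a trusted, signed channel.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-gigabyte weight files are not loaded whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_model_dir(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return sorted integrity findings; an empty list means the directory matches.

    Three failure modes are reported separately because they mean different things:
    'modified'   a listed file hashes differently (tampered or corrupted weights)
    'missing'    a listed file is absent (truncated download, stripped tokenizer)
    'unexpected' a file on disk the distributor never listed, e.g. an injected
                 custom loader or an extra pickle that a naive "hash the listed
                 files" check would never look at
    """
    findings: List[str] = []
    actual = build_manifest(root)
    for rel, expected in manifest.items():
        if rel not in actual:
            findings.append(f"missing: {rel}")
        elif actual[rel] != expected:
            findings.append(f"modified: {rel}")
    for rel in actual:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return sorted(findings)


def demo() -> List[str]:
    """Constructed scenario: a two-file 'model' is manifested at publish time, then a
    weights file is altered by one byte and an unlisted loader script is dropped in."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "model"
        root.mkdir(parents=True)
        (root / "config.json").write_bytes(b'{"arch": "demo"}')
        (root / "weights.bin").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(root)  # what the distributor would publish (and sign)
        assert verify_model_dir(root, manifest) == []  # pristine copy passes
        (root / "weights.bin").write_bytes(b"\x00" * 4095 + b"\x01")  # single-byte tamper
        (root / "loader.py").write_bytes(b"import os\n")  # file the manifest never listed
        return verify_model_dir(root, manifest)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The "unexpected" check is the one most often omitted: a verifier that only iterates over the manifest will happily pass a directory to which an attacker has added a file that the model loader executes.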
The release aligns with a broader industry movement toward formalized AI security standards, building on earlier work such as NIST's AI Risk Management Framework. Cisco released the specification openly to encourage adoption across the vendor ecosystem rather than packaging it as a proprietary product.
Audi Mobile App Security Flaws Exposed
Security researchers disclosed a series of vulnerabilities in Audi's mobile application ecosystem, affecting vehicle companion apps used by millions of owners to remotely monitor and control their vehicles. The identified issues included:
- Insecure direct object references (IDOR) that could allow one registered user to query vehicle data belonging to another customer
- Insufficient server-side authentication checks on remote command endpoints
- Overly permissive OAuth token scopes granting broader access than required for stated functionality
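The three findings above are the absence of two server-side checks: resolving a requested object through the caller's identity (which closes the IDOR) and requiring a scope that matches the operation (which closes the command and over-broad-token issues). The block below is an added example written for this page, not Audi's code, and every identifier in it (vehicle ids, user ids, scope names) is invented for illustration. It shows the vulnerable handler beside its hardened form in a minimal in-memory backend.

```python
"""Added example (not Audi's code): IDOR and scope checks on vehicle API handlers.
All ids, users and scope strings are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

# Constructed backend state: two customers, each owning one vehicle.
VEHICLES: Dict[str, dict] = {
    "WAU-0001": {"owner": "alice", "location": "59.33,18.07", "locked": True},
    "WAU-0002": {"owner": "bob",   "location": "48.14,11.58", "locked": False},
}


@dataclass
class Token:
    """What the API server learns after validating an OAuth access token."""
    subject: str                              # authenticated user id
    scopes: Set[str] = field(default_factory=set)


class Forbidden(Exception):
    pass


# --- vulnerable: the object is looked up by the client-supplied id alone (IDOR) ---
def get_vehicle_vulnerable(token: Token, vehicle_id: str) -> dict:
    return VEHICLES[vehicle_id]           # any logged-in user can read any vehicle


def send_command_vulnerable(token: Token, vehicle_id: str, cmd: str) -> str:
    VEHICLES[vehicle_id]["locked"] = (cmd == "lock")   # no ownership check, no scope check
    return "ok"


# --- hardened: resolve the object through the caller's identity, then require a scope ---
def _owned_vehicle(token: Token, vehicle_id: str) -> dict:
    v = VEHICLES.get(vehicle_id)
    # One error for both "not found" and "not yours" so valid ids cannot be enumerated
    # by comparing responses.
    if v is None or v["owner"] != token.subject:
        raise Forbidden("vehicle not accessible")
    return v


def _require_scope(token: Token, scope: str) -> None:
    if scope not in token.scopes:
        raise Forbidden(f"missing scope {scope}")


def get_vehicle_hardened(token: Token, vehicle_id: str) -> dict:
    _require_scope(token, "vehicle:read")
    return _owned_vehicle(token, vehicle_id)


def send_command_hardened(token: Token, vehicle_id: str, cmd: str) -> str:
    _require_scope(token, "vehicle:command")   # a read-only token cannot lock or unlock
    v = _owned_vehicle(token, vehicle_id)
    if cmd not in ("lock", "unlock"):
        raise ValueError(f"unknown command {cmd!r}")
    v["locked"] = (cmd == "lock")
    return "ok"


def denied(handler: Callable, *args) -> bool:
    """True if the handler rejects the call with Forbidden (used by the demo and tests)."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice_read = Token("alice", {"vehicle:read"})
    print("vulnerable read of bob's car:", get_vehicle_vulnerable(alice_read, "WAU-0002"))
    print("hardened read of bob's car denied:", denied(get_vehicle_hardened, alice_read, "WAU-0002"))
    print("read-only token denied a command:", denied(send_command_hardened, alice_read, "WAU-0001", "lock"))
```

The ordering in the hardened command handler is deliberate: the scope check runs before the ownership lookup so that a token minted for a read-only integration never touches vehicle state at all, and the ownership lookup runs before the command is parsed so that an attacker cannot learn which ids exist by sending malformed commands.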
While no active exploitation was reported, the research highlights the growing attack surface created by connected vehicle applications. Remote access to vehicle data — including location tracking, door lock status, and driving history — presents significant privacy risks if exposed.
Audi was notified through responsible disclosure and indicated patches were in progress at the time of publication.
Also Notable This Week
Nvidia GeForce NOW data breach: Nvidia confirmed a data breach affecting GeForce NOW cloud gaming users in Armenia, with user account details exposed. The scope of the breach and affected data types were still being investigated at disclosure.
Android 17 security upgrades: Google's upcoming Android 17 release was confirmed to include significant security architecture improvements, including further restrictions on accessibility API access by non-accessibility applications — a common vector for malware — and enhanced attestation for payment-related operations.
FBI warning on ShinyHunters/Canvas: The FBI issued a warning to educational institutions following the ShinyHunters group's mass compromise of Canvas learning management system portals, with the threat group conducting extortion campaigns against universities and colleges. Institutions were advised to audit Canvas configurations and enforce multi-factor authentication.
Source: SecurityWeek