In this edition of Risk Alerts, we highlight underground coal fires, trackers being used as stalking tools, BadUSB drives and methane leaks, among other threats.

1. A hidden risk: underground coal fires.

The Marshall Fire, which burned approximately 6,000 acres in Colorado last December, was the most destructive wildfire in the state’s history. Authorities are still investigating what caused the blaze, but one possibility is the area’s abandoned coal mines, according to an Associated Press report.

In 1883, a fire raged through an underground Colorado coal field, causing a blaze that the state’s first mining inspector deemed “impossible to extinguish.” Nearly 140 years later, two fires still smolder in the now-abandoned coal field near Boulder.

Across the U.S., at least 259 underground mine fires burned in more than a dozen states as of last September, according to federal Office of Surface Mining data. There are hundreds and possibly thousands more undocumented blazes burning in coal seams that have never been mined, researchers and government officials say.

Such fires can be ignited by lightning, humans and even spontaneously at temperatures as low as 86 degrees Fahrenheit, according to experts. Many are impossible to put out, slowly burning underground as the combustion feeds off a small amount of oxygen present in the coal. The fires emit toxic mercury and carbon dioxide, and cause sinkholes when the ground’s surface collapses into burned cavities below.

The estimated future cost to control the 200 known abandoned mine blazes across the U.S. is almost $900 million, according to the Office of Surface Mining database.

Source: “Deadly Colorado blaze renews focus on underground coal fires,” Associated Press, Jan. 30, 2022

2. Are you being tracked?

Apple’s AirTags are marketed as “an easy way to keep track of your stuff.” But the trackers have also been linked to criminal activity such as stalking and car theft, warns a December 2021 story in The New York Times.

The discs are meant to be attached to personal items like keys, wallets and backpacks. Apple’s location-tracking network, called “Find My,” then tracks how far away the tags are and displays a map with their locations.

But the NYT said that, in recent months, people have posted on TikTok, Reddit and Twitter about finding unknown AirTags on their cars and in their belongings. There is growing concern that the devices may be used for stalking, which privacy groups predicted could happen when Apple introduced the devices in April 2021.

“Apple automatically turned every iOS device into part of the network that AirTags use to report the location of an AirTag,” Eva Galperin, a cybersecurity director at the Electronic Frontier Foundation, told NYT. She noted that while similar trackers exist, “the network that Apple has access to is larger and more powerful than that used by the other trackers. It’s more powerful for tracking and more dangerous for stalking.”

Galperin studies so-called stalkerware—apps, software programs and devices that allow another person to secretly monitor and record information about your phone activity, such as monitoring keystrokes or tracking locations.

Source: “Are Apple AirTags Being Used to Track People and Steal Cars?” New York Times, Dec. 30, 2021

3. Up in flames.

In early January, an e-bike’s battery burst into flames while charging in a Bronx restaurant, starting a four-alarm fire that drew more than 150 first responders and left one firefighter seriously injured. In December, a man was killed and multiple families displaced when the nine e-bike batteries he was charging erupted inside his East Village apartment. And that’s just the beginning.

Last year, there were 104 fires in just New York City caused by e-bike and e-scooter batteries, resulting in 79 injuries and four deaths, according to a report from Curbed. These numbers more than doubled from the previous year, when 44 fires led to 23 injuries, up from 28 fires in 2019.

In NYC, the people most threatened by these rising numbers are the estimated 65,000 delivery workers. Commonly classified as independent contractors by gig companies like Uber and DoorDash, they must spend their earnings to buy their own electric bikes and batteries, and they often charge the batteries in their homes, sometimes just a few feet from their beds.

There’s an initiative to establish physical hubs throughout the city where gig workers can use the bathroom, enjoy a meal, repair their bikes and charge their batteries safely. They could also offer resources to help gig workers apply for insurance.

Source: “E-Bike Batteries Are Catching on Fire Way Too Often,” Curbed, Jan. 25, 2022

4. Software flaws could let criminals hijack Teslas.

A 19-year-old cybersecurity researcher in Germany was performing a security audit for a French company when he noticed something unusual: a software program on the company’s network that exposed all the data about the chief technology officer’s Tesla Inc. vehicle. The data included a full history of where the car had been driven and its precise location at that moment.

He also discovered that he could push commands to Tesla vehicles whose owners were using the program. That capability enabled him to hijack some functions on those cars, including opening and closing the doors, turning up the music and disabling security features. (He couldn’t take over the cars’ steering, braking or other operations, however.)

He found more than 25 Teslas in 13 countries throughout Europe and North America that were vulnerable to attack—and subsequent analysis indicated there could have been hundreds more. The flaws aren’t in Tesla’s vehicles or the company’s network but rather in a piece of open-source software that allows them to collect and analyze data about their own vehicles.

Source: “Teenaged Cyber Prodigy Stumbles Onto Software Flaw Letting Him Hijack Teslas,” Bloomberg/Insurance Journal, Jan. 14, 2022

5. WFH could be bad for your breathing.

A warning to those who work remotely: The air quality in your home may be worse than in your office building, according to a new study from Texas A&M University School of Public Health.

The study, published in the journal Atmosphere, analyzes indoor air quality and health outcomes in people working remotely during the COVID-19 pandemic. Researchers measured indoor air quality in both the offices and homes of employees in 2019 and 2020 and evaluated their health outcomes during those periods.

Air pollution indoors is most often linked to building materials and the activities of people living and working in those buildings. These pollutants include volatile organic compounds (VOCs) from carpet and furniture, paints and other chemicals, as well as fine particulate matter (PM2.5) and mold. Prolonged exposure to indoor air pollutants is associated with a wide range of poor health outcomes, from headaches and dry eyes to cardiovascular disease and lung cancer.

The researchers used a standard consumer-grade air quality monitor to collect data on air temperature, relative humidity, and concentrations of particulate matter and VOCs. They also collected data on outdoor air temperature and particulate matter concentration from the Texas Commission on Environmental Quality. Participants were also asked how often they experienced symptoms like dry, itchy or watery eyes, stuffy nose, and dry or irritated skin.

The study found that the fine particulate matter concentrations were significantly higher in the participants’ homes than in their offices, and the home levels were greater than the standard for a healthy work environment. The researchers also found that VOC concentrations were higher in homes compared to offices, though still well below the limit set by health standards.

Source: Texas A&M University

6. Plug and get hacked.

In January, the FBI issued a public warning about an attack campaign that sends USB drives containing malicious software to employees, according to CSO Online.

The FBI said that numerous USB drives laced with malicious software were sent to employees at organizations in the transportation, defense and insurance sectors between August and November 2021. The USBs came with fake letters impersonating the Department of Health and Human Services and Amazon, sent via the U.S. Postal Service and UPS. The campaign has been dubbed “BadUSB,” and the FIN7 hacker organization has been named as the culprit.

“The BadUSB attack provides the victim with what looks like a physical USB stick and a lure to plug it into the victim’s system, such as promising a gift card as a thank you or invoices that need to be processed,” Karl Sigler, senior security research manager at Trustwave SpiderLabs, told CSO.

“The USB drive is actually configured as a USB keyboard, and the computer will identify it and configure it as such,” he told CSO. “Once inserted, the USB keyboard will automatically start typing and will typically invoke a command shell and inject commands to download malware.”

Experts said this could be an attempt to take advantage of the work-from-home trend.

Source: “BadUSB explained: How rogue USBs threaten your organization,” CSO Online, Jan. 20, 2022

7. A leaking threat.

Gas stoves are contributing more to global warming than previously thought because of constant tiny methane leaks while they’re off, according to a new study published in the journal Environmental Science & Technology.

The same study raised new concerns about indoor air quality and health because of levels of nitrogen oxides measured, notes the Associated Press.

Even when they are not running, U.S. gas stoves are putting 2.6 million tons of methane—in carbon dioxide equivalent units—into the air each year, researchers found. That’s equal to the annual amount of greenhouse gases from 500,000 cars. And that’s on top of the 6.8 million tons of carbon dioxide that gas stoves emit into the air when in use, the study said.

The researchers examined 53 home kitchens in California—many in bed and breakfasts they rented. They sealed most of the rooms in plastic tarps and then measured emissions when the stoves were working and when they were not. Surprisingly, three-quarters of the methane released happened while the stoves were off, said Rob Jackson, a Stanford University climate scientist and co-author of the study.

The methane leak isn’t dangerous to human health or as a possible explosive, Jackson said. But the researchers also found high levels of nitrogen oxides—greater than 100 parts per billion. Jackson said the Environmental Protection Agency doesn’t have indoor air quality standards for that gas, but the measurements exceed its outdoor air quality standards. The nitrogen oxides are byproducts of the combustion in natural gas ovens, he said.

Source: “Study: Gas stoves worse for climate than previously thought,” Associated Press, Jan. 27, 2022

8. Are BPA replacements just as harmful?

Bisphenol-S (BPS), a replacement chemical for bisphenol-A (BPA), may increase the risk of cardiovascular disease, according to a new study published in Environmental Sciences Europe.

The study tapped into data from the National Health and Nutrition Examination Survey between 2013 and 2016 conducted by the Centers for Disease Control and Prevention (CDC). After examining more than 1,200 participants with available bisphenol and cardiovascular disease data, the scientists derived a significant association between urinary BPS and an increased risk of cardiovascular disease, especially in people aged 50-80 years. Specifically, the researchers found a positive correlation between urinary BPS and coronary heart disease risk.

A key ingredient in polycarbonate, a hard, clear plastic, and epoxy resins, which act as a protective lining in food and beverage packaging, BPA can be found in all corners of our lives—including shatterproof windows, eyeglasses, water bottles, metal food cans, water pipes and medical supplies.

Studies have linked BPA to heart disease, obesity, diabetes, hypertension, brain and reproductive system damages, and children’s behavior problems. Bisphenols seems to have a similar effect on the heart, according to experts.

This means BPA-free labels on products might not really mean all that much for consumers, since they often contain BPA replacements, which might also be harmful.

Source: “BPA replacement linked to increased cardiovascular disease,” Environmental Health News, Feb. 1, 2022