Tag Archive for: keys

Apple Chip Flaw Leaks Secret Encryption Keys


The next time you stay in a hotel, you may want to use the door’s deadbolt. A group of security researchers this week revealed a technique that uses a series of security vulnerabilities that impact 3 million hotel room locks worldwide. While the company is working to fix the issue, many of the locks remain vulnerable to the unique intrusion technique.

Apple is having a tough week. In addition to security researchers revealing a major, virtually unpatchable vulnerability in its hardware (more on that below), the United States Department of Justice and 16 attorneys general filed an antitrust lawsuit against the tech giant, alleging that its practices related to its iPhone business are illegally anticompetitive. Part of the lawsuit highlights what it calls Apple’s “elastic” embrace of privacy and security decisions—particularly iMessage’s end-to-end encryption, which Apple has refused to make available to Android users.

Speaking of privacy, a recent change to cookie pop-up notifications reveals the number of companies each website shares your data with. A WIRED analysis of the top 10,000 most popular websites found that some sites are sharing data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to comment about companies anonymously, has begun encouraging people to use their real names.

And that’s not all. Each week, we round up the security and privacy news we don’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Apple’s M-series of chips contain a flaw that could allow an attacker to trick the processor into revealing secret end-to-end encryption keys on Macs, according to new research. An exploit developed by a team of researchers, dubbed GoFetch, takes advantage of the M-series chips’ so-called data memory-dependent prefetcher, or DMP. Data stored in a computer’s memory have addresses, and DMPs optimize the computer’s operations by predicting the address of data that is likely to be accessed next. The DMP then puts “pointers” that are used to locate data addresses in the machine’s memory cache. These caches can be accessed by an attacker in…


Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys


An unpatchable vulnerability has been discovered in Apple’s M-series chips that allows attackers to extract secret encryption keys from Macs under certain conditions, according to a newly published academic research paper (via ArsTechnica).

Named “GoFetch,” the type of cyber attack described involves Data Memory-Dependent Prefetchers (DMPs), which try to predict what data the computer will need next and retrieve it in advance. This is meant to make processing faster, but it can unintentionally reveal information about what the computer is doing.

The paper finds that DMPs, especially the ones in Apple’s processors, pose a significant threat to the security provided by constant-time programming models, which are used to write programs so that they take the same amount of time to run, no matter what data they’re dealing with.

The constant-time programming model is meant to protect against side-channel attacks, or types of attacks where someone can gain sensitive information from a computer system without directly accessing it (by observing certain patterns, for example). The idea is that if all operations take the same amount of time, there’s less for an attacker to observe and exploit.

However, the paper finds that DMPs, particularly in Apple silicon, can leak information even if the program is designed not to reveal any patterns in how it accesses memory. The new research finds that the DMPs can sometimes confuse memory content with an address, which causes them to treat the data as an address and perform a memory access, which goes against the constant-time model.

The authors present GoFetch as a new type of attack that can exploit this vulnerability in DMPs to extract encryption keys from secure software. The attack works against some popular encryption algorithms that are thought to be resistant to side-channel attacks, including both traditional (e.g. OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum (e.g. CRYSTALS-Kyber and CRYSTALS-Dilithium) cryptographic methods.

In an email to ArsTechnica, the authors explained:

Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is…


Decoding the Mystery of Encryption: The Power of Public and Private Keys | by Yash Gupta | Sep, 2023


“In the world of encryption, the key to understanding is just a public and private key away.” — Anonymous

In the digital world, the concept of encryption is as ubiquitous as it is vital. It is the bedrock of internet security, safeguarding our data from prying eyes. Encryption is the process of encoding information in such a way that only authorized parties can access it. It is a complex yet fascinating subject, and understanding it requires a deep dive into the realm of public and private keys.

Public and private keys form the basis of today’s encryption

The world of encryption is a labyrinth of complex algorithms and mathematical equations, but at its core, it is a simple concept. It is a method of transforming plain text into an unreadable format, known as ciphertext, to prevent unauthorized access. The process of converting the ciphertext back into its original form is known as decryption.

The two primary types of encryption are symmetric and asymmetric encryption. Symmetric encryption uses a single key for both encryption and decryption. However, it has a significant drawback: the key must be shared between the sender and receiver. This sharing can lead to potential security risks.

Asymmetric encryption, on the other hand, uses two keys: a public key for encryption and a private key for decryption. This method is also known as Public Key Infrastructure (PKI). The public key is available to everyone, while the private key is kept secret by the owner. This method eliminates the need to share keys, thereby enhancing security.

The concept of public and private keys is akin to a mailbox. Anyone can drop a letter (encrypt data) into the mailbox using the visible slot (public key), but only the person with the key to the mailbox (private key) can open it and read the letters (decrypt the data).

The process of generating these keys involves complex mathematical algorithms. The most common algorithm used is the RSA (Rivest-Shamir-Adleman) algorithm. It generates two large prime numbers and multiplies them. The complexity of factoring large prime numbers ensures the security of RSA encryption.

The beauty of public and private keys lies in their interdependence. The public key is used…


These devices can be a lifesaver for finding your keys. Victims say they also enabled their stalkers


Apple’s Airtags and similar devices like Tile are marketed as a useful tool for people to keep track of their belongings, from house keys to luggage and even your car.

The small, button-shaped devices were popularised by savvy travellers hoping to avoid lost luggage during last year’s flight delays and cancellations.

Pet owners have also reported using the tiny gadgets to keep track of their beloved dog or cat, though Apple has discouraged people from using the device for this purpose.

Airtags work by using Bluetooth wireless signals to report their presence to nearby Apple devices that are connected to the internet.

Once detected, the Airtag can piggyback off iPhones or iPads to alert its owner of its location.

Apple’s Airtags can help people keep tabs on their keys, luggage and even pets.

At just $49, they are widely seen as cheap and accessible in comparison to other GPS devices on the market.

But just as Airtags have helped to ease people’s minds about their belongings and precious pets, they have also prompted concerns over stalking capabilities.

Survivors and domestic violence awareness groups claim that, in the wrong hands, the devices can be used to track people against their wishes.

‘The weapon of choice of stalkers and abusers’

Lauren Hughes’ life spiralled after she broke off a three-month relationship with her boyfriend in 2021.

In a class action complaint filed in California, she claims her ex began stalking her online, writing abusive posts on social media and creating fake profiles to try to follow her private accounts.

Two months later, his behaviour escalated to the point where he was calling her from blocked numbers and leaving threatening messages, as well as objects, at her house.

Ms Hughes feared for her safety and moved to a hotel nearby until she could find a new place to live.

She’d hoped to shake off her stalker, but she claims his behaviour did not stop.

After packing up her old apartment, she received a notification on her iPhone that an unknown Airtag was travelling near her at her hotel.

Apple launched Airtags two years ago and they were widely popular during the airport chaos last year. 

“Ms Hughes got the alert … but she didn’t know…
