Next time you stay at a hotel, you might want to use the deadbolt on your door. This week, a group of security researchers revealed a technique that exploits a series of security vulnerabilities affecting locks on 3 million hotel rooms around the world. While companies work to fix the problem, many locks remain vulnerable to the intrusion technique.
Apple is having a tough week. In addition to security researchers uncovering a virtually unpatchable vulnerability in its hardware (more on that below), the U.S. Department of Justice and 16 attorneys general have filed an antitrust lawsuit against the tech giant, alleging that it is illegally anti-competitive. Part of the lawsuit highlights Apple’s “flexible” embrace of privacy and security decisions, particularly end-to-end encryption for iMessage, which Apple has refused to provide to Android users.
When it comes to privacy, recent changes to cookie pop-up notifications let you know how many companies each website is sharing your data with. A WIRED analysis of the top 10,000 most popular websites found that some were sharing data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to comment anonymously about companies, has started encouraging people to use their real names.
And that’s not all. Each week, we round up security and privacy news that we don’t cover in depth. Click on the headline to read the full article. And stay safe out there.
A new study shows that Apple’s M-series chips have a flaw that could allow attackers to trick the processor into revealing a Mac’s secret end-to-end encryption keys. The exploit, called GoFetch and developed by a team of researchers, leverages the so-called data memory-dependent prefetcher (DMP) of M-series chips. Data stored in a computer’s memory has an address, and the DMP optimizes the computer’s operation by predicting the address of data that is likely to be accessed next. The DMP then places a “pointer” that is used to locate the data address in the system’s memory cache. These caches can be accessed by attackers through side-channel attacks. A flaw in the DMP makes it possible to trick it into adding data to the cache, potentially exposing encryption keys.
This flaw, which is present in Apple’s M1, M2, and M3 chips, is essentially unpatchable because it exists in the silicon itself. Although there are mitigation techniques that developers of cryptographic software can create to reduce the effectiveness of the exploit, Zero Day’s Kim Zetter wrote, “The bottom line for users is that there is nothing they can do to fix this problem.”
In a letter to governors across the U.S. this week, Environmental Protection Agency and White House officials warned that hackers from Iran and China could attack “water and wastewater systems across the United States.” The letter from EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan said hackers linked to Iran’s Islamic Revolutionary Guard Corps and the Chinese government-backed hacker group Volt Typhoon have already attacked drinking water systems and other critical infrastructure. The letter states that future attacks “have the potential to disrupt the critical lifeline of clean, safe drinking water, as well as to incur significant costs to affected communities.”
There is a new version of wiper malware that Russian hackers appear to have used to attack several internet and mobile service providers in Ukraine. The malware, dubbed AcidPour by researchers at security firm SentinelOne, is likely an updated version of the AcidRain malware, which crippled a Viasat satellite system in February 2022 and had a major impact on military communications in Ukraine. According to SentinelOne’s AcidPour analysis, the malware has “extended capabilities” that allow it to “better disable networking, IoT, mass storage (RAID), and embedded devices, including ICS devices running Linux x86 distributions.” Researchers told CyberScoop that AcidPour could be used to carry out broader attacks.
Volt Typhoon is not the only China-linked hacker group causing widespread damage. Researchers at security firm Trend Micro have revealed a hacking campaign by a group known as Earth Krahang that targeted 116 organizations in 48 countries. Among them, Earth Krahang compromised 70 organizations, including 48 government agencies. According to Trend Micro, the hackers gain access through vulnerable internet-facing servers or spear-phishing attacks. They then use their access to the targeted systems to engage in espionage activities and take over victims’ infrastructure to carry out further attacks. Trend Micro, which has been monitoring Earth Krahang since early 2022, said it had discovered “potential links” between the group and Chinese hacking company I-Soon, which was recently exposed in a leak of mysterious internal documents.