Apple chip flaw reveals secret encryption keys

Next time you check into a hotel, you may want to use a door lock. A team of security researchers this week unveiled a technique that exploits a series of security vulnerabilities that affect the locks of 3 million hotel rooms around the world. While the company is working to address the issue, many locks are still susceptible to this unique intrusion technique.

Apple has had a rough week. In addition to security researchers revealing a major, nearly unpatchable vulnerability in its hardware (more on that below), the U.S. Department of Justice and 16 attorneys general filed antitrust lawsuits against the tech giant, alleging that practices related to its iPhone business are illegal and anti-competitive. Parts of the lawsuit highlight Apple’s “resilient” embrace of privacy and security decisions, particularly end-to-end encryption of iMessage, which Apple refuses to offer to Android users.

Speaking of privacy, recent changes to cookie pop-up notifications show the number of companies each website shares your data with. A Wired analysis of the top 10,000 most popular websites found that some are sharing data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to review companies anonymously, has begun encouraging people to use their real names.

That’s not all. Each week, we round up security and privacy news that we don’t cover in depth ourselves. Click on the title to read the full article. And stay safe out there.

New research shows that Apple’s M-series chips have a flaw that attackers could exploit to trick the processor into revealing secret end-to-end encryption keys on Macs. The attack, called GoFetch and developed by a team of researchers, exploits the so-called data memory-dependent prefetcher (DMP) of M-series chips. Data stored in computer memory has addresses, and the DMP optimizes the computer’s operation by predicting the addresses of data that may be accessed next. The DMP then uses a “pointer” to locate the data address in the machine’s memory cache. Attackers can access these caches through so-called side-channel attacks. A flaw in the DMP means it can be tricked into adding data to the cache, potentially exposing encryption keys.

The flaw, present in Apple’s M1, M2, and M3 chips, is inherently unfixable because it resides in the chip itself. Cryptography developers can create some mitigation techniques to make exploits less effective, but as Zero Day Group’s Kim Zetter writes, “The bottom line for users is that there’s nothing you can do to fix this problem.”

In a letter sent to governors across the country this week, officials from the Environmental Protection Agency and the White House warned that hackers from Iran and China could attack “water and wastewater systems across the United States.” The letter, sent by EPA Administrator Michael Regan and White House national security adviser Jake Sullivan, said hackers linked to Iran’s Islamic Revolutionary Guard Corps and China’s state-backed hacking group Volt Typhoon had attacked drinking water systems and other critical infrastructure. Future attacks “have the potential to disrupt critical lifelines of clean and safe drinking water and impose significant costs on affected communities,” the letter said.

Russian hackers appear to have used a new version of wiper malware to target multiple Ukrainian internet and mobile service providers. The malware, dubbed AcidPour by researchers at security firm SentinelOne, is likely an updated version of the AcidRain malware, which crippled the Viasat satellite system in February 2022, severely impacting Ukraine’s military communications. According to SentinelOne’s analysis of AcidPour, the malware has “expanded capabilities” that allow it to “better disable embedded devices, including networking, IoT, large storage (RAID), and possibly ICS devices running Linux x86 distributions.” Researchers told CyberScoop that AcidPour could be used to conduct a broader attack.

Volt Typhoon is not the only China-linked hacking group causing widespread damage. Researchers at security firm Trend Micro revealed a hacking campaign by a group called Earth Krahang that targeted 116 organizations in 48 countries. Of those, Earth Krahang successfully compromised 70 organizations, including 48 government entities. According to Trend Micro, the hackers gained access through vulnerable internet-facing servers or through spear-phishing attacks. They then used their access to the targeted systems to conduct espionage and to commandeer the victims’ infrastructure for further attacks. Trend Micro, which has been monitoring Earth Krahang since early 2022, also said it discovered “potential links” between the group and I-Soon, a Chinese hack-for-hire company that was recently exposed after a mysterious leak of internal documents.
