The next time you stay in a hotel, you may want to use the door’s deadbolt. A group of security researchers this week revealed a technique that uses a series of security vulnerabilities that impact 3 million hotel room locks worldwide. While the company is working to fix the issue, many of the locks remain vulnerable to the unique intrusion technique.
Apple is having a tough week. In addition to security researchers revealing a major, virtually unpatchable vulnerability in its hardware (more on that below), the United States Department of Justice and 16 attorneys general filed an antitrust lawsuit against the tech giant, alleging that its practices related to its iPhone business are illegally anticompetitive. Part of the lawsuit highlights what it calls Apple’s “elastic” embrace of privacy and security decisions—particularly iMessage’s end-to-end encryption, which Apple has refused to make available to Android users.
Speaking of privacy, a recent change to cookie pop-up notifications reveals the number of companies each website shares your data with. A WIRED analysis of the top 10,000 most popular websites found that some sites are sharing data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to comment about companies anonymously, has begun encouraging people to use their real names.
And that’s not all. Each week, we round up the security and privacy news we don’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Apple’s M-series of chips contain a flaw that could allow an attacker to trick the processor into revealing secret end-to-end encryption keys on Macs, according to new research. An exploit developed by a team of researchers, dubbed GoFetch, takes advantage of the M-series chips’ so-called data memory-dependent prefetcher, or DMP. Data stored in a computer’s memory have addresses, and DMP’s optimize the computer’s operations by predicting the address of data that is likely to be accessed next. The DMP then puts “pointers” that are used to locate data addresses in the machine’s memory cache. These caches can be accessed by an attacker in what’s known as a side-channel attack. A flaw in the DMP makes it possible to trick the DMP into adding data to the cache, potentially exposing encryption keys.
The flaw, which is present in Apple’s M1, M2, and M3 chips, is essentially unpatchable because it is present in the silicon itself. There are mitigation techniques that cryptographic developers can create to reduce the efficacy of the exploit, but as Kim Zetter at Zero Day writes, “the bottom line for users is that there is nothing you can do to address this.”
In a letter sent to governors across the US this week, officials at the Environmental Protection Agency and the White House warned that hackers from Iran and China could attack “water and wastewater systems throughout the United States.” The letter, sent by EPA administrator Michael Regan and White House national security adviser Jake Sullivan, says hackers linked to Iran’s Islamic Revolutionary Guard and Chinese state-backed hacker group known as Volt Typhoon have already attacked drinking water systems and other critical infrastructure. Future attacks, the letter says, “have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”
There’s a new version of a wiper malware that Russian hackers appear to have used in attacks against several Ukrainian internet and mobile service providers. Dubbed AcidPour by researchers at security firm SentinelOne, the malware is likely an updated version of the AcidRain malware that crippled the Viasat satellite system in February 2022, heavily impacting Ukraine’s military communications. According to SentinelOne’s analysis of AcidPour, the malware has “expanded capabilities” that could allow it to “better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions.” The researchers tell CyberScoop that AcidPour may be used to carry out more widespread attacks.
Volt Typhoon isn’t the only China-linked hacker group wreaking widespread havoc. Researchers at security firm TrendMicro revealed a hacking campaign by a group known as Earth Krahang that’s targeted 116 organizations across 48 countries. Of those, Earth Krahang has managed to breach 70 organizations, including 48 government entities. According to TrendMicro, the hackers gain access through vulnerable internet-facing servers or through spear-phishing attacks. They then use access to the targeted systems to engage in espionage and commandeer the victims’ infrastructure to carry out further attacks. Trend Micro, which has been monitoring Earth Krahang since early 2022, also says it found “potential links” between the group and I-Soon, a Chinese hack-for-hire firm that was recently exposed by a mysterious leak of internal documents.