The next time you stay in a hotel, you may want to use the door deadbolt. A group of security researchers this week unveiled a technique that exploits a series of security vulnerabilities affecting 3 million hotel room locks worldwide. While the company works to resolve the issue, many locks remain vulnerable to the unique burglary technique.
Apple is having a rough week. In addition to security researchers revealing a major, virtually unpatchable vulnerability in its hardware (more on that below), the US Department of Justice and sixteen attorneys general have filed an antitrust lawsuit against the tech giant, alleging that its practices were related its iPhone activities are illegally anti-competitive. Part of the lawsuit highlights what Apple calls “elastic” embrace of privacy and security decisions, particularly iMessage’s end-to-end encryption, which Apple has refused to make available to Android users.
Speaking of privacy, a recent change to cookie pop-up notifications reveals the number of companies each website shares your data with. A WIRED analysis of the top 10,000 most popular websites found that some sites share data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor, which has long allowed people to comment on companies anonymously, has started encouraging people to use their real names.
And that’s not all. Every week we collect security and privacy news that we do not go into in detail ourselves. Click on the headlines to read the full stories. And stay safe out there.
Apple’s M-series chips contain a flaw that could allow an attacker to trick the processor into revealing secret end-to-end encryption keys on Macs, according to new research. An exploit developed by a team of researchers called Go get it, uses the so-called data memory-dependent prefetcher or DMP of the M-series chips. Data stored in a computer’s memory has addresses, and DMPs optimize the computer’s operation by predicting the address of the data that is likely to be used next. The DMP then places “pointers” that are used to locate data addresses in the machine’s memory cache. These caches can be accessed by an attacker through a so-called side-channel attack. A flaw in the DMP makes it possible to trick the DMP into adding data to the cache, potentially exposing encryption keys.
The flaw, which is present in Apple’s M1, M2 and M3 chips, is essentially unfixable because it resides in the silicon itself. There are mitigation techniques that cryptographic developers can create to reduce the effectiveness of the exploit, but such as Kim Zetter of Zero Day writes“The bottom line for users is there is nothing you can do to address this.”
In a letter sent to U.S. governors this week, officials from the Environmental Protection Agency and the White House warned that hackers from Iran and China could attack “water and wastewater systems throughout the United States.” The letter, sent by EPA Administrator Michael Regan and White House National Security Advisor Jake Sullivan, said hackers linked to Iran’s Islamic Revolutionary Guards Corps and the Chinese state-backed hacker group known as Volt Typhoon have already have attacked drinking water systems and other critical infrastructure. Future attacks, the letter said, “have the potential to disrupt the critical lifeline of clean and safe drinking water and impose significant costs on affected communities.”
There is a new version of a wiper malware that Russian hackers appear to have used in attacks on several Ukrainian internet and mobile service providers. Dubbed AcidPour by researchers from security company SentinelOnethe malware is likely an updated version of the AcidRain malware that crippled the Viasat satellite system in February 2022 and severely impacted Ukraine’s military communications. According to SentinelOne’s analysis of AcidPour, the malware has “extensive capabilities” that allow it to “better disable embedded devices, including networking, IoT, large storage (RAIDs), and potentially ICS devices running Linux x86 distributions.” The researchers tell CyberScoop that AcidPour may be used to launch more widespread attacks.
Volt Typhoon isn’t the only China-affiliated hacker group wreaking havoc. Researchers from security firm TrendMicro revealed a hacking campaign by a group known as Earth Krahang that targeted 116 organizations in 48 countries. Of those, Earth Krahang managed to breach 70 organizations, including 48 government agencies. According to TrendMicro, the hackers gain access through vulnerable Internet-facing servers or through spearphishing attacks. They then use access to the targeted systems to conduct espionage and capture the victims’ infrastructure to carry out further attacks. Trend Micro, which has been monitoring Earth Krahang since early 2022, also says it has found “potential links” between the group and I-Soon, a Chinese hack-for-hire company recently exposed by a mysterious leak of internal documents.