Unpatchable vulnerability in Apple chip leaks secret encryption keys

A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday.

The flaw—a side channel allowing end-to-end key extraction when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. It can only be mitigated by building defenses into third-party cryptographic software, and those defenses could drastically degrade M-series performance during cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and a malicious application with normal user privileges run on the same CPU cluster.

Beware of hardware optimizations

The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading that data into the CPU cache before it is actually needed, the DMP, as the feature is abbreviated, reduces latency between main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel’s 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.

Security experts have long known that classical prefetchers open a side channel that malicious processes can probe to obtain secret key material from cryptographic operations. The leak arises because prefetchers make predictions based on previous access patterns, which creates changes in microarchitectural state that attackers can observe. In response, cryptographic engineers devised constant-time programming, an approach that ensures all operations take the same amount of time to complete regardless of their operands. It does this by keeping code free of secret-dependent memory accesses or data structures.

The breakthrough of the new research is that it exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes they confuse memory content, such as key material, with the pointer value that is used to load other data. As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This “dereferencing” of “pointers”—meaning the reading of data and leaking it through a side channel—is a flagrant violation of the constant-time paradigm.

Apple Just Confirmed Governments Are Spying on People’s Phones With Push Notifications

Governments are spying on U.S. smartphone users through the push notifications that they receive from apps, Senator Ron Wyden wrote in a letter to the Department of Justice on Wednesday and Apple confirmed. 

Wyden wrote that the federal government had restricted Apple and other companies’ ability to share information about this process. The Senator’s office “received a tip” last year that “government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple,” Wyden, a Democratic senator from Oregon, wrote in the letter to Attorney General Merrick Garland. “My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.” 

Apple confirmed in a statement to Reuters on Wednesday that, “In this case, the federal government prohibited us from sharing any information. Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

The process by which push notifications are generated requires the phone company to serve as a “digital post office,” Wyden wrote. Push notifications are sent through Apple and Google’s servers, which means that the companies “serve as intermediaries in the transmission process,” and can therefore be made to hand over information to governments that request it. 

According to Wyden’s letter, the information that can be gleaned from push notification requests is mostly metadata. This includes information “detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered,” Wyden wrote. In some cases, requesters may even receive unencrypted content such as the text that was delivered in the notification. 

The senator said that companies can therefore “be secretly compelled by governments to hand over this information.” 

An unnamed source confirmed to Reuters that both foreign and U.S. government agencies had been asking the companies for push notification data, for example to tie anonymous users of messaging apps to specific accounts. The source did not say which government agencies had participated in this, or for how long. 

Apple advises its developers to encrypt any sensitive data sent through a push notification, but does not require this practice. 

New Group Attacking iPhone Encryption Backed by U.S. Political Dark-Money Network

The Heat Initiative, a nonprofit child safety advocacy group, was formed earlier this year to campaign against some of the strong privacy protections Apple provides customers. The group says these protections help enable child exploitation, objecting to the fact that pedophiles can encrypt their personal data just like everyone else.

When Apple launched its new iPhone this September, the Heat Initiative seized on the occasion, taking out a full-page New York Times ad, using digital billboard trucks, and even hiring a plane to fly over Apple headquarters with a banner message. The message on the banner appeared simple: “Dear Apple, Detect Child Sexual Abuse in iCloud” — Apple’s cloud storage system, which today employs a range of powerful encryption technologies aimed at preventing hackers, spies, and Tim Cook from knowing anything about your private files.

Something the Heat Initiative has not placed on giant airborne banners is who’s behind it: a controversial billionaire philanthropy network whose influence and tactics have drawn unfavorable comparisons to the right-wing Koch network. Though it does not publicize this fact, the Heat Initiative is a project of the Hopewell Fund, an organization that helps privately and often secretly direct the largesse — and political will — of billionaires. Hopewell is part of a giant, tightly connected web of largely anonymous, Democratic Party-aligned dark-money groups, in an ironic turn, campaigning to undermine the privacy of ordinary people.

Apple Tells Support Staff To Remain Silent On iPhone Radiation Concern

Apple plans to issue an over-the-air update in the coming days for iPhone 12 users in France after regulators ordered a halt in sales over concerns the device emits too much radiation. 

“We will issue a software update for users in France to accommodate the protocol used by French regulators,” Apple told Reuters in a statement. 

The company continued, “We look forward to iPhone 12 continuing to be available in France.”

Earlier this week, French regulators ordered a ban on iPhone 12 sales after a Specific Absorption Rate (SAR) test – how much radio frequency is absorbed into a body from a device – exceeded European radiation exposure limits. 

Besides the iPhone 12’s radiation levels, another controversy is brewing as Bloomberg said Apple instructed employees to stay ‘mum’ when customers ask about the radiation issue: 

If customers inquire about the French government’s claim that the model exceeds standards for electromagnetic radiation, workers should say they don’t have anything to share, Apple employees have been told. Staff should also reject customers’ requests to return or exchange the phone unless it was purchased in the past two weeks — Apple’s normal return policy.

Customers asking if the phone is safe should be told that all Apple products go through rigorous testing to ensure that they’re safe, according to the guidance.

Apple dismissed the radiation claims, indicating “this is related to a specific testing protocol used by French regulators and not a safety concern” for customers. “The ANFR [French regulator] is preparing to quickly test this update,” Noel Barrot, France’s digital affairs minister, told Reuters. 

How a Well-Regarded Mac App Became a Trojan Horse

In the early days of macOS Mojave in 2018, Apple hadn’t offered users a way to automatically switch between dark and light mode at different times of the day. As usual, third-party developers were eager to pick up the slack. One of the more well-regarded night mode apps that filled this gap was NightOwl, first released in the middle of 2018: a small, single-purpose utility that ran in the background during day-to-day use.

With more official macOS features added in 2021 that enabled the “Night Shift” dark mode, the NightOwl app was left forlorn and forgotten on many older Macs. Few of those supposed tens of thousands of users likely noticed when the app they ran in the background of their older Macs was bought by another company, nor when earlier this year that company silently updated the dark mode app so that it hijacked their machines in order to send their IP data through a server network of affected computers, AKA a botnet.

After some users noted issues with the app after a June update, web developer Taylor Robinson discovered the problem ran deep, as the program redirected users’ computers’ connections without any notification. The real dark mode turned out to be the transformation of a respectable Mac app into a playground for data harvesters.

In an email to Gizmodo, Robinson broke down their own investigation into the app. They found that NightOwl installs a launcher that turns the user’s computer into a kind of botnet agent for data that’s sold to third parties. The updated 0.4.5.4 version of NightOwl, released June 13, runs a local HTTP proxy without users’ direct knowledge or consent, they said. The only hint NightOwl gives users that something’s afoot is a consent notice after they hit the download button, saying the app uses Google Analytics for anonymized tracking and bug data. The botnet settings cannot be disabled through the app, and in order to remove the modifications made to a Mac, users need to run several commands in the Mac Terminal app to excise the vestiges of the code from their system, per Robinson.

It’s currently unclear how many users were affected by the seemingly malicious code, especially as NightOwl has since become unavailable on both the website and app store. The NightOwl site claims the app was downloaded more than 141,000 times, and that there were more than 27,000 active users on the app. Even if the app lost most of its users after Apple installed new Dark Mode software, there were potentially thousands of users running NightOwl on their old Macs.

Apple turned off a private communication tool in China just before major protests broke out

Earlier this month, Apple restricted the use of AirDrop in China. The file-sharing tool for iOS was used by protesters to communicate freely without the risk of censorship, because the tool uses direct connections between devices, creating a local network that cannot be monitored by government internet regulators.

Initially, people could choose to receive AirDrops from everyone nearby. However, a recent iOS update has made that impossible. The update made a change to AirDrop’s usage that only applies in mainland China, while the rest of the world can still use it to communicate as before.

Users in China can now receive from everyone nearby for only ten minutes, restricting how the tool can be used.

AirDrop has been used by protesters in Hong Kong to communicate with other protesters and bystanders, as well as send messages to tourists from mainland China. On the mainland, protesters have used AirDrop to spread protest literature.

Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such data is only handed over in response to a search warrant or subpoena signed by a judge, according to the people. Emergency requests, however, don’t require a court order.

Snap Inc. received a forged legal request from the same hackers, but it isn’t known whether the company provided data in response. It’s also not clear how many times the companies provided data prompted by forged legal requests.

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co. and Nvidia Corp., among others, the people said. City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ hacking group; the probe is ongoing.

Leaked Documents Show Apple’s Attempts to Silence Whistleblowers

Tech giant Apple previously told the SEC that it does not attempt to silence employees in relation to workplace harassment or discrimination, but a whistleblower’s nondisclosure agreement is bringing new scrutiny to this claim.

Business Insider reports that on October 18, tech giant Apple made a number of statements to the Securities and Exchange Commission (SEC) including claims that the company does not attempt to silence former employees or whistleblowers in relation to the company’s working conditions.

Now, a new nondisclosure agreement given to a company whistleblower is bringing greater scrutiny to these claims. Apple’s lawyers reportedly wanted former engineer Cher Scarlett to state only the following words upon her departure from the company: “After 18 months at Apple, I’ve decided it is time to move on and pursue other opportunities.”

This language was included in an extremely strict nondisclosure and non-disparagement agreement, part of a separation agreement that Apple offered Scarlett last month. Scarlett, who spent months working to improve pay equity at Apple, an effort that she alleges resulted in harassment and intimidation from the company, said that when she received the nondisclosure agreement she was “shocked.”

She added: “In my mind, I should be able to say whatever I want as long as I’m not defaming Apple.” Scarlett refused to sign the gag order but was reminded of the agreement upon seeing Apple’s statements to the SEC.

Apple claimed that when it comes to NDAs “in the context of harassment, discrimination, and other unlawful acts,” its “policy is to not use such clauses.” Scarlett filed a whistleblower complaint with the SEC on October 25 in which she claims Apple made “false statements or misleading statements” to the SEC.

Scanning your iPhone for Pegasus, NSO Group’s malware

In collaboration with more than a dozen other news organizations The Guardian recently published an exposé about Pegasus, a toolkit for infecting mobile phones that is sold to governments around the world by NSO Group. It’s used to target political leaders and their families, human rights activists, political dissidents, journalists, and so on, and surreptitiously download their messages/photos/location data, record their microphone, and otherwise spy on them. As part of the investigation, Amnesty International wrote a blog post with their forensic analysis of several compromised phones, as well as an open source tool, Mobile Verification Toolkit, for scanning your mobile device for these indicators. MVT supports both iOS and Android, and in this blog post we’ll install and run the scanner against my iOS device.

Apple’s Plan to “Think Different” About Encryption Opens a Backdoor to Your Private Life

Apple has announced impending changes to its operating systems that include new “protections for children” features in iCloud and iMessage. If you’ve spent any time following the Crypto Wars, you know what this means: Apple is planning to build a backdoor into its data storage system and its messaging system.

Child exploitation is a serious problem, and Apple isn’t the first tech company to bend its privacy-protective stance in an attempt to combat it. But that choice will come at a high price for overall user privacy. Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.

To say that we are disappointed by Apple’s plans is an understatement. Apple has historically been a champion of end-to-end encryption, for all of the same reasons that EFF has articulated time and time again. Apple’s compromise on end-to-end encryption may appease government agencies in the U.S. and abroad, but it is a shocking about-face for users who have relied on the company’s leadership in privacy and security.
