Tag: attack

  • Researchers discover “Augury” Apple Silicon exploit, state not to be worried in near-term

    After digging into Apple Silicon hardware, a group of researchers has discovered a new vulnerability in both Apple’s latest M1 and A14 chipsets. The “Augury” Apple Silicon microarchitectural flaw has been demonstrated to leak data at rest but doesn’t appear to be “that bad” at this point.

    A group of researchers, including Jose Rodrigo Sanchez Vicarte at the University of Illinois at Urbana-Champaign and Michael Flanders at the University of Washington, has published details of their discovery. All of the details were shared with Apple prior to publication.

    The group uncovered that Apple chips use what’s called a Data-Memory Dependent Prefetcher (DMP) which looks at memory content to decide what to prefetch.

    Apple’s M1, M1 Max, and A14 chipsets were tested and found to prefetch with an array-of-pointers dereferencing pattern. The researchers discovered that this process can leak data that is “never read by any instruction, even speculatively!” They also believe the M1 Pro and possibly older A-series chips are vulnerable to the same flaw.

    The researchers offered the following explanation of how Apple’s DMP differs from a conventional prefetcher:

    Once it has seen *arr[0] … *arr[2] occur (even speculatively!) it will begin prefetching *arr[3] onward. That is, it will first prefetch ahead the contents of arr and then dereference those contents. In contrast, a conventional prefetcher would not perform the second step/dereference operation.

    According to the paper, data at rest attacks like this are troublesome because most hardware or software defensive strategies to prevent “microarchitectural attacks assume there is some instruction that accesses the secret.” Data at rest vulnerabilities don’t work that way. Explaining further, the paper says:

    Any defense that relies on tracking what data is accessed by the core (speculatively or non-speculatively) cannot protect against Augury, as the leaked data is never read by the core!
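    To make the two-step behaviour in the quote above concrete, here is an added toy model (written for this page, not code from the Augury authors or from Apple) that contrasts a conventional stride prefetcher with the DMP described above and shows why a defense that only tracks the core’s own accesses never sees the dereferenced line. All addresses, array contents and the train/lookahead parameters are constructed assumptions.

```python
# Toy model (constructed for this example; not from the Augury paper or Apple):
# memory is a dict address -> value, and arr is an array of 8-byte pointers.
ARR_BASE, ARR_LEN, STRIDE = 0x1000, 6, 8
SECRET_ADDR = 0x9000   # a location no instruction in the program ever reads


def build_memory():
    """arr[0..2] point at benign data; arr[3] points at SECRET_ADDR."""
    targets = [0x2000, 0x2100, 0x2200, SECRET_ADDR, 0x2400, 0x2500]
    mem = {ARR_BASE + STRIDE * i: t for i, t in enumerate(targets)}
    for t in targets:
        mem[t] = t ^ 0xFF          # arbitrary contents at each target
    return mem


def run_core(mem, n_loads):
    """Architectural loads *arr[i] for i < n_loads; returns every address
    the core itself touched (arr slots and the targets they point at)."""
    accessed = []
    for i in range(n_loads):
        slot = ARR_BASE + STRIDE * i
        accessed += [slot, mem[slot]]
    return accessed


def prefetch(mem, accessed, dmp, train=3, lookahead=2):
    """Cache fills issued by the prefetcher after watching the core's stream.
    Both models fetch the next arr slots once `train` consecutive slots were
    seen; only the DMP model then dereferences the fetched pointers."""
    slots = [a for a in accessed if ARR_BASE <= a < ARR_BASE + STRIDE * ARR_LEN]
    if len(slots) < train:
        return set()
    fetched = set()
    for k in range(lookahead):
        slot = max(slots) + STRIDE * (k + 1)
        if slot not in mem:
            break
        fetched.add(slot)              # step 1: prefetch arr's contents ahead
        if dmp:
            fetched.add(mem[slot])     # step 2: DMP dereferences the pointer
    return fetched


def untracked_fills(accessed, fetched):
    """Cache lines present after the run that a defense tracking only
    core accesses would never have seen."""
    return fetched - set(accessed)


if __name__ == "__main__":
    mem = build_memory()
    acc = run_core(mem, 3)             # program reads *arr[0] .. *arr[2]
    for dmp in (False, True):
        print("DMP" if dmp else "stride", sorted(hex(a) for a in untracked_fills(acc, prefetch(mem, acc, dmp))))
```

    With the DMP model the line at SECRET_ADDR is filled into the cache even though it never appears in the core’s access list, which is exactly the case an access-tracking defense cannot catch.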

    The upside according to David Kohlbrenner, Assistant Professor at the University of Washington and principal investigator on the research team, is that this DMP “is about the weakest DMP an attacker can get.”

    The researchers echo that sentiment, saying this vulnerability isn’t “that bad” for now and that they haven’t demonstrated any “end-to-end exploits with Augury techniques at this time. Currently, only pointers can be leaked, and likely only in the sandbox threat model.”

    In other words, the odds of this being exploited in the wild are minimal for now; the attack is largely academic at this point.

    Stay tuned for additional details as they become available.

    Via 9to5Mac and prefetchers.info

  • Intel’s 12th-gen chips unable to play 4K Blu-ray content, SGX feature cited

    This is a bit strange.

    According to a discovery by Bleeping Computer, Intel’s 12th-gen chips don’t support Software Guard Extensions (SGX), meaning the chips are unable to play Blu-ray discs in 4K resolution.

    An explanation was offered via Intel’s website:

    There is tremendous opportunity for application and solution developers to take charge of their data security using new hardware-based controls for cloud and enterprise environments. Intel® Software Guard Extensions (Intel SGX) offers hardware-based memory encryption that isolates specific application code and data in memory. Intel SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. Only Intel SGX offers such a granular level of control and protection.

    It’s also been noted that SGX has been a popular attack target, featuring in the following attacks:

    • Prime+Probe attack discovered in 2017
    • Spectre-like attack disclosed in 2018
    • Enclave attack discovered by researchers in 2019
    • MicroScope replay attack
    • Plundervolt injection attack
    • Load Value Injection (LVI)
    • SGAxe attack on the CPU cache resulting in the leak of the enclave’s content

    Intel’s 12th-gen chips may not support SGX, but some of the company’s chips still do, including the 7000-, 8000-, 9000-, and 10000-series parts. Intel’s 12th-gen chips are the Alder Lake H-Series chips that were announced in 2021.

    Stay tuned for additional details as they become available.

    Via The Mac Observer, Intel, and Bleeping Computer

  • Researchers discover security flaw on some Intel processors that allows firmware to bypass security

    This is why firmware updates exist.

    A flaw has been discovered within certain Intel chips that allows an attacker with physical access to the computer (an “evil maid attack”) to install malicious firmware on the chip. The flaw was noted by Mark Ermolov and Dmitry Sklyarov (both from Positive Technologies) and Maxim Goryachy (an independent researcher).

    The flaw, tracked as CVE-2021-0146, is found in Pentium, Celeron, and Atom CPUs on the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms. The attacker could use debug and testing modes to extract the decryption key from the TPM module. If the TPM is also used to store a Windows BitLocker key, BitLocker can also be bypassed. Malicious firmware could then be installed on the chip as a permanent backdoor.

    According to Ermolov:

    The vulnerability is a debugging functionality with excessive privileges, which is not protected as it should be. To avoid problems in the future and prevent the possible bypassing of built-in protection, manufacturers should be more careful in their approach to security provision for debug mechanisms.

    The flaw can affect a wide range of devices with these processors, such as cars, notebooks, medical equipment, home appliances, and various Internet of Things (IoT) products.

    Intel has stated that the company is actively working to patch the vulnerability, so make sure you install the latest software or firmware updates for your devices.

    It’s unknown exactly which Macs are affected by this.

    Stay tuned for additional details as they become available.

    Via The Mac Observer and Intel

  • Security researcher offers warning about Apple’s T2 chip and an unfixable vulnerability that could offer root access to an outside party

    Well, this is sort of a mess.

    A cybersecurity researcher has claimed that macOS devices with Intel processors and a T2 security chip are vulnerable to an unfixable exploit that could offer attackers root access.

    The T2 chip, which is found in most modern macOS devices, is an Apple Silicon co-processor that handles boot and security operations alongside other features such as audio processing. According to Niels H., an independent security researcher, the T2 chip features a flaw that can’t be patched.

    Per the report, since the T2 chip is based on an Apple A10 processor, it’s vulnerable to the same checkm8 exploit that affects iOS-based devices. That could allow attackers to circumvent activation lock and carry out other malicious attacks.

    Under normal circumstances, the T2 chip will exit with a fatal error if it detects a decryption call while in DFU mode. Unfortunately, the exploit can be paired with another exploit developed by Pangu that circumvents the DFU exit security mechanism.

    Should an attacker gain access to the T2 chip, they’ll have full root access as well as kernel execution privileges. While they won’t be able to decrypt files protected by FileVault encryption, they could still inject a keylogger and steal passwords since the T2 chip manages keyboard access.

    This vulnerability could also allow the intruder to manually bypass security locks through MDM or Find My, as well as maneuver around the built-in Activation Lock security mechanism. Installing a firmware password won’t resolve the issues, as this still requires keyboard access.

    Apple won’t be able to patch the vulnerability without a hardware revision, given that the T2’s operating system, known as “SepOS,” uses read-only memory as a security measure. If there’s a bright side, it means that the vulnerability isn’t persistent and will require a hardware component, such as a malicious and specially-crafted USB-C cable, to execute.

    Niels H. has stated that he has reached out to Apple to disclose the exploits, but has yet to hear back from the company.

    According to Niels H., the vulnerability affects all Mac products with a T2 chip and an Intel processor. Since Apple Silicon-based devices use a different boot system, it isn’t clear whether they are also impacted.

    If there’s some relief to be had, it’s that given the nature of the vulnerability, physical access will be required for attacks to be carried out. This exempts the average user from being vulnerable to this, provided they can keep unwanted parties with USB-C devices away from their machines.

    Stay tuned for additional details as they become available.

    Via AppleInsider and IronPeak.be blog