
Security Bits — 29 October 2023

Feedback & Followups

Deep Dive 1 — iLeakage

TL;DR While the threat is real, at least for now, the risk is low for regular users.

A new speculative execution bug has been found, and unlike most, this one can theoretically be exploited remotely. Most speculative execution bugs require the attacker and the victim to share a CPU, so they are only really relevant in multi-customer cloud environments, but this one is different — it can run entirely within Safari, so it can run from a malicious web page, and data can leak between two tabs sharing the same CPU.

This issue affects all A-series and M-series CPUs from Apple, so basically all iOS devices, and all non-Intel Macs.

There are a few silver linings though — first and foremost, this is not a quick attack, and it’s not easy to deploy, so the real-world risk for regular folks is low. However, if you’re important enough to be of interest to a nation-state, you need to be very concerned about this.

Secondly, Apple have a fix in the works. There is already an experimental feature in Safari on the Mac, enabled with a little terminal trickery, that prevents code from two tabs from sharing the same CPU and hence blocks the side-channel. The expectation is that this fix will soon be put live for all Safari users.

Finally, Lockdown Mode protects against this vulnerability, so if you’re important enough to be in the cross-hairs of a nation-state, you should be sure you’ve enabled it. TBH, anyone likely to be threatened by this attack should already have been running in Lockdown Mode, regardless of this latest bug.

Links

Deep Dive 2 — iOS Private WiFi Address Fixed

Since the iPhone 5, Apple have supported randomised MAC addresses on their WiFi cards while phones are scanning for available networks. This means that as you walk about, your iPhone is constantly changing MAC address, so you can’t be tracked over time.

This feature was not broken and didn’t need a fix.

Until iOS 14, once you connected to a WiFi network your device would revert to its true MAC address. In iOS 14 that changed when Apple introduced the Private WiFi Address feature. With this feature enabled, iOS uses a different randomly chosen, permanent MAC address for each network you join. This means your device does not keep changing MAC within a network, so static DHCP assignments still work, but your device has a different MAC on each network, preventing cross-network tracking.

From the point of view of low-level network protocols this worked perfectly, but researchers discovered that until iOS 17.1, the true MAC address was leaked by the metadata in a Bonjour UDP packet sent by iOS devices when they join a network.

This means that while, from the point of view of network management tools, our phones did appear to be different devices on each network, anyone we shared a network with could have run a network sniffer to find and decode the Bonjour broadcasts from our phones and map our random MAC addresses to our true MAC addresses.

The fact that the MAC address was being leaked within joined networks is not good, but it’s nowhere near as bad as it would have been had it been leaking while not joined to a network, or had it been leaking at the lower Ethernet or IP levels.

It should be noted that the entire Private WiFi Address feature is a nice-to-have, not a critical security feature, so there’s definitely no need to lose any sleep over this.
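To make the layering point concrete, here is an added example (not code from the show notes, Apple, or the researchers) of the kind of self-audit a defender can run over their own device’s traffic: it reads the source MAC from the Ethernet header of a captured frame, confirms the frame is mDNS (UDP port 5353), and then checks whether any MAC-formatted string inside the Bonjour payload differs from the link-layer MAC. A mismatch is exactly the leak described above: the lower layers show the Private WiFi Address while higher-layer metadata carries something else. The frame and its payload are constructed inline; the payload is a stand-in with a DNS header and one TXT-style string, not a faithful copy of the iOS Bonjour packet (the notes do not say which field carried the address), and the `deviceid=` key and all addresses are assumptions for the demo.

```python
import re
import struct

# Matches a colon-separated MAC address inside raw bytes, case-insensitive.
MAC_RE = re.compile(rb"(?i)\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    # Randomised (Private WiFi) addresses set the locally-administered bit
    # of the first octet; burned-in addresses normally do not.
    return bool(int(mac[:2], 16) & 0x02)


def parse_frame(frame: bytes):
    """Return (src_mac, udp_dst_port, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:                       # IPv4 only for this demo
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, proto = ip[0], ip[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(ip) < ihl + 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    payload = ip[ihl + 8:ihl + ulen]              # UDP length includes its 8-byte header
    return mac_str(src), dport, payload


def find_mac_leak(frame: bytes):
    """Compare the link-layer source MAC with any MAC strings embedded in an mDNS payload."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src_mac, dport, payload = parsed
    if dport != 5353:                             # only Bonjour/mDNS traffic is of interest
        return None
    embedded = {m.group(1).decode().lower() for m in MAC_RE.finditer(payload)}
    return {
        "link_layer_mac": src_mac,
        "randomised_link_mac": is_locally_administered(src_mac),
        "embedded_macs": sorted(embedded),
        "leaked": sorted(m for m in embedded if m != src_mac),
    }


def build_frame(src_mac: str, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + UDP frame addressed to the mDNS multicast group."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    dst = bytes.fromhex("01005e0000fb")           # MAC for 224.0.0.251
    eth = struct.pack("!6s6sH", dst, src, 0x0800)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 5353, 5353, udp_len, 0)   # checksum left at 0 for the demo
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 255, 17, 0,
                     bytes([192, 168, 1, 23]), bytes([224, 0, 0, 251]))
    return eth + ip + udp + payload


def mdns_like_payload(advertised_mac: str) -> bytes:
    # Constructed stand-in for an mDNS response: 12-byte DNS header plus one
    # TXT-style length-prefixed string. The "deviceid" key is an assumption.
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    txt = f"deviceid={advertised_mac}".encode()
    return header + bytes([len(txt)]) + txt


def demo():
    random_mac = "5a:31:c2:9e:07:44"   # constructed Private WiFi Address (locally administered)
    true_mac = "00:11:22:33:44:55"     # constructed "true" hardware address
    leaking = build_frame(random_mac, mdns_like_payload(true_mac))   # pre-17.1 behaviour
    clean = build_frame(random_mac, mdns_like_payload(random_mac))   # what you want to see
    return find_mac_leak(leaking), find_mac_leak(clean)


if __name__ == "__main__":
    for label, report in zip(("leaking", "clean"), demo()):
        print(label, report)
```

Run against real captures, the same check would be fed frames from a pcap rather than `build_frame`; the point of the demo is that the link-layer MAC and the application-layer metadata are read from different layers, which is why network management tools saw a private address while a sniffer reading the Bonjour payload could see the true one.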

Links

❗ Action Alerts

Worthy Warnings

Notable News

Excellent Explainers

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.
