
Security Bits — 31 March 2024

Feedback & Followups

  • Supply-chain attacks targeting Python developers through malicious packages uploaded to the PyPI package repository are continuing, and have got so bad that the site temporarily suspended new account signups — www.bleepingcomputer.com/…
  • Attackers are continuing to succeed in getting malicious ads pushing Trojanised versions of legitimate software into Google; the latest targeted apps include CleanMyMac, the Arc browser, Notion & PuTTY — www.macobserver.com/… & thehackernews.com/…
  • 🇪🇺 As expected, the European Commission has launched formal Digital Markets Act compliance investigations against Apple, Google & Meta — arstechnica.com/…

Deep Dive — 🧯The ‘Unpatchable’ GoFetch Hardware Flaw in M-Series Chips That Isn’t

Security researchers did find a new way to use a chip optimisation feature to leak secret keys, slowly, when an attacker can run their own code on the same Apple Silicon (M1, M2, or M3) CPU as certain current implementations of certain cryptographic algorithms, but the screaming headlines are utterly misleading IMO (and in Steve Gibson’s opinion too).

Firstly, this is just another side-channel attack, a bit like Spectre and Meltdown but milder: the attacker doesn’t get to read arbitrary memory, they get to observe that code which was supposed to take the same time regardless of its input no longer does. And, like all of these side-channel attacks, it falls into the “if your computer is already hacked then an attacker can …” category, because the attacker’s code has to be running on your machine in the first place.

What’s going on here is that some cryptographic algorithms need to be implemented using a so-called constant-time approach: the contents of the secret key must not change how long the code takes to execute, or which memory it touches. What the researchers found is that one of the optimisations in Apple’s chips, the data memory-dependent prefetcher (DMP), inspects data as it is loaded and, when a value looks like a memory address, speculatively fetches whatever it points to. That means code which is constant-time without the optimisation becomes variable-time with it, because the CPU’s memory accesses now depend on the data being processed, and by feeding the victim carefully crafted inputs an attacker on the same chip can slowly reconstruct the contents of the key.

The fix is conceptually simple, now that we know this technique exists: tell the CPU to switch the optimisation off while executing a cryptographic function that needs to be constant-time, and switch it back on afterwards. This will of course slow down those functions, but only those functions! This is the kernel of truth at the heart of the breathless claims that the only fix is to slow down Apple’s CPUs massively. One caveat worth knowing: the M3 exposes a switch for this (the ARM Data Independent Timing, or DIT, bit also disables the DMP), whereas on the M1 and M2 the prefetcher can’t be turned off from software, so there the options are to run the sensitive code on the efficiency cores, which don’t have the optimisation, or to change the cryptographic implementation so the secret never reaches the prefetcher in a usable form (so-called blinding).
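To make the constant-time idea concrete, here is an added example (written for these notes; it is not code from the post, from Apple, or from the GoFetch researchers). It compares a secret-comparison routine that stops at the first mismatching byte, which is the classic timing-leak mistake, with one that always does the same work regardless of the secret. Rather than measuring noisy wall-clock time, it counts how many bytes each routine examines, since that count is exactly what a timing side channel exposes. The secret and the guesses are constructed sample data, not real keys. Wrapping the constant-time routine in the M3’s DIT toggle is not shown because that code only compiles for arm64.

```c
/* Constant-time vs. variable-time secret comparison (added example). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 8-byte "secret" (not a real key) and two attacker guesses:
 * one with no correct leading bytes, one with three correct leading bytes. */
static const uint8_t SECRET[8]            = {0x4b, 0x61, 0x7a, 0x00, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t GUESS_NONE_RIGHT[8]  = {0x00, 0x61, 0x7a, 0x00, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t GUESS_THREE_RIGHT[8] = {0x4b, 0x61, 0x7a, 0xff, 0xde, 0xad, 0xbe, 0xef};

typedef int (*compare_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Variable-time comparison: returns as soon as a byte differs, so the amount
 * of work done depends on how much of the secret the guess already matches.
 * An attacker can recover the secret one byte at a time from that signal. */
static int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n,
                         size_t *bytes_examined)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {   /* branch on secret data */
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = n;
    return 1;
}

/* Constant-time comparison: touches every byte, accumulates differences with
 * XOR/OR, and never branches on secret data. The final yes/no is computed
 * arithmetically so there is no data-dependent branch at the end either. */
static int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n,
                      size_t *bytes_examined)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    *bytes_examined = n;
    /* diff == 0 -> (0 - 1) >> 8 has bit 0 set -> 1; any other diff -> 0 */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Run a comparison of a guess against SECRET and report the work done. */
static size_t examined(compare_fn cmp, const uint8_t *guess)
{
    size_t steps = 0;
    cmp(SECRET, guess, sizeof SECRET, &steps);
    return steps;
}

size_t leaky_steps(const uint8_t *guess) { return examined(leaky_compare, guess); }
size_t ct_steps(const uint8_t *guess)    { return examined(ct_compare, guess); }

int ct_matches(const uint8_t *guess)
{
    size_t unused;
    return ct_compare(SECRET, guess, sizeof SECRET, &unused);
}

int main(void)
{
    /* The leaky routine's work grows with the number of correct leading bytes;
     * the constant-time routine always does the same amount of work. */
    printf("guess              leaky bytes examined  constant-time bytes examined\n");
    printf("none right         %zu                     %zu\n",
           leaky_steps(GUESS_NONE_RIGHT), ct_steps(GUESS_NONE_RIGHT));
    printf("three right        %zu                     %zu\n",
           leaky_steps(GUESS_THREE_RIGHT), ct_steps(GUESS_THREE_RIGHT));
    printf("all right          %zu                     %zu\n",
           leaky_steps(SECRET), ct_steps(SECRET));
    printf("ct_compare says secret matches itself: %d\n", ct_matches(SECRET));
    return 0;
}
```

The rule ct_compare follows (no branches and no memory addresses that depend on secret data) is what real cryptographic libraries rely on. GoFetch’s point is that this rule is no longer sufficient on a chip whose prefetcher will dereference anything that looks like a pointer, which is why the prefetcher itself has to be switched off, avoided, or fed blinded data as well.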

As I understand it, Apple’s own cryptographic implementations already take this precaution, and the M3 makes toggling the optimisation on and off easier, so the remediation of this low-risk vulnerability seems well in hand.

Unless something changes, I’m not gonna be losing any sleep over this, no matter how calamitous the headlines are!

Links

❗ Action Alerts

Worthy Warnings

  • ‼️ If this happens to you, don’t click Allow: Recent ‘MFA Bombing’ Attacks Targeting Apple Users — krebsonsecurity.com/…
  • ❗️ Twitter/X users beware – because of a poor design choice, it’s trivially easy for a link to lead you somewhere utterly different to the preview, and in the mobile app you can’t see the URL, so you can’t tell you’re on a malicious site — www.bleepingcomputer.com/…
    • Advice from Bart: if you still want to use X despite its many problems, configure it to open links in Safari so you at least have a fighting chance of spotting attacks!
  • 🇺🇸 We still don’t understand how it happened, but AT&T have confirmed that the leak of 73M of their customer records is real — www.bleepingcomputer.com/…
    • The data appears to be from 2019, so only 7.6M of the records are for current AT&T customers; the rest are for former customers
    • This appears to be the data set that was offered for sale on the dark web in 2021, when AT&T denied they had been breached
    • AT&T continued their denials when the data resurfaced a few weeks ago, but after security researchers independently validated the data, they eventually confirmed its veracity
    • AT&T continue to insist they can see no evidence any of their systems were breached, so the suspicion is that something went wrong on a system belonging to an AT&T partner
    • The records include names, addresses, phone numbers, social security numbers (not for everyone), dates of birth (not for everyone), and passcodes (for current customers only)
    • AT&T say they have reset 7.6M passcodes and will be contacting all 73M users affected
    • Related: Troy Hunt from Have-I-Been-Pwned’s description of his investigation of the data — www.troyhunt.com/…
  • Be extra careful when logging into popular cloud services, as there are a lot of active attacks using fake login pages for these services at the moment: New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts — www.bleepingcomputer.com/…
  • If you travel, be extra careful of what you leave in your room for the next few months (or years 🙁): Unsaflok flaw can let hackers unlock millions of hotel doors — www.bleepingcomputer.com/… (only one-third of locks patched since the flaw was responsibly disclosed in September 2022!)
  • A good reminder of why routers that can’t be patched need to be binned: TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service — www.bleepingcomputer.com/…

Notable News

  • At this year’s Pwn2Own Vancouver security researchers earned over $1M and a Tesla Model 3 by demonstrating and responsibly disclosing 27 zero-day vulnerabilities in fully patched systems; the affected vendors have 90 days to fix them before the conference sponsors, Trend Micro’s Zero Day Initiative, publish the details — www.bleepingcomputer.com/…
  • Court filings have revealed more details about just how shady the Onavo VPN Facebook paid teens to install was — via ‘Project Ghostbusters’, the app intercepted Snapchat traffic on the device, before it was encrypted and after it was decrypted, so HTTPS offered no protection, and reported the resulting analytics back to Facebook HQ. This was later expanded to cover other competitors, including Amazon & YouTube — techcrunch.com/…
    • These snippets from emails by Mark Zuckerberg make the motivations behind this move very clear:

    “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them.”
    “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”

    • A particularly galling detail is that management knew how wrong this was, as evidenced by this snippet from an email sent by their then-head of security Pedro Canahuati:

    “I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”

  • Mozilla’s latest attempt to bolster its finances has backfired spectacularly: after just a few weeks it has had to abandon its identity-protection offering, Mozilla Monitor Plus, when its chosen partner, Onerep, was found to be playing both sides, running sites that hoover up and sell personal data as well as a service for removing users’ data from those same kinds of sites — krebsonsecurity.com/…

  • Telegram is offering users a free Premium subscription in exchange for letting Telegram use their phones to send 2FA login-code SMS messages to other users, which exposes them to carrier charges and reveals their phone number to random Telegram users — thehackernews.com/…
    • Bart’s Advice: don’t!
  • 🧯 AMD’s Zen architecture joins the RowHammer club – it was thought Zen was immune to this attack, but researchers from ETH Zurich have released details of their ZenHammer attack, which can successfully flip bits on AMD Zen systems — www.bleepingcomputer.com/…
    • As with other RowHammer attacks, this falls into the “if your computer is already hacked …” category
    • This bug is difficult to exploit
    • Firmware updates are on the way for server environments
  • 🇺🇸 U.S. EPA Forms Task Force to Protect Water Systems from Cyberattacks — thehackernews.com/…

Top Tips

Excellent Explainers

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
🏳️ (any country flag) The story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
