Apple is having a tough week with two major issues: A virtually unpatchable vulnerability in its hardware and an antitrust lawsuit filed by the United States Department of Justice and 16 attorneys general alleging that its practices related to iPhone business are illegally anticommon. The company's embrace of privacy and security decisions, particularly iMessage's end-to-end encryption, is also highlighted in the lawsuit.
Apple Faces Two Major Issues: Unpatchable Vulnerability and Antitrust Lawsuit
Apple, California, USA United States of AmericaApple is facing two major issues: a virtually unpatchable vulnerability in its hardware and an antitrust lawsuit filed by the United States Department of Justice and 16 attorneys general.
The company's embrace of privacy and security decisions, particularly iMessage's end-to-end encryption, is also highlighted in the lawsuit.
Confidence
70%
Doubts
- It's not clear if the vulnerability can be exploited by attackers.
- The antitrust lawsuit may face challenges in proving that Apple's practices are illegal.
Sources
80%
Vulnerability found in Apple's Silicon M-series chips – and it can't be patched
Mashable Inc. Matt Binder Friday, 22 March 2024 19:17Unique Points
- A new security vulnerability has been discovered in Apple's Mac and MacBook computers that allows hackers to gain access to secret encryption keys on Apple computers with the company's new Silicon M-Series chipset. This includes the M1, M2, and M3 models.
- The DMPs in Apple's Silicon chipsets can give hackers access to sensitive information like secret encryption keys.
Accuracy
No Contradictions at Time Of Publication
Deception (90%)
The article is deceptive in several ways. Firstly, the title claims that a vulnerability has been found in Apple's Silicon M-series chips and it can't be patched. However, this statement is not entirely accurate as the researchers were able to extract an RSA key of 2048 bits within one hour using GoFetch attack. Secondly, the article claims that prefetchers are meant to predictively retrieve data before a request to increase processing speed and open them for malicious attacks from bad actors. However, this statement is not entirely accurate as prefetchers do not make predictions based on values of accessed data but only addresses of accessed data.- The article claims that the vulnerability can be found in any new Apple computer released from late 2020 to today. This implies that all Mac and MacBook computers are vulnerable, which is not entirely accurate as some models may have been patched or updated with newer chipsets.
- The article states that prefetchers are meant to predictively retrieve data before a request to increase processing speed and open them for malicious attacks from bad actors. However, this statement is not entirely accurate as prefetchers do not make predictions based on values of accessed data but only addresses of accessed data.
Fallacies (85%)
The article reports on a security vulnerability found in Apple's Silicon M-series chips that allows hackers to gain access to secret encryption keys. The issue lies with prefetchers, components meant to predictively retrieve data before a request to increase processing speed. This attack is called 'GoFetch', which exploits the fact that DMPs (data memory-dependent prefetchers) in Apple's Silicon chipsets can give hackers access to sensitive information like secret encryption keys. The researchers were able to extract an 2048-bit RSA key in under one hour, and this vulnerability is unpatchable because it lies with the microarchitectural design of the chip.- The article reports on a security vulnerability found in Apple's Silicon M-series chips that allows hackers to gain access to secret encryption keys. The issue lies with prefetchers, components meant to predictively retrieve data before a request to increase processing speed.
Bias (85%)
The article reports on a security vulnerability found in Apple's Silicon M-series chips that allows hackers to gain access to secret encryption keys. The researchers have dubbed the attack 'GoFetch', which is a microarchitectural side-channel attack that exploits data memory-dependent prefetchers (DMPs). This issue can be found in any new Apple computer released from late 2020 to today, and it's unpatchable. The researchers explained how the DMPs in Apple's Silicon chipsets can give hackers access to sensitive information like secret encryption keys.- The vulnerability allows hackers to gain access to secret encryption keys on Apple computers with Apple’s new Silicon M-Series chipset. This includes the M1, M2, and M3 Apple MacBook and Mac computer models.
Site Conflicts Of Interest (50%)
None Found At Time Of Publication
Author Conflicts Of Interest (50%)
The author Matt Binder has a conflict of interest on the topics of Apple and MacBook as he is reporting for Mashable which covers these topics extensively. Additionally, there are no disclosures made in the article regarding any financial ties or personal relationships that may compromise his ability to act objectively.- The article mentions hackers, encryption keys, and security vulnerability which are topics covered by Mashable regularly.
- The author reports on a vulnerability found in Apple's Silicon M-series chips and its impact on MacBook models which is a topic he covers extensively for Mashable. This could be seen as an example of financial ties or personal relationships that may compromise his ability to act objectively.
83%
Apple Chip Flaw Leaks Secret Encryption Keys
Wired Magazine Andrew Couts Saturday, 23 March 2024 10:00Unique Points
- A group of security researchers revealed a technique that uses a series of security vulnerabilities to impact 3 million hotel room locks worldwide.
- Apple is having a tough week with two major issues: A virtually unpatchable vulnerability in its hardware and an antitrust lawsuit filed by the United States Department of Justice and 16 attorneys general alleging that its practices related to iPhone business are illegally anticompetitive. The company's embrace of privacy and security decisions, particularly iMessage's end-to-end encryption, is also highlighted in the lawsuit.
- A recent change to cookie pop-up notifications reveals that some websites share data with more than 1,500 third parties. Meanwhile, employer review site Glassdoor has begun encouraging people to use their real names for comments about companies.
Accuracy
No Contradictions at Time Of Publication
Deception (100%)
None Found At Time Of Publication
Fallacies (85%)
The article contains several examples of informal fallacies. The author uses inflammatory rhetoric when describing the security vulnerability in Apple's hardware as a 'major, virtually unpatchable vulnerability'. This is an example of hyperbole. Additionally, the author uses appeal to authority by citing sources such as WIRED and Zero Day without providing any context or explanation for why these sources are reliable. The article also contains examples of dichotomous depictions when describing the security researchers' technique as a 'unique intrusion technique'. This is an example of black-and-white thinking. Finally, the author uses inflammatory rhetoric again when describing the potential consequences of a cyberattack on water systems as having 'the potential to disrupt critical lifeline of clean and safe drinking water'. This is an example of exaggeration.- The security vulnerability in Apple's hardware is described as a 'major, virtually unpatchable vulnerability'
- , The author uses appeal to authority by citing sources such as WIRED and Zero Day without providing any context or explanation for why these sources are reliable.
- The security researchers' technique is described as a 'unique intrusion technique'
Bias (85%)
The article contains multiple examples of bias. The author uses inflammatory language to describe the security vulnerability in Apple's hardware as a 'major, virtually unpatchable vulnerability'. This is an exaggeration and not supported by any evidence provided in the article. Additionally, the author makes assumptions about Apple's privacy practices without providing any context or evidence. The author also uses sensationalist language to describe the potential consequences of this vulnerability on hotel room locks worldwide.- An exploit developed by a team of researchers, dubbed GoFetch, takes advantage of the M-series chips’ so-called data memory-dependent prefetcher (DMP). Data stored in a computer's memory have addresses, and DMP’s optimize the computer’s operations by predicting the address of data that is likely to be accessed next. The DMP then puts “pointers” that are used to locate data addresses in the machine's memory cache.
- The flaw, which is present in Apple’s M1, M2, and M3 chips, is essentially unpatchable because it is present in the silicon itself.
- The next time you stay in a hotel, you may want to use the door’s deadbolt
Site Conflicts Of Interest (100%)
None Found At Time Of Publication
Author Conflicts Of Interest (50%)
None Found At Time Of Publication
52%
Apple Silicon has a hardware-level exploit that could leak private data
Engadget Will Shanklin Saturday, 23 March 2024 13:47Unique Points
- . The exploit can bypass the computer's encryption and access its security keys, exposing private data to hackers.
- . Attackers can use the DMP to bypass encryption.
- . GoFetch is an app that can access a Mac's secure data without requiring root access.
- The M1 chip has two clusters: one containing four efficiency cores and the other four performance cores.
Accuracy
- As long as you have Gatekeeper turned on (the default), you won't likely install malicious apps in the first place.
Deception (30%)
The article is deceptive in several ways. Firstly, the title implies that there is a hardware-level exploit that could leak private data when in fact it only mentions an attack called GoFetch which can bypass encryption and access security keys on Apple Silicon Macs.- The article's title implies a hardware-level exploit, but the body of the article does not mention any such thing. Instead, it talks about an attack called GoFetch that can bypass encryption and access security keys.
Fallacies (0%)
The author is making a false dilemma by implying that the only two options are to accept or reject the exploit found in Apple Silicon Macs. The fallacy of false dilemma occurs when one presents only two alternatives and ignores other possible choices or solutions.- The researchers say this is a serious security threat, but it's not clear that users need to worry about the exploit in real-world scenarios.
Bias (100%)
None Found At Time Of Publication
Site Conflicts Of Interest (50%)
None Found At Time Of Publication
Author Conflicts Of Interest (50%)
Will Shanklin has a conflict of interest on the topics of private data and encryption and security keys as he is an author for Ars Technica Security Editor Dan Goodin.- .
- . . . ,. .
77%
Unpatchable vulnerability in Apple chip leaks secret encryption keys
Ars Technica Dan Goodin Thursday, 21 March 2024 14:40Unique Points
- A newly discovered vulnerability in Apple's M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.
- The threat resides in Apple's data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future.
- This vulnerability exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes they confuse memory content, such as key material, with the pointer value used to load other data.
Accuracy
- Usually when a security flaw is discovered nowadays, a company can patch the issue with a software fix. However, this one is unpatchable because it lies with the microarchitectural design of the chip.
Deception (80%)
The article is deceptive in several ways. Firstly, the title implies that Apple has patched a vulnerability when in fact they have not been able to patch it directly due to its root cause being microarchitectural design of the silicon itself. Secondly, the author uses sensationalist language such as 'hackers can extract secret keys' and 'the threat resides in the chips', which is misleading as there are no hackers involved and only a small subset of Macs are affected by this vulnerability. Thirdly, the article implies that cryptographic engineers have devised constant-time programming to prevent attacks when in fact they did not create it but rather rely on it for security.- The author uses sensationalist language such as 'hackers can extract secret keys'
- Cryptographic engineers did not devise constant-time programming, they rely on it for security.
- The title is misleading as Apple has not patched a vulnerability
Fallacies (85%)
The article contains an example of a fallacy known as 'appeals to authority'. The author cites the work of academic researchers without providing any evidence or context for their findings. Additionally, the article uses inflammatory rhetoric by stating that this vulnerability is a major threat and could drastically degrade performance when executing cryptographic operations.- This memory-dependent prefetcher has teeth
- The DMP often reads data and attempts to treat it as an address to perform memory access.
Bias (85%)
The article reports on a vulnerability in Apple's M-series of chips that allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations. The flaw is a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols, which can't be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations.- The vulnerability is a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols
- This flaw can't be patched directly because it stems from the microarchitectural design of the silicon itself.
Site Conflicts Of Interest (50%)
Dan Goodin has a conflict of interest on the topics of 'Unpatchable vulnerability', 'Apple chip', and 'secret encryption keys' as he is an employee of Ars Technica which is owned by Condenast. Additionally, Dan Goodin has written multiple articles about Apple in the past.- Dan Goodin writes for Ars Technica which is owned by Condenast.
Author Conflicts Of Interest (50%)
Dan Goodin has a conflict of interest on the topics of unpatchable vulnerability and secret encryption keys as he is reporting on Apple's M-series chips. He also has a personal relationship with Aurich Lawson who was quoted in the article.- The author, Dan Goodin, reports that hackers can extract secret encryption keys from Apple's Mac chips.
78%
Hardware-level Apple Silicon vulnerability can leak cryptographic keys
The Register Brandon Vigliarolo Friday, 22 March 2024 00:00Unique Points
- A side-channel vulnerability has been found in the architecture of Apple Silicon processors that gives malicious apps the ability to extract cryptographic keys from memory.
- The issue stems from how processors equipped with data memory-dependent prefetchers (DMPs) can end up revealing sensitive information to malware running on a device.
- For decades, many processors have used some kind of prefetching to boost their performance by predicting what data the currently running program will need next and bringing it into cache from DRAM for near-immediate use.
- DMPs try to be smarter than regular prefetchers by predicting what will be fetched next based on memory contents.
- A vulnerable DMP can disclose sensitive information in a way that allows malware or other rogue observers to extract secret keys and other data from DRAM.
- The GoFetch team reverse-engineered DMPs on Apple m-series CPUs and found that the DMP activates (and attempts to dereference) data loaded from memory that looks like pointers.
- To exploit the DMP, malicious code crafts chosen inputs for cryptographic operations in a way where pointer-like values only appear if certain bits of secret keys are guessed correctly.
- The GoFetch team successfully mounts key recovery attacks on popular constant-time implementations of classical and post-quantum cryptography using this approach.
- Malware or other rogue observers running in the same CPU cluster as targeted cryptographic operations can pull off this kind of exploit with nothing but user privileges.
- Similar vulnerabilities were reported in Apple Silicon chips under the name Augury, but GoFetch's analysis was overly restrictive and missed several DMP activation scenarios.
- The security threat from DMPs is significantly worse than previously thought as they can activate on behalf of potentially any program and attempt to dereference data that resembles pointers.
- Intel processors are also at risk, but less so due to more restrictive activation criteria for their DMPs.
- Microsoft, Google have found a fourth data-leaking Meltdown-Spectre CPU hole.
- Arm acknowledges side-channel attack but denies Cortex-M is crocked.
- AMD and boffins clash over chip data leak claims: New side-channel holes in decades of cores, CPU maker disagrees.
Accuracy
No Contradictions at Time Of Publication
Deception (80%)
The article reports on a vulnerability in the architecture of Apple Silicon processors that allows malicious apps to extract cryptographic keys from memory. The issue stems from how data-memory dependent prefetchers (DMPs) can reveal sensitive information to malware running on a device. This is an example of deception because it presents the reader with false security, as they may believe their devices are secure when in fact this vulnerability exists.- The article reports that malicious code on a vulnerable Apple Silicon device hoping to obtain a secret key from memory can attempt cryptographic operations involving that secret key and then piece together that key bit by bit by observing the DMP's activities. This is an example of deception because it presents the reader with false security, as they may believe their devices are secure when in fact this vulnerability exists.
- The article reports that DMPs try to be smarter by predicting what will be fetched next from the contents of memory. For instance, if it looks like the processor is preparing to fetch some data from a location based on what looks like a memory address at another location – think linked lists and the like in which one block of data has a pointer to another – then DMP may begin bringing into cache that next data. This is an example of deception because it presents the reader with false security, as they may believe their devices are secure when in fact this vulnerability exists.
Fallacies (80%)
The article discusses a hardware-level vulnerability in Apple Silicon processors that allows malicious apps to extract cryptographic keys from memory. The issue stems from how data memory-dependent prefetchers (DMPs) can reveal sensitive information to malware running on a device. The GoFetch team discovered this vulnerability by reverse engineering DMPs on Apple m-series CPUs and found that the DMP activates (and attempts to dereference) data loaded from memory that looks like a pointer. To exploit the DMP, they crafted chosen inputs to cryptographic operations in a way where pointer-like values only appear if they have correctly guessed some bits of the secret key. The team was able to show end-to-end key extraction attacks on popular constant-time implementations of classical and post-quantum cryptography. This vulnerability affects base model M2 and M3 Apple Silicon CPUs, as well as Intel processors with less restrictive activation criteria.- The article discusses a hardware-level vulnerability in Apple Silicon processors that allows malicious apps to extract cryptographic keys from memory. The issue stems from how data memory-dependent prefetchers (DMPs) can reveal sensitive information to malware running on a device.
- The GoFetch team discovered this vulnerability by reverse engineering DMPs on Apple m-series CPUs and found that the DMP activates (and attempts to dereference) data loaded from memory that looks like a pointer. To exploit the DMP, they crafted chosen inputs to cryptographic operations in a way where pointer-like values only appear if they have correctly guessed some bits of the secret key.
- The team was able to show end-to-end key extraction attacks on popular constant-time implementations of classical and post-quantum cryptography.
Bias (85%)
The article discusses a hardware-level vulnerability in Apple Silicon processors that allows malicious apps to extract cryptographic keys from memory. The author uses technical language and provides specific details about the issue, including how DMPs work and how they can be exploited. However, there is no clear indication of any political or religious bias in the article.- A vulnerable DMP can be manipulated into populating a cache preemptively in a way that discloses the contents of other memory.
Site Conflicts Of Interest (50%)
The author of the article has a conflict of interest with Apple Silicon vulnerability and cryptographic keys extraction as they are both topics that could affect the security and privacy of Apple's products. The author is also affiliated with Carnegie Mellon University which may have financial ties to companies in the tech industry.- The article mentions a hardware-level vulnerability in Apple Silicon, which can potentially leak cryptographic keys.
Author Conflicts Of Interest (50%)
The author has a conflict of interest on the topics of hardware-level Apple Silicon vulnerability and cryptographic keys extraction. The article mentions that the University of Illinois Urbana-Champaign is working with Apple to develop new security features for its chips, which could be seen as a potential financial gain for the university.- The article mentions that the University of Illinois Urbana-Champaign is working with Apple to develop new security features for its chips, which could be seen as a potential financial gain for the university.
- The article states 'University of Illinois Urbana-Champaign researchers are collaborating with Apple on developing new hardware and software protections against side-channel attacks.'