Mac Archives – Gridinsoft Blog
Fri, 31 May 2024 01:04:35 +0000

GoFetch Vulnerability in Apple Silicon Uncovered
https://gridinsoft.com/blogs/gofetch-vulnerability-apple-silicon/
Tue, 26 Mar 2024 15:03:15 +0000

Researchers uncovered a vulnerability in Apple Silicon processors, dubbed GoFetch. It allows attackers to extract secret keys from Mac computers while they perform widely used cryptographic operations. Notably, it is practically impossible to patch the flaw, as it stems from the microarchitecture of the processor.

Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys

Researchers have discovered a vulnerability in Apple’s in-house M-series processors. Under certain conditions, this vulnerability allows cryptographic information to be stolen from the processor cache. Modern computing devices use a hardware optimization called the DMP (data memory-dependent prefetcher). It reduces latency between the main memory and the CPU by predicting memory addresses and loading their contents into the CPU cache before they’re needed. By exploiting the way this mechanism interacts with cryptographic operations, attackers can recover private encryption keys piece by piece.

Unlike more common vulnerabilities, developers can’t directly fix this flaw with a software patch. The issue is rooted in the microarchitecture design of the silicon itself. The only way to mitigate this vulnerability is to build defenses into third-party cryptographic software. Yet this workaround may have a serious performance impact, with older M1 and M2 chips suffering the worst losses.

Understanding GoFetch Attack

Let’s take a closer look at how this attack works. The attack is called GoFetch, and it works against both classical and quantum-resistant encryption algorithms. As mentioned, it exploits a weakness in Apple processors related to the DMP (data memory-dependent prefetcher). This next-generation prefetcher is only used in Apple and Intel Raptor Lake processors; it loads memory contents into the cache before they are needed. GoFetch can be exploited when the target cryptographic operation and a malicious application with standard user privileges run on the same CPU cluster. These are the privileges most applications already have.

The vulnerability stems from the prefetcher’s habit of treating data loaded into the CPU cache as a pointer and using it to load other data. The DMP sometimes mistakes ordinary memory contents for pointers and pulls the data they appear to point to into the CPU cache. The problem is that this completely neutralizes constant-time protection, which by design should defend against side-channel and cache-related CPU attacks by ensuring that all operations take the same time regardless of their operands. Because of the vulnerability, an application exploiting GoFetch can get traces of sensitive data placed in the cache and then steal them.
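A toy model of the interaction described above, added here as an illustration and not taken from the GoFetch researchers or from Apple: a branch-free select issues the same accesses for either secret bit, yet the modelled prefetcher dereferences the intermediate value whenever it looks like an address. The address ranges, all names and the one-load prefetch rule are simplifying assumptions; `dmpEnabled = false` stands for running where the DMP is absent or switched off.

```javascript
// Toy model of a data memory-dependent prefetcher (DMP). All addresses and
// values are constructed; nothing here touches or measures real hardware.
const LINE = 64n;                          // cache-line size (model assumption)
const MASK64 = (1n << 64n) - 1n;
const HEAP = { lo: 0x100000000n, hi: 0x100010000n }; // the only "mapped" range
const SCRATCH = 0x100000040n;              // where the victim keeps its intermediate
const PROBE = 0x100008000n;                // address-shaped value in the chosen input

class ToyCore {
  constructor(dmpEnabled) {
    this.dmpEnabled = dmpEnabled;
    this.memory = new Map();
    this.cache = new Set();                // cached line numbers, stored as strings
    this.trace = [];                       // accesses the program itself issued
  }
  touch(addr) { this.cache.add(String(addr / LINE)); }
  looksLikePointer(value) { return value >= HEAP.lo && value < HEAP.hi; }
  store(addr, value) {
    this.trace.push(`st ${addr.toString(16)}`);
    this.memory.set(String(addr), value & MASK64);
    this.touch(addr);
  }
  load(addr) {
    this.trace.push(`ld ${addr.toString(16)}`);
    const value = this.memory.get(String(addr));
    this.touch(addr);
    // The DMP inspects the *data* just brought in and, if it resembles an
    // address, fetches that line as well. The program never asked for it,
    // so the extra line does not appear in the trace.
    if (this.dmpEnabled && this.looksLikePointer(value)) this.touch(value);
    return value;
  }
  isCached(addr) { return this.cache.has(String(addr / LINE)); }
}

// Branch-free select: identical instructions and addresses for either bit.
function ctSelect(bit, a, b) {
  const mask = (-BigInt(bit)) & MASK64;    // all ones if bit == 1, else zero
  return (a & mask) | (b & ~mask & MASK64);
}

// Constant-time "victim": the intermediate equals the chosen input only when
// the secret bit is 1; otherwise it is a filler that is not address-shaped.
function runVictim(secretBit, chosenInput, dmpEnabled) {
  const core = new ToyCore(dmpEnabled);
  const filler = 0x1234n;                  // outside HEAP, so not pointer-like
  core.store(SCRATCH, ctSelect(secretBit, chosenInput, filler));
  core.load(SCRATCH);
  return core;
}

// Compare the two runs: what the program did vs. what the cache ended up holding.
function compare(dmpEnabled) {
  const c0 = runVictim(0, PROBE, dmpEnabled);
  const c1 = runVictim(1, PROBE, dmpEnabled);
  return {
    sameTrace: c0.trace.join() === c1.trace.join(),
    probeCachedBit0: c0.isCached(PROBE),
    probeCachedBit1: c1.isCached(PROBE),
  };
}

console.log("DMP on :", compare(true));
console.log("DMP off:", compare(false));
```

With the prefetcher on, the program's own accesses are identical for both bits while the cache contents differ; with it off, both runs leave the same cache state.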

How Dangerous Is It Really?

GoFetch reaches its peak efficiency when it runs on the same core cluster (efficiency or performance) as the cryptographic operations. As far as the analysis shows, it can effectively break both current and next-gen encryption techniques.

As for exact numbers, GoFetch takes less than an hour to extract a 2048-bit RSA key and just over two hours to extract a 2048-bit Diffie-Hellman key. An attack to extract the material needed to assemble a Kyber-512 key takes 54 minutes. The Dilithium-2 key would require about 10 hours, not counting the time needed to process the raw data offline.

Experimental results of four cryptographic attack PoCs. (source: ArsTechnica)

“Unfortunately, to assess if an implementation is vulnerable, cryptanalysis and code inspection are required to understand when and how intermediate values can be made to look like pointers in a way that leaks secrets. This process is manual and slow and does not rule out other attack approaches,” the researchers wrote.

Unpatchable Vulnerability

The main problem is that fixing this vulnerability by patching is impossible. This flaw sits in the Apple Silicon chip architecture. The only way out is software protection: patching third-party cryptographic software so that it avoids the vulnerable mechanism. However, as I said, this will slow down cryptographic operations on M1 and M2 and will throw a spanner in the developers’ work.

Aside from purely software workarounds, it is theoretically possible to run cryptographic processes on efficiency cores, which do not have DMP. This will impact performance as well, since E-cores were never meant to be fast and the flawed mechanism itself brought quite a bit of speed-up. Experts emphasize that the performance drop will be felt only when the affected software performs certain cryptographic operations. When working in browsers and many other types of applications, users will never notice any change.

It is worth noting that Intel Raptor Lake architecture (which includes 13th and 14th generation processors) does not have this vulnerability despite using the same prefetching mechanism as Apple’s M-series processors. The M3 processor is less susceptible, as it has a special “switch” that developers can use to disable DMP. However, it is still unclear how much performance degradation will occur when this functionality is disabled.

Read more on hardware vulnerabilities in CPUs. In particular, we wrote about the Reptar vulnerability in Intel CPUs back in 2023. There are also two attack vectors relevant to older AMD processors.

Calendar Virus Removal on iPhones & Mac
https://gridinsoft.com/blogs/how-to-get-rid-of-calendar-virus/
Tue, 08 Nov 2022 20:13:57 +0000

The calendar virus may not sound familiar to most users. What’s likely happening is that a calendar which ended up on your device by mistake is spamming you with appointments. Whenever you receive a notification from one of these appointments, you must refrain from clicking any links within the message. Doing so could infect your device with malicious software that steals your personal information. Please continue reading to learn why you received this notification in your calendar and how to fix it.

What is a calendar virus?

App calendar malware, also called Calendar Virus for iOS or iPhone calendar virus, is a kind of spam targeted at Apple devices that adds fake subscribed calendar accounts to a user’s device without their consent. Affected devices can be iPads, Mac computers, Apple Watches or iPhones. As a result of the spam, users receive notifications for “events” containing malicious links. Its effects are similar to what adware brings to the system it runs in. The terms “iPhone calendar spam” and “iOS calendar spam” refer to this activity. This type of notification may carry alarming headers to push you into following the link. Here are examples of such messages:

Virus on iPhone? Clean up now!

Ensure your online protection, click now!

Your phone is not protected! Click to protect

Keep your iPhone safe from malicious attacks!

Your iPhone is infected with a virus! delete it now

Some messages play on the user’s curiosity and sense of urgency. Usually, after a user falls for something like this and clicks a link, it launches malicious sites or questionable software on their device. Alternatively, it can redirect the victim to phishing pages.

Where does the iPhone Calendar Virus come from?

After all of the above, you probably wonder where the fake invitations on the calendar come from. Like most other malware and viruses, calendar viruses are often spread through the same malicious sites they advertise, or through social engineering. Here are some typical ways of getting infected by that nasty thing:

1. Attackers have got hold of your email address.

If the attacker has your email address, it means that in the future, you will be a target of email spam. This happens after you enter your email address on unfamiliar websites to confirm something or to buy a product. Usually, such shady sites can sell your information to make money – and they don’t care about customers’ comfort. In rare cases, emails leak when companies suffer from data leaks.

Example of a phishing email from an attacker

2. You inadvertently clicked on a malicious link.

Some scam websites might use fake captcha puzzles to bypass site warnings and trick you into downloading malware. Alternatively, they can use disguised calendars as captchas to trick you into subscribing to them. If you’re in a hurry, clicking OK might be easier than selecting any other option.

3. Receiving a spam link by text message

After clicking on a spam text that directs you to “track a package”, you subscribe to a calendar full of appointments, like “critical threats” and similar warnings. One of these spam messages might request tracking information and provide a link for accessing the Calendar.

How to clear the calendar virus from an iPhone

Apple products are linked within the ecosystem. Once you get spam on your iPhone calendar, it will also show up on your other Apple devices. The tips below should help you get rid of calendar spam on your iPhone, iPad, Mac, and anywhere else. But how to remove the iPhone calendar virus from all devices simultaneously?

For Newer iPhones:

  • Go to Settings→Calendar→Accounts
  • Find an account you don’t recognize and delete it. The calendar virus account name may be something like "Calendar Events", "Events Calendar", "Calendar Events Viewer", or similar.
  • Delete all calendar accounts you don’t know.
  • After removal, your events should return to normal.

For Older iPhones:

  • Go to the Calendar app.
  • Press Calendar at the bottom of the screen
  • Find a calendar you need. Click the More info button next to it, then scroll down and click Delete Calendar.

Cleaning Calendar Virus From your Mac:

  • Run Calendar (or iCal)
  • Press Calendar in the menu bar and select Settings
  • At the General tab, from the Default Calendar menu, select only the Calendar you want to use. Click “Save”.
  • Make sure that calendars you do not recognize or do not want to use are not selected or saved. This will delete them.

Cleaning Calendar Virus from iCloud.com:

  • Go to Calendar> Click the gear icon > Settings
  • From the default menu, select only the Calendar you want to use. Click "Save"
  • Make sure calendars you don’t know or don’t want to use are not selected or saved

How to stop iPhone calendar spam?

Countering calendar spam takes proactive steps and the awareness that you can pick it up any time you visit third-party sites. Below is a guide to reducing the risk of your account being hacked.

1. Block pop-ups in Safari

You can enable warnings for fraudulent websites on your iPhone or iPad by going to Settings > Safari, then navigating to the Websites tab. On a Mac, you can access this functionality by navigating to Safari > Preferences. Inside the Preferences section, find the Security tab and toggle Fraudulent Websites Warnings. Keeping your Safari browsing secure is important.

2. Be careful where you click.

Do not interact with fake calendar notifications; instead, delete them. Also, be wary of links and attachments in text messages or emails with unknown content. And when encountering captchas, avoid tapping or clicking on them. For example, when responding to an appointment, it’s imperative not to click on any links or active sections of the message. Instead, respond by swiping from right to left and selecting Delete. Your iPhone may prompt you to Report Junk; if this happens, report the message by tapping Report Junk and then pressing Confirm.

3. Review and change your calendar settings

One of the best ways to reduce calendar spam is to block notifications. However, it’s also a good idea to make sure none of your devices are set to accept calendar invitations automatically. While this setting is convenient for busy people, it can be used as a loophole to inject unwanted spam into the Calendar. To change your calendar preferences:

  • Sign in to your iCloud account and select Calendar
  • Click the gear icon in the bottom left corner of the app screen and select Settings.
  • Open the Advanced tab.
  • In the "Invitation" subsection, click the radio button next to the "Send an email to [your email address]" option to make this your default instead of "In-App Notifications."

Linus Torvalds doubts that Linux will run on Apple M1
https://gridinsoft.com/blogs/linus-torvalds-doubts-that-linux-will-run-on-apple-m1/
Tue, 01 Dec 2020 20:59:35 +0000

Recently, on the Real World Technologies forum, Linus Torvalds was asked what he thinks of Apple’s new M1 laptops. Torvalds then vaguely replied, “I would love to have this [laptop] if it ran on Linux.”

At the time, not everyone understood what exactly Torvalds saw as the problem, and now, in an interview with ZDNet journalists, the Linux creator explained what he meant.

“I have pretty good memories of the 11-inch Macbook Air (4.1, I think) that I used about ten years ago (but I gave it up because it took Apple too long to fix my screen, and when they did it, I had already switched to better laptops, and Apple made Linux less convenient). Apple can run Linux in its cloud, but its laptops cannot,” says Torvalds.

Torvalds now says that in theory he would like to use Linux on newer Macs:

“I’ve been waiting a long time for an ARM laptop that can run Linux. The new Air will be almost perfect except for the OS. I don’t have time to mess with it, and I don’t tend to fight companies that are not prompt to help,” Linus Torvalds said.

He names the M1’s graphics processor and the other devices around it as the main problem: they most likely will not have Linux support unless Apple suddenly decides to support the Linux community (which is unlikely to happen).

Torvalds also hopes that “there will be more cores” and admits that in a laptop he is primarily concerned not with 20 hours of battery life (which is barely achievable), but with having at least 8 large cores. At the same time, 16 GB of memory does not bother him:

In fact, 16GB is okay for me because I’m not inclined to do something that requires more RAM. All I do is read email, work with git, and compile the kernel. Yes, I have 64 GB of memory on the work machine, but only because I have 32 cores and 64 threads and I work with huge parallel assemblies. To be honest, even 32 GB would be enough for my tasks.

Let me remind you that Linus Torvalds recently approved the exclusion of the terms slave, blacklist and others from the Linux kernel code.

Kr00k problem threatens devices with Qualcomm and MediaTek Wi-Fi chips
https://gridinsoft.com/blogs/kr00k-problem-threatens-devices-with-qualcomm-and-mediatek-wi-fi-chips/
Mon, 10 Aug 2020 16:48:17 +0000

In early 2020, ESET experts spoke about the Kr00k vulnerability (CVE-2019-15126), which can be used to intercept and decrypt Wi-Fi (WPA2) traffic. At the time it was reported that any device using chips from Cypress Semiconductor and Broadcom, from laptops and smartphones to routers and IoT devices, is susceptible to this problem. Now there is information that the Kr00k problem also threatens devices with Qualcomm and MediaTek Wi-Fi chips.

So, in March, ESET experts wrote that they tested and confirmed the problem for iPhone, iPad, Mac, Amazon Echo and Kindle, Google Nexus, Samsung Galaxy, Xiaomi Redmi, Raspberry Pi 3, as well as for Wi-Fi routers from Asus and Huawei. In total, the Kr00k vulnerability was thought to threaten about a billion different gadgets.

“The Kr00k problem is associated with encryption, which is used to protect data packets transmitted over Wi-Fi. Typically, such packets are encrypted with a unique key, which depends on the Wi-Fi password set by the user. However, for vulnerable chips, this key is reset to zero in case of the disassociation process, for example a temporary shutdown, which usually occurs due to a bad signal”, – ESET researchers said.

Thus, attackers can force the device into a prolonged disassociation state and receive Wi-Fi packets intended for it. Then, by exploiting the Kr00k bug, attackers can decrypt Wi-Fi traffic using a “zero” key.

Kr00k threatens Qualcomm and MediaTek

Following the release of ESET’s February report, Broadcom and Cypress engineers have released fixes for their products.

However, ESET experts have now warned that the chips from Qualcomm and MediaTek are vulnerable to similar flaws.

In the case of Qualcomm, the vulnerability received the identifier CVE-2020-3702, and using this bug, an attacker can (after disassociation) get access to confidential data.

“The difference with the attack described above is that the data captured in this case is not encrypted at all, while exploiting the original Kr00k problem at least requires the use of a “zero” key”, – said the experts.

Researchers tested this vulnerability using the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router as examples. However, any other device that uses vulnerable Qualcomm chips can also be affected by the new issue.

Qualcomm released a patch for its proprietary driver in July 2020, but the situation is complicated by the fact that some vulnerable devices are using open source Linux drivers, and it is unclear if the problem will be fixed there. Qualcomm said they have already provided OEMs with all the necessary instructions, and users can only wait for the release of patches from specific manufacturers.

In addition, ESET experts found that MediaTek chips, which are widely used in Asus routers, as well as in the Microsoft Azure Sphere development kit, also do not use encryption at all.

“Azure Sphere uses the MediaTek MT3620 microcontroller and targets a wide variety of IoT applications, including smart homes, commercial, industrial and many other sectors”, — write the researchers.

MediaTek released fixes for this issue in March and April, and Azure Sphere received patches in July 2020.

Amid the release of a number of exploits for the original Kr00k vulnerability, the researchers have published a script that helps find out whether a device is vulnerable to the original Kr00k or to the new variations of this attack.

Sindhi Language Symbols Disable iPhone and iPad
https://gridinsoft.com/blogs/sindhi-language-symbols-disable-iphone-and-ipad/
Mon, 27 Apr 2020 16:41:41 +0000

Users found that messages containing certain characters of the Sindhi language (used primarily in India and Pakistan) disable iOS 13.4.1 and crash the iPhone and iPad.

A “text bomb” will affect the operation of the device, even if the user simply received a notification from Messages or WhatsApp, or from social networks (for example, Twitter). That is, the problem can affect thousands of people.

After receiving such a malicious notification, the device freezes, sometimes stops responding at all, and eventually crashes.

“The string of text, which we aren’t going to share here, includes the Italian flag emoji and characters in the Sindhi language. When an iPhone, iPad, Mac, or Apple Watch receives a notification with this text string, things get wonky. Sometimes, your device will crash, while other times it completely stops responding to touch input, and much more”, — report 9to5Mac magazine journalists.

According to 9to5Mac, the crash-inducing characters are now spreading more and more widely on Twitter and other social networks, and they were first published in an unnamed Telegram channel or group.

“Details of where this text string originated are somewhat unclear, but the original source seems to have been a Telegram group. It’s now going viral on Twitter and other social media platforms, though, so it’s worth being aware of it. It can spread through theoretically any application, including Twitter, Messages, and more…”, — said in 9to5Mac.

Initially, it was reported that in order to provoke a failure, the notification should contain emoji of the Italian flag, as well as Sindhi symbols. However, the well-known blogger EverythingApplePro demonstrated that the Italian flag is not necessary for this.

Since there is no fix yet, and it is unclear when Apple will release the patch, users are advised to temporarily turn off notifications.

Let me remind you that this is not the first bug of this kind. For example, in 2018, iOS users suffered from a similar error related to a symbol of the Telugu language, common in the Indian states of Andhra Pradesh and Telangana. Back then, applications reacted to the problematic symbol (జ్ఞా) as to a classic “text bomb”: they hung and went into an endless cycle of reboots.

And recently a new exploit for iOS was discovered, with the help of which China tracked the Uyghurs.

Vulnerabilities allowed access to cameras on Mac, iPhone and iPad
https://gridinsoft.com/blogs/vulnerabilities-allowed-access-to-cameras-on-mac-iphone-and-ipad/
Mon, 06 Apr 2020 16:19:21 +0000

Apple paid $75,000 to information security researcher Ryan Pickren under its bug bounty program for vulnerabilities in Safari that made it possible to access someone else’s cameras on Mac, iPhone and iPad simply by directing a person to a specially crafted site.

In total, Pickren discovered seven vulnerabilities in the Apple browser and the WebKit browser engine (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, CVE-2020-9787), three of which can be chained together and used to track users through the camera and microphone on an iPhone, iPad or Mac.

Such an attack requires very little: the victim only has to visit a malicious site. No other interaction is required, and a malicious site can pretend to be a popular legitimate resource and abuse the permissions that the victim would grant only to a trusted domain.

“If a malicious site needs to access the camera, all it needs to do is mask itself as a reliable site for video conferencing, such as Skype or Zoom”, — the researcher notes.

Corrections for bugs found by the specialist were released as part of Safari 13.0.5 (release dated January 28, 2020) and Safari 13.1 (release dated March 24, 2020).

Pickren explains that Safari grants access to devices that require specific permissions (such as camera, microphone, location, and so on) on a per-site basis. This allows individual sites, such as the official Skype site, to access the camera without asking for the user’s permission on every launch.

In iOS, there are exceptions to this rule: while third-party applications must obtain the user’s consent to access the camera, Safari can access the camera or photo gallery without any permissions.

Exploitation of the problems became possible due to the way the browser parses URL schemes and processes the security settings for each site. In this case, the researcher’s method works only with sites already open in the browser.

“The most important fact is that the URL scheme is completely ignored,” the expert writes. “This is a problem, as some schemes do not contain a meaningful host name at all, for example file:, javascript: or data:. Simply, the error makes Safari think that the malicious site is actually a trusted one. This is due to exploitation of a number of shortcomings (how the browser parses the URI, manages the web origin and initializes the secure context).”

In effect, Safari failed to verify that sites adhered to the same-origin policy, and so granted access to a site that should not have been given permission at all. As a result, the site https://example.com and its malicious counterpart fake://example.com may have the same permissions. Therefore, you can use a file: URI (for example, file:///path/to/file/index.html) to trick the browser and change the domain using JavaScript.

“Safari believes we are on skype.com and I can download some kind of malicious JavaScript. Camera, Screen Sharing microphone will be compromised after opening my local HTML file”, — Ryan Pickren writes.

A blob: URL works similarly: one such as blob://skype.com can be used to run arbitrary JavaScript code and directly access the victim’s webcam without permission.
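The flaw described above, reduced to a model and added here as an illustration (this is not WebKit code and not the researcher's PoC): a permission store keyed by host name alone next to one keyed by the full scheme, host and port. The class names, the https-only rule in the hardened store and the sample grants are assumptions.

```javascript
// Model of a browser's per-site permission store. Class and function names
// are hypothetical; the URLs are the article's examples plus constructed ones.

// Flawed: grants are keyed by host name alone, so the scheme is ignored.
class HostKeyedStore {
  constructor() { this.grants = new Set(); }
  key(url) { return new URL(url).hostname; }
  grant(url, perm) { this.grants.add(`${this.key(url)}|${perm}`); }
  isAllowed(url, perm) { return this.grants.has(`${this.key(url)}|${perm}`); }
}

// Hardened: grants are keyed by the full (scheme, host, port) tuple and only
// https origins may hold one. Everything else (file:, data:, javascript:,
// blob:, unknown schemes) has no key and therefore never matches a grant.
class OriginKeyedStore {
  constructor() { this.grants = new Set(); }
  key(url) {
    const u = new URL(url);
    if (u.protocol !== "https:" || u.hostname === "") return null;
    return `https://${u.hostname}:${u.port || "443"}`;
  }
  grant(url, perm) {
    const k = this.key(url);
    if (k === null) throw new Error(`refusing to persist ${perm} for ${url}`);
    this.grants.add(`${k}|${perm}`);
  }
  isAllowed(url, perm) {
    const k = this.key(url);
    return k !== null && this.grants.has(`${k}|${perm}`);
  }
}

// Sites the user trusted with the camera (constructed sample).
const TRUSTED = ["https://example.com/call", "https://skype.com/"];
// Look-alike URLs that share a host name with a trusted site, plus a local file.
const LOOKALIKES = [
  "fake://example.com",
  "blob://skype.com",
  "http://example.com/",
  "file:///path/to/file/index.html",
];

// Grant the camera to the trusted sites, then ask on behalf of each look-alike.
function audit(StoreClass) {
  const store = new StoreClass();
  for (const url of TRUSTED) store.grant(url, "camera");
  const result = {};
  for (const url of LOOKALIKES) result[url] = store.isAllowed(url, "camera");
  return result;
}

console.log("host-keyed  :", audit(HostKeyedStore));
console.log("origin-keyed:", audit(OriginKeyedStore));
```

The host-keyed store hands the camera grant to every look-alike that carries a trusted host name, whatever its scheme; the origin-keyed store denies all of them.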

Even worse, the study showed that unencrypted passwords can be stolen in the same way, since Safari uses the same approach to detect sites that require automatic password completion.

PoC exploits and a demonstration of the attacks described are available on the specialist blog.

I should also remind you that a researcher recently hacked an iPhone remotely using only one vulnerability.
