Lessons from an Obscure Apple Crypto Bug
3–25–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, March 25, 2024, and today we’re going to see what we can learn from a highly technical Apple vulnerability.
Lessons from an Obscure Apple Crypto Bug
Late last week, a new vulnerability was announced that’s present in Apple’s custom silicon chips, M1 and M2. If you haven’t been following the Apple processor saga over the past 15 years or so as they’ve transitioned away from the AIM PowerPC platform over Intel and then onto their own custom chips - first the A series in mobile devices and now M series in their desktops, laptops, and iPads.
Turns out that in their attempt to optimize these integrated chips - known as “SOCs” or System on a Chip that includes additional integrated capabilities that had traditionally been separate like graphics cards or cellular and wifi radios, etc. - they’ve introduced a subtle “side channel” vulnerability that allows attackers to expose certain data that should be encrypted at a time when it’s unencrypted for processing.
Being called “GoFetch” by its creators, it’s described as “a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers.”
The details of the vulnerability are highly technical - even for security pros and developers - and less important for our discussion.
What is important is to note that both Intel and AMD had side channel vulnerabilities discovered last year - some including this prefetch mechanism.
What we need to see here in terms of a pattern of evolution is that attackers will take a successful attack from one context and see if it’s successful in another. I’m not at all surprised that we’re seeing additional vulnerabilities discovered in this space because we’re now seeing additional security research in this space.
There’s a very direct correlation there between research conducted and vulnerabilities discovered. Furthermore, the stakes can be quite a bit higher in a hardware context because they may not be able to simply be “patched” the way that most software can be. In the case of this GoFetch vulnerability, Apple M1 and M2 processors cannot be updated and must be replaced if you’re looking to eliminate this vulnerability.
The vulnerability is not present in the new M3 generation of the chip, but in particular applications - say crypto wallet storage - the best practice is to avoid using the vulnerable hardware.
As an aside for you crypto whales out there, you should be using an offline cold storage hardware wallet anyway and not keeping it on your MacBook Pro.
We saw another hardware issue exposed last week, as well, where 3 million digital hotel locks were exposed as vulnerable to being unlocked using any Android phone. The attack vector itself has been known for 2 years - and was part of a hackathon in Las Vegas connected to the security conference Black Hat - but even with the disclosure this week, “only 36 percent of installed Safloks have been updated.”
Why?
Because they’re not networked devices and each one must be manually updated, door to door. Three. Million. Doors.
And you can bet that this attack technique, now that it’s public, will be used against other RFID based authentication mechanisms, including other building and automation technologies.
The takeaway for defenders is to continually look at new attacks in the contexts that are important to them. You need to go beyond just checking the software version of the vulnerable product (though still definitely keep doing that) - and expand your threat modeling.
Maybe you’re not vulnerable today, but what would happen if those type of tools or appliances in your environment were vulnerable?
What related attacks or environments might threat actors or security researchers pivot to next?
How would you detect this in your environment? Disrupt it? Deter it? Defend against it?
Do yourself the favor of getting the thinking done ahead of the incident - because once devices or accounts start getting compromised, it’s probably too late to make much of a difference.
Fundraising
Fundraising last week remained relatively subdued, though we did crack the $5B mark in terms of newly committed capital.
Reddit’s IPO, along with Truth Social’s SPAC, are going to remain front of mind for investors, as well as the rest of the macro mechanics around interest rates, Federal Reserve meetings, and other data points.
For now, seems like the calm before the storm - which may be the case for the foreseeable future given the election year here in the US. I expect markets outside the US to move a bit more independently in the rest of 2024, and focused funds and investments to continue. Smaller players, now is your time to act decisively!
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.scmagazine.com/brief/current-upcoming-cpus-face-slam-side-channel-attack-threat
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1017.html
https://www.wired.com/story/saflok-hotel-lock-unsaflok-hack-technique/