Apple Deploys Privacy and Security as an 'Elastic Shield' DOJ Says in Antitrust Lawsuit

GoFetch attack allows E2E key extractions, Unsaflok technique gives hackers access to 3m hotel doors, Senators alarmed by TikTok classified briefing, Personal data of Air Europa customers compromised, Ivanti urges immediate patch to Standalone Sentry flaw, Rhysida claims MarineMax hack, NIST CVE database mysteriously falls short, much more

Apple’s iMessage end-to-end encryption figures prominently in the Justice Department’s antitrust lawsuit against the Silicon Valley giant, which alleges that Apple's anticompetitive practices have denied users not only better prices, features, and innovation but also better digital security.

The DOJ’s lawsuit homes in on Apple's approach to security and privacy, arguing that it uses those principles as an excuse for its anticompetitive practices yet jettisons them whenever they might hurt the bottom line. “In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests,” the complaint reads.

In its privacy and security arguments, the DOJ faults Apple for decisions like its deal with Google to make Google's search engine the default on Apple products rather than a more privacy-preserving alternative or allowing data-harvesting apps into its App Store. But it repeatedly returns to iMessage as perhaps the clearest example of how Apple's anticompetitive practices directly harm users’ security.

The DOJ argues that refusing to let users of other smartphone platforms like Android use its end-to-end encrypted iMessage protocol has significantly reduced the overall security of messaging worldwide, both for Android users and for the Apple users who communicate with them.

“Text messages sent from iPhones to Android phones are unencrypted as a result of Apple’s conduct,” the complaint reads. “If Apple wanted to, Apple could allow iPhone users to send encrypted messages to Android users while still using iMessage on their iPhone, which would instantly improve the privacy and security of iPhone and other smartphone users.”

Apple says it designs its products to “work seamlessly together, protect people’s privacy and security, and create a magical experience for our users.” It adds that the DOJ lawsuit “threatens who we are and the principles that set Apple products apart” in the marketplace. The company also says it hasn't released an Android version of iMessage because it couldn't ensure that third parties would implement it in ways that met the company's standards.

“If successful, [the lawsuit] would hinder our ability to create the kind of technology people expect from Apple—where hardware, software, and services intersect,” the statement continues. “It would also set a dangerous precedent, empowering government to take a heavy hand in designing people’s technology. We believe this lawsuit is wrong on the facts and the law, and we will vigorously defend against it.” (Andy Greenberg and Andrew Couts / Wired)

Related: Justice.gov, Justice.gov, TechCrunch, Wall Street Journal, New York Times, CNBC, 9to5Mac, US Department of Justice, United States District Court, Al Jazeera, Finbold, The Independent, Platformer, TechCrunch, 404 Media, Axios, MarketWatch, iMore, Tom's Guide, Investing.com, Blockonomi, Cryptopolitan, BGR, The Seattle Times, BBC, The Verge, Investor's Business Daily, Daring Fireball, Associated Press, NBC News, New York Times, New York Daily News, Android Authority, Neowin, Trak.in, Sammy Fans, Financial Times, TweakTown, Proactiveinvestors UK, Lowyat.NET, Business Today, The Hacker News, Phandroid, GSMArena.com, PBS NewsHour, InfoRiskToday.com, CBS News, SC Media, Forbes, The Verge, Semafor, Benzinga, Android Headlines, 404 Media, Proactive, Laptop Mag, MSPoweruser, London Evening Standard, iClarified, ABC News, Business Times, Yahoo Finance, PetaPixel, Business Insider

A team of academic researchers has devised a new side-channel attack called GoFetch that exploits a flaw that allows end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols.

The flaw can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.

The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before they are needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel's 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.

The new research's breakthrough is that it exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes, they confuse memory content, such as key material, with the pointer value that is used to load other data. As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This “dereferencing” of “pointers,” meaning the reading of data and leaking it through a side channel, is a flagrant violation of the constant-time paradigm.

GoFetch works against classical encryption algorithms and a newer generation of encryption that has been hardened to withstand anticipated attacks from quantum computers. The GoFetch app requires less than an hour to extract a 2048-bit RSA key and a little over two hours to extract a 2048-bit Diffie-Hellman key. The attack takes 54 minutes to extract the material required to assemble a Kyber-512 key and about 10 hours for a Dilithium-2 key, not counting the offline time needed to process the raw data.

The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts. As it does this, it extracts the secret key the targeted app uses to perform those cryptographic operations. This mechanism means the targeted app does not need to perform any cryptographic operations on its own during the collection period.

Like other microarchitectural CPU-side channels, the one that makes GoFetch possible can’t be patched in the silicon. Instead, the people developing code for Apple hardware are responsible for mitigating the harmful effects of the vulnerability. For developers of cryptographic software running on M1 and M2 processors, this means that in addition to constant-time programming, they will have to employ other defenses, almost all of which come with significant performance penalties.

End users who are concerned should check for GoFetch mitigation updates that become available for macOS software that implements any of the four encryption protocols known to be vulnerable. Out of an abundance of caution, it’s probably also wise to assume, at least for now, that other cryptographic protocols are likely also susceptible.

Ian Carroll, an independent security researcher and founder of travel website Seats.aero, Lennert Wouters, a researcher in the Computer Security and Industrial Cryptography group at KU Leuven University in Belgium, and a team of other security researchers revealed a hotel keycard hacking technique they call Unsaflok that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba and installed on 3 million doors worldwide, inside 13,000 hotel properties in 131 countries.

Their technique starts with obtaining any keycard from a target hotel, then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it.

Wouters, Carroll, and their colleagues shared the full technical details of their hacking technique with Dormakaba in November 2022. Dormakaba says it's been working since early last year to make hotels that use Saflok aware of their security flaws and help them fix or replace the vulnerable locks.

For many of the Saflok systems sold in the last eight years, no hardware replacement is necessary for each lock. Instead, hotels will only need to update or replace the front desk management system and have a technician manually reprogram each lock, door by door. (Andy Greenberg / Wired)

The two most commonly affected models. Source: Saflok.

Senators who received a classified briefing on the social media app TikTok say that China's government can use TikTok to spy on American users and push propaganda at alarming levels.

The senators hesitated to give details about Wednesday's briefing but said Americans would be frightened by TikTok's ability to access and track their personal data.

Sen. Richard Blumenthal (D-CT) told Axios the briefing's "level of detail and specificity was extremely impactful." "Their ability to track, their ability to spy is shocking," Sen. Eric Schmitt (R-MO) said. (Stephen Neukam, Stef W. Kight / Axios)

International Consolidated Airlines Group said the personal data of Air Europa consumers has been compromised due to a security incident discovered in October.

The parent company of British Airways and Iberia said in an email sent to Air Europa’s consumer base that the data breach exposed customers' names, birthdays, nationalities, ID cards or passport information, and phone numbers.

The company said it doesn’t have evidence of any fraudulent use of the leaked data. (Sabela Ojea / Wall Street Journal)

Related: Reuters

Ivanti warned customers to immediately patch a critical severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers.

Standalone Sentry is deployed as an organization's Kerberos Key Distribution Center Proxy (KKDCP) server or as a gatekeeper for ActiveSync-enabled Exchange and SharePoint servers.

Tracked as CVE-2023-41724, the security flaw impacts all supported versions, and it allows unauthenticated bad actors within the same physical or logical network to execute arbitrary commands in low-complexity attacks.

Ivanti also fixed a second critical vulnerability (CVE-2023-46808) in its Neurons for ITSM IT service management solution that enables remote threat actors with access to an account with low privileges to execute commands "in the context of web application's user."

The company added that it found no evidence that these two security vulnerabilities are being exploited in the wild. (Sergiu Gatlan / Bleeping Computer)

Researchers at Mandiant report that a hacker they call UNC5174, allegedly connected to the People's Republic of China, has been exploiting two popular vulnerabilities to attack US defense contractors, UK government entities, and Asian institutions.

The researchers believe UNC5174 is a former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China's Ministry of State Security (MSS) focused on executing access operations.

“In February 2024, UNC5174 was observed exploiting ConnectWise ScreenConnect vulnerability (CVE-2024-1709) to compromise hundreds of institutions primarily in the U.S. and Canada,” the researchers said.

CVE-2024-1709 has caused alarm among cyber defenders since IT management software company ConnectWise warned its customers about the issue in February. The company confirmed that several customers had been compromised through the vulnerability, and the top U.S. cybersecurity agency added it to a list of exploited bugs on February 22.

ScreenConnect allows for secure remote desktop access and mobile device support, and researchers said both cybercriminals and nation-states were exploiting it.

Mandiant said it also found UNC5174 exploiting CVE-2023-46747, a vulnerability discovered in late October affecting F5 BIG-IP.

During the exploitation of both vulnerabilities, Mandiant says it saw a mix of custom tools and frameworks used to take advantage of the issues that were unique to UNC5174.

Mandiant accessed the hacker’s infrastructure, discovering “aggressive scanning for vulnerabilities on internet-facing systems belonging to prominent universities in the U.S., Oceania, and Hong Kong regions.”

While they could not confirm whether the hacker was successful, Mandiant also said they saw think tanks in the U.S. and Taiwan targeted.

Mandiant said it also found posts on a forum from a hacker they believe to be UNC5174 claiming to have exploited CVE-2024-1709 at hundreds of organizations in the U.S. and Canada. (Jonathan Greig / The Record)

Source: Mandiant.

The Rhysida ransomware group claims it was responsible for the cyberattack at US luxury yacht dealer MarineMax earlier this month.

In a filing with the Securities and Exchange Commission following the attack, the company didn't mention any involvement of ransomware, and its operations were said to have "continued throughout this matter in all material respects."

Rhysida posted a snippet of the data it claims to have stolen from MarineMax to its website, but the montages of documents don't clearly or conclusively reveal their nature. Most of the leaked documents appear to be related to accounts and finances.

Rhysida says it is holding a seven-day auction on its site. If it receives a bid it deems fair for the value of the data it claims to have stolen, it will sell it to a third party exclusively rather than making it public. (Connor Jones / The Register)

Last month, the critical government-sponsored CVE database hosted by the National Institute of Standards and Technology (NIST) posted on its website that users "will temporarily see delays in [our] analysis efforts" as NIST implements improved tools and methods, putting security managers in a bind as they try to stay on top of new threats.

No further explanation has been forthcoming. NIST is documenting a small percentage of CVEs, but by no means at the same velocity as in prior years.

More than 6,000 new CVEs have been posted since the beginning of the year, but nearly half of them lack any details in the NVD, the details that make the vulnerability data useful to enterprise security managers and to the numerous vulnerability management tools that can help prevent potential damage from attackers.

Dan Lorenc, CEO of Chainguard, wrote a post on LinkedIn documenting the situation. "The [latest] CVE entries do not contain any metadata around what software is actually affected," he wrote. "This is a massive issue and the lack of any real statement on the problem [by NIST] is troubling."

"This is a data set of national importance," says Josh Bressers of Anchore, who also posted comments about the situation. "I would have expected clearer communications because no one knows anything. It is all a mystery."

Michael Gorelik, CTO of security tools vendor Morphisec, said, "Smaller organizations are constantly chasing patches. The lack of metadata with NVD means they are losing the immediate benefits and will reduce their overall security. This means that potential business disruption is inevitable, especially in the ransomware-rich landscape we have today. This is a bigger immediate problem than the threats posed by GenAI."

NIST may be the agency responsible for NVD, but the lion's share of the actual work product that is behind it comes from the well-known defense contractor MITRE, since it takes care of the CVE collection. Tom Pace, CEO of Netrise, says, "It isn't technical — why isn't MITRE picking up the slack? NIST has a smaller crew anyway." He calls out MITRE for falling down on its mission and leaving security teams in the dark. (David Storm / Dark Reading)
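The missing-metadata problem described above is easy to measure locally. The following script is an added example, not code from Metacurity or from NIST: it takes a response in the shape of the NVD API 2.0 JSON (assumed layout: `vulnerabilities[].cve` with `vulnStatus`, `metrics` and `configurations`), flags every record that lacks either CVSS metrics or CPE match strings, and reports the unenriched share. The sample records are constructed and use the obviously fake year 2099 so they cannot be mistaken for real CVE IDs.

```python
import json
from typing import Dict, List

# Constructed sample shaped like an NVD API 2.0 response (assumption: the
# real API nests each record as vulnerabilities[].cve with vulnStatus,
# metrics and configurations). CVE ids use year 2099, so they are fake.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2099-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        # Received but never enriched: no score, no affected-product data.
        {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Awaiting Analysis"}},
        {"cve": {"id": "CVE-2099-0003", "vulnStatus": "Awaiting Analysis"}},
        # Scored but with an empty configuration list: still useless for
        # matching against an asset inventory.
        {"cve": {
            "id": "CVE-2099-0004",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
            "configurations": [],
        }},
    ]
})


def has_cpe(cve: dict) -> bool:
    """True if at least one CPE match string exists under configurations."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            if node.get("cpeMatch"):
                return True
    return False


def has_cvss(cve: dict) -> bool:
    """True if any CVSS metric block is present (v2, v3.x or v4)."""
    return bool(cve.get("metrics"))


def triage(raw_json: str) -> Dict[str, object]:
    """Summarise which records a vulnerability-management tool could act on.

    A record counts as enriched only when it carries both a CVSS score and
    CPE data; everything else lands in the watch list.
    """
    data = json.loads(raw_json)
    entries = data.get("vulnerabilities", [])
    unenriched: List[str] = []
    by_status: Dict[str, int] = {}
    for entry in entries:
        cve = entry["cve"]
        status = cve.get("vulnStatus", "unknown")
        by_status[status] = by_status.get(status, 0) + 1
        if not (has_cpe(cve) and has_cvss(cve)):
            unenriched.append(cve["id"])
    total = len(entries)
    return {
        "total": total,
        "unenriched": unenriched,
        "unenriched_ratio": len(unenriched) / total if total else 0.0,
        "by_status": by_status,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NVD_JSON), indent=2))
```

Feeding the script a real NVD feed for the current year reproduces the "nearly half" figure the article cites; the watch list it returns is the set of CVEs a team must research from the vendor advisory or CNA record instead of relying on NVD scoring. Note the fourth sample record: `vulnStatus` alone is not a reliable signal, which is why the check looks at the actual `configurations` content.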

In an open letter to Meta, The Mozilla Foundation and dozens of other research and advocacy groups are opposing the company’s decision to shut down its research tool, CrowdTangle, saying this will harm their ability to track election misinformation in a year when “approximately half the world’s population” is slated to vote.

The letter comes one week after Meta confirmed it would shut down the tool in August 2024. “Meta’s decision will effectively prohibit the outside world, including election integrity experts, from seeing what’s happening on Facebook and Instagram — during the biggest election year on record,” the letter writers say.

CrowdTangle has long been a source of frustration for Meta. It allows researchers, journalists, and other groups to track how content is spreading across Facebook and Instagram. Journalists often cite CrowdTangle in unflattering stories about Facebook and Instagram. (Karissa Bell / Engadget)

The KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.

The KDE Store allows anyone to upload new themes and various other plugins or add-ons without checking for malicious behavior.

KDE said it currently lacks the resources to review the code used by each global theme submitted for inclusion in its official store. If the themes are faulty or malicious, this can result in unexpected consequences.

“Global themes and widgets created by 3rd party developers for [graphical workspaces environment] Plasma can and will run arbitrary code,” KDE cautioned. “You are encouraged to exercise extreme caution when using these products.”

According to a Reddit post quoted by KDE, at least one user had their files wiped after installing one such global Plasma theme.

After it was installed, the theme deleted all personal data from mounted drives using 'rm -rf', a very dangerous UNIX command that forcefully and recursively deletes a directory's contents (including files and other folders) without any warning or prompt for confirmation. (Sergiu Gatlan / Bleeping Computer)

Under the White House's 2025 budget request, federal civilian agencies would receive a 10% increase in cybersecurity funds.

The funding would bring the total federal civilian cyber spend to $12.33 billion for fiscal 2025, up from estimated current levels of $11.21 billion this year, as the U.S. works to secure federal networks and combat nation-state cyber threats and hacking campaigns from cyber criminals.

The Department of Homeland Security, which houses the Cybersecurity and Infrastructure Security Agency, takes the biggest share of the funds at $3.15 billion, an increase from around $3 billion in last year’s budget request. The other top-funded agencies include Health and Human Services and the Treasury Department, which are heavily involved in data privacy and financial security enforcement.

If passed into law, the allocations would mark a record high for IT and cyber spending at $75.13 billion in 2025, up from around $74.56 billion in the prior year. (David DiMolfetta / NextGov/FCW)

According to an FBI affidavit, Jason Gray, an Air Force intelligence analyst, is alleged to have shared classified US intelligence on the chat platform Discord with followers of the anti-government extremist group Boogaloo.

Investigators said that analyst Jason Gray shared information that he “likely obtained” from his access to National Security Agency intelligence while he served at a base in Alaska.

At the time the FBI sought a warrant for his Discord account, Gray had already admitted to Air Force investigators that he had created a Facebook group for supporters of the loosely organized, anti-government Boogaloo movement. (Shane Harris, Samuel Oakford, and Aaron Schaffer / Washington Post)

Pwn2Own Vancouver 2024 has ended, and security researchers collected $1,132,500 after demoing 29 zero-days (and some bug collisions).

Competitors successfully gained code execution and escalated privileges on fully patched systems after hacking Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, three web browsers (Apple Safari, Google Chrome, and Microsoft Edge), and the Tesla Model 3.

Vendors have 90 days to release security fixes for zero-day vulnerabilities reported during Pwn2Own contests before Trend Micro's Zero Day Initiative discloses them publicly. (Sergiu Gatlan / Bleeping Computer)

Source: Zero Day Initiative.

Best Thing of the Day: The UK is Not China

The tech industry in the UK is pushing back against proposed changes to the Investigatory Powers Act, also known as the Snooper’s Charter, that would require messaging platforms to inform the Home Office about security updates before they are released.

Worst Thing of the Day: LLMs May Favor Adversaries

Gilbert Herrera, research director of the US National Security Agency, warned that, while useful, large language models may give adversaries an edge over the US because they don’t have to worry about the constraints the US intel community faces.

Closing Thought