Security News

YubiKey Side-Channel Attack
2024-09-06 15:16

There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. It’s a complicated attack, requiring the victim’s username and password, and physical access to...

Latest Intel CPUs impacted by new Indirector side-channel attack
2024-07-01 14:24

Modern Intel processors, including chips from the Raptor Lake and the Alder Lake generations, are susceptible to a new type of high-precision Branch Target Injection attack dubbed 'Indirector,' which could be used to steal sensitive information from the CPU. Indirector exploits flaws in the Indirect Branch Predictor and the Branch Target Buffer, two hardware components found in modern Intel CPUs, to manipulate speculative execution for data extraction. The Indirect Branch Predictor is designed to predict the target addresses of indirect branches using historical execution information, while the Branch Target Buffer predicts the target addresses of direct branches using a set-associative cache structure.

ChatGPT side-channel attack has easy fix: token obfuscation
2024-03-18 02:31

In brief: Almost as quickly as a paper came out last week revealing an AI side-channel vulnerability, Cloudflare researchers have figured out how to solve it: just obscure your token size. The paper [PDF], from researchers at the Offensive AI Institute at Israel's Ben Gurion University, found an issue with how all non-Google ChatGPT derivatives transmit chat sessions between LLM servers and users.

Side Channels Are Common
2024-01-23 12:09

Thus, we show, it is possible to conduct physical side-channel attacks on computation by remote and purely passive analysis of commonly-shared channels. These attacks require neither physical proximity, nor the ability to run code on the target or configure its hardware.

Side channel attacks take bite out of Apple silicon with iLeakage exploit
2023-10-26 17:45

The attack can be launched against Macs, iPhones, and iPads running Apple's A-series or M-series chips. For macOS, the attack only works on Safari, but for iOS and iPadOS, there's a much larger attack surface.

Modern GPUs vulnerable to new GPU.zip side-channel attack
2023-09-27 14:06

Researchers from four American universities have developed a new GPU side-channel attack that leverages data compression to leak sensitive visual data from modern graphics cards when visiting web pages. The GPU.zip researchers explain that all modern graphic processor units, especially integrated Intel and AMD chips, perform software-visible data compression even when not explicitly asked.

Researchers Uncover New GPU Side-Channel Vulnerability Leaking Sensitive Data
2023-09-27 12:55

A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage. "This channel exploits an optimization that is data...

Collide+Power, Downfall, and Inception: New Side-Channel Attacks Affecting Modern CPUs
2023-08-09 15:39

Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs. "Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers," Daniel Moghimi, senior research scientist at Google, said.

New Collide+Power side-channel attack impacts almost all CPUs
2023-08-02 17:37

A new software-based power side-channel attack called 'Collide+Power' was discovered, impacting almost all CPUs and potentially allowing data to leak. The main concept of Collide+Power is to leak data from measured CPU power consumption values when a data "collision" happens in CPU cache memory between the attacker's dataset and data sent by other applications to overwrite the former.

Power LED Side-Channel Attack
2023-06-19 10:52

The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader, or of an attached peripheral device, during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva.