Security News
There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. It’s a complicated attack, requiring the victim’s username and password, and physical access to...
Modern Intel processors, including chips from the Raptor Lake and the Alder Lake generations are susceptible to a new type of a high-precision Branch Target Injection attack dubbed 'Indirector,' which could be used to steal sensitive information from the CPU. Indirector exploits flaws in Indirect Branch Predictor and Branch Target Buffer, two hardware components found in modern Intel CPUs, to manipulate speculative execution for data extraction. The Indirect Branch Predictor is designed to predict the target addresses of indirect branches using historical execution information, while the Branch Target Buffer predicts the target addresses of direct branches using a set-associative cache structure.
In brief Almost as quickly as a paper came out last week revealing an AI side-channel vulnerability, Cloudflare researchers have figured out how to solve it: just obscure your token size. The paper [PDF], from researchers at the Offensive AI Institute at Israel's Ben Gurion University, found an issue with how all non-Google ChatGPT derivatives transmit chat sessions between LLM servers and users.
Thus, we show, it is possible to conduct physical side-channel attacks on computation by remote and purely passive analysis of commonly-shared channels. These attacks require neither physical proximity, nor the ability to run code on the target or configure its hardware.
The attack can be launched against Macs, iPhones, and iPads running Apple's A-series or M-series chips. For macOS, the attack only works on Safari, but for iOS and iPadOS, there's a much larger attack surface.
Researchers from four American universities have developed a new GPU side-channel attack that leverages data compression to leak sensitive visual data from modern graphics cards when visiting web pages. The GPU.zip researchers explain that all modern graphic processor units, especially integrated Intel and AMD chips, perform software-visible data compression even when not explicitly asked.
A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage. "This channel exploits an optimization that is data...
Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs. "Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers," Daniel Moghimi, senior research scientist at Google, said.
A new software-based power side-channel attack called 'Collide+Power' was discovered, impacting almost all CPUs and potentially allowing data to leak. The main concept of Collide+Power is to leak data from measured CPU power consumption values when a data "Collision" between the attacker's dataset and data sent by other applications to overwrite the former happens in CPU cache memory.
The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card readeror of an attached peripheral deviceduring cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva.