Month: October 2023

Enlarge (credit: Kim et al.)

Researchers have devised an attack that forces Apple’s Safari browser to divulge passwords, Gmail message content, and other secrets by exploiting a side channel vulnerability in the A- and M-series CPUs running modern iOS and macOS devices.

iLeakage, as the academic researchers have named the attack, is practical and requires minimal resources to carry out. It does, however, require extensive reverse-engineering of Apple hardware and significant expertise in exploiting a class of vulnerability known as a side channel, which leaks secrets based on clues left in electromagnetic emanations, data caches, or other manifestations of a targeted system. The side channel in this case is speculative execution, a performance enhancement feature found in modern CPUs that has formed the basis of a wide corpus of attacks in recent years. The nearly endless stream of exploit variants has left chip makers—primarily Intel and, to a lesser extent, AMD—scrambling to devise mitigations.

Exploiting WebKit on Apple silicon

The researchers implement iLeakage as a website. When visited by a vulnerable macOS or iOS device, the website uses JavaScript to surreptitiously open a separate website of the attacker’s choice and recover site content rendered in a pop-up window. The researchers have successfully leveraged iLeakage to recover YouTube viewing history, the content of a Gmail inbox—when a target is logged in—and a password as it’s being autofilled by a credential manager. Once visited, the iLeakage site requires about five minutes to profile the target machine and, on average, roughly another 30 seconds to extract a 512-bit secret, such as a 64-character string.

Enlarge / A GM Ultium battery pack. (credit: Santa Fabio for General Motors)

Bad news for fans of cheaper electric vehicles: The planned collaboration between Honda and General Motors on a range of cheaper EVs has been canceled. The joint project, which was announced in April 2022, was supposed to develop a new platform for use in lower-cost EVs for North America, South America, and China, with cars appearing in 2027. But on Thursday, the two companies revealed that the plan is no more.

"After extensive studies and analysis, we have come to a mutual decision to discontinue the program. Each company remains committed to affordability in the EV market," Honda and GM said in a joint statement.

"After studying this for a year, we decided that this would be difficult as a business, so at the moment we are ending development of an affordable EV," said Honda CEO Toshihiro Mibe in an interview with Bloomberg. "GM and Honda will search for a solution separately. This project itself has been canceled," Mibe said.

Enlarge / A 2020 file photo of a Starship Technologies food delivery robot. Food is stored inside the robot's housing during transportation and opened upon delivery. (credit: Leon Neal/Getty Images)

On Tuesday, officials at Oregon State University issued a warning on social media about a bomb threat concerning Starship Technologies food delivery robots, autonomous wheeled drones that deliver food orders stored within a built-in container. By 7 pm local time, a suspect had been arrested in the prank, and officials declared there had been no bombs hidden within the robots.

"Bomb Threat in Starship food delivery robots," reads the 12:20 pm initial X post from OSU. "Do not open robots. Avoid all robots until further notice." In follow-up posts, OSU officials said they were "remotely isolating robots in a safe location" for investigation by a technician. By 3:54 pm local time, experts had cleared the robots and promised they would be "back in service" by 4 pm.

In response, Starship Technologies provided this statement to the press: "A student at Oregon State University sent a bomb threat, via social media, that involved Starship’s robots on the campus. While the student has subsequently stated this is a joke and a prank, Starship suspended the service. Safety is of the utmost importance to Starship and we are cooperating with law enforcement and the university during this investigation."

Enlarge (credit: Bloomberg / Contributor | Bloomberg)

Less than three months after the California Public Utilities Commission approved robotaxi-service Cruise's plan to provide around-the-clock driverless rides to passengers in San Francisco, the California Department of Motor Vehicles (DMV) has shut down Cruise's driverless operations in the state.

Yesterday, the California DMV suspended Cruise's permits for autonomous vehicle deployment and driverless testing "effective immediately" over pedestrian safety concerns.

"Public safety remains the California DMV’s top priority, and the department’s autonomous vehicle regulations provide a framework to facilitate the safe testing and deployment of this technology on California public roads," the DMV's announcement said. "When there is an unreasonable risk to public safety, the DMV can immediately suspend or revoke permits."

Enlarge / Sam Bankman-Fried’s former flatmates (from top) Caroline Ellison, NIshad Singh and Gary Wang have given evidence against him (credit: FT montage/Bloomberg/AP)

Early last summer, Adam Yedidia took Sam Bankman-Fried to one side after a game of paddle tennis. In the shadow of a hut in the grounds of the Bahamian penthouse they and others shared, he asked the crypto tycoon: “Are we OK?”

Yedidia told a New York court this month that he was worried FTX, the crypto exchange that Bankman-Fried had co-founded and at that time led, was in financial trouble. He recounted his old friend’s reply: “We were bulletproof last year, but we’re not bulletproof this year.”

FTX collapsed a few months later, sending shockwaves through the cryptocurrency industry. US prosecutors hope this chat, which they have taken to calling the “bulletproof conversation,” will help to show Bankman-Fried knew about, and concealed, an $8 billion cash shortfall for months at least before it was exposed.