Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label hardware vulnerabilities. Show all posts

Why Passkeys Are the Future of Digital Authentication

 

Passwords have been a fundamental aspect of digital security for years, but they come with significant drawbacks. They are not only a hassle to remember but also vulnerable to various hacking techniques. Passkeys have emerged as a robust alternative, offering a more secure and user-friendly approach to account authentication. This new method utilizes your device, such as a smartphone or laptop, as an authenticator, employing either a PIN or biometric verification like fingerprint or facial recognition. 

The primary advantage of passkeys is that they eliminate the need for passwords entirely. This reduces the risk of phishing attacks, as there is no password for hackers to steal or guess. Additionally, passkeys are tied to the user’s device, making unauthorized access much more difficult. Without passwords to remember, users can enjoy a more streamlined and secure login experience. Major tech companies are already supporting the adoption of passkeys. For instance, setting up passkeys on a Google account involves visiting the Google Passkeys page and configuring the passkey with your device. Microsoft accounts can similarly be secured with Windows Hello or a PIN. Apple integrates passkeys with iCloud Keychain, making it easy for users to transition. These companies are not alone. Other platforms like Amazon, Adobe, Discord, eBay, GitHub, LinkedIn, Shopify, and WhatsApp have also embraced passkeys. 

This widespread support highlights the growing recognition of passkeys as the future of digital security. One concern with passkeys is the potential for losing access if the device is lost. Fortunately, most major tech companies allow passkeys to be synced across devices or securely stored in the cloud with end-to-end encryption. This means that users can restore their passkeys on a new device if their original one is lost. 

However, if a hardware security key is lost and not backed up, access to accounts could be permanently lost. Despite these concerns, device-based authentication is inherently secure. Modern devices are equipped with advanced security measures that make unauthorized access extremely difficult. Even if a device is stolen, the thief would need to bypass biometric or PIN verification to access sensitive information. Passkeys are stored in a Trusted Platform Module (TPM), ensuring that they are securely protected. In summary, passkeys represent a significant advancement in digital security. 

They offer a more secure, user-friendly alternative to traditional passwords, addressing many of the vulnerabilities associated with password-based authentication. As more services and devices adopt this technology, passkeys are poised to become the standard for secure online access. This shift not only enhances security but also simplifies the user experience, making it easier for individuals to protect their digital identities.

Fresh SLAM Attack Extracts Sensitive Data from AMD CPUs and Upcoming Intel Processors

 

Academic researchers have unveiled a novel side-channel attack named SLAM, designed to exploit hardware enhancements meant to bolster security in forthcoming CPUs from major manufacturers like Intel, AMD, and Arm. The attack aims to retrieve the root password hash from the kernel memory through a transient execution technique.

SLAM takes advantage of a memory feature allowing software to utilize untranslated address bits in 64-bit linear addresses for metadata storage. Diverse CPU vendors implement this feature differently, with Intel calling it Linear Address Masking (LAM), AMD labeling it Upper Address Ignore (UAI), and Arm referring to it as Top Byte Ignore (TBI). 

The SLAM attack, an abbreviation for Spectre based on LAM, was identified by researchers at Vrije Universiteit Amsterdam's Systems and Network Security Group (VUSec Group). They demonstrated the attack's viability by emulating the upcoming LAM feature from Intel on a previous-generation Ubuntu system.

According to VUSec, SLAM primarily affects future chips meeting specific criteria due to a lack of robust canonicality checks in their designs. Despite advanced hardware features like LAM, UAI, and TBI improving memory security, they introduce exploitable micro-architectural race conditions.

The attack hinges on a new transient execution technique focusing on exploiting a previously unexplored class of Spectre disclosure gadgets, particularly those involving pointer chasing. Gadgets are manipulable instructions in software code that, when exploited, trigger speculative execution, revealing sensitive information. The SLAM attack specifically targets "unmasked" gadgets using secret data as a pointer, commonly found in software, allowing attackers to leak arbitrary ASCII kernel data.

To demonstrate the attack, researchers developed a scanner identifying hundreds of exploitable gadgets on the Linux kernel. While executing the attack, an attacker must run code on the target system that interacts with unmasked gadgets, measuring side effects with sophisticated algorithms to extract sensitive information like passwords or encryption keys from the kernel memory.

The SLAM attack impacts various processors, including existing vulnerable AMD CPUs, future Intel CPUs supporting LAM, future AMD CPUs supporting UAI and 5-level paging, and future Arm CPUs supporting TBI and 5-level paging. 

In response to SLAM, Arm asserted its systems already mitigate against Spectre v2 and Spectre-BHB, with no further action planned. AMD referenced existing Spectre v2 mitigations, while Intel announced plans for software guidance and the deployment of security extensions before releasing future processors supporting LAM. Meanwhile, Linux engineers have devised patches to disable LAM until further guidance becomes available.