home.social

#sidechannel — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #sidechannel, aggregated by home.social.

  1. Websites have a new way to #spy on visitors: #analyzing their #SSD activity

    source: arstechnica.com/security/2026/…

    The #attack that #FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a #visitor is using, the researchers were able to determine the #websites open in other tabs—even on other browsers—and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.

    #news #web #www #browser #hardware #software #sidechannel #tracking #surveillance #privacy #internet #online #security #problem #computer #surfing #hack #hacker #software #cybersecurity

  2. Websites have a new way to #spy on visitors: #analyzing their #SSD activity

    source: arstechnica.com/security/2026/…

    The #attack that #FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a #visitor is using, the researchers were able to determine the #websites open in other tabs—even on other browsers—and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.

    #news #web #www #browser #hardware #software #sidechannel #tracking #surveillance #privacy #internet #online #security #problem #computer #surfing #hack #hacker #software #cybersecurity

  3. Websites have a new way to #spy on visitors: #analyzing their #SSD activity

    source: arstechnica.com/security/2026/…

    The #attack that #FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a #visitor is using, the researchers were able to determine the #websites open in other tabs—even on other browsers—and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.

    #news #web #www #browser #hardware #software #sidechannel #tracking #surveillance #privacy #internet #online #security #problem #computer #surfing #hack #hacker #software #cybersecurity

  4. Air gaps don't stop sound.

    USAT (Ultrasonic Sub-Audible Trojan) — acoustic covert channel operating at 17–22kHz, inaudible, cross-device, no physical access required.

    Full research: researchgate.net/publication/404012350

    #infosec #redteam #airgap #sidechannel #acoustics #research

  5. Air gaps don't stop sound.

    USAT (Ultrasonic Sub-Audible Trojan) — acoustic covert channel operating at 17–22kHz, inaudible, cross-device, no physical access required.

    Full research: researchgate.net/publication/404012350

    #infosec #redteam #airgap #sidechannel #acoustics #research

  6. Air gaps don't stop sound.

    USAT (Ultrasonic Sub-Audible Trojan) — acoustic covert channel operating at 17–22kHz, inaudible, cross-device, no physical access required.

    Full research: researchgate.net/publication/404012350

    #infosec #redteam #airgap #sidechannel #acoustics #research

  7. Air gaps don't stop sound.

    USAT (Ultrasonic Sub-Audible Trojan) — acoustic covert channel operating at 17–22kHz, inaudible, cross-device, no physical access required.

    Full research: researchgate.net/publication/404012350

    #infosec #redteam #airgap #sidechannel #acoustics #research

  8. Air gaps don't stop sound.

    USAT (Ultrasonic Sub-Audible Trojan) — acoustic covert channel operating at 17–22kHz, inaudible, cross-device, no physical access required.

    Full research: researchgate.net/publication/404012350

    #infosec #redteam #airgap #sidechannel #acoustics #research

  9. Ich kann meinen Account noch so stark absichern, #MFA, #biometrie, #faceid – es braucht manchmal bloß eine einzige Rechnungsnummer, um Zugang zu erhalten.

    gamepro.de/artikel/psn-account

    Gutes Vergleichsbeispiel, um einen #sidechannel-Angriff auf Software zu erklären, denke ich.

  10. @kuketzblog Die Einstellung gibt es bei molly.im/ jedoch nicht bei Signal(Android), Herr Kuketz.

    Um dies gänzlich zu beheben, muss es von Signal (Client + Server) gepatched werden.

    Die Molly-Entwickler wollen jedoch ebenfalls Custom-Fixes bereitstellen.

    github.com/mollyim/mollyim-and

    Signals Antwort lässt sich hier finden.

    github.com/signalapp/Signal-An 

    archive.is/DNZG9

    #sidechannel #CarelessWhisper

    P.S.: Signal ist nach wie vor sicher. Coole Kids nutzen Molly. 😁 MfG 🙏

  11. This is a fascinating use of a #sidechannel timing attack against calls to an #AI model.

    By capturing encrypted TLS traffic and measuring timing, they can very accurately determine which streams corresponded to an LLM conversation about a pre-selected topic.

    TLS is intact. So their ability to recover the conversation is limited to their ability to break TLS. But they can, with high confidence, sift out all the TLS traffic for the only conversations that reference the thing they care about. They don't have to worry about spending resources breaking TLS on traffic that is unrelated. Neat #security research from #Microsoft.

    #cybersecurity #infosec #LLM

  12. I have just presented our paper on Zero Click SnailLoad at ESORICS 2025 in Toulouse. Thank you to all who attended my talk, also for the nice discussion!

    Also thanks to @c1t for taking the picture!

    #ESORICS2025 #Toulouse #SnailLoad #sidechannel

  13. Security is hard.

    The TL;DR is: Do not lose possesion of your private key.

    Addendum: This is from a year ago to be clear. But, there are many people that have older Yubikeys that Can Not be fixed.

    ninjalab.io/eucleak/

    The attack requires physical access to the secure element (few local electromagnetic side-channel acquisitions, i.e. few minutes, are enough) in order to extract the ECDSA secret key. In the case of the FIDO protocol, this allows to create a clone of the FIDO device.

    All YubiKey 5 Series (with firmware version below 5.7) are impacted by the attack and in fact all Infineon security microcontrollers (including TPMs) that run the Infineon cryptographic library (as far as we know, any existing version) are vulnerable to the attack.

    yubico.com/support/security-ad

    #2FA #SideChannel #ConstantTime

  14. New research reveals timing side channels can leak ChatGPT prompts, exposing confidential info through subtle delays. AI security needs to consider more than just inputs.
    Read more: dl.acm.org/doi/10.1145/3714464
    #AIsecurity #SideChannel #LLM

  15. Безопасности не существует: как NSA взламывает ваши секреты

    Конечные поля, хэш-мясорубки, скрытые радиоканалы и трояны, запаянные в кремний. Пока мы гордимся замками AES-256, спецслужбы ищут обходные тропы: подменяют генераторы случайности, слушают писк катушек ноутбука и вывозят ключи через незаметные ICMP-пакеты. Эта статья собирает мозаичную картину современных атак — от математических лазеек до физических побочных каналов — и задаёт неудобный вопрос: существует ли вообще абсолютная безопасность? Если уверены, что да, проверьте, не трещит ли ваш щит по швам.

    habr.com/ru/articles/918068/

    #криптография #безопасность #NSA #шифрование #конечные_поля #sidechannel #аппаратные_бэкдоры #генератор_случайности #covert_channels #киберпанк

  16. Безопасности не существует: как NSA взламывает ваши секреты

    Конечные поля, хэш-мясорубки, скрытые радиоканалы и трояны, запаянные в кремний. Пока мы гордимся замками AES-256, спецслужбы ищут обходные тропы: подменяют генераторы случайности, слушают писк катушек ноутбука и вывозят ключи через незаметные ICMP-пакеты. Эта статья собирает мозаичную картину современных атак — от математических лазеек до физических побочных каналов — и задаёт неудобный вопрос: существует ли вообще абсолютная безопасность? Если уверены, что да, проверьте, не трещит ли ваш щит по швам.

    habr.com/ru/articles/918068/

    #криптография #безопасность #NSA #шифрование #конечные_поля #sidechannel #аппаратные_бэкдоры #генератор_случайности #covert_channels #киберпанк

  17. Безопасности не существует: как NSA взламывает ваши секреты

    Конечные поля, хэш-мясорубки, скрытые радиоканалы и трояны, запаянные в кремний. Пока мы гордимся замками AES-256, спецслужбы ищут обходные тропы: подменяют генераторы случайности, слушают писк катушек ноутбука и вывозят ключи через незаметные ICMP-пакеты. Эта статья собирает мозаичную картину современных атак — от математических лазеек до физических побочных каналов — и задаёт неудобный вопрос: существует ли вообще абсолютная безопасность? Если уверены, что да, проверьте, не трещит ли ваш щит по швам.

    habr.com/ru/articles/918068/

    #криптография #безопасность #NSA #шифрование #конечные_поля #sidechannel #аппаратные_бэкдоры #генератор_случайности #covert_channels #киберпанк

  18. Безопасности не существует: как NSA взламывает ваши секреты

    Конечные поля, хэш-мясорубки, скрытые радиоканалы и трояны, запаянные в кремний. Пока мы гордимся замками AES-256, спецслужбы ищут обходные тропы: подменяют генераторы случайности, слушают писк катушек ноутбука и вывозят ключи через незаметные ICMP-пакеты. Эта статья собирает мозаичную картину современных атак — от математических лазеек до физических побочных каналов — и задаёт неудобный вопрос: существует ли вообще абсолютная безопасность? Если уверены, что да, проверьте, не трещит ли ваш щит по швам.

    habr.com/ru/articles/918068/

    #криптография #безопасность #NSA #шифрование #конечные_поля #sidechannel #аппаратные_бэкдоры #генератор_случайности #covert_channels #киберпанк

  19. SCA4PQC – die @Cyberagentur startet ein Forschungsprogramm zur Entwicklung seitenkanalresistenter Post-Quanten-Kryptographie. Ziel: Schutz vor Quantenangriffen und physischen Seitenkanalangriffen. Fokus: Cloud/Desktops, IoT und Smartcards. Forschung und Wirtschaft sind eingeladen.
    Mehr Informationen: t1p.de/b52np
    #PostQuantum #CyberSecurity #SCA4PQC #PostQuantumCrypto #SideChannel #ITSecurity #OpenScience

  20. SCA4PQC – die @Cyberagentur startet ein Forschungsprogramm zur Entwicklung seitenkanalresistenter Post-Quanten-Kryptographie. Ziel: Schutz vor Quantenangriffen und physischen Seitenkanalangriffen. Fokus: Cloud/Desktops, IoT und Smartcards. Forschung und Wirtschaft sind eingeladen.
    Mehr Informationen: t1p.de/b52np
    #PostQuantum #CyberSecurity #SCA4PQC #PostQuantumCrypto #SideChannel #ITSecurity #OpenScience

  21. SCA4PQC – die @Cyberagentur startet ein Forschungsprogramm zur Entwicklung seitenkanalresistenter Post-Quanten-Kryptographie. Ziel: Schutz vor Quantenangriffen und physischen Seitenkanalangriffen. Fokus: Cloud/Desktops, IoT und Smartcards. Forschung und Wirtschaft sind eingeladen.
    Mehr Informationen: t1p.de/b52np
    #PostQuantum #CyberSecurity #SCA4PQC #PostQuantumCrypto #SideChannel #ITSecurity #OpenScience

  22. SCA4PQC – die @Cyberagentur startet ein Forschungsprogramm zur Entwicklung seitenkanalresistenter Post-Quanten-Kryptographie. Ziel: Schutz vor Quantenangriffen und physischen Seitenkanalangriffen. Fokus: Cloud/Desktops, IoT und Smartcards. Forschung und Wirtschaft sind eingeladen.
    Mehr Informationen: t1p.de/b52np
    #PostQuantum #CyberSecurity #SCA4PQC #PostQuantumCrypto #SideChannel #ITSecurity #OpenScience

  23. SCA4PQC – die @Cyberagentur startet ein Forschungsprogramm zur Entwicklung seitenkanalresistenter Post-Quanten-Kryptographie. Ziel: Schutz vor Quantenangriffen und physischen Seitenkanalangriffen. Fokus: Cloud/Desktops, IoT und Smartcards. Forschung und Wirtschaft sind eingeladen.
    Mehr Informationen: t1p.de/b52np
    #PostQuantum #CyberSecurity #SCA4PQC #PostQuantumCrypto #SideChannel #ITSecurity #OpenScience

  24. Someone found a clever #sidechannel to abuse #Cloudflare CDN caching to reveal the approximate location (~location of next big datacenter) of #Signal and #Discord users by sending them a message/notification with an image in it that is fetched from the CDN:

    gist.github.com/hackermondev/4

    @signalapp

  25. Hardware #SideChannel attacks like "electromagnetic fault injection" bypass Apple’s chip defenses. The result? Jailbreaks & #malware on iDevices. #Apple needs to rethink its shielding fast. 🛡️

  26. Cracking encrypted communication with #AI Chatbots like ChatGPT using, ironically, LLMs.

    youtu.be/I1RqhGGRmHY

    Responses were sent back one word-sized token at a time📨

    Merely knowing word lengths is enough to infer whole response paragraphs.

    The opening responses sentences are so formulaic you can use an LLM to guess the topic, punctuation was singled out with a special token 😬

    This shows how encrypted information is still vulnerable to #sidechannel attacks.

    #defcon #cybersecurity

  27. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  28. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  29. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  30. Side-channel #EUCLEAK attack discovered on devices using the Infineon cryptographic library, like the YubiKey 5 series (firmware <5.7) and Feitian A22 JavaCard.

    But it does require a fair amount of factors to succeed: username, password, physical access, additional equipment, and for the cryptographic operations to involve modular inversions, like ECDSA.

    There are two phases to the attack:

    (1) The online phase requires opening the device to access the microcontroller, then using an electromagnetic probe, an oscilloscope, and a computer to capture the electromagnetic side-channel signals during operation.

    (2) The offline phase (physical access no longer necessary) supposedly takes time varying from one hour to one day for each secret to uncover.

    ninjalab.io/wp-content/uploads

    #ninjalab #eucleak #sidechannel #attack #infineon #yubikey #feitian

  31. Można klonować klucze Yubikey 5. Podatne są klucze z firmware < 5.7. Wymagany fizyczny dostęp.

    Piekło zamarzło, Yubikey’e zhackowane – tak moglibyśmy opisać wczorajszy komunikat wydany przez Yubico, czyli producenta najpopularniejszych na świecie fizycznych kluczy bezpieczeństwa. Moglibyśmy, ale pomimo że jest w tym nieco prawdy, to nie ma powodu do paniki, przynajmniej dla większości użytkowników popularnych yubikey’ów. Dlaczego nie ma? Zacznijmy od teorii. Badacze z...

    #WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

    sekurak.pl/mozna-klonowac-kluc

  32. Można klonować klucze Yubikey 5. Podatne są klucze z firmware < 5.7. Wymagany fizyczny dostęp.

    Piekło zamarzło, Yubikey’e zhackowane – tak moglibyśmy opisać wczorajszy komunikat wydany przez Yubico, czyli producenta najpopularniejszych na świecie fizycznych kluczy bezpieczeństwa. Moglibyśmy, ale pomimo że jest w tym nieco prawdy, to nie ma powodu do paniki, przynajmniej dla większości użytkowników popularnych yubikey’ów. Dlaczego nie ma? Zacznijmy od teorii. Badacze z...

    #WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

    sekurak.pl/mozna-klonowac-kluc

  33. Można klonować klucze Yubikey 5. Podatne są klucze z firmware < 5.7. Wymagany fizyczny dostęp.

    Piekło zamarzło, Yubikey’e zhackowane – tak moglibyśmy opisać wczorajszy komunikat wydany przez Yubico, czyli producenta najpopularniejszych na świecie fizycznych kluczy bezpieczeństwa. Moglibyśmy, ale pomimo że jest w tym nieco prawdy, to nie ma powodu do paniki, przynajmniej dla większości użytkowników popularnych yubikey’ów. Dlaczego nie ma? Zacznijmy od teorii. Badacze z...

    #WBiegu #Atak #EUCLEAK #Infineon #Klonowanie #SideChannel #U2f #Yubikey

    sekurak.pl/mozna-klonowac-kluc