Vulnerabilities - NEWS POLITE

LeftoverLocals GPU Flaw Exposes AI Data in Devices Equipped with Apple, AMD, and Qualcomm Hardware

A security flaw affecting GPUs from four hardware manufacturers that exposed artificial intelligence (AI) data was unearthed by security researchers. The issue impacts several devices equipped with GPUs from these firms, including some iPhone, iPad, and Mac computers. Hackers can exfiltrate personal information being used in AI operations on the local memory of affected devices — including large language models (LLMs) used by services like Google, Meta, ChatGPT maker OpenAI, and Microsoft using a few lines of code, according to researchers.

Researchers at Trail of Bits uncovered a security flaw affecting GPUs from AMD, Apple, Imagination, and Qualcomm that has been dubbed LeftoverLocals. This vulnerability is related to the affected device’s GPU and allows hackers to access information via local memory created by another process. Arm, Intel, and Nvidia GPUs are reportedly unaffected by the same security flaw.

In a detailed disclosure published earlier this week, the researchers highlight how the security flaw affects LLMs and machine learning (ML) models that are run on impacted devices. They were able to build a proof of concept (PoC) of the attack that allowed them to access information from another user’s LLM session that was being run in a different process.

A demonstration of an attacker listening in on an interactive LLM chat session
Photo Credit: Screenshot/ Trail of Bits

By running a few lines of code, a hacker can use the LeftoverLocals security flaw to reconstruct the LLM response in an interactive session “with high precision”, according to the researchers. The flaw was discovered by Tyler Sorensen and is being tracked by CVE-2023-4969.

The researchers state that they reached out to Apple and received a response on January 13, while the company has patched some devices with the A17 Pro — that powers the iPhone 15 Pro and 15 Pro Max — and M3 chip series, but other devices have not been patched, such as the M2-powered MacBook Air.

Meanwhile, AMD has stated is still exploring ways to mitigate the security vulnerability and Qualcomm has issued a patch with its v2.07 firmware that fixes the flaw on some devices, while others could still remain impacted. Affected Imagination GPUs were patched last month as part of the recent DDK 23.3 release, according to the researchers.

Affiliate links may be automatically generated – see our ethics statement for details.

Check out our Latest News and Follow us at Facebook

Original Source

CERT-In Warns of Over 50 Security Flaws Affecting Android Smartphones: All You Need to Know

CERT-In — or Indian Computer Emergency Response Team — has warned of several security vulnerabilities affecting multiple versions of Android. These security flaws, if exploited by a malicious user, could be used to execute dangerous code, collect sensitive data, and launch a denial-of-service (DoS) attack on a victim. The security vulnerabilities affect three major versions of Android, across various parts of Google’s operating system (OS) — from the framework to components from Arm, MediaTek, Qualcomm, Unisoc, and others, according to the cybersecurity agency.

In a vulnerability note issued earlier this week, CERT-In lists out 51 security flaws affecting the Android OS. The nodal agency responsible for dealing with cybersecurity issues and threats has issued a critical severity rating for the vulnerability note. All the entries listed by CERT-In have been assigned a Common Vulnerabilities and Exposures (CVE) number.

According to CERT-In, these vulnerabilities affect Android 13, Android 12, Android 12L, and Android 11. It is currently unclear whether Android 14 is also affected as the source code for Android 14 was published a few days before the advisory was issued.

The 51 security flaws listed by CERT-In affect various parts of the Android operating system from the Android framework, the Android system, and Google Play system updates. Meanwhile, software for components not directly controlled by Google, including those from Arm, MediaTek, Unisoc, and Qualcomm, are also affected by these vulnerabilities.

Attackers who exploit these flaws could potentially elevate their privileges on a target’s smartphone, execute arbitrary (and malicious) code, extract sensitive information, and even perform a denial-of-service (DoS) attack, according to CERT-In.

Two of these flaws — CVE-2023-4863 and CVE-2023-4211 — could be actively exploited by attackers, and users should apply security patches “urgently”, according to the agency. These flaws relate to the Chromium engine that powers Google’s browser, and GPU memory processing operations on Android, respectively.

Users running on Pixel smartphones can install the latest update that includes the October security patches. Unfortunately, users who own smartphones from other manufacturers will have to wait until a security update is released along with fixes for these security flaws.

Affiliate links may be automatically generated – see our ethics statement for details.

Check out our Latest News and Follow us at Facebook

Original Source

Policybazaar Vulnerabilities Exposed Personal Details of Lakhs of Customers, Defence Personnel: Report

Vulnerabilities in the system of online insurance broker Policybazaar led to exposure of personal details of lakhs of its customers, including defence personnel, a cyber security research firm claimed on Wednesday. CyberX9 said Aadhaar and PAN card details as well as addresses and phone numbers of customers were exposed due to the vulnerabilities and that the issue was reported to Policybazaar on July 18.

On July 24, Policybazaar informed stock exchanges that it had noticed the vulnerabilities on July 19 and that no significant customer data was exposed.

When contacted on Wednesday, a Policybazaar spokesperson referred to its filing to the stock exchanges made on July 24 and said the identified vulnerabilities have been duly fixed as confirmed by an external advisor.

“A thorough forensic audit of the incident has been initiated with external advisors. The incident was covered by the media. We have nothing further to add,” the spokesperson said in a statement.

The online broker’s parent PB Fintech is listed on the stock exchanges.

In its report, CyberX9 claimed Policybazaar exposed all confidential and sensitive personal information, including that of Aadhaar, PAN card and passport, of millions of the customers.

It also claimed that the vulnerabilities in Policybazaar’s system potentially exposed data of 56.4 million people who have transacted on the platform.

“The information exposed to the whole Internet included but not limited to, customer’s full name, date of birth, complete residential address, email address, mobile number, policy details, including nominee details, copies of user’s bank account statements, income tax returns documents, passport, Aadhaar card, PAN card, and so on,” it said.

In case of the defence personnel, information such as designation, location of their posting and activities they are engaged in were exposed, the report claimed.

After informing Policybazaar about the vulnerabilities on July 18, CyberX9 reported the incident to cyber security watchdog Cert-In on July 24.

“Cert-In confirmed to us on July 25 that Policybazaar has now admitted and fixed the reported vulnerabilities and asked us to retest if the vulnerabilities were fixed,” the report said.

CyberX9 said it also submitted the report to National Cyber Security Coordinator Rajesh Pant who promised to initiate action against Policybazaar.

“Rajesh Pant promptly reverted back to us after going through the information we shared, they thanked us for the information and informed us that they shall initiate action against Policybazaar,” the report said.

An email query sent to Pant on the issue remained unanswered.

“At the end of our analysis, we came to the conclusion that there is high potential that Policybazaar could be having these vulnerabilities as intentional backdoor vulnerabilities in order to potentially allow access to the Chinese government to sensitive data of Indian nationals and particularly defense personnel,” CyberX9 alleged.

China-based Tencent is one of the investors in Policybazaar.

Check out our Latest News and Follow us at Facebook

Original Source

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.