Secure Implementation Of Post-Quantum Crypto In The Spotlight

The US-based NIST body takes a leading role in the migration to Post-Quantum Crypto (PQC). After a multi-year selection process, in 2022 they preliminarily identified a number of Post Quantum algorithms, which were recommended to replace the current public key algorithms (RSA, ECC). While the process of scrutiny is still ongoing, they now took another important step by putting emphasis on imple... » read more

ChatGPT vs Security Analyst

At Riscure, we like to explore new technologies that can help us better help our customers. Undoubtedly, the latest famous new applications are various versions of ChatGPT, a recently accessible chatbot that you can interact with in natural language, and which has been trained on a large section of the knowledge available on the internet. Adversarially-minded people soon published the many f... » read more

Security Highlight: Ascon

The contest for standardization of a lightweight crypto (LWC) algorithm has just finished. US standards body NIST selected Ascon as the winner. Ascon is an algorithm proposed by an international team of scientists that delivers strong performance and security at a low cost. How does that work? Lightweight crypto is symmetric encryption technology, that runs well on constrained systems, lik... » read more

Security Highlight: Exploiting Persistent Faults In Crypto

At the most recent CHES workshop, Hossein Hadipour of the Graz University of Technology presented an important step forward in exploiting persistent faults in crypto. Differential Fault Analysis (DFA) is a well-known attack class that can lead to the compromise of a secret key when faults are injected during the execution of a cryptographic implementation. However, injecting transient fault... » read more

Security Highlight: Compromising Printers Via Malicious Third-Party Cartridges

This fall, HP Inc. published an article describing a buffer overflow vulnerability in their printer software which would allow an attacker to obtain persistent remote code execution on the printer. Buffer overflow vulnerabilities are common, but what makes this one noteworthy is that it can be exploited remotely by a malicious third-party printer cartridge. In the printer ecosystem, there ... » read more

Glitched On Earth By Humans

The Black Hat conference always brings up interesting and current research within the device security industry. Lennert Wouters of COSIC studied the security of the Starlink User Terminal. After some PCB-level reverse engineering, he found a serial port and observed various boot loaders, U-boot, and Linux running on the device. However, there was no obvious way to gain further access. The... » read more

DRM Security Trends And Future

Digital rights management (DRM) is known to protect and encrypt content in order to deliver it to the device. DRM’s main purpose is to close the gaps in content protection strategies and enable content consumption on different devices to be easily accessible. As DRM technologies have matured, it is expected that their security capabilities will follow. The security measures implemented on ... » read more

Security Highlight: Honda Rolling-PWN Attack

The attack known as Rolling-PWN (CVE-2021-46145) [1] is the latest of a recent series of security issues affecting the car’s immobilizers and RKEs (Remote Keyless Entry, also known as the keyfob or remote control). Over the past years, we have seen how security researchers identified attacks that could open and even start cars from vendors like Tesla [2], Hyundai-Kia [3], VAG (Volkswagen, ... » read more

Hertzbleed: Prime Time For Power Side Channel Countermeasures Or Novelty Attack?

Hertzbleed is a new side-channel attack that turns a power side channel into a timing side channel. That timing side channel may be exploitable even if the algorithm runs in a constant number of clock cycles. The novel observation is that the duration of a clock cycle can vary depending on the data processed on a CPU that uses dynamic frequency scaling. This allows a remote attacker to extract... » read more

Security Highlight: Evil Never Sleeps

Recently, Apple introduced a useful but potentially dangerous feature to its iPhones. Most of us would assume that a phone becomes inactive when switched off by the user or due to low power. Surprisingly, newer phones continue limited functionality for several hours in low power mode or even if it is off. This includes cards in your Wallet and the Find My service. This feature caught the attent... » read more