Nvidia warns of Rowhammer attacks on GPUs • The Register

Infosec In Temporary Nvidia final week suggested clients to make sure they make use of mitigations towards Rowhammer assaults, after researchers discovered one in every of its workstation-grade GPUs is prone to the exploit.

Rowhammer is a technique of making an attempt to deprave reminiscence by repeatedly “hammering” rows of reminiscence cells with a burst of learn or write operations. The repeat operations can create electrical interference between rows of reminiscence cells, probably disrupting operations.

In a July 9 advisory, Nvidia famous that researchers on the College of Toronto not too long ago “demonstrated a profitable Rowhammer exploitation on a NVIDIA A6000 GPU with GDDR6 reminiscence the place System-Degree ECC [error correcting code] was not enabled.”

Observe the “not enabled”, as a result of Nvidia’s advisory factors out ECC is enabled by default in its Hopper and Blackwell Information Heart merchandise, and that lots of its different merchandise embody ECC.

The corporate subsequently beneficial clients guarantee System-Degree ECC is enabled on many fashions in its Blackwell, Ada, Hopper, Ampere, Jetson, Turing, and Volta merchandise.

– Simon Sharwood

Oh Lord, gained’t you hack me a Mercedes Benz?

A chained four-exploit assault on Bluetooth has left automobiles from firms like Mercedes-Benz, Volkswagen, and Skoda open to assault by their leisure programs.

The assault chain, dubbed PerfektBlue by bug hunters at automotive infosec outfit PCA Cyber Safety, makes use of 4 CVEs to get into OpenSynergy’s BlueSDK Bluetooth stack. The one-click assault might enable distant code execution on a automobile, maybe permitting attackers to trace a automobile or management autos’ engines, onboard microphones, and alarm controls.

Builders issued patches for the 4 flaws final yr however thousands and thousands of automobiles seemingly stay in danger. The failings are:

• CVE-2024-45434 – a CVSS 8.0 use after free situation.
• CVE-2024-45432 – a flaw within the Radio Frequency Communication (RFCOMM) perform management system.
• CVE-2024-45433 – One other RFCOMM gap with perform calls. Each this and the second flaw have a CVSS 5.7 score.
• CVE-2024-45431 – A CVSS 3.5 validation fault within the stack’s Logical Hyperlink Management and Adaptation Protocol.

It is as much as house owners to see that their programs are up to date correctly and so that somebody with a laptop computer and a little bit of technical information will not take their wheels for a spin.

Jack Dorsey’s Bluetooth issues

Twitter co-founder Jack Dorsey’s latest idea for a “safe” comms community that does not depend on a standard cell phone or Wi-Fi community, known as Bitchat, has run into a number of Bluetooth issues of its personal.

Dorsey’s concept is to create a mesh community utilizing Bluetooth, permitting these inside vary to ship and obtain messages in a type of range-limited digital CB radio community.

It seems he hasn’t subjected his concept to critical safety testing.

“This software program has not obtained exterior safety evaluate and will comprise vulnerabilities and doesn’t essentially meet its acknowledged safety targets. Don’t use it for manufacturing use, and don’t depend on its safety in any way till it has been reviewed,” he wrote on GitHub.

Alex Radocea, who’s labored on safety for Apple, Spotify, and CrowdStrike, noticed fundamental safety errors in what he politely called BitChat’s “ornamental” authentication programs that may enable an attacker to entry contact logs and presumably even messages despatched with the system. He steered BitChat’s builders used AI to code the app.

“There’s primarily no belief/auth in-built at present. So I might not likely take into consideration this as a safe messenger,” he suggested. Dorsey has mentioned the code is below evaluate.

Will the true Marco Rubio please get up?

US Secretary of State Marco Rubio has been doing his job, however it seems deepfaked model of the Floridian have been doing the rounds whereas he is away.

In line with a State Division memo seen by The Washington Publish, a US state governor, a congressperson, three international ministers, and 5 different state employees have obtained faked voice calls and textual content messages from a Sign account with the deal with [email protected].

“The actor left voicemails on Sign for at the very least two focused people and in a single occasion, despatched a textual content message inviting the person to speak on Sign,” the memo warns.

Sign is much loved by the present administration for its robust safety (paradoxically created by anarchist Moxie Marlinspike), with some officers utilizing it as an alternative of government-built safe comms apps.

Like many public figures, Rubio has appeared in media so typically that deepfake builders have enormous portions of footage and audio with which to create a digital pretend. If the Secretary of State messages you, confirm earlier than trusting it.

By no means cross the British tax authorities

Romanian police final week carried out armed raids and arrested 13 over claims that they had been operating a rip-off to steal cash from the UK’s His Majesty’s Income and Customs. One different suspect was arrested within the UK in Preston, Lancashire.

The criminals allegedly stole information from round 100,000 individuals and used it to file false claims for advantages and tax reduction. Experiences point out the police seized luxurious automobiles, jewellery, and enormous quantities of money within the raids.

World’s largest Bitcoin ATM community attacked

Bitcoin Depot, which says it runs the world’s largest community of bitcoin ATMs has filed breach notification warnings and knowledgeable round 27,000 customers attackers accessed their names, telephone numbers, and driver’s license numbers, and possibly their addresses, dates of beginning, and e-mail addresses too.

The digicash biz noticed uncommon actions on its servers on June 23 2024 and recognized in July that yr, however it took one other 12 months earlier than telling clients – and even then apparently solely after US authorities demanded it.

“Sadly, we weren’t capable of inform you sooner as a result of an ongoing investigation. Federal regulation enforcement requested that Bitcoin Depot wait to offer you discover till after they accomplished the investigation,” it mentioned. “Legislation enforcement suggested Bitcoin Depot on June 13, 2025, that their investigation was full.” ®