Enlarge (credit: Evgen_Prozhyrko via Getty )

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or reroute trains.

Enlarge (credit: Getty Images | NurPhoto)

Apple has joined the growing number of organizations opposed to the UK's pending Online Safety Bill , saying the proposed law threatens the end-to-end encryption that protects private messages.

"End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats," Apple said in a statement reported by the BBC yesterday. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

The BBC quoted a government spokesperson as saying that "companies should only implement end-to-end encryption if they can simultaneously prevent abhorrent child sexual abuse on their platforms."

Enlarge (credit: Bet_Noire/Getty )

From TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans—and the US government—increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West.

In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called “Entity List,” a vaguely named trade restrictions list that highlights companies “acting contrary to the foreign policy interests of the United States.” Specifically, the bureau noted that Hualan had been added to the list for “acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army.”

Enlarge / Left: a smart card reader processing the encryption key of an inserted smart card. Right: a surveillance camera video records the reader's power LED from 60 feet away. (credit: Nassi et al.)

Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on.

The attacks enable a new way to exploit two previously disclosed side channels, a class of attack that measures physical effects that leak from a device as it performs a cryptographic operation. By carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm.

Side-channel exploitation made simple

As Wired reported in 2008 , one of the oldest known side channels was in a top-secret encrypted teletype terminal that the US Army and Navy used during World War II to transmit communications that couldn’t be read by German and Japanese spies. To the surprise of the Bell Labs engineers who designed the terminal, it caused readings from a nearby oscilloscope each time an encrypted letter was entered. While the encryption algorithm in the device was sound, the electromagnetic emissions emanating from the device were enough to provide a side channel that leaked the secret key.

Enlarge / Anker's Eufy division has said its web portal was not designed for end-to-end encryption and could allow outside access with the right URL. (credit: Eufy)

After two months of arguing back and forth with critics about how so many aspects of its "No clouds" security cameras could be accessed online by security researchers, Anker smart home division Eufy has provided a lengthy explanation and promises to do better.

In multiple responses to The Verge , which has repeatedly called out Eufy for failing to address key aspects of its security model, Eufy has plainly stated that video streams produced by its cameras could be accessed, unencrypted, through the Eufy web portal, despite messaging and marketing that suggested otherwise. Eufy also stated it would bring in penetration testers, commission an independent security researcher's report, create a bug bounty program, and better detail its security protocols.

Prior to late November 2022, Eufy had enjoyed a distinguished place among smart home security providers. For those willing to trust any company with video feeds and other home data, Eufy marketed itself as offering "No Clouds or Costs," with encrypted feeds streamed only to local storage.

Enlarge

Three weeks ago, panic swept across some corners of the security world after researchers discovered a breakthrough that, at long last, put the cracking of the widely used RSA encryption scheme within reach by using quantum computing.

Scientists and cryptographers have known for two decades that a factorization method known as Shor’s algorithm makes it theoretically possible for a quantum computer with sufficient resources to break RSA. That’s because the secret prime numbers that underpin the security of an RSA key are easy to calculate using Shor’s algorithm. Computing the same primes using classical computing takes billions of years.

The only thing holding back this doomsday scenario is the massive amount of computing resources required for Shor’s algorithm to break RSA keys of sufficient size. The current estimate is that breaking a 1,024-bit or 2,048-bit RSA key requires a quantum computer with vast resources. Specifically, those resources are about 20 million qubits and about eight hours of them running in superposition. (A qubit is a basic unit of quantum computing, analogous to the binary bit in classical computing. But whereas a classic binary bit can represent only a single binary value such as a 0 or 1, a qubit is represented by a superposition of multiple possible states.)

Enlarge / Proton Calendar's iOS app aims to offer most of the same niceties as other calendar apps, but with more peace of mind about your data. (credit: Proton)

Proton Calendar, which claims to be the "world's only" calendar using end-to-end encryption and cryptographic verification, has arrived on iOS , giving those seeking a more secure work suite an alternative to Google, Apple, and the like.

Proton Calendar is pitched as offering encryption for all event details, as well as "high-performance elliptic curve cryptography (ECC Curve25519)" to lock it. The web app version of Proton Calendar is open source , with the code for mobile apps to come next, Proton says. Proton also notes that it never finds out who you've invited to an event, and it allows for inviting people outside the Proton ecosystem, letting people "cryptographically verify that it was you who invited them."

Andy Yen, CEO of Proton, said in an interview with Wired in May that calendars are an "extremely sensitive" record of your life and that protecting them is essential. Encryption protects your calendar data from government requests, data leaks, or "a change in business model of your cloud provider."

Enlarge (credit: matrix.org)

Developers of the open source Matrix messenger protocol are releasing an update on Thursday to fix critical end-to-end encryption vulnerabilities that subvert the confidentiality and authentication guarantees that have been key to the platform's meteoric rise.

Matrix is a sprawling ecosystem of open source and proprietary chat and collaboration clients and servers that are fully interoperable. The best-known app in this family is Element, a chat client for Windows, macOS, iOS, and Android, but there's a dizzying array of other members as well.

(credit: Hodgson)

Matrix roughly aims to do for real-time communication what the SMTP standard does for email, which is to provide a federated protocol allowing user clients connected to different servers to exchange messages with each other. Unlike SMTP, however, Matrix offers robust end-to-end encryption, or E2EE, designed to ensure that messages can't be spoofed and that only the senders and receivers of messages can read the contents.