Today, we dusciss the Unsaflok hack by Ian Carroll and Lennert Wouters, exposing vulnerabilities in millions of hotel keycard locks. Then, switch gears to an unpatchable flaw in Apple’s M-series chips that’s left the tech world buzzing. We’ll also touch on a cautionary tale from KDE, highlighting the risks lurking in the themes and extensions we often take for granted.

Keywords: Unsaflok, Ian Carroll, Lennert Wouters, Saflok, Dormakaba, Apple M-series chips, encryption keys, KDE, cybersecurity

Original Articles:

• https://www.wired.com/story/saflok-hotel-lock-unsaflok-hack-technique/
• https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/
• https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/
• https://blog.davidedmundson.co.uk/blog/kde-store-content/

Engage with us as we dissect these groundbreaking discoveries, offering insights and practical advice on navigating the ever-evolving landscape of digital security.

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/

Logo Design by https://www.zackgraber.com/

Tags for This Episode:

cybersecurity, hotel lock hack, Unsaflok, Apple M-series vulnerability, encryption keys, KDE theme incident, digital security, tech vulnerabilities, Ian Carroll, Lennert Wouters, Saflok, Dormakaba, Apple chip flaw, Linux security, KDE, RFID hacking, mobile security, password managers

Search Phrases That Should Lead to This Episode:

1. How to hack hotel keycard locks
2. Unsaflok vulnerability details
3. Apple M-series chip security flaw
4. Encryption key vulnerabilities in tech
5. KDE theme wipes user files incident
6. Latest cybersecurity threats and hacks
7. Saflok door lock hacking technique
8. Ian Carroll and Lennert Wouters research
9. Impact of Apple chip vulnerability on encryption
10. Preventing KDE theme-related data loss
11. Digital security insights and tips
12. Exploring RFID keycard vulnerabilities
13. Securing Apple devices against chip flaws
14. Understanding Linux theme security risks
15. Cybersecurity updates from Wired and Ars Technica

Transcript:

Mar 22

[00:00:00] offsetkeyz: Security researchers while partying in Las Vegas have cracked the code to unlock millions of hotel rooms. revealing a vulnerability in the widely used SAFLOCK keycards.

I tell you what, that sounds like my kind of party. And now I know how to get into their hotel room. What does this mean for your next trip to Las Vegas?

Other security researchers have just discovered a vulnerability in the Apple M Series chips

that allows attackers to extract secret encryption keys. What can MacBook users do to reduce their risk?

And a Linux user had his data wiped after installing a KDE theme for his personal computer.

What is KDE doing to prevent this from happening again?

So as reported by Wired Magazine, security researchers have revealed a hacking technique they’re calling UnsafeLock

that exposes an RFID [00:01:00] vulnerability in millions of SafeLock keycard locks.

which allows the door to be unlocked within seconds. Now, I know you guys have seen the TikToks and the Instagram reels or YouTube shorts of Flipper Zero’s unlocking hotel doors. Now, I hate to spoil it for you, but most of those are pre staged. They likely scanned their own hotel keycard. into their Flipper Zero and then just opened it, claiming they were hacking it. But this attack is real. It involves two key cards, which you can find laying around most Vegas hotels. In fact, the one I just stayed at lets you create your own hotel key in the lobby, and they just have them sitting around. So grab one of those, you can program it. It takes two. One rewrites a little bit of code in the lock, and then the second one unlocks it.

The maker of these locks is working on fixes, but as of right now, only 36 percent of these vulnerable door locks have been fixed, which leaves a lot of [00:02:00] doors open. This exploit is publicly available online.

So if you are staying in a Las Vegas hotel or any hotel that uses this type of locking mechanism,

you can use an app called NFC Tag Info to check if your door is vulnerable. If it is, I recommend locking up. any valuables in the safes provided. And when you’re in the room, use the deadbolt, or if you can, use that app to check if the hotel you’re about to stay in is vulnerable, and try to find another hotel that doesn’t use these safe lock locks.

[00:02:33] Transition: Do do do do do do do.

[00:02:38] offsetkeyz: A different group of security researchers just recently discovered a vulnerability in Apple’s M series chips, or the Silicon series chips that have widely replaced their use of Intel chips, that allows attackers to extract certain encryption keys used in specific Cryptographic operations

and the major bummer about this is that this [00:03:00] vulnerability is inherent to the chip and cannot be patched It’s a hardware vulnerability. Those are the worst kind

I’m learning this alongside you, and I’m recording onto a MacBook Pro with an M series chip, so I’m going to be doing my research on this one. Any mitigations to this would require changing the cryptographic software on the MacBook, which would seriously slow down the cryptographic processes. Specifically on the M1 and M2 models. I’m not sure what’s going on with M3, but this article from Ars Technica, linked in the show notes below, calls out M1 and M2.

The article by Ars Technica that reported this vulnerability doesn’t specify what specific keys this is in reference to, but it does specify that this is applicable to all encryption methods on your M series Mac, to include those hardened for the anticipation of quantum computing. So we’re thinking iMessage, end-to-end encryption,

iCloud, and even the Apple Password [00:04:00] Manager.

Sticking to the Las Vegas theme, this exploit does require a bit of luck. It requires an app to be installed and it to be running on the same cluster as the encryption.

There’s no evidence of this being exploited in the wild. Like I said, this was just security research, but hopefully Apple takes precautions to keep apps that might exploit this vulnerability off their app store. And you as the user be really careful when downloading apps that aren’t from the Apple app store.

And even if they are, do some research, don’t jump into an app. And if you do have unused apps, on your Mac, it’s probably best to remove them just as good practice.

[00:04:38] Transition: Uh, uh, uh, uh, uh, uh, uh.

[00:04:50] offsetkeyz: And finally, there was a recent incident on the KDE store, which is a Linux product of a user who downloaded a theme for their Linux [00:05:00] machine. When we’re saying theme, we’re literally talking like cute colors and new behaviors, but when you download these themes, and all operating systems are the same, code is run to set them up.

Like, a script will go in and change the colors, or change the background, or do all these things on your computer.

It just so happened that the theme this user downloaded wiped all of his data.

This was originally reported by Bleeping Computer, but one of the developers on the KDE store also published to their blog

saying they’re going to work on ways to prevent this, but he warns this is going to take a lot of resources that they don’t have at the moment, so he cautions to be extra careful when downloading these themes, or any themes, off the internet.

I’m gonna take it one step further and caution you to not download themes off the internet. I definitely recognize the appeal, especially as Linux users, the themes tend to be pretty bland, but the risk [00:06:00] just doesn’t quite add up to the reward of having a cool theme.

And that’s all we’ve got for you today. Happy Friday. Hope you have a great weekend and we will talk to you some more next week!