Infosec In Brief
Nvidia last week advised customers to ensure they employ mitigations against Rowhammer attacks, after researchers found one of its workstation-grade GPUs is susceptible to the exploit.
Rowhammer is a method of corrupting memory by repeatedly “hammering” rows of memory cells with bursts of read or write operations. The repeated accesses create electrical interference between adjacent rows of cells, potentially flipping bits in rows that were never accessed directly.
In a July 9 advisory, Nvidia noted that researchers at the University of Toronto recently “demonstrated a successful Rowhammer exploitation on a NVIDIA A6000 GPU with GDDR6 memory where System-Level ECC [error correcting code] was not enabled.”
Note the “not enabled”, because Nvidia’s advisory points out ECC is enabled by default in its Hopper and Blackwell Data Center products, and that many of its other products include ECC.
The company therefore recommended customers ensure System-Level ECC is enabled on many models in its Blackwell, Ada, Hopper, Ampere, Jetson, Turing, and Volta products.
– Simon Sharwood
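An added shell check (not from the article and not Nvidia's own tooling) that parses the “ECC Mode” section printed by `nvidia-smi -q -d ECC` and lists the GPUs whose System-Level ECC is currently off, which is the state the advisory tells customers to fix. The `nvidia-smi` flags used in the comments are real; the sample query output and the helper names `ecc_states` and `ecc_disabled_gpus` are constructed for this example.

```shell
#!/bin/sh
# Audit System-Level ECC on every attached Nvidia GPU by parsing the
# "ECC Mode / Current / Pending" block of `nvidia-smi -q -d ECC` output.
# Added example; the sample below is constructed so it runs offline.

# Constructed sample: GPU 1 has ECC on, GPU 2 has it off with no change pending.
SAMPLE_ECC_QUERY='Attached GPUs                             : 2
GPU 00000000:01:00.0
    ECC Mode
        Current                           : Enabled
        Pending                           : Enabled
GPU 00000000:41:00.0
    ECC Mode
        Current                           : Disabled
        Pending                           : Disabled
'

# Reads nvidia-smi ECC query text on stdin and prints one line per GPU:
#   <pci bus id> current=<state> pending=<state>
ecc_states() {
    awk '
        /^GPU [0-9A-Fa-f:.]+$/ { gpu = $2; inmode = 0; next }
        gpu != "" && $1 == "ECC" && $2 == "Mode" { inmode = 1; next }
        inmode && $1 == "Current" { cur = $NF; next }
        inmode && $1 == "Pending" {
            printf "%s current=%s pending=%s\n", gpu, cur, $NF
            gpu = ""; inmode = 0
        }
    '
}

# Prints the bus ids whose ECC is currently Disabled; exits 1 if any were found,
# so the function can gate a fleet health check.
ecc_disabled_gpus() {
    ecc_states | awk '$2 == "current=Disabled" { print $1; n++ } END { exit (n > 0) }'
}

# On a host with the driver installed (not executed here):
#   nvidia-smi -q -d ECC | ecc_disabled_gpus || echo "ECC is off on the GPUs above"
#   nvidia-smi -i <bus id> -e 1     # request ECC; "Pending" flips first, a reboot applies it
#
# Run against the constructed sample:
printf '%s' "$SAMPLE_ECC_QUERY" | ecc_disabled_gpus || echo "ECC is off on the GPUs above"
```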
Oh Lord, won’t you hack me a Mercedes Benz?
A chained four-exploit attack on Bluetooth has left cars from companies like Mercedes-Benz, Volkswagen, and Skoda open to attack through their entertainment systems.
The attack chain, dubbed PerfektBlue by bug hunters at automotive infosec outfit PCA Cyber Security, uses four CVEs to get into OpenSynergy’s BlueSDK Bluetooth stack. The one-click attack could allow remote code execution on a vehicle, perhaps allowing attackers to track a vehicle or control vehicles’ engines, onboard microphones, and alarm controls.
Developers issued patches for the four flaws last year but millions of cars likely remain at risk. The flaws are:
- CVE-2024-45434 – a CVSS 8.0 use-after-free issue.
- CVE-2024-45432 – a flaw in the Radio Frequency Communication (RFCOMM) function control system.
- CVE-2024-45433 – another RFCOMM hole involving function calls. Both this and the second flaw have a CVSS 5.7 rating.
- CVE-2024-45431 – a CVSS 3.5 validation fault in the stack’s Logical Link Control and Adaptation Protocol (L2CAP).
It’s up to owners to see that their systems are updated properly, so that someone with a laptop and a bit of technical knowledge can’t take their wheels for a spin.
Jack Dorsey’s Bluetooth problems
Twitter co-founder Jack Dorsey’s latest idea for a “secure” comms network that doesn’t rely on a traditional mobile phone or Wi-Fi network, called Bitchat, has run into a few Bluetooth problems of its own.
Dorsey’s idea is to create a mesh network using Bluetooth, allowing those within range to send and receive messages in a sort of range-limited electronic CB radio network.
It appears he hasn’t subjected his idea to serious security testing.
“This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed,” he wrote on GitHub.
Alex Radocea, who has worked on security for Apple, Spotify, and CrowdStrike, spotted basic security errors in what he politely called Bitchat’s “decorative” authentication systems, errors that would allow an attacker to access contact logs and possibly even messages sent with the system. He suggested Bitchat’s developers used AI to code the app.
“There’s essentially no trust/auth built in today. So I would not really think about this as a secure messenger,” he advised. Dorsey has said the code is under review.
Will the real Marco Rubio please stand up?
US Secretary of State Marco Rubio has been doing his job, but it appears deepfaked versions of the Floridian have been doing the rounds while he’s away.
According to a State Department memo seen by The Washington Post, a US state governor, a congressperson, three foreign ministers, and five other state workers have received faked voice calls and text messages from a Signal account with the handle Marco.Rubio@state.gov.
“The actor left voicemails on Signal for at least two targeted individuals and in one instance, sent a text message inviting the individual to communicate on Signal,” the memo warns.
Signal is much loved by the current administration for its strong security (ironically created by anarchist Moxie Marlinspike), with some officials using it instead of government-built secure comms apps.
Like many public figures, Rubio has appeared in media so often that deepfake developers have huge quantities of footage and audio with which to create a digital fake. If the Secretary of State messages you, verify before trusting it.
Never cross the British tax authorities
Romanian police last week conducted armed raids and arrested 13 people over claims that they were running a scam to steal money from the UK tax authority, His Majesty’s Revenue and Customs (HMRC). One other suspect was arrested in the UK in Preston, Lancashire.
The criminals allegedly stole data from around 100,000 people and used it to file false claims for benefits and tax relief. Reports indicate the police seized luxury cars, jewelry, and large amounts of cash in the raids.
World’s largest Bitcoin ATM network attacked
Bitcoin Depot, which says it runs the world’s largest network of bitcoin ATMs, has filed breach notification warnings and informed around 27,000 users that attackers accessed their names, phone numbers, and driver’s license numbers, and maybe their addresses, dates of birth, and email addresses too.
The digicash biz spotted unusual activity on its servers on June 23, 2024 and identified the breach in July that year, but it took another 12 months before telling customers – and even then apparently only after US authorities demanded it.
“Unfortunately, we were not able to inform you sooner due to an ongoing investigation. Federal law enforcement requested that Bitcoin Depot wait to provide you notice until after they completed the investigation,” it said. “Law enforcement advised Bitcoin Depot on June 13, 2025, that their investigation was complete.” ®