Security Now #1043: Memory Integrity Enforcement & The Crypto ATM Scam Epidemic
Date: September 17, 2025
Hosts: Steve Gibson & Leo Laporte
Podcast: Security Now (TWiT Network)
Episode Overview
This episode tackles two major cybersecurity themes:
- Memory Integrity Enforcement (MIE): Apple’s breakthrough in hardware-backed memory protection built into their A19 chips—possibly marking an end to most classic software exploitation methods.
- Crypto ATM Scam Epidemic: New revelations show that Bitcoin ATMs are overwhelmingly used by scammers, with legal action against a major ATM operator.
- Plus: Updates on ransomware attacks (Uvalde School District, Jaguar Land Rover), legislative battles over encrypted messaging (EU & Germany), student hackers in schools, massive DDoS attack trends, data privacy enforcement, and more.
Steve and Leo provide expert analysis, contextual anecdotes, technical deep-dives, and actionable advice for both IT pros and general listeners.
Key Discussions & Insights
1. Picture of the Week (Fire Hydrant Fencing)
- [11:01] Steve presents a photo of a fire hydrant surrounded by a custom fence, ironically blocking access for firefighters.
- Listener theories included that the fence's purpose is probably to keep dogs from urinating on the hydrant, since "the grass was brown in front of it."
“Presumably in case of fire, throw fence.” — Steve Gibson [13:53]
2. Crypto ATM Scam Epidemic ([14:06]–[22:53])
- The DC Attorney General sues Athena Bitcoin, the largest crypto ATM operator.
- Of all Bitcoin ATM transactions in DC, 93% were tied to scams, with only 7% legitimate.
- Victims were mostly elderly (median age: 71); median loss was $8,000.
- Athena allegedly imposed hidden fees up to 26% (compared to competitors’ 0.24–3%), refused refunds; their business model profited from victimization, both from scammers and their own surcharges.
"The scammers were deliberately specifically targeting the less technical elderly population in Washington D.C." — Steve Gibson [19:31]
Notable quote:
“Scammed individuals were victimized essentially twice: first by the scammers themselves and then by Athena.” — Steve Gibson [18:36]
3. Ransomware: Uvalde School District & Jaguar Land Rover
Uvalde School District Shutdown ([22:55]–[28:50])
- The district was shut for a week due to ransomware: vital systems including phones, cameras, and climate controls were down.
- Emphasis: Most incidents boil down to internal staff clicking malicious links.
- Steve’s thesis: Internal network security must assume someone will always click a phishing link—the only solution is to harden internal segmentation and limit potential damage.
"Regardless of how much training employees receive... They are. Somebody is going to click on a malicious link. It’s inevitable.” — Steve Gibson [26:38]
Jaguar Land Rover Supply Chain Meltdown ([32:24]–[34:46])
- Massive ransomware halted Jaguar's global production for over three weeks.
- Not just Jaguar was crippled—small suppliers faced bankruptcy, and the incident is expected to impact Britain’s national economic growth stats.
4. Hacker Group News: Scattered Lapsus Hunters Say Goodbye ([34:53])
- The combined “Scattered Lapsus Hunters” group posts a rambling 'goodbye' note after attacking Jaguar and threatening Google.
- Steve's take: "We’re almost certainly never going to know what really happened here." [36:34]
5. Policy & Privacy News
Germany’s Firm Stance Against “Chat Control” ([39:12]–[45:04])
- Germany firmly opposes EU-led attempts to mandate scanning or breaking encrypted messaging for CSAM (child sexual abuse material) detection.
- Stresses privacy rights, national law, and EU's own legal boundaries.
"Germany is opposed to breaking encryption. The goal is to produce a unified compromise proposal." — German Gov’t Statement (translated) [43:06]
Russian State Messenger Hacked on Launch ([45:05]–[50:56])
- Russia’s forced-encrypted messenger “MAX” quickly compromised; hackers sell account access for $250 an hour.
- Russian officials scramble to ban accounts and fight spam/malware.
"Even with many Western models to follow, still not an easy thing to do." — Steve Gibson [46:49]
Student Hackers in UK Schools ([50:56]–[55:55])
- Over 57% of school insider hacks in the UK are committed by students (97% where a stolen password was used).
- Main motives: dares, notoriety, pranks—not organized crime.
"I think they're just having some fun, accepting a dare and so forth... You are trying to herd a wild bunch of cyber-enabled kids." — Steve Gibson [50:49, 55:46]
HackerOne Bug Bounty Platform Hacked ([55:56]–[62:50])
- Not a direct breach—result of a supply chain vulnerability (via SalesLoft Drift chat widget integration).
- Steve's Security Lesson: Strong network segmentation containing third-party access is essential.
“[This] increasing, at least for me, annoying use of automated conversational AI chat windows... that's been the root cause of all of this pain.” — Steve Gibson [61:06]
6. IoT & DDoS: Hacked Washing Machines and Record-Breaking Attacks
Coin-Op Hacks—Amsterdam Style ([62:50]–[66:07])
- Students in Amsterdam hack smart laundry machines for months; university switches back to coin-op “dumb” machines.
- Steve confesses to similar 'hacks' as a student (“not that I had anything to do with that”).
“Let's just say I never needed to bring laundry home on the weekends for my mom to wash.” — Steve Gibson [65:17]
1.5 Billion Packet/sec DDoS Attack ([66:07]–[77:02])
- Record DDoS targets a security company, with over 11,000 networks’ devices involved in the botnet.
- Steve laments: The Internet's design makes it impossible to fundamentally stop such attacks without breaking key principles.
“To this day, and probably forever more, that incredibly elegant system is utterly and completely vulnerable to packet generation abuse. And there is no way to fix it. None.” — Steve Gibson [75:23]
7. Age Verification & Online Content Laws ([80:02]–[91:08])
- Social networks like BlueSky, OpenAI/ChatGPT, and others adapt to new state, national, and international laws requiring age verification—usually for adult content.
- Mississippi’s overbroad law leads BlueSky to depart entirely, whereas South Dakota and Wyoming allow only adult content restrictions.
- UK investigating dozens of porn sites for lack of “highly effective age assurance”—significant traffic drops on sites introducing ID checks.
- Stina Ehrensvärd (Yubico founder) leads a new non-profit effort to develop a privacy-respecting, cryptographically verifiable age proof standard.
“We need a privacy-forward age verification system where all it does is challenge you for: ‘Are you at least this old?’ and you just get a go/no-go reply…” — Steve Gibson [90:52]
GPC (Global Privacy Control) Enforcement ([91:08]–[100:30])
- US states (CA, CO, CT) now pursue legal action against web trackers not honoring GPC signals, making privacy compliance enforceable by law.
“Without enforcement, the law means nothing and will likely suffer the same fate as befell DNT.” — Steve Gibson [91:18]
8. Listener Feedback Highlights ([100:30]–[108:18])
- Synology vs. SyncThing: Some users are happy with Synology’s built-in sync tools, but Steve found it far less efficient than SyncThing for real-time file sync.
- Memory Wiping: Zeroing memory upon release is theoretically helpful (for security), but performance costs prevent such practice; tags and hardware approaches are now much more efficient.
- Age Proofing & Cross-Jurisdictional Laws: Clever feedback on how moving across jurisdictions could inadvertently reveal actual ages to aggressive web trackers.
Feature Deep Dive: Apple’s Memory Integrity Enforcement (MIE)
[115:04]–[161:48] Propeller Hat Section—The Technical Deep Dive
What is MIE?
- Memory Integrity Enforcement (MIE) is Apple’s new, always-on hardware feature in the A19 chips, designed to block the majority of modern software exploits stemming from memory misuse (use-after-free, buffer overruns, etc.).
- Described by Apple as:
“The most significant upgrade to memory safety in the history of consumer operating systems.” — Apple SEAR Group [119:43]
Why Is This a Big Deal?
- Nearly all “state actor”–grade exploits used memory corruption bugs.
- Even with Apple’s existing tight security, rare high-dollar attacks (like recent spyware incidents) succeeded only because of these flaws.
- Apple’s new chips and OS make such attacks nearly impossible—possibly eliminating most iOS zero-days.
What’s New in the Hardware?
- Memory Tagging: Inspired by the ARM Memory Tagging Extension (MTE), improved as Enhanced MTE (EMTE), and further customized by Apple.
- How It Works:
- Each memory allocation gets a secret 4-bit "tag", which is also carried in the pointer.
- The pointer's tag must match the memory's tag on every subsequent access (read or write); the check is performed directly in hardware.
- On a tag mismatch, including use after free (tags are changed on deallocation, so stale pointers no longer match), the access is blocked immediately and the process is terminated.
- Key Advancement: Tags are always checked synchronously in hardware, not at “debug” time nor with any asynchronous exception.
- Adjacent allocations always use different tags, blocking classic linear overflows.
- Kernel and user-space processes are all protected; over 70 Apple userland processes now have it on by default.
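As an added illustration (not Apple's or ARM's code) of the tagging scheme just described: a toy allocator tags 16-byte granules with 4-bit tags, stores the tag in the pointer's top byte, retags on free, and refuses any access whose pointer tag disagrees with the memory tag. Real MTE/EMTE performs this check in the load/store unit; here the assumed helper `t_access` stands in for the hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

// Constructed model of MTE-style tagging: 4-bit tag per 16-byte granule, tag in pointer's top byte.
#define GRANULE 16
#define HEAP_BYTES 256
#define NGRAN (HEAP_BYTES / GRANULE)
#define TAG_SHIFT 56

static uint8_t gtag[NGRAN];      // tag stored per granule ("in memory")
static size_t brk_gran;          // bump allocator cursor, in granules
static uint8_t next_tag = 1;     // tags 1..15 cycle; 0 marks never-allocated memory

static uint8_t ptr_tag(uintptr_t p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static size_t ptr_off(uintptr_t p) { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }

// Pick a tag that differs from the left neighbour (adjacent allocations never match)
// and from the granule's current tag (so a freed block never keeps its old tag).
static uint8_t fresh_tag(size_t first) {
  uint8_t t;
  do { t = next_tag; next_tag = (uint8_t)(next_tag % 15 + 1); }
  while ((first > 0 && gtag[first - 1] == t) || gtag[first] == t);
  return t;
}

// Allocate n bytes (rounded up to granules), tag them, return a tagged pointer.
uintptr_t t_malloc(size_t n) {
  size_t g = (n + GRANULE - 1) / GRANULE, first = brk_gran;
  if (n == 0 || first + g > NGRAN) return 0;
  uint8_t t = fresh_tag(first);
  memset(&gtag[first], t, g);
  brk_gran += g;
  return (uintptr_t)(first * GRANULE) | ((uintptr_t)t << TAG_SHIFT);
}

// Free: retag the granules so any dangling pointer stops matching the memory.
void t_free(uintptr_t p, size_t n) {
  size_t g = (n + GRANULE - 1) / GRANULE, first = ptr_off(p) / GRANULE;
  memset(&gtag[first], fresh_tag(first), g);
}

// The "load/store unit": 0 = allowed, -1 = tag mismatch (real hardware traps and kills the process).
int t_access(uintptr_t p, size_t len) {
  size_t off = ptr_off(p);
  if (len == 0 || off + len > HEAP_BYTES) return -1;
  for (size_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
    if (gtag[g] != ptr_tag(p)) return -1;   // synchronous check on every granule touched
  return 0;
}

// Linear overflow: byte 17 of a 16-byte buffer lands in the neighbour's granule and is caught.
int demo_overflow(void) {
  uintptr_t a = t_malloc(16), b = t_malloc(16);
  return b != 0 && t_access(a, 16) == 0 && t_access(a, 17) == -1;
}

// Use after free: the stale pointer's tag no longer matches the retagged memory.
int demo_uaf(void) {
  uintptr_t p = t_malloc(32);
  int before = t_access(p, 32);
  t_free(p, 32);
  return before == 0 && t_access(p, 1) == -1;
}
```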
Broader Implications:
- Previous flaws (like the DNG decompression bug + WhatsApp exploit) would have been neutered by MIE.
- Apple committed “an unprecedented percentage of silicon real estate” to enforcement, prioritizing security over features like faster neural networks.
Notable quotes:
- "Apple has clearly essentially taken the second generation of MTE known as EMTE and moved it to always-on synchronous and as strong as possible." — Steve Gibson [147:22]
- "There will come a time, and we might now be there today, when the cost to develop any new exploit, if it’s even possible, has become so high that even the highest and most capable exploit developers…give up on Apple and switch to more attackable platforms." — Steve Gibson [157:25]
Will Any Exploits Remain?
- “Not every type of security problem is a use after free or a buffer overflow…but I don't know what the percentage is. 95% of them probably are.” — Steve Gibson [154:47]
- Steve predicts far fewer iOS emergency security updates in the future.
Notable Quotes & Moments
- On phishing-resistant internal security:
"The only sane recourse is for enterprises to get very, very, very serious about hardening their internal security against anyone who might click on anything they receive over the Internet." — Steve Gibson [26:19]
- On the futility of DDoS prevention:
“There is nothing to prevent bad guys with thousands of remotely scattered devices under their control, all sending as much packet traffic as they can to anyone they choose. The result of this is that frequently targeted companies are choosing to hide behind the growing number of companies who are able to provide comprehensive DDoS protection…” — Steve Gibson [76:02]
Timestamps for Major Segments
| Segment | Start Time |
|---------|------------|
| Picture of the Week (Fire Hydrant Fence) | 11:01 |
| Crypto ATM Scam Epidemic & Athena Lawsuit | 14:06 |
| Uvalde School District Ransomware | 22:55 |
| Internal Network Security Needs Rethink | 28:50 |
| Jaguar Land Rover Attack & Supply Chain Impact | 32:24 |
| Scattered Lapsus Hunters Bow Out | 34:53 |
| Germany’s Stance on Chat Control | 39:12 |
| Russia's Bungled State Messenger Launch | 45:05 |
| Student Hackers in UK Schools | 50:56 |
| HackerOne Supply Chain Breach | 55:56 |
| Record 1.5 Billion PPS DDoS Attack | 66:07 |
| Age Verification Laws / GPC Enforcement | 80:02 |
| Listener Feedback & Memory Security Preliminaries | 100:30 |
| Deep Dive: Apple’s Memory Integrity Enforcement (MIE) | 115:04 |
| Technical Summary, Future Exploit Landscape | 158:29 |
Final Thoughts
- Apple’s Memory Integrity Enforcement is a paradigm shift: most classic exploits against iOS should be neutralized by design.
- Ransomware and scam threats remain rampant—humans are still the weak link.
- The battle over privacy, age verification, and encryption is intensifying, as is the arms race between attackers and defenders at every layer of the software-hardware stack.
- Steve predicts a significant reduction in iOS emergency security updates as a result of these innovations.
For More
- Show notes, full transcripts, and more: grc.com/sn
- Podcast (audio/video) downloads: twit.tv/sn
- Steve’s software & tools: grc.com
- Listener questions, feedback, or Picture of the Week submissions: grc.com/email
Summary written in the original language and tone of the episode. For completeness, advertisements and non-content sections are omitted. Timestamps provided for key content segments.