Apple chips vulnerable to attacks that leak sensitive data


Researchers have discovered vulnerabilities in Apple's A and M chips that make iPhones, iPads and Macs susceptible to data leaks. According to Apple, there is no acute threat.

All iPhones, iPads and Macs with one of Apple's own A or M processors on board are in principle vulnerable to data leaks. That is the conclusion of research by the Georgia Institute of Technology and Ruhr University Bochum. The researchers discovered two vulnerabilities that can be exploited from a web page to steal information from other web applications open in the same browser.


Both vulnerabilities stem from speculative execution, a technique built into Apple's processors (and into most modern CPUs). Rather than wait for a slow operation to finish, the processor predicts its outcome and keeps executing ahead on that guess. If the guess is right, time has been saved; if it is wrong, the speculative work is thrown away and execution restarts from the correct result. The discarded work is invisible to the program itself, but it can leave traces in the processor's caches, and those traces are what the attacks measure.

FLOP

The technique boosts performance, but it can also leave processors vulnerable. The researchers discovered two ways this can be exploited. The first vulnerability is named FLOP, in full False Load Output Predictions, and is the more dangerous of the two, according to the researchers.

FLOP targets the Load Value Predictor (LVP) in the chips. When a load instruction has repeatedly returned the same value, the LVP guesses that the next execution will return it again and lets the processor continue speculatively with that guess before the real load completes. An attacker can train the LVP by having a load return a chosen constant value many times, then change the value in memory; the LVP still predicts the old value. If that value was, for example, a pointer or a type tag, the processor transiently runs code on data of the wrong type. This type confusion lets code execute speculatively on memory it was never meant to touch.

By provoking these mispredictions, attackers can read memory that is not normally accessible to them, for instance data belonging to another website open in the same browser. This makes it possible to steal location history from Google Maps, emails from Gmail and calendar appointments from iCloud, to give just a few examples. The researchers say they were able to exploit the vulnerability in both the Chrome and Safari browsers.

SLAP

The second vulnerability is called SLAP, short for Speculative Load Address Prediction, and targets the Load Address Predictor (LAP). This mechanism predicts not the value a load will return but the memory address it will read from, based on the pattern of addresses that previous executions of the same load have used.

The modus operandi is similar to FLOP. This time the attacker trains the LAP with a series of loads whose addresses follow a regular pattern, for instance a fixed stride through a buffer. When that pattern is then broken, the LAP still predicts the next address in the sequence, and the processor speculatively loads from an address that should not be accessible, such as memory just past the end of the buffer. This can expose, for example, email content or stored address and payment information.
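To make the two training-then-mispredict sequences above concrete, here is an added illustrative model of a Load Value Predictor and a Load Address Predictor. It is not Apple's implementation and not code from the FLOP or SLAP papers (the real predictors were reverse-engineered by the researchers and differ in their details): it uses a textbook last-value predictor and a textbook stride predictor, each gated by an assumed saturating confidence counter (CONF_MAX), to show how training leaves a stale prediction behind while the architectural load still returns the correct result. The buffer base address and iteration counts are constructed values.

```c
/* Added example: textbook models of an LVP and a LAP, not Apple's hardware.
 * Shows the FLOP and SLAP training pattern: after enough identical
 * observations the predictor speculates, and a subsequent change (to the
 * value, or to the address pattern) is not reflected in its prediction. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CONF_MAX 3   /* assumed: predictor speculates once confidence saturates */

/* ---- Load Value Predictor: remembers the last value a load returned ---- */
typedef struct { uint64_t last_value; int confidence; int valid; } lvp_entry;

static int lvp_predict(const lvp_entry *e, uint64_t *pred) {
    if (e->valid && e->confidence >= CONF_MAX) { *pred = e->last_value; return 1; }
    return 0;
}

/* Called when the real load completes; this is the architectural truth. */
static void lvp_update(lvp_entry *e, uint64_t actual) {
    if (e->valid && e->last_value == actual) {
        if (e->confidence < CONF_MAX) e->confidence++;
    } else {
        e->last_value = actual; e->confidence = 0; e->valid = 1;
    }
}

typedef struct { int used; uint64_t predicted; uint64_t architectural; } flop_result;

/* FLOP-style scenario: train the LVP on a constant, then change memory.
 * 'used' is 1 when the predictor supplied a (stale) value for the next load. */
flop_result flop_scenario(int train_iters) {
    lvp_entry e = {0};
    volatile uint64_t mem = 0x41;                 /* the attacker-controlled value */
    for (int i = 0; i < train_iters; i++) lvp_update(&e, mem);
    mem = 0x42;                                   /* attacker changes memory */
    flop_result r = {0, 0, 0};
    r.used = lvp_predict(&e, &r.predicted);       /* still 0x41 if confident */
    r.architectural = mem;                        /* the real load sees 0x42 */
    if (!r.used) r.predicted = r.architectural;   /* no speculation, no gap */
    return r;                                     /* gap = transient window */
}

/* ---- Load Address Predictor: remembers the stride between addresses ---- */
typedef struct { uint64_t last_addr; int64_t stride; int confidence; int valid; } lap_entry;

static int lap_predict(const lap_entry *e, uint64_t *pred) {
    if (e->valid && e->confidence >= CONF_MAX) { *pred = e->last_addr + (uint64_t)e->stride; return 1; }
    return 0;
}

static void lap_update(lap_entry *e, uint64_t addr) {
    if (!e->valid) { e->last_addr = addr; e->stride = 0; e->confidence = 0; e->valid = 1; return; }
    int64_t s = (int64_t)(addr - e->last_addr);
    if (s == e->stride) { if (e->confidence < CONF_MAX) e->confidence++; }
    else { e->stride = s; e->confidence = 0; }
    e->last_addr = addr;
}

typedef struct { int used; int out_of_bounds; uint64_t predicted; uint64_t limit; } slap_result;

/* SLAP-style scenario: walk an in-bounds buffer with a fixed stride, then ask
 * the LAP which address it proposes for the next load of the same instruction. */
slap_result slap_scenario(size_t n_train, size_t buf_len, size_t stride) {
    lap_entry e = {0};
    const uint64_t base = 0x10000;                /* constructed buffer address */
    for (size_t i = 0; i < n_train; i++) lap_update(&e, base + i * stride);
    slap_result r = {0, 0, 0, base + buf_len};
    r.used = lap_predict(&e, &r.predicted);
    r.out_of_bounds = r.used && r.predicted >= r.limit;  /* past the end? */
    return r;
}

int main(void) {
    flop_result f = flop_scenario(8);
    printf("FLOP: predictor used=%d predicted=0x%llx architectural=0x%llx\n",
           f.used, (unsigned long long)f.predicted, (unsigned long long)f.architectural);
    slap_result s = slap_scenario(8, 64, 8);      /* 8 loads, all inside 64 bytes */
    printf("SLAP: predictor used=%d predicted=0x%llx limit=0x%llx oob=%d\n",
           s.used, (unsigned long long)s.predicted, (unsigned long long)s.limit, s.out_of_bounds);
    return 0;
}
```

The point of the model is the gap it exposes: in both scenarios every architectural load is correct (the program never sees 0x41 again and never reads past the buffer), so nothing is wrong from the program's point of view. The stale prediction only exists during the speculative window, which is why the real attacks need a cache side channel to observe it, and why too little training (fewer than CONF_MAX matching observations here) produces no prediction at all.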

Vulnerable devices

According to the researchers, the vulnerabilities apply to all recent Apple devices equipped with an in-house A or M processor. For iPhones, that means the iPhone 13 and newer, and all iPad models released since 2021. Macs are affected too: MacBooks from 2022 onwards and desktop Macs from 2023 onwards. The two vulnerabilities are described in detail in two papers, one for each attack.

In a response to Ars Technica, Apple said it had been informed of the vulnerabilities but that they did not pose an "immediate risk" to users. In private, Apple did say it would roll out a patch. In the papers, the researchers suggest a list of mitigations. Because the flaws lie in the processors' predictors themselves, a software update cannot remove them, only work around them, which makes them harder to fix than an ordinary software bug.