Vulnerabilities In Apple CPUs Allow Data Theft While Browsing


A few years ago, Apple decided to abandon third-party chips in favor of ARM-based designs in its Macs. The move was a huge success for the company, offering high-performance and energy-efficient devices while reducing manufacturing costs. However, it seems that Apple’s modern CPUs have some vulnerabilities that could put your data at risk from potential attacks.

Vulnerabilities on some Apple CPUs allow attacks to steal your data while browsing

A team of security researchers from Georgia Institute of Technology and Ruhr University found vulnerabilities based on FLOP (False Load Output Prediction) and SLAP (Speculative Load Address Prediction) in some of Apple’s latest chips. The security holes affect not only M-series SoCs but also some of the A-series that power iPhones.

Both methods target flaws in the chips’ speculative execution that surface under certain conditions. In other words, an attacker could exploit the chips’ predictive features to steer them into a state of “confusion,” in which they act on erroneous or manipulated predictions as if they were correct. Attackers can use this to expose users’ private data.

“Starting with the M2/A15 generation, Apple CPUs attempt to predict the next memory address that will be accessed by the core,” the researchers told BleepingComputer. “Moreover, starting with the M3/A17 generation, they attempt to predict the data value that will be returned from memory. However, mispredictions in these mechanisms can result in arbitrary computations being performed on out-of-bounds data or wrong data values,” they added.

The most dangerous aspect of these vulnerabilities is that they do not require malware to be installed on the device. All that is needed is for the user to visit a website with malicious JavaScript or WebAssembly code embedded in it.

FLOP and SLAP attacks “confuse” Apple chips

Starting with the FLOP-based method, the M3, M4, and A17 chips are susceptible to it. The hardware attempts to predict the memory addresses that will be accessed next and the values stored there. Attackers could manipulate the chip’s readings to obtain incorrect values and, from there, access sensitive data. Researchers demonstrated the vulnerability by running a loop that repeatedly loaded the same value, which at some point triggered an incorrect prediction.
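As an added illustration, not code from the article or from the researchers, and not a reproduction of Apple’s actual (undocumented) predictor design, the toy model below simulates a simple last-value load predictor in C. It shows the mechanism the quoted researchers describe: once a load site has returned the same value often enough, the core starts consuming the predicted value before memory answers, so the first load after the value in memory changes executes dependent work on stale data before the misprediction is detected and squashed. The table layout, the confidence threshold of 3, the load address 0x1000 and the sample values 42 and 7 are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a last-value load predictor (LVP). Assumed structure for
 * illustration only: Apple's real predictor design is not public.         */
#define LVP_ENTRIES 16
#define CONF_MAX    3

typedef struct {
    int      valid;
    uint64_t pc;         /* address of the load instruction */
    uint64_t value;      /* last value this load returned */
    int      confidence; /* saturating counter, grows on each repeat */
} lvp_entry;

typedef struct {
    lvp_entry table[LVP_ENTRIES];
    int threshold;       /* confidence needed before a value is predicted */
    int predictions;     /* loads that consumed a predicted value early */
    int mispredictions;  /* predictions later found wrong and squashed */
} lvp_state;

static void lvp_init(lvp_state *s, int threshold)
{
    memset(s, 0, sizeof *s);
    s->threshold = threshold;
}

/* Returns 1 and sets *pred when the table is confident enough to guess. */
static int lvp_predict(const lvp_state *s, uint64_t pc, uint64_t *pred)
{
    const lvp_entry *e = &s->table[pc % LVP_ENTRIES];
    if (!e->valid || e->pc != pc || e->confidence < s->threshold)
        return 0;
    *pred = e->value;
    return 1;
}

/* Train the table with the value that really came back from memory. */
static void lvp_update(lvp_state *s, uint64_t pc, uint64_t actual)
{
    lvp_entry *e = &s->table[pc % LVP_ENTRIES];
    if (!e->valid || e->pc != pc) {
        e->valid = 1; e->pc = pc; e->value = actual; e->confidence = 0;
    } else if (e->value == actual) {
        if (e->confidence < CONF_MAX) e->confidence++;
    } else {
        e->value = actual;       /* a changed value resets confidence */
        e->confidence = 0;
    }
}

/* One load: if a prediction exists, dependent work starts on it right away;
 * when the real value arrives the core compares and squashes on mismatch.
 * Returns 1 when dependent work ran on a stale value before the squash.   */
static int simulate_load(lvp_state *s, uint64_t pc, uint64_t actual)
{
    uint64_t pred;
    int ran_on_stale = 0;
    if (lvp_predict(s, pc, &pred)) {
        s->predictions++;
        if (pred != actual) {
            s->mispredictions++;
            ran_on_stale = 1;    /* architectural state is repaired, but the work happened */
        }
    }
    lvp_update(s, pc, actual);
    return ran_on_stale;
}

/* Scenario from the article: the same load site returns a constant value
 * train_iters times, then the value in memory changes once.               */
static void run_constant_then_change(lvp_state *s, int train_iters)
{
    const uint64_t load_pc = 0x1000;    /* constructed sample load address */
    lvp_init(s, 3);
    for (int i = 0; i < train_iters; i++)
        simulate_load(s, load_pc, 42);  /* constructed sample value */
    simulate_load(s, load_pc, 7);       /* memory now holds a different value */
}

int scenario_predictions(int train_iters)
{
    lvp_state s; run_constant_then_change(&s, train_iters); return s.predictions;
}

int scenario_mispredictions(int train_iters)
{
    lvp_state s; run_constant_then_change(&s, train_iters); return s.mispredictions;
}

int main(void)
{
    for (int n = 2; n <= 8; n += 2)
        printf("train=%d predictions=%d mispredictions=%d\n",
               n, scenario_predictions(n), scenario_mispredictions(n));
    return 0;
}
```

The point for defenders is in `simulate_load`: the value the program ultimately sees is always the correct one, so nothing in the architectural result reveals that dependent instructions briefly ran on stale data. That is why the researchers’ findings matter even though the CPU “fixes” the misprediction, and why the only user-side mitigation the article offers is to prevent untrusted code from running at all.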

This vulnerability could enable a malicious actor to do multiple things. The list includes “escaping Safari’s sandbox, retrieving sender and subject information from Proton Mail inbox, stealing Google Maps location history, and recovering private events from iCloud Calendar,” the report reads.

Then there are SLAP-based attacks, which also take advantage of the predictive capabilities of the hardware. In this case, the list of affected chips includes Apple’s M2, A15, and “many of the later models.” This method specifically targets the moment when the chip predicts the memory address that will be accessed next. An attacker could train the CPU to anticipate a specific access pattern and then alter the memory layout. This “confuses” the SoC into computing on erroneous data that it nonetheless trusts, enabling access to sensitive data. By the time the chip “realizes” the error, it is too late.

By using this particular vulnerability repeatedly, attackers “can reconstruct stolen information such as retrieving Gmail inbox data, Amazon orders and browsing data, and Reddit user activity.”

The vulnerabilities were reported last year, but no fix is in sight

The Cupertino giant has not yet shipped a fix for the vulnerabilities described above. “Based on our analysis, we do not believe this issue poses an immediate risk to our users,” the company said in this regard. If you are concerned about potential related attacks, you can disable JavaScript in Safari and Chrome. Naturally, however, this will negatively impact your browsing experience. Lastly, the researchers disclosed the SLAP and FLOP vulnerabilities on March 24 and September 3, 2024, respectively.
