Apple chips in Macs, iPhones, iPads can be hacked: Report
What's the story
A recent discovery has unearthed two critical vulnerabilities in Apple's custom-made chips, as reported by ArsTechnica.
The flaws could expose sensitive user data, including credit card details and location information, through the Apple Safari and Google Chrome browsers.
The affected chips are those used in Macs, iPhones, and iPads. The vulnerabilities specifically affect the CPUs in later generations of Apple's A- and M-series chipsets, leaving them open to side channel attacks.
Attack mechanism
Understanding the nature of side channel attacks
Side channel attacks are a form of exploit that infers confidential information from indirect indicators such as timing, sound, and power consumption.
These vulnerabilities arise from the chips' reliance on speculative execution, a performance optimization.
The technique improves speed by predicting the control-flow path the CPU will take and executing along that path ahead of time, rather than waiting to follow the program's instruction order.
Exploits
FLOP and SLAP: The 2 side-channel attacks on Apple chips
The two side-channel attacks in question are called FLOP and SLAP.
FLOP takes advantage of a form of speculative execution in the chips' load value predictor (LVP), which predicts the contents of memory before they are actually available.
By tricking the LVP into forwarding values derived from corrupted data, an attacker can read memory contents that would otherwise remain inaccessible.
This can be used to steal a target's location history from Google Maps, inbox content from Proton Mail, and events stored in iCloud Calendar.
SLAP exploit
How SLAP attack exploits Apple chips
The second attack, SLAP, exploits the load address predictor (LAP). Whereas the LVP predicts the values held in memory, the LAP predicts the memory locations from which instructions will load data.
SLAP manipulates the LAP into predicting wrong memory addresses. Specifically, it forwards the value at an older load instruction's predicted address to younger, arbitrary instructions.
When Safari has one tab open on a targeted website such as Gmail and another on an attacker-controlled site, sensitive strings from the target page's JavaScript can be accessed by the attacker's site.
Attack comparison
Researchers reveal FLOP's power over SLAP
FLOP is more potent than SLAP for two reasons: it can read any memory address in the browser process's address space, and it works against both Safari and Chrome.
SLAP, by contrast, is limited to reading strings belonging to another webpage that happen to be allocated adjacent to the attacker's own strings, and it only works against Safari.
The following Apple devices are affected by one or both of these attacks: all Mac laptops from 2022 to present, all Mac desktops from 2023 to present, and all iPad Pro models from September 2021 to present.