Recent iPhone, Mac Models Susceptible to Side Channel Exploitation, Putting Sensitive Information at Risk: Report

Security researchers have discovered new vulnerabilities in Apple's in-house Silicon chipsets which may leave it exposed to exploitation, according to a report. The Cupertino-based technology company's A and M-series chipsets, which power the iPhone/iPad and Mac, respectively, are said to be susceptible to side channel attacks which may allow threat actors to access the memory contents, including data from apps like Google Maps and iCloud Calendar, that may otherwise be off limits. The report reveals that even the latest iPhone 16 models and M4 Macs could fall prey to this exploitation.

Apple Devices are at Risk

In an Ars Technica report, security researchers highlighted that the following Apple devices are at risk of being prone to sensitive data theft:

1. All Mac laptops from 2022–present
2. All iMac models from 2023–present
3. All iPad Pro, Air, and Mini models from September 2021–present
4. All iPhone models from September 2021–present

What Causes the Vulnerability

Security researchers revealed that threat actors can exploit Apple's A and M-series chipsets by executing two types of side channel attacks. Rather than directly targeting algorithms or cryptographic defenses, these attacks involve exploitation of unintended system information, such as electromagnetic emissions, power consumption, timing, and even sound. The problem in Apple Silicon chips arises due to an optimisation technique used by the CPU called speculative execution. It predicts and executes instructions in advance, and even predicts the data flow to improve the processing speed.

The most dangerous of the two attacks is dubbed Floating-point Operations or FLOP, explain researchers. It exploits the speculative execution in the chips' load value predictor (LVP) — a component which predicts memory contents when they are not readily accessible. It induces forward values from malformed data to LVP to gain access to off-limit memory contents. With FLOP, threat actors can reportedly steal sensitive information like location history from Google Maps and events from the iCloud Calendar. This requires the victim to be logged in to Gmail or iCloud in one tab and the attacker site in another for an estimated five to 10-minute duration.

Highlighting the danger, researchers noted, “If the LVP guesses wrong, the CPU can perform arbitrary computations on incorrect data under speculative execution. This can cause critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory.”

The second attack, called Speculative Load Address Prediction or SLAP, is reported to misuse load address predictor (LAP) on the Apple Silicon chips. It is a component which predicts the memory location from which the instruction set can be accessed. SLAP exploits this security feature by forcing it to load inaccurate memory addresses. This occurs when older load instruction values are forwarded to recently scheduled arbitrary instructions. Thus, when a user opens a Gmail tab on Safari and another one on an attacker website, the latter is capable of accessings JavaScript code's sensitive strings which may enable them to read the contents of the email.

FLOP is said to be more dangerous than SLAP as it can not only read memory addresses in the browser address bar, but also works against both Google Chrome and Safari.