Security researchers from the Georgia Institute of Technology and Ruhr University Bochum discovered two side channels of vulnerabilities in devices with Apple-names brand chips from 2021 or later, which could postpone sensitive information to attackers. Specifically, the vulnerabilities known as slack and flop foam Credit Card information, locations and other personal data. Data can be collected from sites such as iCloud calendar, Google Maps and Proton Mail via Safari and Chrome.
From January 28, Apple is aware of the vulnerabilities.
“Based on our analysis, we don’t think this problem poses an immediate risk to our users,” an Apple representative told Arstechnica. According to the researchers, Apple plans to release a patch at a non -revealed time.
Researchers have not found evidence of threat actors using these vulnerabilities.
Which Apple devices are affected?
The following Apple devices include vulnerable chips, according to the researchers:
- All Mac -Bearable computers from 2022 to the present (MacBook Air, MacBook Pro).
- All Mac -Desktops from 2023 to the present (Mac Mini, IMAC, Mac Studio, Mac Pro).
- All iPad Pro, Air and Mini Models from September 2021 to the present (Pro 6. and 7th Gen., Air 6th Gen., Mini 6. Gen.).
- All iPhones from September 2021 to the present (all iPhone 13, 14, 15 and 16 models, see 3. General).
What are slack and flop vulnerabilities?
Both vulnerabilities are based on speculative performance, a cyberattack technique that uses indirect signals such as power consumption, timing and sounds to extract information that would otherwise be secret. Modern Apple chips enable unintentionally speculative execution attacks because they use predictors that optimize CPU use by “speculating.” In case of slack, they predict that the next memory address from which the CPU will retrieve data. In Flop, they predict the data value returned by the memory system at the next access with the CPU core.
- Slap allows an striker to launch an end-to-end attack on safari web browser on devices with M2/A15 chips. From Safari, the striker could access E emails and see what the user has searched.
- Flop lets threat actors break into safari and chrome web browsers on devices with M3/A17 chips. Once inside, they could read the device’s location history, calendar events and stored credit card information.
See: Chinese company Deepseek released the most popular AI -Chatbot in the App Store this week in front of Openai.
“There are hardware and software goals to ensure that two open web pages are isolated from each other, preventing one of them form (malicious) to read the content of others,” scientists Jason Kim, Jalen Chuang, Daniel Genkin and Yuval wrote Yarom on their Georgia Technical Site about Relax and Flop. “Relax and flop breaks these protections so the striker can read sensitive login protected data from Target Websides. In our work, we show that this data ranges from location history to credit card information. “
The research highlights the dangerous potential of side channel attacks that both clap and flopp benefit. Side channel attacks are difficult to detect or mitigate because they are dependent on properties associated with hardware.
In March 2024, Apple Silicon Raised Afoul from another side channel attack called Gofetch.
What can users do about the vulnerabilities?
Users cannot apply mitigation to these vulnerabilities as the vulnerabilities are rooted in hardware.
“Apple has communicated to us that they are planning to tackle these problems in an upcoming security update, and therefore it is important to activate automatic updates and ensure that your devices run the latest operating system and applications,” the researchers wrote.
TechPublic has reached Apple for more information.