Security researchers from Georgia Institute of Technology and Ruhr University Bochum discovered two side-channel vulnerabilities in devices with Apple name-brand chips from 2021 or later that could expose sensitive information to attackers. Specifically, the vulnerabilities known as SLAP and FLOP skim credit card information, locations, and other personal data. Data can be gathered from sites like iCloud Calendar, Google Maps, and Proton Mail via Safari and Chrome.
As of Jan. 28, Apple is aware of the vulnerabilities.
“Based on our analysis, we do not believe this issue poses an immediate risk to our users,” an Apple representative told ArsTechnica. According to the researchers, Apple plans to release a patch at an undisclosed time.
The researchers have not found evidence of threat actors using these vulnerabilities.
Which Apple devices are affected?
The following Apple devices include vulnerable chips, according to the researchers:
- All Mac laptops from 2022 to the present (MacBook Air, MacBook Pro).
- All Mac desktops from 2023 to the present (Mac Mini, iMac, Mac Studio, Mac Pro).
- All iPad Pro, Air, and Mini models from September 2021 to the present (Pro 6th and 7th gen., Air 6th gen., Mini 6th gen.).
- All iPhones from September 2021 to the present (all iPhone 13, 14, 15, and 16 models, SE 3rd gen.).
What are the SLAP and FLOP vulnerabilities?
Both vulnerabilities are based on speculative execution, a cyberattack technique that uses indirect cues such as power consumption, timing, and sounds to extract information that would otherwise be secret. Contemporary Apple chips inadvertently enable speculative execution attacks because they use predictors that optimize CPU usage by “speculating.” In the case of SLAP, they predict the next memory address the CPU will retrieve data from. In FLOP, they predict the data value returned by the memory subsystem on the next access by the CPU core.
- SLAP enables an attacker to launch an end-to-end attack on the Safari web browser on devices with M2/A15 chips. From Safari, the attacker could access emails and see what the user has been browsing.
- FLOP lets threat actors break into Safari and Chrome web browsers on devices with M3/A17 chips. Once inside, they could read the device’s location history, calendar events, and stored credit card information.
SEE: Chinese company DeepSeek released the most popular AI chatbot on the App Store this week, ahead of OpenAI.
“There are hardware and software measures to ensure that two open webpages are isolated from each other, preventing one of them form (maliciously) reading the other’s contents,” wrote researchers Jason Kim, Jalen Chuang, Daniel Genkin, and Yuval Yarom on their Georgia Tech site about SLAP and FLOP. “SLAP and FLOP break these protections, allowing attacker pages to read sensitive login-protected data from target webpages. In our work, we show that this data ranges from location history to credit card information.”
The research highlights the dangerous potential of side-channel attacks, which both SLAP and FLOP take advantage of. Side-channel attacks are difficult to detect or mitigate because they rely on properties inherent to the hardware.
In March 2024, Apple silicon ran afoul of another side-channel attack called GoFetch.
What can users do about the vulnerabilities?
Users can’t apply mitigations to these vulnerabilities, since the vulnerabilities are rooted in the hardware.
“Apple has communicated to us that they plan to address these issues in an upcoming security update, hence it is important to enable automatic updates and ensure that your devices are running the latest operating system and applications,” the researchers wrote.
TechRepublic has reached out to Apple for more information.
