A group of academic researchers on Wednesday released a study showing how they launched an attack that can make Apple’s Safari browser leak personal information, passwords or credit card data by exploiting a side-channel vulnerability in Apple’s A-series and M-series CPUs.
In a side-channel attack, an exploit seeks to extract secrets from a chip or a computer system by observing indirect effects of its operation (such as timing) rather than by breaking its logic directly. The attack the researchers demonstrated abuses speculative execution, a performance feature of modern CPUs that runs instructions before it is known whether they are actually needed; since the Spectre disclosures of 2018, the measurable traces left behind by mispredicted speculation have given rise to a broad range of attacks.
Dubbed iLeakage, the attack was developed by a team of academics from Georgia Tech, University of Michigan, and Ruhr University Bochum in Germany who aimed to study the security issues with Apple’s new Arm chip architecture.
“While significant effort has been invested analyzing x86 CPUs, the Apple ecosystem remains largely unexplored,” said the researchers in a very detailed research paper.
Researchers from the Georgia Tech School of Cybersecurity and Privacy said in an FAQ about iLeakage that code running in one web browser tab should be isolated and not able to infer anything about other tabs that a user has open. However, with iLeakage, the researchers said, malicious JavaScript and WebAssembly code can read the content of a target webpage when the target visits the attacker's webpage and clicks on it.
The researchers said that while Apple has implemented a mitigation for iLeakage in Safari, it is not enabled by default and is available only on macOS, where it is a setting in Safari’s hidden internal debug menu (“Swap Processes on Cross-Site Window Open”) that users must turn on by hand. Because Apple has marked the mitigation as unstable, the Georgia Tech researchers said they will keep their FAQ updated as Apple pushes further iOS and macOS updates.
Devices vulnerable to iLeakage include those running macOS or iOS on Apple’s A-series or M-series CPUs, which covers all recent iPhones and iPads as well as Apple's Mac laptops and desktops from 2020 onwards. The attack targets WebKit, the engine behind Safari; on iOS every third-party browser is required to use WebKit as well, so switching browsers on an iPhone or iPad does not avoid it. To date, there’s no indication that iLeakage has been exploited in the wild.
Not as bad as it looks
On its face, the news from the academic researchers sounds horrible, said Craig Harber, security evangelist at Open Systems. However, Harber said it’s actually a highly complex attack that requires attackers with the technical skills to reverse-engineer the affected A-series and M-series chips. It also requires a hacker with significant experience studying and exploiting speculative execution vulnerabilities, like the vulnerabilities reported by Microsoft and Intel in 2019, said Harber.
“There are no indications this vulnerability has been exploited in the wild, which is good news,” said Harber. “The better news is Apple will likely have a patch available before hackers can use these researchers’ work to exploit macOS or iOS devices in the future. Now that this vulnerability is published, it will be important for Apple to make sure this patch gets pushed to all affected devices as soon as it is available.”
Cyware Director Emily Phelps added that Apple's ecosystem often gets lauded for its security, and discovering this type of vulnerability could damage its reputation and shake user confidence. Phelps said side-channel attacks exploit subtle discrepancies in system operations, like power consumption or electromagnetic emissions, to infer data or operations, which means that patching or countering such attacks may not be straightforward.
“Users should be sure to keep their devices and software updated,” said Phelps. “Until the issue is resolved, consider using different browsers. Employ multi-factor authentication, stay informed, and exercise caution when accessing any sensitive information online.”