SLAP and FLOP Vulnerabilities Poke Holes in Apple's In-House Silicon
Speculative execution vulnerabilities as-yet unpatched, leaving all current Apple devices at risk.
Researchers from Georgia Tech and the Ruhr University Bochum have highlighted two speculative execution vulnerabilities, SLAP and FLOP, in Apple's in-house Apple Silicon A- and M-family processors. They allow a malicious website to retrieve supposedly-protected memory contents including browsing history, email content, location history, and credit card details.
"There are hardware and software measures to ensure that two open webpages are isolated from each other, preventing one of them from (maliciously) reading the other's contents," the researchers explain. "SLAP and FLOP break these protections, allowing attacker pages to read sensitive login-protected data from target webpages. In our work, we show that this data ranges from location history to credit card information."
The two attacks, Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the Apple M3 CPU via False Load Output Predictions (FLOP), take a similar approach to the infamous Spectre vulnerability: they take advantage of processor features that increase performance by retrieving data or executing instructions speculatively, and use them to infer or directly access supposedly-protected memory. In the case of SLAP and FLOP, the attacks run in the Safari browser and can access a range of personal information, including credit card details and browsing history, when the user simply visits a malicious website.
The attacks exploit flaws in the Apple Silicon A- and M-series processors, meaning they affect all Mac laptops built from 2022 onwards, all Mac desktops built from 2023 onwards, all iPad Pro, Air, and Mini models built from 2021 onwards, and all iPhones built from 2021 onwards. In other words, if you have a modern Apple device you're almost certainly affected, and at the time of writing Apple had not yet released patches to mitigate the issues.
"While FLOP has an actionable mitigation," the researchers note, "implementing it requires patches from software vendors and cannot be done by users. Apple has communicated to us that they plan to address these issues in an upcoming security update, hence it is important to enable automatic updates and ensure that your devices are running the latest operating system and applications. So far, we do not have any evidence that either SLAP or FLOP has been used in the wild."
More information on the vulnerabilities, including demonstrations of the attacks in action and links to the researchers' SLAP and FLOP papers, is available on the predictors.fail website.