SLAP and FLOP Vulnerabilities Poke Holes in Apple's In-House Silicon

Speculative execution vulnerabilities as-yet unpatched, leaving all current Apple devices at risk.

Gareth Halfacree
24 days ago · Security

Researchers from Georgia Tech and Ruhr University Bochum have highlighted two speculative execution vulnerabilities, SLAP and FLOP, in Apple's in-house Apple Silicon A- and M-family processors. Both allow a malicious website to retrieve supposedly-protected memory contents including browsing history, email content, location history, and credit card details.

"There are hardware and software measures to ensure that two open webpages are isolated from each other, preventing one of them from (maliciously) reading the other's contents," the researchers explain. "SLAP and FLOP break these protections, allowing attacker pages to read sensitive login-protected data from target webpages. In our work, we show that this data ranges from location history to credit card information."

Researchers have uncovered speculative execution vulnerabilities in all Apple Silicon-powered devices, from Macs to iPhones. (📹: Kim et al)

The two attacks, Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the Apple M3 CPU via False Load Output Predictions (FLOP), take a similar approach to the infamous SPECTRE vulnerability: they take advantage of processor features that increase performance by retrieving data or executing instructions speculatively, and use them to infer or directly access supposedly-protected memory. In the case of SLAP and FLOP, the attacks run in the Safari browser and can access a range of personal information, including credit card details and browsing history, when the victim simply visits a malicious website.

The attack exploits flaws in the Apple Silicon A- and M-series processors, meaning it affects all Mac laptops built from 2022 onwards, all Mac desktops built from 2023 onwards, all iPad Pro, Air, and Mini models built from 2021 onwards, and all iPhones built from 2021 onwards. In other words, if you have a modern Apple device you're almost certainly affected — and, at the time of writing, Apple had not yet released patches to mitigate the issues.

The vulnerabilities can be used to read the contents of protected memory, pulling in data which should remain private. (📹: Kim et al)

"While FLOP has an actionable mitigation," the researchers note, "implementing it requires patches from software vendors and cannot be done by users. Apple has communicated to us that they plan to address these issues in an upcoming security update, hence it is important to enable automatic updates and ensure that your devices are running the latest operating system and applications. So far, we do not have any evidence that either SLAP or FLOP has been used in the wild."

More information on the vulnerabilities, including demonstrations of the attacks in action and links to the researchers' SLAP and FLOP papers, is available on the predictors.fail website.
