Macs, iPhones, and iPads made during and after 2021 may be at risk. However, no attackers have taken advantage. Apple is aware of the security vulnerabilities.
Security researchers from Georgia Institute of Technology and Ruhr University Bochum discovered two side-channel vulnerabilities in devices with Apple name-brand chips from 2021 or later that could expose sensitive information to attackers. Specifically, the vulnerabilities known as SLAP and FLOP skim credit card information, locations, and other personal data. Data can be gathered from sites like iCloud Calendar, Google Maps, and Proton Mail via Safari and Chrome.
As of Jan. 28, Apple is aware of the vulnerabilities.
“Based on our analysis, we do not believe this issue poses an immediate risk to our users,” an Apple representative told ArsTechnica. According to the researchers, Apple plans to release a patch at an undisclosed time.
The researchers have not found evidence of threat actors using these vulnerabilities.
The following Apple devices include vulnerable chips, according to the researchers:
Both vulnerabilities are based on speculative execution, a cyberattack technique that uses indirect cues such as power consumption, timing, and sounds to extract information that would otherwise be secret. Contemporary Apple chips inadvertently enable speculative execution attacks because they use predictors that optimize CPU usage by “speculating.” In the case of SLAP, they predict the next memory address the CPU will retrieve data from. In FLOP, they predict the data value returned by the memory subsystem on the next access by the CPU core.
SEE: Chinese company DeepSeek released the most popular AI chatbot on the App Store this week, ahead of OpenAI.
“There are hardware and software measures to ensure that two open webpages are isolated from each other, preventing one of them form (maliciously) reading the other’s contents,” wrote researchers Jason Kim, Jalen Chuang, Daniel Genkin, and Yuval Yarom on their Georgia Tech site about SLAP and FLOP. “SLAP and FLOP break these protections, allowing attacker pages to read sensitive login-protected data from target webpages. In our work, we show that this data ranges from location history to credit card information.”
The research highlights the dangerous potential of side-channel attacks, which both SLAP and FLOP take advantage of. Side-channel attacks are difficult to detect or mitigate because they rely on properties inherent to the hardware.
In March 2024, Apple silicon ran afoul of another side-channel attack called GoFetch.
Users can’t apply mitigations to these vulnerabilities, since the vulnerabilities are rooted in the hardware.
“Apple has communicated to us that they plan to address these issues in an upcoming security update, hence it is important to enable automatic updates and ensure that your devices are running the latest operating system and applications,” the researchers wrote.
TechRepublic has reached out to Apple for more information.
Megan Crouse has a decade of experience in business-to-business news and feature writing, including as first a writer and then the editor of Manufacturing.net. Her news and feature stories have appeared in Military & Aerospace Electronics, Fierce Wireless, TechRepublic, and eWeek. She copyedited cybersecurity news and features at Security Intelligence. She holds a degree in English Literature and minored in Creative Writing at Fairleigh Dickinson University.
