A group of cybersecurity experts, including Daniel Genkin and Jason Kim from Georgia Tech, Stephan van Schaik from the University of Michigan, and Yuval Yarom from Ruhr University Bochum, has published a research paper uncovering a critical vulnerability in Apple devices, affecting both Macs and iPhones.
In the paper, titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” the researchers describe a vulnerability, known as iLeakage, that has silently affected Apple devices since 2020. The flaw predominantly impacts devices built on Apple’s Arm-based A-series and M-series chips.
In their research, the team devised an attack that manipulates Apple’s Safari browser to divulge sensitive data, including passwords and Gmail content, by exploiting a side-channel vulnerability within the CPUs.
iLeakage is an offshoot of a long-standing CPU attack technique. In 2018, security researchers revealed that virtually all modern CPUs could be exploited to leak sensitive data by taking advantage of a key CPU feature called speculative execution. With speculative execution, a CPU improves performance by executing instructions before it knows whether they are actually needed. iLeakage exploits a timerless speculative execution flaw specific to Apple devices, in which the CPU executes instructions without time constraints. Attackers can harness this to carry out malicious activity without detection.
At its core, an iLeakage attack tricks the CPU into executing speculative code that accesses sensitive data in memory, then surreptitiously exfiltrates that data. Notably, the attack does not require user interaction, such as clicking a malicious link or opening a compromised document, which makes it particularly insidious.
The vulnerability resides in the way the Safari browser manages JavaScript timers, enabling attackers to craft malicious JavaScript code that steals critical data. The stolen information can include passwords, personally identifiable information (PII), and credit card numbers. Such ill-gotten data could be leveraged for identity theft and fraud.
iLeakage attacks are presently effective on Apple devices using Safari. However, it remains plausible that other platforms or browsers may harbor similar vulnerabilities. Therefore, users are urged to exercise vigilance by keeping their software updated and deploying security solutions capable of detecting and thwarting speculative execution attacks.
The research findings were responsibly disclosed to Apple on September 12, 2022. Apple acknowledged the issue and collaborated with the researchers to develop countermeasures. As a result, Apple has restructured Safari’s multi-process architecture. These modifications are actively in development and accessible in Safari Technology Preview versions 173 and above.
Apple has also introduced a new inter-process communication API to spawn processes for pages launched with window.open(). This patch has been verified to mitigate iLeakage attacks by preventing domain consolidation across security boundaries, though it has certain limitations.
For in-depth details, the researchers have published the complete report along with a dedicated site demonstrating the iLeakage attack.
Lionel Litty, Chief Security Architect at Menlo Security in Mountain View, California, a browser security provider, emphasized that this attack underscores a paradigm shift where browsers become the new operating system. He noted that web primitives, like origins and web workers, mirror OS primitives, such as applications and threads, making it essential for security professionals to familiarize themselves with this evolving attack surface.
John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View-based automated IoT cyber hygiene provider, highlighted the evolving nature of threats, underscoring that the attack method itself isn’t as significant as the broader trend of threats adapting in response to the trade-off between speed and security. Gallagher pointed out that prefetching information to accelerate CPU execution has been exploited before, making this development part of a larger cycle.
However, Gallagher offered reassurance that organizations are not at high risk from this particular attack, as it demands a high level of sophistication from threat actors, and no instances of it being exploited in the wild have been reported. He advised that organizations, especially high-value targets, consider activating Lockdown Mode or applying available macOS patches as precautionary measures.