Researchers have discovered two newly identified vulnerabilities in Apple-designed chips that power Macs, iPhones, and iPads, exposing sensitive user data such as credit card information and location history through side-channel attacks that exploit flaws in speculative execution, according to Ars Technica.
Researchers identify vulnerabilities in Apple silicon chips
The vulnerabilities affect the CPU architectures in later generations of Apple A- and M-series chipsets and open them to side-channel attacks, which infer secrets from observable physical phenomena such as timing, sound, and power consumption. The newly identified attacks, named FLOP and SLAP, leverage issues in the chips’ speculative execution, a performance technique in which the processor predicts the path upcoming instructions will take and executes ahead of that prediction.
FLOP, or False Load Output Prediction, targets flaws in the load value predictor (LVP) introduced in the M3 and A17 chipsets. This attack enables an adversary to retrieve unauthorized memory contents by manipulating the LVP into forwarding values derived from incorrect data, allowing extraction of information like location history from Google Maps and event details from iCloud Calendar.
SLAP, or Speculative Load Address Prediction, exploits vulnerabilities in the load address predictor (LAP) found in M2 and A15 chipsets. This attack involves forcing the LAP to mispredict memory addresses, which permits the unauthorized reading of data across open browser tabs. If a user visits an attacker’s site while logged into services like Gmail or Proton Mail, the attacker can access sensitive login-protected data hosted on those sites.
Researchers indicated that both attacks bypass the protections designed to isolate data between open browser tabs, leading to the unauthorized access of sensitive information. FLOP is particularly powerful as it can read any memory address associated with the browser process in both Safari and Chrome, while SLAP has a more limited capability confined to adjacent memory locations and only works with Safari.
The affected devices include all Mac laptops from 2022 onward, all Mac desktops from 2023 onward, every iPad Pro, Air, and Mini model from September 2021 onward, and all iPhone models from September 2021 onward, including the iPhone 13, 14, 15, 16, and SE (3rd generation).
The researchers stated that to execute a successful FLOP attack, the target must be authenticated on a vulnerable site in one tab while another tab is open on an attacker-controlled site for an estimated period of five to 10 minutes. The attack is executed by embedding JavaScript within the vulnerable web page, which then trains the LVP to execute harmful operations on incorrect data.
For SLAP, an unprivileged remote attacker can recover secrets stored in various applications like Gmail and Amazon by manipulating the LAP. This vulnerability stems from the LAP’s ability to issue loads to previously unaccessed addresses and forward those values across a wide window of operations.
The researchers disclosed the vulnerabilities to Apple in March and September of 2024. In response, Apple acknowledged the findings and stated that it plans to address the issues. However, as of now, the vulnerabilities remain unmitigated.
In a statement, Apple expressed appreciation for the researchers’ collaboration and emphasized that, based on their analysis, they do not consider these issues an immediate risk for users.
An academic report detailing the FLOP attack is set to be presented at the 2025 USENIX Security Symposium, while SLAP will be showcased at the 2025 IEEE Symposium on Security and Privacy. The research team includes Jason Kim, Jalen Chuang, Daniel Genkin from the Georgia Institute of Technology, and Yuval Yarom from Ruhr University Bochum.
Featured image credit: Apple
Video credits: Georgia Institute of Technology