As nifty as the Apple Silicon processors are, there’s currently a flaw present in the hardware that could allow hackers to siphon private data. The processors use speculative execution, a feature that guesses what you’ll need next, and those guesses are generally right. Still, when these guesses are incorrect, they can create vulnerabilities that hackers could use to access sensitive information, like emails and credit card details.
SLAP & FLOP attacks
Researchers from the Georgia Institute of Technology have identified two new security vulnerabilities in Apple’s recent CPUs, named SLAP and FLOP. These attacks exploit features in the M2, M3, A15, and A17 chips that are supposed to improve performance. The problem lies in how Apple’s processors try to predict memory operations to speed up tasks. When these guesses are wrong, they accidentally open the door for hackers. SLAP (speculative execution via Load Address Prediction) offers access to private data, like email content, by tricking the processor into using out-of-bounds memory. FLOP (False Load Output Prediction) bypasses memory safety checks even further.
The team has demonstrated how SLAP could be used to extract private emails from Safari and how FLOP could recover sensitive data like credit card details. While there’s no evidence of hackers exploiting these flaws in the wild yet, the potential is there.
The attacks are similar to other speculative execution attacks such as Spectre and Meltdown, which created widespread security concerns a few years ago. The difference this time is that the attacks specifically target Apple’s hardware.
Apple has yet to release a fix, but has stated that it’s aware of the Apple Silicon vulnerabilities. The researchers who found SLAP and FLOP notified Apple about a year ago for one flaw, and about six months ago for the other. Still, true fixes may have to be incorporated at the hardware level.
In the meantime, keep your devices patched with the latest software and updates, including security patches. Avoid untrusted websites and disable JavaScript when not needed. Browser extensions that block scripts can also help, and just follow your instincts if something seems off.
Stay tuned for additional details as they become available.
Via AppleInsider and predictors.fail