October 26, 2023 at 02:06PM
A group of academics has discovered a new side-channel attack called iLeakage that targets Apple’s A- and M-series CPUs on iOS, iPadOS, and macOS devices. By exploiting a weakness in Safari, sensitive information can be extracted. The attack could be used to retrieve Gmail inbox content and autofilled passwords from malicious web pages. Apple was notified of the findings in September 2022, and the vulnerability affects Apple devices released from 2020. Despite the technical expertise required, this highlights the ongoing threat posed by hardware vulnerabilities.
Key takeaways from the meeting notes:
– A group of academics has discovered a novel side-channel attack called iLeakage that targets Apple iOS, iPadOS, and macOS devices running on A- and M-series CPUs. The attack allows sensitive information to be extracted from the Safari web browser.
– iLeakage is the first speculative execution attack against Apple Silicon CPUs and affects all Apple devices released from 2020.
– The attack takes advantage of a performance optimization mechanism called speculative execution, which has been targeted in previous attacks like Spectre.
– iLeakage can be used to recover sensitive information, such as Gmail inbox content and autofilled passwords, by inducing Safari to render a malicious webpage.
– The attack works on all third-party web browsers available for iOS and iPadOS due to Apple’s App Store policy.
– Apple was informed of the findings on September 12, 2022.
– While the technical expertise required to carry out the attack makes real-world exploitation unlikely, the discovery highlights the ongoing threat of hardware vulnerabilities.
– The iLeakage attack is the latest in a series of side-channel attacks targeting modern CPUs, including Collide+Power, Downfall, and Inception.
– The discovery of RowPress, a variant of the RowHammer attack, has also raised concerns about data corruption or theft.
Please let me know if there is any further information or clarification you need.