Wednesday, April 23, 2025

Apple chips can be hacked to leak secrets from Gmail, iCloud and more

Apple-designed chips that power Macs, iPhones and iPads contain two recently discovered vulnerabilities that leak credit card information, locations and other confidential data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps and Proton Mail.

The vulnerabilities, which affect the CPUs in later generations of Apple's A-series chipsets, open them to side-channel attacks, a class of exploit that infers secrets by measuring manifestations such as timing, sound and power consumption. Both side channels result from the chips' use of speculative execution, a performance optimization that improves speed by predicting the control flow the CPU should take and following that path rather than the instruction order in the program.

A new direction

The affected Apple silicon takes speculative execution in new directions. In addition to predicting the control flow the CPU should take, it also predicts the data flow, such as which memory address to load from and what value will be returned from memory.

The more powerful of the two side-channel attacks is called FLOP. It exploits a form of speculative execution implemented in the chips' load value predictor (LVP), which predicts the contents of memory when they are not immediately available. By inducing the LVP to forward values from malformed data, an attacker can read memory contents that would normally be off-limits. The attack can be used to steal a target's location history from Google Maps, inbox content from Proton Mail and events stored in iCloud Calendar.

SLAP, meanwhile, abuses the load address predictor (LAP). While the LVP predicts the values of memory contents, the LAP predicts the memory locations where instruction data can be accessed. SLAP forces the LAP to predict incorrect memory addresses. Specifically, the value at an older load instruction's predicted address is forwarded to younger arbitrary instructions. When Safari has one tab open on a targeted website such as Gmail and another tab open on an attacker site, the latter can access sensitive strings of JavaScript code from the former, making it possible to read email contents.
