Apple isn’t addressing hardware threat to M-series Macs


Security researchers have discovered new security flaws affecting Apple devices with M2 or A15 chips and onwards. This includes iPhones, iPads, Mac laptops, and Mac desktops. The vulnerabilities, dubbed SLAP and FLOP and first reported by BleepingComputer, could allow attackers to read information from a user’s open web tabs. Depending on the tabs you have open, this could put sensitive data like passwords and banking information at risk.

This isn’t a software problem, but rather a hardware flaw that affects CPUs and leaves them vulnerable to side-channel attacks. This kind of exploit measures CPU activity and uses factors like power consumption, timing, and sound to infer information about the user’s behavior. The Spectre and Meltdown flaws from 2018 worked in a similar way.

It’s pretty complicated stuff, but the important part is that it makes it possible for attackers to get their hands on sensitive information even when it’s properly protected by the software your device is running. The cause of these weaknesses isn’t purely an Apple problem: it’s a performance optimization that’s used on most modern CPUs.

Computer programs are just a long series of instructions that the CPU executes, but because there are so many different outcomes to cover, those instructions expand into all sorts of different branches. “If A then do X, if B then do Y,” or “If A happens, return to point X” — in a large program, millions of decisions like these happen in order to progress. 

To speed things up, it’s now standard practice to predict which path the CPU should take and start executing instructions further down the line. This way, more work can be done at the same time, rather than every instruction waiting for its turn in the proper order. 

This optimization is called speculative execution or branch prediction, and because it’s based on predictions, it doesn’t always go well. It’s when the predictions backfire that we get these hardware vulnerabilities that attackers can take advantage of. 
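
A toy Python model of the behavior described above, added here as an illustration and not taken from the SLAP/FLOP research or from Apple's hardware. The `ToyCPU` class, its 2-bit counter, and the `footprint` set (a stand-in for cache state) are assumptions made for the sketch.

```python
# Toy model, constructed for illustration: one branch guarded by a 2-bit
# saturating-counter predictor, plus a set standing in for cache state.

class ToyCPU:
    def __init__(self):
        self.counter = 0        # 0-1: predict "not taken", 2-3: predict "taken"
        self.footprint = set()  # addresses touched, speculatively or not
        self.mispredictions = 0

    def predict_in_bounds(self):
        return self.counter >= 2

    def checked_load(self, memory, index):
        """Models `if index < len(memory): return memory[index]`."""
        guess = self.predict_in_bounds()
        actual = index < len(memory)
        if guess:
            # The CPU starts the load before the bounds check has resolved.
            self.footprint.add(index)
        if guess != actual:
            # Wrong guess: the speculative result is thrown away, but the
            # footprint entry stays. That leftover is the kind of trace a
            # timing side channel can observe.
            self.mispredictions += 1
        # Train the predictor on the real outcome.
        step = 1 if actual else -1
        self.counter = max(0, min(3, self.counter + step))
        if actual:
            self.footprint.add(index)
            return memory[index]
        return None  # architecturally, the out-of-bounds load never happened


def demo():
    cpu = ToyCPU()
    memory = [10, 20, 30, 40]              # constructed sample data
    for i in range(4):                     # in-bounds loads teach "check passes"
        cpu.checked_load(memory, i)
    result = cpu.checked_load(memory, 12)  # out of bounds, predicted in bounds
    return result, cpu.mispredictions, sorted(cpu.footprint)


if __name__ == "__main__":
    print(demo())
```

The program-visible result of the last load is `None`, exactly as the software intended, yet address 12 still appears in the footprint. This is why such flaws are hard to fix in software alone.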


The full names of the new flaws are “Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP)” and “Breaking the Apple M3 CPU via False Load Output Predictions (FLOP).” They both cause essentially the same problem, but while SLAP is limited to the Safari browser, FLOP works with Chrome as well. 

The research proves with demos that attacks based on these flaws are possible, but there’s no evidence of any cybercriminals using them at the moment. The researchers shared their findings with Apple last year and said that the company responded, stating that it plans to address the issues. However, months have passed, and since the papers were published, the only official comment from Apple (to BleepingComputer) is this:

“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats. Based on our analysis, we do not believe this issue poses an immediate risk to our users.”

Although these attacks don’t involve malware, they still begin with a visit to a malicious website. As always, the best way to protect yourself until we get security updates is to be careful of suspicious links and URLs while browsing.







