A team of researchers comprising Georgia Tech’s cybersecurity professors, Daniel Genkin and Jason Kim, University of Michigan’s Stephan van Schaik, and Ruhr University Bochum’s Yuval Yarom have published a research paper explaining a vulnerability they discovered in Apple devices that affects Macs and iPhones.
Researchers explained in the paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” that the vulnerability, dubbed iLeakage, has been affecting Macs and iPhones since 2020. The attack mainly affects those devices that were built with Apple’s Arm-based A-series and M-series chips.
Researchers devised an attack that forced Apple’s Safari browser to divulge passwords, Gmail content, and other sensitive data by exploiting a side channel vulnerability in the CPUs.
This vulnerability is built off an existing attack technique used on CPUs for over six years. Back in 2018, security researchers reported that all modern CPUs can be exploited to leak sensitive data by exploiting an integral feature on the processor called Speculative Execution.
In this technique, modern CPUs try to improve performance by executing instructions before they know it is needed. iLeakage is a browser-based attack exploiting a timerless speculative execution flaw in Apple devices. Timerless speculative execution lets the CPU execute instructions even without any time running. The attackers can exploit this to perform malicious operations without getting detected.
What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. The attacker can exfiltrate this data without alerting the user. It is a dangerous attack because adversaries can perform them without needing the victim to click on malicious links or open infected documents/attachments.
The flaw exists in t ..
Support the originator by clicking the read the rest link below.
