A team of researchers has developed an innovative side-channel attack called iLeakage, which takes advantage of a vulnerability in Apple’s A- and M-series CPUs found in iOS, iPadOS, and macOS devices. This technique allows for the extraction of sensitive information from the Safari web browser.
“In a recent study, researchers Jason Kim, Stephan van Schaik, Daniel Genkin, and Yuval Yarom revealed that attackers can use speculative execution to recover sensitive data by manipulating Safari to render arbitrary webpages.”
In a real-world attack, a malicious webpage could be used to exploit this vulnerability and gain access to Gmail inbox contents and even retrieve autofilled passwords stored by credential managers.
iLeakage is the first Spectre-style speculative execution attack demonstrated against Apple Silicon CPUs. It also affects every third-party web browser on iOS and iPadOS, because Apple’s App Store policy requires browser vendors to use Safari’s WebKit engine.
Apple was notified of the findings on September 12, 2022. The flaw affects all Apple devices released since 2020 that are powered by Apple’s A-series and M-series ARM processors.
The attack relies on a microarchitectural side channel: a malicious actor deduces sensitive information by measuring observable quantities such as timing, power consumption, or electromagnetic emissions rather than reading the data directly.
The side channel behind this latest attack stems from speculative execution, a performance optimization in contemporary CPUs that has been the basis of multiple similar methods since Spectre was disclosed in 2018.
Speculative execution improves performance by letting the processor keep executing instructions before the outcome of a conditional branch is known. The processor predicts which path the program will take and speculatively executes instructions along that path, so the work is already done when the prediction turns out to be correct.
When the prediction is wrong, the results of the speculative execution are discarded and the processor resumes along the correct path. However, the mispredicted instructions still leave traces in the cache, and it is these traces that a side-channel attack can observe.
Although iLeakage poses a potential threat, Ars Technica maintains that the chances of it being exploited in real-world scenarios are minimal. Exploiting it demands deep expertise in reverse-engineering A- and M-series chips in order to access the side channel they expose. The publication asserts, “There’s no evidence that this vulnerability has been previously identified, let alone actively exploited in real-world situations.”