SecurityWeek

New SLAP and FLOP CPU Attacks Expose Data From Apple Computers, Phones

New CPU side-channel attacks named SLAP and FLOP can be exploited to remotely steal data from Apple mobile and desktop devices. 

Academic researchers have disclosed the details of two new CPU side-channel attacks impacting millions of phones, tablets, laptops and desktop computers made by Apple.

The attack methods, discovered by researchers from the Georgia Institute of Technology and Ruhr University Bochum, have been named SLAP (Speculation via Load Address Prediction) and FLOP (False Load Output Predictions). 

The researchers have demonstrated how an attacker can exploit CPU vulnerabilities to obtain potentially sensitive information from the memory of a targeted user’s Apple device by getting the victim to visit a malicious website.

According to the researchers, the SLAP and FLOP attacks work against all MacBook laptops released since 2022, all Mac desktop devices since 2023, and all iPads and iPhones released since September 2021.  

The SLAP attack was showcased on the Safari browser in a scenario that involved an unprivileged remote attacker recovering email content and browsing behavior from a targeted webpage. 

The FLOP attack was demonstrated on Safari and Chrome, with researchers showing how a threat actor could obtain data such as location history, calendar events and even payment card information. 

SLAP targets Apple’s implementation of a performance-improving feature named Load Address Predictor (LAP) on devices with CPUs starting with M2 and A15. FLOP targets a performance-improving feature named Load Value Predictor (LVP) on devices with M3, A17 and newer CPUs.

“SLAP exploits a phenomenon in Safari where strings that belong to different webpages can be allocated within a close distance to each other, and thus discloses cross-origin strings that are allocated in proximity to the adversary’s own strings,” the researchers explained. “On the other hand, FLOP is a speculative type confusion attack that causes the CPU to bypass integrity checks on data structures, resulting in memory read primitives from arbitrary addresses in Safari and Chrome.”

Apple was informed about the findings in May 2024 (SLAP) and September 2024 (FLOP), but the company does not appear too concerned. 

In a statement, the tech giant thanked the researchers and acknowledged that their proof-of-concept advances the company’s understanding of these types of threats, but noted that based on its analysis it does not believe these attacks pose an immediate risk to users.

SecurityWeek has reached out to the researchers to find out why Apple would believe the attacks don’t pose an immediate risk considering that they are remotely exploitable with minimal user interaction — whether the attacks are not as easy to conduct as they appear, or they have a low success rate in practice. This article will be updated if they respond. 

Devices with Intel, AMD and Qualcomm processors do not appear to be impacted, and the researchers said they haven’t tested the attacks on other web browsers except Chrome and Safari. 

Additional details are available on a dedicated website and in the papers published for FLOP and SLAP.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
