A team of researchers comprising Georgia Tech’s cybersecurity professors, Daniel Genkin and Jason Kim, University of Michigan’s Stephan van Schaik, and Ruhr University Bochum’s Yuval Yarom have published a research paper explaining a vulnerability they discovered in Apple devices that affects Macs and iPhones.
Researchers explained in the paper titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” that the vulnerability, dubbed iLeakage, has been affecting Macs and iPhones since 2020. The attack mainly affects those devices that were built with Apple’s Arm-based A-series and M-series chips.
Researchers devised an attack that forced Apple’s Safari browser to divulge passwords, Gmail content, and other sensitive data by exploiting a side channel vulnerability in the CPUs.
This vulnerability is built off an existing attack technique used on CPUs for over six years. Back in 2018, security researchers reported that all modern CPUs can be exploited to leak sensitive data by exploiting an integral feature on the processor called Speculative Execution.
In this technique, modern CPUs try to improve performance by executing instructions before they know it is needed. iLeakage is a browser-based attack exploiting a timerless speculative execution flaw in Apple devices. Timerless speculative execution lets the CPU execute instructions even without any time running. The attackers can exploit this to perform malicious operations without getting detected.
What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. The attacker can exfiltrate this data without alerting the user. It is a dangerous attack because adversaries can perform them without needing the victim to click on malicious links or open infected documents/attachments.
The flaw exists in the way the Safari browser handles JavaScript timers. This allows attackers to create malicious JavaScript code and use it to steal sensitive data from the device. The stolen data may include passwords, PII (personal identification information), and credit card numbers. Using this data, attackers can commit crimes like identity theft and fraud.
Researchers noted that iLeakage attacks are currently effective on Apple devices running Safari. However, other platforms or browsers may also be vulnerable. Therefore, it is essential to exercise caution to prevent iLeakage attacks. Always keep your software up-to-date and use a security solution that can detect/block speculative execution attacks.
The findings were disclosed to Apple on 12 September 2022. The company acknowledged this issue, and Apple’s Product Security team and Safari browser development team collaborated with the researchers to develop countermeasures. As a result, Apple refactored Safari’s multi-process architecture. These changes are currently under active development and are available in Safari Technology Preview versions 173 and above.
Apple has released a new inter-process communication API to spawn new processes for pages launched with window.open(). Researchers have confirmed that the patch mitigates iLeakage attacks by preventing the consolidation of domains across security boundaries but it has limitations.
“We have empirically verified that this patch mitigates our attack by preventing the consolidation of domains across security boundaries. This means that while it is still possible to escape the speculative JavaScript sandbox, an attacker will only be able to read their own address space and therefore their own data,” researchers concluded.
The full report can be accessed here (PDF), and there is a dedicated site available to demonstrate the iLeakage attack.
Regarding this research, Lionel Litty, Chief Security Architect at Menlo Security, a Mountain View, Calif.-based provider of browser security stated that this attack shows browsers are the new OS.
“This attack illustrates how for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads. Security practitioners must educate themselves on this attack surface.”
John Gallagher, Vice President of Viakoo Labs at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene noted that this attack method is not as significant as is the realization that threats are continually evolving.
“The significance is not necessarily in this as an attack method, but more in how threats are evolving based on the tradeoff between speed and security. Prefetching of information to speed up CPU execution has been around for a while, and equally has been exploited for a while. This is just a further “tit for tat”, and will be remediated in future CPU development.”
Gallagher, however, claims that in this attack, organizations aren’t at high risk because this attack requires a high degree of sophistication and there aren’t any reports that it has been exploited in the wild.
“Organizations are not at high risk, given that this attack method requires a high degree of sophistication by the threat actor and has not been seen exploited yet in the wild (or at least not reported). Organizations concerned (or high-value individual targets) should consider enabling lockdown mode, or using the MacOS (unstable) patch available,” Gallagher stated.