SLAP and FLOP have come to Apple Silicon-powered iPhones, iPads, and Macs. No, it’s not the latest fast-action video game; it’s two recently discovered security holes that could be used to steal your data.
The new security exploits take advantage of how Apple’s latest processors, including the M2 and M3, use predictive computing to speed up operations. The processors make an educated guess about upcoming memory operations to provide blazingly fast performance. Researchers have found that when the guess is wrong, it opens security holes that hackers can use to access your sensitive information, such as the contents of emails and credit card or debit card details.
Researchers at the Georgia Institute of Technology have identified two new security vulnerabilities in Apple’s recent CPUs, named SLAP and FLOP. The attacks use the predictive features found in Apple’s M2, M3, A15, and A17 chips that are designed to improve performance.
Apple Silicon processors attempt to predict memory operations, which can greatly speed up tasks. However, if the processor makes an incorrect prediction, the door is opened to attacks by hackers.
SLAP
Data Speculation Attacks via Load Address Prediction on Apple Silicon
We present SLAP, a new speculative execution attack that arises from optimizing data dependencies, as opposed to control flow dependencies. More specifically, we show that Apple CPUs starting with the M2/A15 are equipped with a Load Address Predictor (LAP), which improves performance by guessing the next memory address the CPU will retrieve data from based on prior memory access patterns.
However, if the LAP guesses wrong, it causes the CPU to perform arbitrary computations on out-of-bounds data, which should never have been accessed to begin with, under speculative execution. Building on this observation, we demonstrate the real-world security risks of the LAP via an end-to-end attack on the Safari web browser where an unprivileged remote adversary can recover email content and browsing behavior.
FLOP
Breaking the Apple M3 CPU via False Load Output Predictions
We present FLOP, another speculative execution attack that results from recent Apple CPUs predicting the outcome of data dependencies. Here, we demonstrate that Apple’s M3/A17 generation and newer CPUs are equipped with a Load Value Predictor (LVP). The LVP improves performance on data dependencies by guessing the data value that will be returned by the memory subsystem on the next access by the CPU core, before the value is actually available.
If the LVP guesses wrong, the CPU can perform arbitrary computations on incorrect data under speculative execution. This can cause critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory. We demonstrate the LVP’s dangers by orchestrating these attacks on both the Safari and Chrome web browsers in the form of arbitrary memory read primitives, recovering location history, calendar events, and credit card information.
So far, these flaws have not been exploited by a hacker in the wild.
While Apple hasn’t yet released a fix, it is aware of the issues. The researchers notified Apple close to a year ago about one of the flaws, and informed them about the second flaw about six months ago.
Unfortunately, the M4 chip was already in production at that time, meaning the fix couldn’t be included in the chip’s code. A fix likely won’t be put in place until Apple’s next generation of chips.
Hopefully, Apple can come up with a software patch to mitigate the problem.
Macs, iPhones, and iPads using an M2, M3, A15, or A17 chip are vulnerable to SLAP and FLOP, leaving last-generation iPad Pro models, current-generation iPad Air models, the iPhone 15 Pro, and the M2-powered MacBook Air susceptible to these exploits.
To help protect yourself until a fix is developed, keep your device and your data as safe as possible. Always update your devices and apps to their latest versions. These often include fixes for security holes like this. Stay away from untrusted websites, disable JavaScript whenever possible, and use extensions to block scripts in your browser.