No patches yet for Apple iLeakage side-channel attack

A new side-channel attack technique known as "iLeakage" can be used to access an Apple customer's credentials and emails, and no patches are currently available.

The iLeakage technique is a transient execution side-channel attack that targets the Safari web browser found on Apple devices. The attack was disclosed via a dedicated website and white paper on Oct. 25 and discovered by Jason Kim and Daniel Genkin of the Georgia Institute of Technology, Stephan van Schaik of the University of Michigan, and Yuval Yarom of Ruhr University Bochum.

The attack, if executed, would enable a threat actor to recover sensitive information from a Safari user's browser after causing it to render a malicious, arbitrary webpage. Examples provided on the website include viewing a user's Gmail inbox, accessing a user's YouTube watch history and harvesting Instagram credentials.

"[W]e can defeat Apple's low-resolution timer, compressed 35-bit addressing, and value poisoning countermeasures, allowing us to read any 64-bit address within the address space of Safari's rendering process," the white paper read. "Combining this with a new technique for consolidating websites from different domains into the same renderer process, we craft an end-to-end attack capable of extracting sensitive information (e.g., passwords, inbox content, locations, etc.) from popular services such as Google."

The iLeakage team compared the attack to Spectre, an infamous class of side-channel flaw that was disclosed in 2018 and affected a range of microprocessors. It, too, used speculative execution. The researchers said the new attack technique "shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery."

"Since the original Spectre exploit, browser vendors had significantly hardened browsers against attacks based on speculative and transient execution," the iLeakage website read. "For the case of Safari, this includes 35-bit addressing and the value poisoning, one process per tab isolation policy, as well as a low resolution timer. Nonetheless, iLeakage is the first demonstration of a speculative execution attack against Apple Silicon CPUs and the Safari browser."

The iLeakage attack affects many modern Apple devices, as all macOS and iOS products using Apple's A-series or M-series chips are vulnerable. All Apple laptops and desktops from 2020 onward are affected, as are recent iPhones and iPads.

Apple has released a mitigation for iLeakage. However, it is only a partial fix, as the update is opt-in and can only be enabled on macOS -- specifically, macOS Ventura versions 13.0 and higher. An Apple spokesperson told TechTarget Editorial in an email that the company is aware of the issue and that it will be addressed in Apple's next scheduled software release.

A FAQ on the iLeakage website said the researchers do not have evidence regarding whether the side-channel technique has been abused, noting that "iLeakage is a significantly difficult attack to orchestrate end-to-end, and requires advanced knowledge of browser-based side-channel attacks and Safari's implementation."

According to the iLeakage FAQ, the team disclosed its research to Apple on Sept. 12, 2022 -- more than 400 days prior to public release. Asked about working with Apple, the Georgia Institute of Technology's Genkin said the tech giant "has been very helpful with our conversations, and we had several discussions with them about our work."

The 2018 disclosure of the Meltdown and Spectre side-channel flaws proved to be a pivotal moment for the technology industry, as speculative execution emerged as an extensive attack surface. Major chipmakers initially struggled to fully patch the flaws without negatively affecting CPU performance, and researchers later discovered additional variants and new types of side-channel attacks that abused speculative execution functions.

Most recently, Daniel Moghimi, a senior research scientist at Google, discovered and disclosed at Black Hat USA 2023 a new class of side-channel attack he named "Downfall." The attack exploits a vulnerability, CVE-2022-40982, in the memory optimization feature of modern Intel processors and allows a user to abuse the gather instruction to steal data from another user on the same CPU.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.