Apple Chips Can Be Hacked: Serious Vulnerabilities Expose Your Mac, iPhone, and iPad Data

Alternatives to DeepSeek in 2025

Hey everyone, it’s time for a serious chat about something that might make you a little uneasy: newly discovered vulnerabilities in Apple’s own silicon. Yep, the very chips powering your Macs, iPhones, and iPads are at risk. We’re talking about two sneaky side-channel attacks, called FLOP and SLAP, that could allow hackers to steal some pretty sensitive info, like your credit card details, where you’ve been, and even the contents of your emails. If you own a recent Apple device, you’ll want to pay close attention. This isn’t just some theoretical risk; it’s something that could potentially impact millions of us. Let’s break down what’s happening, how these attacks work, and what you need to know to stay safe.

The Side-Channel Attacks

So, what exactly are side-channel attacks? Well, they’re not like your typical software bugs that target code directly. Instead, these attacks are like eavesdropping on the hardware itself. They exploit the physical characteristics of a device, such as the timing, sound, and power consumption, to infer secrets. Think of it like this: instead of breaking down the front door, the attacker is figuring out the combination to the lock by listening to the clicks.

These vulnerabilities arise from a feature called speculative execution, which is a way to make your devices faster. It’s like a smart guess; the processor tries to predict what instruction it will need next, which speeds things up. But, as it turns out, these guesses can leave behind memory traces that hackers can exploit. It’s a bit of a trade off between performance and security. Turning off speculative execution could slow down your device by a lot—maybe even tenfold or more.

FLOP: The More Powerful Attack

Now, let’s talk about FLOP, which, sadly, is the more powerful of the two attacks. FLOP takes advantage of something called the Load Value Predictor (LVP). This little component is responsible for guessing the contents of memory when they’re not immediately available. It’s like the processor is saying, “I think this is what we’ll need next,” to save time. However, attackers can trick the LVP into giving out incorrect data, allowing them to read memory contents that should be off limits.

And what can they get access to? Well, think about your location history in Google Maps, your emails in Proton Mail, or the events in your iCloud Calendar; all of this can potentially be stolen using FLOP.

Here’s a simplified version of how FLOP works. First, the attacker sends “training data” to your browser using JavaScript. This allows them to figure out how to run code that’s meant for one data structure on another, ultimately enabling them to read any 64-bit memory address. The process works with both Safari and Chrome, which is why it’s so concerning.

With Chrome, FLOP targets the internal structures the browser uses to call WebAssembly functions. By tricking the LVP, attackers can run functions with incorrect arguments, allowing them to read specific memory locations. To make things even more complex, FLOP needs to bypass Chrome’s site isolation rules, requiring a few conditions to be met. For example, the attack won’t work if the target domain is on a public suffix list. The attacker must also be able to use their own JavaScript and WebAssembly on their site, and, of course, the target site needs to have secrets that are worth stealing. To show how this works, researchers demonstrated how FLOP can be used to steal credit card information stored on a user-created Square storefront.

FLOP is more powerful than SLAP because it can read any memory address in the browser’s process.

SLAP: The Safari-Specific Attack

Next up, we have SLAP. This attack exploits the Load Address Predictor (LAP). While LVP predicts the contents of memory, LAP predicts the locations where instruction data can be accessed. SLAP forces the LAP to predict the wrong memory addresses and forwards data to other instructions.

Using SLAP, attackers can gain access to sensitive JavaScript code on sites you visit, like Gmail. For instance, if you have one tab open to Gmail and another tab open to an attacker’s website, that attacker site can grab strings of code from your Gmail page.. In fact, researchers demonstrated how SLAP can be used to recover email content, and data from Amazon and Reddit.

Unlike FLOP, SLAP is limited to reading strings of another webpage and only works against Safari.

Affected Devices

So, which of your devices are at risk? Here’s the breakdown:

  • All Mac laptops from 2022–present (MacBook Air, MacBook Pro)
  • All Mac desktops from 2023–present (Mac Mini, iMac, Mac Studio, Mac Pro)
  • All iPad Pro, Air, and Mini models from September 2021–present (Pro 6th and 7th generation, Air 6th gen., Mini 6th gen.)
  • All iPhones from September 2021–present (All 13, 14, 15, and 16 models, SE 3rd gen.)

If you have an older device with an A14/M1 chip or older, you’re in the clear for now.

Real-World Implications and Attack Scenarios

While these attacks require specific conditions to work, it’s important to realize they are not just theoretical possibilities. In the real world, a hacker could set up a malicious website and then wait for a user with a vulnerable device to open it alongside a web-based service like Gmail, iCloud, or Google Maps. Once that happens, the attacker could use FLOP or SLAP to steal data. This could include your credit card information from a compromised storefront, or email content from your Gmail. In one scenario, a user browsing with two tabs, one on a target webpage, and another on an attacker controlled page, could be vulnerable.

Mitigation Strategies and Apple’s Response

The good news is that these issues can be fixed, but the solution requires software vendor patches. Researchers have said that Apple has indicated they plan to address these vulnerabilities in an upcoming security update. However, at the time of this blog post, there’s no fix available, and Apple hasn’t given us a date.

Apple’s response has been a bit vague. They’ve thanked the researchers for their work but have stated they don’t believe the issue poses an immediate risk to users. Why might Apple downplay the risk? Well, it’s possible they don’t want to cause mass panic, or they may feel that the complexity of these attacks makes them less likely to be used by most hackers. Other security experts might disagree with that assessment.

User Education and Best Practices

So, what can you do to protect yourself? Here are a few things to keep in mind:

  • Stay Updated: Keep your devices updated and install security patches as soon as they are available.
  • Be Careful When Browsing: Be cautious when browsing websites, especially those that host user-generated JavaScript or WebAssembly.
  • Limit Open Tabs: It’s a good idea to limit the number of open tabs you have, particularly when logged into sensitive websites.
  • Consider Avoiding Sensitive Logins: Consider not logging into sensitive accounts on your Apple devices until a patch is released.
  • Understand Your Risk: While these attacks are serious, the average user is less likely to be targeted than people with more sensitive information.

The Broader Landscape of Side-Channel Attacks

It’s important to remember that side-channel attacks are not a new concept and they’re not unique to Apple. Other chip manufacturers might be using similar methods and could be vulnerable to similar attacks. Also, researchers didn’t test Firefox, so we don’t know if it’s vulnerable. Side-channel attacks are a broader category of vulnerabilities that have been a problem for some time, requiring continuous vigilance from both hardware and software developers.

Conclusion

Okay, let’s recap. The FLOP and SLAP vulnerabilities are serious threats that can expose sensitive data on your Apple devices. FLOP is the more powerful of the two, affecting both Safari and Chrome, while SLAP is specific to Safari. While it is concerning, you can take steps to protect yourself. It’s critical to stay informed, keep your software updated, and be extra cautious when browsing the web.

The researchers who discovered these vulnerabilities are doing important work by identifying these security flaws. By bringing attention to these issues, they help encourage both hardware and software developers to find a solution.

Stay safe out there, and keep an eye out for those updates!

Also Read:

Share

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *