Researchers have discovered a new side-channel attack technique called “iLeakage” that can be used to access an Apple customer’s credentials and emails. The attack targets the Safari web browser found on Apple devices and exploits certain vulnerabilities to extract sensitive information from popular services like Google. It was disclosed through a dedicated website and accompanying white paper on October 25th by researchers from the Georgia Institute of Technology, the University of Michigan, and Ruhr University Bochum.
The iLeakage technique allows threat actors to recover information from a Safari user’s browser after causing it to render a malicious webpage. Examples given on the website include viewing a user’s Gmail inbox, accessing their YouTube watch history, and harvesting their Instagram credentials. By defeating Apple’s countermeasures and exploiting a new technique for consolidating websites, the attack is capable of extracting passwords, inbox content, locations, and more.
The researchers compare the iLeakage attack to the infamous Spectre class of side-channel vulnerabilities, which affected microprocessors and were disclosed in 2018. Both attacks utilize speculative execution, a feature that allows processors to predict and execute instructions in advance to improve performance. The iLeakage team states that their attack “shows that the Spectre attack is still relevant and exploitable” despite efforts to mitigate it over the past six years.
It is worth noting that browser vendors, including Apple, have implemented significant security measures to protect against attacks based on speculative and transient execution since the discovery of Spectre. However, iLeakage is the first demonstration of a speculative execution attack against Apple Silicon CPUs and the Safari browser, indicating a potential vulnerability in these systems.
The iLeakage attack affects various modern Apple devices, including macOS and iOS products that use Apple’s A-series or M-series chips. This includes all Apple laptops and desktops from 2020 onwards, as well as recent iPhones and iPads.
Apple has released a partial mitigation for the iLeakage attack, but it is only available as an opt-in update for macOS Ventura versions 13.0 and higher. The company has acknowledged the issue and stated that it will be addressed in its next scheduled software release. The researchers have no evidence of the iLeakage attack being abused in the wild, as it is a complex attack that requires advanced knowledge of browser-based side-channel attacks and Safari’s implementation.
The iLeakage research team disclosed their findings to Apple on September 12, 2022, more than 400 days before the public release of their research. The researchers have reported that Apple has been helpful during their conversations and that they have had several discussions about their work.
The discovery of side-channel vulnerabilities, such as Meltdown and Spectre in 2018, had a significant impact on the technology industry. Speculative execution emerged as a widespread attack surface, and chipmakers initially struggled to fully patch the flaws without affecting CPU performance. Since then, researchers have continuously discovered new variants and types of side-channel attacks that exploit speculative execution functions.
Most recently, Google researcher Daniel Moghimi disclosed a new class of side-channel attack called “Downfall” at Black Hat USA 2023. Downfall exploits a vulnerability in the memory optimization feature of modern Intel processors, allowing a user to abuse the gather instruction and steal data from another user on the same CPU.
In conclusion, the iLeakage attack highlights the ongoing challenge of securing systems against side-channel attacks. While Apple has released a partial mitigation for this specific attack, further efforts are needed to fully protect users from the exploitation of speculative execution vulnerabilities. The discovery of new attack techniques like iLeakage and Downfall serves as a reminder that the technology industry must remain vigilant in addressing these security vulnerabilities and adopting robust mitigation strategies.

