A Georgia Tech researcher has demonstrated a side-channel attack against Apple’s newest MacBook Pro, the model equipped with the M3 processor.
The demonstration exposes a significant weakness in Apple devices: using it, the researcher recovered a fictional target’s Facebook password and intercepted the second-factor authentication code sent by text message.
Jason Kim, a Ph.D. student, demonstrated the iLeakage side-channel attack in a video.
This vulnerability, which he discovered along with associate professor Daniel Genkin, affects a wide range of Apple products manufactured since 2020, including iPhones, iPads, laptops, and desktops.
iLeakage specifically targets the Safari browser on these devices. In the researchers’ demonstrations it recovered sensitive information such as Instagram login credentials, Gmail inbox contents, and YouTube watch histories.
Kim had previously showcased this exploit on an older MacBook Pro last month.
The attack begins when the victim visits a webpage controlled by the attacker. Because Safari does not fully isolate pages from different websites from one another, the attacker’s page can gain access to data belonging to the target’s page.
The attacker then reads the target page’s private data through a side channel in the processor’s speculative execution.
Speculative execution is a performance technique in modern CPUs: the processor guesses which instructions it will need next and runs them ahead of time. When a guess turns out to be wrong the results are discarded, but the work can leave measurable traces behind, and it is those traces that make devices susceptible to attacks of this kind.
The issue became widely known with the Spectre attack reported in 2018. Despite efforts to combat these kinds of attacks, Kim and Genkin’s research shows that vulnerabilities still exist.
In their demonstration, they used a MacBook Pro with the new Apple M3 chip and the latest macOS 14.1.1 and Safari 17.1 to recover a target’s Facebook password. They then intercepted a two-factor authentication token sent via SMS to an Android phone.
Apple was informed about iLeakage on September 12, 2022. In response, the company issued a mitigation for Safari.
However, this fix was not enabled by default, and it was only available on macOS Ventura 13.0 and later.
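The article says the mitigation is opt-in and only available on macOS 13.0 or later, so a practitioner’s first question is whether a given Mac even qualifies before trying to turn it on. The script below is an added example, not code from the article or from the researchers: it compares the running macOS version against the 13.0 minimum the article names, and only then exposes Safari’s hidden Debug menu with the `defaults` command. The `IncludeInternalDebugMenu` key and the name of the menu item printed at the end are assumptions drawn from outside this article; the toggle itself lives in Safari’s GUI and must be switched by hand.

```shell
#!/bin/sh
# Added example (not from the article or the iLeakage authors).
# Gate the Safari mitigation step on the macOS version the article
# says it requires (Ventura 13.0 or later).

# version_ge A B: exit 0 when dotted version A >= B, 1 otherwise.
# Missing components count as 0, so "13" == "13.0.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Minimum macOS version for Apple's Safari mitigation, per the article.
MITIGATION_MIN_MACOS="13.0"

# check_and_enable: verify the host qualifies, then expose the hidden
# Safari Debug menu so the mitigation toggle can be reached.
check_and_enable() {
    ver=$(sw_vers -productVersion 2>/dev/null) || {
        echo "sw_vers not found; this is not macOS" >&2
        return 2
    }
    if ! version_ge "$ver" "$MITIGATION_MIN_MACOS"; then
        echo "macOS $ver is older than $MITIGATION_MIN_MACOS; mitigation unavailable" >&2
        return 1
    fi
    # Assumption: this preference key unhides Safari's Debug menu.
    defaults write com.apple.Safari IncludeInternalDebugMenu -bool true
    # Assumption: the mitigation is the menu item named below.
    echo "Restart Safari, then enable Debug > WebKit Internal Features > Swap Processes on Cross-Site Window Open"
}

# Only touch the system when invoked explicitly with --enable.
if [ "${1-}" = "--enable" ]; then
    check_and_enable
fi
```

Run it as `sh ileakage-check.sh --enable` on the Mac in question; without the flag it only defines the helpers, which keeps it safe to source into other scripts.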
The researchers believe that iLeakage is a complex attack to execute, requiring advanced knowledge of browser-based side-channel attacks and Safari’s implementation. So far, there’s no evidence that real-world attackers have used iLeakage.
On macOS, only the Safari web browser is affected, because the attack relies on specifics of Safari’s JavaScript engine. On iOS the situation is different: Apple’s App Store policies require other browser apps to use Safari’s JavaScript engine, which leaves nearly every browser application on the App Store exposed to iLeakage.
The findings of this research, titled “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” will be presented at the 2023 ACM SIGSAC Conference on Computer and Communications Security.
This revelation underscores the need for continuous vigilance and advancement in cybersecurity to protect users from sophisticated attacks in an ever-evolving digital landscape.
Source: Georgia Institute of Technology.