SECURITY
SECURITY
SECURITY
Newly discovered ‘iLeakage’ exploits speculative execution in Apple devices
A team of academic researchers has published a paper and website warning users about a security threat that exploits weaknesses in recent Apple Inc. devices that can be used to extract sensitive information from Apple’s Safar web browser.
Dubbed “iLeakage,” the vulnerability exploits a “speculative execution” vulnerability in Safari installed on recent model Macs, iPads and iPhones with Apple A and M series CPUs. Speculative execution is a technique that modern processors use to improve performance by executing instructions before it is known whether they are actually necessary. Doing so can lead to security vulnerabilities if the speculative execution is not properly controlled.
To induce the vulnerability, an attacker does need to trick a potential victim into visiting a malicious website. The attack path could include phishing links sent through email asking potential victims to reset passwords or something similar.
Once attackers have induced a victim to visit the malicious site, they can then use JavaScript or WebAssembly to read the content of other web pages that the user has opened in Safari. The content can include personal information, passwords or credit card information.
The researchers, from the University of Michigan, Georgia Institute of Technology and Ruhr University Bochum, warn that iLeakage is a serious security vulnerability that can be exploited by attackers to steal sensitive information from Safari users.
Apple has implemented a mitigation for iLeakage in Safari. However, it’s not enabled by default and enabling it is possible only on macOS. Added to the mix is that the mitigation is currently marked as unstable.
“This attack illustrates how, for both attackers and defenders, the browser is the new OS, with web primitives such as origins and web workers that parallel OS primitives, such as applications and threads,” Lionel Litty, chief security architect at browser security company Menlo Security Inc., told SiliconANGLE. “Security practitioners must educate themselves on this attack surface.”
John Gallagher, vice president of Viakoo Labs at enterprise internet of things security platform company Viakoo Inc., noted that “the significance is not necessarily in this as an attack method, but more in how threats are evolving based on the tradeoff between speed and security.”
“Prefetching of information to speed up CPU execution has been around for a while and equally has been exploited for a while,” Gallagher explained. “This is just a further ‘tit for tat’ and will be remediated in future CPU development.”
Image: DALL-E 3
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
