For hackers and cybercriminals, speculative execution is a gift that keeps on giving.
In the latest development, researchers used the technique to steal passwords and other sensitive content from Apple devices via a side channel vulnerability – to target Macs, iPhones, and iPads, running A- and M-series CPUs with the latest iOS and macOS operating systems.
They named the flaw iLeakage, and what’s more worrying is that it doesn’t have a CVE, or a patch, just yet, meaning iPhone and Mac users could still be at risk.
iLeakage
For demonstration purposes, the researchers created a new website. When a visitor with a vulnerable endpoint visits that website, a piece of JavaScript code opens a second website and recovers site content rendered in a pop-up. Through that second website, the attackers are able to pull sensitive data from different services the victim is logged into – from YouTube, to Gmail, and more. Even passwords being autofilled by password managers aren’t safe.
Apparently, the iLeakage site needs around five minutes to profile the target and less than a minute to extract a 512-bit secret.
“We show how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers said.
“In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.” Safari is used as means of attack only on Macs. For iPhone and iPad devices, any browser will do, as they’re all built on Apple’s WebKit browser engine.
Speculative execution is a feature built into most of today’s hardware, to enhance its speed. In layman’s terms, a chip will try to guess what the next operation will be and will preload it in anticipation. If it speculated correctly, it can execute the operation quickly, thus improving the device’s overall speed. This feature has also been at the center of a number of controversies, starting with two huge vulnerabilities discovered roughly five years ago – Spectre and Meltdown. Patching the flaws meant slowing the devices down.
While iLeakage sounds dangerous, Ars Technica argues that it’s highly unlikely to be exploited in the wild as it requires plenty of experience and knowledge on how to reverse-engineer A- and M-series chips to gain insights into the side channel they contain. “There’s no indication that this vulnerability has ever been discovered before, let alone actively exploited in the wild,” the publication concludes.
Via ArsTechnica