For hackers and cybercriminals, speculative execution is a gift that keeps on giving.
In the latest development, researchers used the technique to steal passwords and other sensitive content from Apple devices via a side-channel vulnerability – targeting Macs, iPhones and iPads with A and M series CPUs running the latest iOS and macOS operating systems. .
They called the flaw iLeakage, and what’s more worrying is that there is no CVE or patch for it yet, meaning iPhone and Mac users could still be at risk.
iLeakage
The researchers have created a new website for demonstration purposes. When a visitor with a vulnerable endpoint visits that website, a piece of JavaScript code opens a second website and restores the site content displayed in a pop-up. Through that second website, the attackers can retrieve sensitive data from various services to which the victim is logged in: from YouTube to Gmail and more. Even passwords auto-filled by password managers are not secure.
Apparently, the iLeakage site takes about five minutes to profile the target and less than a minute to figure out a 512-bit secret.
“We demonstrate how an attacker can trick Safari into displaying an arbitrary web page and then recover the sensitive information contained therein using speculative execution,” the researchers said.
“Specifically, we demonstrate how Safari allows a malicious web page to extract secrets from popular high-value targets, such as the contents of the Gmail inbox. Finally, we demonstrate password recovery in case they are auto-populated by credential managers.” Safari is only used as an attack tool on Macs. For iPhone and iPad devices, any browser will work, as they are all built on Apple’s WebKit browser engine.
Speculative execution is a feature built into most modern hardware to increase its speed. In layman’s terms, a chip will try to guess what the next operation will be and preload it in anticipation. If it has speculated correctly, it can perform the operation quickly, improving the overall speed of the device. This feature has also been at the center of a number of controversies, starting with two huge vulnerabilities discovered about five years ago: Specter and Meltdown. Fixing the defects meant that the devices slowed down.
Although iLeakage sounds dangerous, Ars Technica states that it is very unlikely to be exploited in the wild as it requires a lot of experience and knowledge about reverse engineering A and M series chips to gain insight into the side channel that they contain. “There is no evidence that this vulnerability has ever been discovered before, let alone actively exploited in the wild,” the publication concludes.
Through ArsTechnica