back to article SLAP, Apple, and FLOP: Safari, Chrome at risk of data theft on iPhone, Mac, iPad Silicon

Many recent Apple laptops, desktops, tablets, and phones powered by Cupertino's homegrown Silicon processors can be exploited to reveal email content, browsing behavior, and other sensitive data through two newly identified side-channel attacks on Chrome and Safari. On Tuesday, security researchers Jason Kim, Jalen Chuang, and …

  1. IGotOut Silver badge

    All this is under very specific lab conditions

    ...how big a threat is it in the real world though?

    That bit rate is very low, and the accuracy....how much other shit was running at the same time?.

    1. diodesign (Written by Reg staff) Silver badge

      Re: All this is under very specific lab conditions

      Of all the Spectre exploitation examples I've seen, this one appears more real-world than most, but yes, the exfiltration rate is slow.

      C.

  2. IvyKing Bronze badge

    Firefox?

    IIRC, Firefox uses a separate process for each website, so should be more resistant to this attack than Safari.

    1. Dan 55 Silver badge

      Re: Firefox?

      Only on the Mac though, on an iDevice you just get a reskinned Safari.

    2. Dostoevsky Bronze badge

      Re: Firefox?

      So does Chromium. https://en.m.wikipedia.org/wiki/Process_isolation#Web_browsers

  3. really_adf

    Difference in response compared to Spectre

    As I remember, there was quite a lot of fuss around various speculative execution-related vulnerabilities, with numerous mitigations each usually contributions done performance detriment. There seems less concern here.

    The reason for the difference in response is unclear to me. Are the vulnerabilities discussed in the article quantitatively less severe? Good PR effort from Apple? Something else, or a combination of factors?

    1. Richard 12 Silver badge
      Mushroom

      Re: Difference in response compared to Spectre

      This one is significantly more exploitable than Spectre.

      The difference is really that Apple don't make servers. At all.

      So while the attack is much easier to carry out, the payload is just Apple user's data.

      Oh, hang on, who uses iPhones and what for?

      Apple are clearly terrified because they spoke to El Reg

      1. Tessier-Ashpool

        Re: Difference in response compared to Spectre

        Apple (well. Foxconn) is back in the server business. But only for internal use. They currently use M2-based servers for Apple Intelligence. Shortly to be upgraded to M4 systems.

  4. UnknownUnknown

    Apple Spokeperson ??

    An Apple Spokesperson told The Register…

    Really ??

    Apple AI Malfunction ??

    1. Dan 55 Silver badge

      Re: Apple Spokeperson ??

      It's PR Defcon 1 down in Cupertino, it requires extreme measures.

      1. haaz

        Re: Apple Spokeperson ??

        I cam here to note this, too. Long-term (former, present again) reader of El Reg, who remembers back in the day when Apple wouldn't even acknowledge this storied journal. I guess we really did flip into an alternate dimension after that one test at CERN in 2016...

  5. My other car WAS an IAV Stryker

    Well, that does it - no new Apple for me (for now)

    Guess I'll just keep using this ol' iPhone 8 Plus as long as I possibly can! Already on its second battery; maybe I can make it last until Apple finds a way to patch this.

    (I don't like the idea of losing TouchID anyway, even though the newer shiny has brighter screens and supposedly longer-life batteries, plus Wi-Fi improvements.)

  6. Jou (Mxyzptlk) Silver badge

    The worst about this...

    a web browser is enough. Just a web browser, an ordinary user process, which shouldn't be able to do anything remarkable, is enough to trigger.

    We had similar bugs on x86 and others, across multiple OS-es.

    Not some crafty assembler, adjusted for timing and unique behaviour of the CPU, no - just. a. web. browser.

    We are sooooooo frigged. And I am not even using any Apple product at home, but I know: Tomorrow it could hit me. No matter which OS, no matter which architecture. (I have to add to the latter: Architecture fast enough for todays needs, not last millennia)

  7. bananape4l

    these researchers need day jobs

    this is like that xkcd where instead of cracking the password on the ipad, you just hit the guy with the wrench until he tells you the password?

    1. Jou (Mxyzptlk) Silver badge

      Re: these researchers need day jobs

      You don't need a wrench, you don't even need to be nearby. Just force-redirect his phone to a proxy (something easier in US and China than in my country). User won't notice, won't know, won't see, and happily keeps on surfin'.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like