Two Critical Vulnerabilities in Apple's Custom Silicon: SLAP and FLOP
2025-1-29 15:6:45 Author: cybersecuritynews.com

Researchers have uncovered two critical vulnerabilities in Apple’s custom silicon chips, dubbed SLAP (Speculative Load Address Prediction) and FLOP (False Load Output Predictions). 

These flaws, found in Apple’s A- and M-series processors, expose sensitive user data such as credit card details, location history, and even private email content to potential attackers. 

The vulnerabilities affect a wide range of Apple devices, including MacBooks, iPads, and iPhones released since 2021.

SLAP and FLOP Attacks on Apple Chips

Both SLAP and FLOP exploit speculative execution, a performance optimization technique used in modern CPUs to predict and execute instructions ahead of time.

While this technique boosts processing speed, it also introduces security risks when predictions go wrong.

SLAP (Speculative Load Address Prediction):

  • Found in Apple CPUs starting with the M2 and A15 chips.
  • Relies on a Load Address Predictor (LAP) to guess the next memory address the CPU will access.
  • If the LAP predicts incorrectly, it allows speculative execution on out-of-bounds data. This flaw can be exploited to access sensitive information like email content or browsing activity. 

For instance, researchers demonstrated an attack on Safari where an unprivileged remote adversary could recover private email data.

FLOP (False Load Output Predictions):

  • Affects newer generations of Apple CPUs, starting with the M3 and A17 chips.
  • Utilizes a Load Value Predictor (LVP) to estimate the value returned by memory before it is available.
  • Incorrect predictions lead to speculative execution on invalid data, bypassing memory safety checks. This vulnerability was showcased through attacks on both Safari and Chrome browsers, enabling hackers to extract credit card details, calendar events, and location history.
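
A simplified software model of the FLOP mechanism described above, added here as an illustration and not taken from the researchers' work or from Apple's hardware. The confidence threshold, the per-load indexing and all names (`LoadValuePredictor`, `checked_read`, `use_prediction`, `demo`) are assumptions of the model, and the scenario in `demo` is constructed.

```python
# Toy model of a load value predictor (LVP). Assumed, not from the article or
# Apple: per-load indexing, last-value replay after THRESHOLD repeats.
from dataclasses import dataclass, field
THRESHOLD = 3  # assumed confidence needed before the predictor speculates

@dataclass
class LoadValuePredictor:
    last: dict = field(default_factory=dict)        # load id -> last value
    confidence: dict = field(default_factory=dict)  # load id -> repeat count

    def predict(self, load_id):  # guessed value, or None if not confident
        if self.confidence.get(load_id, 0) >= THRESHOLD:
            return self.last[load_id]
        return None

    def update(self, load_id, actual):  # train on what memory returned
        if self.last.get(load_id) == actual:
            self.confidence[load_id] = self.confidence.get(load_id, 0) + 1
        else:
            self.last[load_id], self.confidence[load_id] = actual, 0

def checked_read(lvp, memory, index, cache, use_prediction=True):
    """Model `if index < length: return data[index]` with `length` loaded.
    Returns (committed_result, squashed); `cache` records every index the
    core touched, including work that was later discarded."""
    actual_len = memory["length"]
    guess = lvp.predict("load_length") if use_prediction else None
    squashed = False
    if guess is not None and guess != actual_len:
        # Misprediction: the check ran on the stale guess before the real value
        # arrived. The result is thrown away; the cache footprint is not.
        if index < guess:
            cache.add(index)
        squashed = True
    lvp.update("load_length", actual_len)
    committed = index < actual_len  # committed execution uses the real length
    if committed:
        cache.add(index)
    return (memory["data"][index] if committed else None), squashed

def demo(use_prediction=True):
    """Constructed scenario: train on length 8, then shrink it to 2."""
    lvp, cache = LoadValuePredictor(), set()
    memory = {"length": 8, "data": list(range(8))}
    for _ in range(5):
        checked_read(lvp, memory, 1, cache)
    memory["length"] = 2
    cache.clear()
    return (*checked_read(lvp, memory, 6, cache, use_prediction), sorted(cache))
```

`demo()` returns `(None, True, [6])`: the committed result correctly refuses the out-of-bounds read, yet index 6 still left a footprint in the modelled cache, while `demo(use_prediction=False)` leaves none.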

The research team demonstrated the severity of these vulnerabilities with proof-of-concept attacks:

Proton Mail Inbox Leak: Using FLOP, researchers trained Apple’s M3 CPU via JavaScript running in Safari to access Proton Mail inbox data. They successfully retrieved sender names and subject lines from emails.

Literary Data Extraction: SLAP was used on an M2 chip to recover a secret string containing text from The Great Gatsby. Similarly, FLOP allowed the recovery of text stored in memory but never accessed directly.

The vulnerabilities affect a broad spectrum of Apple devices:

  • All Mac laptops (MacBook Air/Pro) from 2022 onward.
  • All Mac desktops (Mac Mini, iMac, Mac Studio) from 2023 onward.
  • iPad Pro, Air, and Mini models released since September 2021.
  • All iPhones from the iPhone 13 series onward.

These vulnerabilities compromise hardware-level protections designed to isolate web pages from accessing each other’s data. By exploiting SLAP or FLOP, malicious websites can bypass these safeguards and steal sensitive login-protected information.

While FLOP has actionable mitigations requiring software patches, these fixes are complex and cannot be implemented by end-users. 

Apple has acknowledged the issue and plans to release security updates soon. Users are advised to enable automatic updates and ensure their devices are running the latest software versions.

Source: https://cybersecuritynews.com/apple-chips-vulnerability/