Apple Silicon chips, used in modern Apple devices and known for their exceptional performance and energy efficiency, have revolutionised computing devices, from MacBooks to iPhones and iPads. However, recent research reveals significant vulnerabilities that could compromise the security of sensitive data. Let's explore three recent side-channel attacks, Flop, Slap, and GoFetch, to understand their risks and implications.
Understanding Side-Channel Attacks
Micro-architectural side-channel attacks exploit unintended hardware behavior to leak sensitive data. Unlike software vulnerabilities, these attacks abuse CPU optimizations and speculative execution mechanisms, leaving no trace in system logs.
Flop (False Load Output Prediction)
Flop was discovered on Apple’s M3/A17 and newer CPUs, leveraging the Load Value Predictor (LVP) mechanism. LVP predicts data values from memory before they’re confirmed, enhancing performance but inadvertently introducing security risks.
Flop operates by speculatively predicting load values based on previous loads. Incorrect predictions lead the CPU to perform speculative operations on invalid or outdated data. Attackers exploit this behavior by inducing speculative type confusion, enabling arbitrary memory access.
Real-world exploitations of Flop have been successfully demonstrated on Safari and Chrome browsers, allowing attackers to extract highly sensitive data such as browsing history, email contents, calendar events, and credit card information.
Devices affected by Flop include Mac laptops and desktops from 2022/2023 onwards, iPad Pro, Air, and Mini models from September 2021 to present, and iPhone models 13 through 16, as well as the SE 3rd generation.
Slap (Load Address Prediction Attack - SLAP)
SLAP exploits another speculative mechanism known as the Load Address Predictor (LAP), found in Apple CPUs from M2/A15 onwards. LAP predicts subsequent memory addresses based on past patterns. When a prediction is wrong, the CPU speculatively accesses out-of-bounds data.
Attackers leverage LAP-induced speculation to leak confidential data through covert channels. Exploits have been successfully demonstrated in Safari, allowing remote attackers to access sensitive inbox contents (e.g., Gmail), browsing behavior, and cross-origin web data.
Devices vulnerable to Slap include MacBook Air and Pro from 2022 onwards, iMac, Mac Mini, Mac Studio, and Mac Pro from 2023 onwards, iPad Pro, Air, and Mini models from September 2021 to present, and iPhones 13, 14, 15, 16, as well as SE 3rd generation.
GoFetch Attack
The GoFetch attack targets cryptographic operations by exploiting Data Memory-dependent Prefetchers (DMPs) found in Apple CPUs (M1, M2, and M3). A DMP speculatively dereferences data from memory and can mistake regular data for pointers.
Attackers carefully craft cryptographic inputs that cause secret-dependent prefetches. Cache-timing analysis then reveals these secret-dependent operations, enabling extraction of encryption keys. GoFetch successfully extracted keys from various cryptographic implementations, including OpenSSL Diffie-Hellman, RSA, and even post-quantum algorithms such as CRYSTALS-Kyber.
This attack severely undermines the supposed safety of “constant-time” cryptographic implementations, breaking foundational security assumptions.
GoFetch affects Apple Silicon processors M1, M2, and M3, and likely other M-series variants sharing microarchitectural features.
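The toy model below is an added illustration, not code from the GoFetch research or from Apple. It shows why "constant-time" code can still leak under a DMP: the victim runs the same instructions and touches the same architectural address for either secret bit, yet the resulting cache state differs. The address range, the `ToyCore` class, the `BLIND` mask and all values are constructed assumptions, and masking the intermediate value is shown as one possible software mitigation.

```python
"""Toy simulation (constructed; not real hardware behaviour or measured data)."""
LINE = 64
HEAP_LO, HEAP_HI = 0x1000_0000, 0x1001_0000  # assumed range of mapped addresses
U64 = 0xFFFF_FFFF_FFFF_FFFF
BLIND = 0xA5A5_0000_0000_0000                # constructed stand-in for a random mask


class ToyCore:
    """Cache plus a prefetcher that dereferences pointer-looking loaded values."""

    def __init__(self, dmp_enabled):
        self.cached_lines = set()
        self.dmp_enabled = dmp_enabled

    def load(self, addr, value):
        self.cached_lines.add(addr // LINE)           # architectural access
        if self.dmp_enabled and HEAP_LO <= value < HEAP_HI:
            self.cached_lines.add(value // LINE)      # data-dependent prefetch

    def is_cached(self, addr):
        return addr // LINE in self.cached_lines


def ct_select(bit, a, b):
    """Branch-free select: returns a if bit == 1 else b."""
    mask = -bit & U64
    return b ^ (mask & (a ^ b))


def victim_step(core, secret_bit, chosen_input, blind=0):
    # Same instructions and same architectural address for either secret bit.
    intermediate = ct_select(secret_bit, chosen_input, 0) ^ blind
    core.load(0x2000_0000, intermediate)


def cache_footprint(secret_bits, dmp_enabled, blind=0):
    """For each secret bit, report whether the chosen input's line got cached."""
    chosen = HEAP_LO + 7 * LINE   # input value that falls in the pointer range
    seen = []
    for bit in secret_bits:
        core = ToyCore(dmp_enabled)
        victim_step(core, bit, chosen, blind)
        seen.append(int(core.is_cached(chosen)))
    return seen


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0]
    print("DMP on:      ", cache_footprint(secret, True))
    print("DMP off:     ", cache_footprint(secret, False))
    print("DMP + blind: ", cache_footprint(secret, True, BLIND))
```

With the prefetcher enabled, the footprint mirrors the secret bits exactly; with it disabled, or with the intermediate masked so it never falls in the pointer range, the footprint is independent of the secret.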
Why These Attacks Are Dangerous:
These side-channel attacks are particularly dangerous because they leave no detectable trace, complicating detection or forensic analysis. They exploit hardware-level vulnerabilities, typically requiring either hardware redesign or software mitigations that degrade performance. The broad impact spans business secrets, private communications, cryptographic keys, and personal data, seriously threatening trust and compliance.
Timeline of Discoveries:
December 5, 2023: Researchers disclose the GoFetch vulnerability to Apple, 107 days before public disclosure.
May 24, 2024: Researchers disclose the SLAP vulnerability to Apple.
September 3, 2024: Researchers disclose the FLOP vulnerability to Apple.
Conclusion:
Flop, Slap, and GoFetch highlight the emerging threats posed by advanced CPU optimization technologies. Businesses and technical teams must remain vigilant, proactively applying updates and monitoring vulnerability disclosures. As Apple continues its hardware evolution, achieving the right balance between performance and security will remain crucial.