
BOCHUM, Germany — Recent findings have exposed a lingering threat in our digital devices, directly linked to a security flaw first discovered in 2018 known as the Spectre attack. In a startling revelation, cybersecurity experts have identified a persisting vulnerability in Apple devices that could allow hackers to access sensitive information via Safari. This issue isn’t just a software bug that can be easily patched; it’s a flaw within the very architecture of modern processors that power our devices.

The 2018 Spectre attack rocked the tech world, exposing critical security flaws inherent in the hardware of modern processors used across countless devices and operating systems. These vulnerabilities could let attackers “eavesdrop” on confidential information stored in the memory of other running programs. The industry’s response was swift, with manufacturers, including Apple, rolling out supposed safeguards to protect user data.

However, this new study shows that these safety measures are insufficient. Researchers from Ruhr University Bochum, Georgia Tech, and the University of Michigan discovered that Mac and iOS systems are still prone to these security breaches. The team successfully demonstrated a way to exploit these vulnerabilities using the Safari browser, allowing them to access passwords, emails, and even location data.

The findings highlight the persistence of a security gap known in tech circles as a “side-channel attack.” Modern processors, or CPUs, are designed to perform multiple tasks simultaneously to optimize speed. They often try to predict the next action and execute instructions accordingly, a process known as ‘speculative execution.’ However, even tasks the CPU leaves uncompleted or discards can leave traces, giving attackers a way to infer data that is normally secure.


Apple’s strategy against such attacks involved isolating each web page in its Safari browser, running them as separate processes to prevent cross-access.

“Users can’t tell that they’ve landed on such a page,” says study co-author Yuval Yarom, from the Faculty of Computer Science at Ruhr University Bochum, in a statement. This indicates the stealthy nature of these attacks.

The research demonstrates that this defense could be bypassed, enabling hackers to read the contents of a user’s inbox or access login data from password managers like LastPass, which challenges the effectiveness of current security measures. This method, dubbed “iLeakage,” involves tricking users into visiting a malicious website that then allows the attacker to access private data like passwords and emails.

Responding to these findings, Apple has initiated software updates aimed at addressing these vulnerabilities and affirms its commitment to enhancing user security. The researchers have published their findings and recommendations for users, including information on available updates, on the website ileakage.com, and they emphasize the importance of vigilance about the sites one visits online.

This situation serves as a reminder for the public to be cautious: clicking on unknown or untrustworthy links can lead to unseen cyber-attacks. Prof. Yarom emphasizes the importance of this simple rule, as staying informed and cautious online is crucial for maintaining personal data security amidst these ongoing cyber threats.

“As always, the rule is that you should only click on trustworthy sites,” Yarom explains.

The researchers received funding from the Air Force Office of Scientific Research, the Australian Research Council, the Defense Advanced Research Projects Agency, the German Research Foundation as part of the CASA Cluster of Excellence, and the National Science Foundation.