A new proof of concept (PoC) exploit called iLeakage has been demonstrated by a group of US and German university professors to steal sensitive user data from Apple devices by improving on the side-channel attack techniques used by Spectre and Meltdown, which alarmed CISOs when those vulnerabilities first surfaced in 2018.
While the researchers remain unaware of any iLeakage exploitation in the wild, and note it would take a high level of technical understanding to recreate it, they point out that their novel exploit uncovers vulnerabilities to side-channel attacks that still exist.
“iLeakage shows that the Spectre attack is still relevant and exploitable, even after nearly 6 years of effort to mitigate it since its discovery,” said the researchers in an overview of their PoC white paper, posted last week.
The iLeakage PoC has managed to steal private data including Gmail content, text messages, login details autofilled by password managers, and YouTube watch histories on target machines. Affected devices include machines running macOS or iOS with Apple’s A-series or M-series CPUs, including recent iPhones and iPads, as well as Apple’s laptops and desktops from 2020 onwards, according to the researchers.
“We show (through iLeakage) how an attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution,” the researchers said. “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content.”
Side-channel attack uses WebKit
iLeakage performs its side-channel attack in part by targeting WebKit, the JavaScript engine powering Apple’s Safari browser. Users of macOS devices who use other browsers such as Chrome, Firefox, and Edge — which incorporate different JavaScript engines — are not susceptible to iLeakage. But iOS-based devices — essentially, iPhones and iPads — are a different story.