Apple Chips Can Be Hacked to Leak Secrets from Gmail, iCloud, and More

Side-Channel Attack Exposes Sensitive Data on Apple Devices

Security researchers have discovered two new side-channel vulnerabilities—dubbed FLOP and SLAP—that affect Apple’s A- and M-series chips, potentially exposing sensitive user data from Gmail, iCloud, and other online accounts. These flaws exploit a technique called speculative execution, allowing attackers to access restricted memory and extract valuable information.

How the Apple Chip Vulnerability Works

What Is a Side-Channel Attack?

A side-channel attack doesn’t directly break encryption or system security. Instead, it exploits unintended behaviors in hardware—such as how a CPU processes data—to extract sensitive information. The FLOP and SLAP vulnerabilities target Apple’s chip architecture by manipulating speculative execution, a technique in which processors predict upcoming instructions and execute them ahead of time to run faster.

Understanding FLOP and SLAP

1. FLOP (Floating Point Operation Leakage)

• Targets the Load Value Predictor (LVP) in Apple chips.

• Exploits the chip’s anticipation of the values that memory reads will return to reveal information from emails, passwords, and browsing activity.

• Can be used to extract sensitive user data from online accounts.

2. SLAP (Speculative Load Address Predictor)

• Targets the Load Address Predictor (LAP), which guesses memory locations for future operations.

• Attackers can trick the CPU into leaking information across browser tabs, including login credentials, Gmail messages, and iCloud data.

• Could allow unauthorized access to password managers, banking apps, and private documents.
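
A simplified model of the address guessing described for the Load Address Predictor, added here as an illustration and not taken from the researchers or from Apple. It assumes a basic stride predictor; the class, the confidence threshold, the addresses and the memory contents are all constructed for the example.

```python
class LoadAddressPredictor:
    """Toy predictor: guesses a load's next address from its last stride."""

    def __init__(self, confidence_needed=3):
        self.last_addr = None
        self.stride = None
        self.confidence = 0
        self.confidence_needed = confidence_needed  # assumed threshold

    def predict(self):
        """Return a predicted address, or None while confidence is too low."""
        if self.confidence >= self.confidence_needed:
            return self.last_addr + self.stride
        return None

    def update(self, addr):
        """Train on the address the load actually used."""
        if self.last_addr is not None:
            stride = addr - self.last_addr
            if stride == self.stride:
                self.confidence += 1
            else:
                self.stride, self.confidence = stride, 0
        self.last_addr = addr


def run_loads(memory, addresses):
    """Replay loads; return (architectural values, speculative-only reads)."""
    lap = LoadAddressPredictor()
    architectural, transient = [], []
    for addr in addresses:
        guess = lap.predict()
        if guess is not None and guess != addr and guess in memory:
            # Misprediction: the core fetched memory[guess] before the real
            # address was known. The result is discarded, but the fetch
            # happened and can leave traces in shared hardware state.
            transient.append((guess, memory[guess]))
        architectural.append(memory[addr])
        lap.update(addr)
    return architectural, transient


# Constructed memory: a public array at 0x100, then unrelated data after it.
MEMORY = {0x100 + 8 * i: f"public[{i}]" for i in range(5)}
MEMORY[0x128] = "SECRET"  # adjacent data the program never asks for

# The program walks the array with a fixed stride, then returns to the start.
ADDRESSES = [0x100, 0x108, 0x110, 0x118, 0x120, 0x100]
```

The program's own results never contain the adjacent value, yet the model records one speculative read of it, which is why the mitigations that matter are hardware and browser isolation changes rather than application-level checks.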

Which Apple Devices Are Affected?

The vulnerabilities impact recent generations of Apple hardware, including:

• MacBooks and iMacs with M1, M2, and M3 chips.

• iPhones powered by A14 Bionic and newer.

• iPads with A14 or later processors.

Since Apple uses a unified chip architecture across its ecosystem, any device running macOS, iOS, or iPadOS could be affected.

What Data Could Be Stolen?

If exploited, FLOP and SLAP could allow attackers to steal a variety of sensitive information, including:

✔️ Gmail and iCloud login credentials.

✔️ Banking and credit card details stored in autofill.

✔️ Private emails and documents accessed via web browsers.

✔️ Two-factor authentication codes intercepted through browser memory.

✔️ Cookies and session tokens, allowing unauthorized access to accounts.

How Hackers Could Exploit These Vulnerabilities

For an attack to succeed, a hacker would need to trick users into visiting a malicious website or opening a compromised app. This could be done through:

• Phishing emails containing links to infected sites.

• Fake software updates prompting users to install malware.

• Malicious browser extensions that exploit speculative execution leaks.

Unlike traditional cyberattacks, no authentication is required—meaning a remote attacker could steal data without the user even realizing it.

Apple’s Response to the Vulnerability

Apple has not yet released a full security patch, but the company is expected to:

🔹 Issue firmware updates for affected chips.

🔹 Modify Safari and macOS memory protections to prevent exploitation.

🔹 Implement stricter browser security measures to block speculative execution leaks.

In the meantime, users should take precautions to protect their sensitive data.

How to Protect Your Apple Devices from FLOP and SLAP

Until Apple releases official security updates, users can take the following steps to reduce risk:

1. Keep Your Software Updated

• Install the latest macOS, iOS, and Safari updates as soon as they become available.

• Apple frequently releases security patches to fix vulnerabilities.

2. Use Secure Browsers

• Consider using privacy-focused browsers like Brave or Firefox, which have additional security layers.

• Enable Strict Mode in browser settings to block third-party trackers.

3. Disable JavaScript for Untrusted Sites

• JavaScript-based exploits are a common attack vector.

• Use browser extensions like NoScript or uBlock Origin to prevent malicious scripts from running.

4. Avoid Public Wi-Fi and Unknown Networks

• Public networks increase the risk of remote attacks.

• If necessary, use a trusted VPN to encrypt your internet traffic.

5. Log Out of Sensitive Accounts When Not in Use

• Regularly clear cookies and session data from your browser.

• Avoid saving passwords in your browser—use a password manager instead.

Could This Be Apple’s Version of Spectre and Meltdown?

The discovery of FLOP and SLAP has drawn comparisons to the infamous Spectre and Meltdown vulnerabilities that affected Intel and AMD processors in 2018. These security flaws also exploited speculative execution to leak sensitive data, requiring major updates from chip manufacturers.

If FLOP and SLAP prove difficult to patch, Apple may need to redesign future chips to address the security risk permanently.

Final Thoughts: Is Your Apple Device at Risk?

The FLOP and SLAP vulnerabilities are a serious concern, as they could allow unauthorized access to Gmail, iCloud, and other private data. While no real-world attacks have been reported yet, the potential for exploitation is significant.

Until Apple rolls out official security patches, users should update their software, use secure browsing habits, and stay cautious of suspicious links and websites.