Security researchers funded by the U.S. Air Force Officer of Scientific Research and the Defense Advanced Research Projects Agency have revealed how hackers can extract data, including your Gmail inbox, from Apple devices running iOS, iPadOS and macOS. Dubbed iLeakage, this side-channel attack can be deployed against Apple devices from 2020 onwards with the A and M series CPUs and targets the Safari web browser as well as any browser app running on an iPhone or iPad.
What Is The iLeakage Exploit?
The researchers from the Georgia Institute of Technology, the University of Michigan and the Ruhr University in Germany, included those responsible for uncovering the so-called Spectre speculative execution attacks in 2018. iLeakage uses the same kind of speculative execution to conduct attacks against Safari on macOS devices. However, it works against any browser on iPhones and iPads, thanks to them being required to use Apple’s WebKit engine under the hood.
In their paper, iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices, the researchers reveal the full extent to which this exploit could be used. A hacker could recover sensitive information by inducing Safari or another WebKit-based browser to render an arbitrary page. “In particular, we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets,” the researchers reveal, including “Gmail inbox content.” But the problems don’t end there; the researchers also demonstrate exploits that can lead to “the recovery of passwords” when auto-filled by password managers.
How An iLeakage Attack Could Read Your iPhone Gmail Inbox
The paper states that when it comes to Gmail, one of the world’s most popular email providers with billions of users, an exploit target is likely to be signed into their personal Google account. “By having the event listener inside the attacker’s page access execute window.open(gmail.com),” the researchers explain, “we can consolidate the target’s inbox view into the attacker’s address space. We then leak the contents of the target’s inbox.” I have approached Apple and Google for a statement and will update this article if one is provided.
Mitigating The iLeakage Attack Scenario
According to the researchers, Apple was made aware of the iLeakage exploit discovery on September 12, 2022. So far, the only mitigation from Apple in more than a year would appear to be reserved for Safari on Macs only running macOS Ventura 13.0 or later, which is considered unstable in use and isn’t enabled by default. You can view the precise details in the iLeakage FAQ. There is no mitigation for iPhone or iPad users at this point in time, although Apple is understood to be working on a fix.
Are Attackers Already Exploiting iLeakage?
The good news is, as far as is known, that iLeakage exploits have not been used in the wild. Not least because, as the researchers note, it is a “significantly difficult attack to orchestrate end-to-end, and requires advanced knowledge of browser-based side-channel attacks and Safari’s implementation.” The bad news is that iLeakage leaves no traces of an attack within system log files, although the attacking web page might be found in the browser cache, as it runs within Safari. The researchers have confirmed that it’s “highly unlikely” for an attack to be detected.
Read the full article here
