Academic researchers have disclosed the details of two new CPU side-channel attacks impacting millions of phones, tablets, laptops and desktop computers made by Apple.
The attack methods, discovered by researchers from the Georgia Institute of Technology and Ruhr University Bochum, have been named SLAP (Speculation via Load Address Prediction) and FLOP (False Load Output Predictions).
The researchers have demonstrated how an attacker can exploit CPU vulnerabilities to obtain potentially sensitive information from the memory of a targeted user’s Apple device by getting the victim to visit a malicious website.
According to the researchers, the SLAP and FLOP attacks work against all MacBook laptops released since 2022, all Mac desktop devices since 2023, and all iPads and iPhones released since September 2021.
The SLAP attack was showcased on the Safari browser in a scenario that involved an unprivileged remote attacker recovering email content and browsing behavior from a targeted webpage.
The FLOP attack was demonstrated on Safari and Chrome, with researchers showing how a threat actor could obtain data such as location history, calendar events and even payment card information.
SLAP targets Apple’s implementation of a performance-improving feature named Load Address Predictor (LAP) on devices with CPUs starting with M2 and A15. FLOP targets a performance-improving feature named Load Value Predictor (LVP) on devices with M3, A17 and newer CPUs.
“SLAP exploits a phenomenon in Safari where strings that belong to different webpages can be allocated within a close distance to each other, and thus discloses cross-origin strings that are allocated in proximity to the adversary’s own strings,” the researchers explained. “On the other hand, FLOP is a speculative type confusion attack that causes the CPU to bypass integrity checks on data structures, resulting in memory read primitives from arbitrary addresses in Safari and Chrome.”
Apple was informed about the findings in May 2024 (SLAP) and September 2024 (FLOP), but the company does not appear too concerned.
In a statement, the tech giant thanked the researchers and acknowledged that their proof-of-concept advances the company’s understanding of these types of threats, but noted that based on its analysis it does not believe these attacks pose an immediate risk to users.
SecurityWeek has reached out to the researchers to find out why Apple would believe the attacks don’t pose an immediate risk considering that they are remotely exploitable with minimal user interaction — whether the attacks are not as easy to conduct as they appear, or they have a low success rate in practice. This article will be updated if they respond.
Devices with Intel, AMD and Qualcomm processors do not appear to be impacted, and the researchers said they haven’t tested the attacks on web browsers other than Chrome and Safari.
Additional details are available on a dedicated website and in the papers published for FLOP and SLAP.