These Apple Silicon Chip Security Flaws Could Expose Your Private Data to the Bad Guys

Toggle Dark Mode
Owners of Apple Silicon-powered iPhones, iPads, and Macs are faced with a new security risk. “SLAP and FLOP” isn’t the latest fast-action video game; they’re a pair of new Apple Silicon security vulnerabilities that could allow bad actors to steal your private data.
Apple’s latest processors, like the M2 and M3, owe some of their blazing performance to their ability to make an educated guess about memory operations to speed up tasks. Unfortunately, researchers have found that this predictive ability can create security holes for hackers to exploit when it guesses wrong, opening up access to your sensitive information, including your emails and even your credit card information.
What Are SLAP & FLOP Attacks?
Researchers from the Georgia Institute of Technology recently identified two new security vulnerabilities in Apple’s recent CPUs, named SLAP and FLOP. The attacks take advantage of features in M2, M3, A15, and A17 chips designed to improve performance.
The issue lies in how Apple Silicon processors attempt to predict memory operations, hoping to speed up device tasks. Unfortunately, if the predictions are incorrect, they open the door to hackers to use the flaws to attack your device. These are known as “side-channel attacks.”
SLAP (Speculative execution via Load Address Prediction) allows attackers to access users’ private data by tricking the processor into using out-of-bounds memory. Meanwhile, FLOP (False Load Output Prediction) takes things further, bypassing memory safety checks completely.
The attacks are not just pie-in-the-sky theoretical attacks, as the research team demonstrated how a SLAP attack could extract private emails in Safari, while a FLOP attack allowed the recovery of other sensitive data, including credit and debit card data.
While it isn’t believed that these flaws have been exploited by hackers in the wild, it’s only a matter of time until some bad guy takes advantage of the security flaws.
What Will Apple Do?
SLAP and FLOP are similar to speculative execution attacks in previous years, such as Spectre and Meltdown, which caused widespread concerns for Windows users and Mac users who were running Windows. However, SLAP and FLOP specifically target Apple Silicon-based hardware.
While Apple hasn’t yet released a fix, it’s aware of the vulnerabilities. The researchers who uncovered SLAP and FLOP notified Apple of the first flaw around a year ago and informed them about the second one six months ago.
The M4 chip was well underway then, meaning the fix couldn’t be included in the chip’s code, which is required to provide a fix at the chip level. This likely won’t be accomplished until Apple’s next generation of processors. Apple has told the researchers that it’s working on a software fix that will be pushed out in an upcoming security update, but it’s unclear when that will arrive.
While FLOP has an actionable mitigation, implementing it requires patches from software vendors and cannot be done by users. Apple has communicated to us that they plan to address these issues in an upcoming security update, hence it is important to enable automatic updates and ensure that your devices are running the latest operating system and applications.
Security researchers at the Georgia Institute of Technology
Such a fix might also result in a performance hit, as many security experts believe that side-channel attacks exploiting CPU microarchitecture are nearly impossible to fix without degrading performance. SLAP may be the easiest of the two for Apple to fix, as it’s specific to Safari.
What Can You Do to Keep Your Data Safe?
According to the researchers, the following devices are potentially vulnerable to SLAP and FLOP:
- All Mac laptops from 2022-present (MacBook Air, MacBook Pro)
- All Mac desktops from 2023-present (Mac Mini, iMac, Mac Studio, Mac Pro)
- All iPad Pro, Air, and Mini models from September 2021-present (Pro 6th and 7th gen., Air 6th gen., Mini 6th gen.)
- All iPhones from September 2021-present (All 13, 14, 15, and 16 models, SE 3rd gen.)
It’s also worth noting that SLAP only affects Safari since it lacks Site Isolation. This protection exists in Chrome to prevent webpages from different domains from sharing the same memory space, and the lack of it also contributed to the iLeakage vulnerability the same researchers discovered in 2023. However, researchers note it’s an imperfect implementation as Chrome remains equally vulnerable to the FLOP attack. Researchers did not test other browsers, such as Firefox.
While we wait for Apple to come up with a fix, practice safe computing. Keep your devices updated to the latest versions of their operating systems and the apps you use. Updates often include security fixes for issues like SLAP and FLOP. Do not visit untrusted websites, keep JavaScript disabled whenever possible, and use browser extensions that block scripts.