Apple Silicon Security Flaw Discovered in iPhone 12 and M2 MacBook Air

[Victor Mortimer]

The linked article says:

So how does this align with this in the article?

It doesn't align at all.

The only way it could truly be local only is if the device had to be disassembled and leads attached to the board. Otherwise it's remote exploitable.

 

[Amazing Iceman]

The linked article says:

So how does this align with this in the article?

They already claiming a one year old iPhone cannot have specific small features enhancements because it needs the new A-chip that supersedes it. For example A15 vs A16. Good example Stagemanager on iPads.

If they cannot fix that they will definitely not fix this.

They already ensured new patches to downgrade the radiosignal power on these devices. To, again, force people to upgrade.

It seems you are mixing apples with oranges here. Some features require the newer processors to work properly. Nothing to fix here, it's expected if the device is not capable of the new feature.
In other cases, older devices benefit from new features added to the OS in later versions.

 

[3530025]

If someone has your Mac there are 1000 easier ways to get data off it than this.

 

[MichaelYYZ]

AppleWatch Ultra 2 discounted 50% at Amazon..

$50 off, not 50% off! No big deal...

 

[roar08]

I see AAPL having a time ticking bomb...

This has been said about AAPL for the past 30+ years. I guess that's one long fuse.

 

[WarmWinterHat]

To, again, force people to upgrade.

No one, in the history of Apple, has ever been "forced" to upgrade...

My ex used an iPhone 2G (by choice) until the 6S came out. Hell, I still I see people carrying around the 5 and 5S occasionally. I keep Macs well past their software support phase. You think anyone, anywhere, other than businesses and this site cares anything about any of this?

Forced, indeed. Yawn.

 

[CalMin]

I understand there's a theoretical risk, but can someone explain exactly what I need to be careful of here? Is it that someone with physical access to my machine could potentially see my interactions with a local instance of ChatGPT? If that's the case, I'm not losing any sleep over it.

 

[laptech]

oh dear, Apples 'backdoor' into silicon devices has been discovered. 😉

 

[knightsabre7]

Measurements taken to force people to upgrade. Apple knows that the ship is gonna sink, hence everyone is leaving the company and WSB horses have been implemented into the company to take full control and drive it down the core leaving with all the money.

This makes no sense. There's far more money to be made by working to keep the company going than by burning it down.

 

[Nugget]

Anxiously waiting for the predictable chorus of naysayers to jump in to explain why this is yet another nail in the coffin for the AVP.

 

[mike090910]

So giving an unlocked Apple device to a stranger is bad

 

[minik]

Apple told Wired that newer devices with the A17 Pro and M3 chips have received patches to address this flaw, and Trail of Bits found that the third-generation iPad Air had also received a fix.

Although I upgrade my iPhone every year, not my Mac or iPad device. Anyhow, Apple also promotes how long lasting its' hardware and OS support, yet when it comes to security issue the previous generations of hardware or OS may not receive the needed patch at the same timeline.

 

[duervo]

Having looked over the source article, I could not find anywhere that states physical access is required.

I did find the section that states remote execution (from a website) is not possible simply because websites cannot execute the low level code required to exploit the vulnerability. However, that same section also stated that malicious apps installed on the affected devices can exploit the vulnerability.

Did I miss something in that original article?

Also, FWIW, this affects a lot more than just older Apple GPUs. Also affects AMD, Qualcomm, etc. Intel, Arm, and nVidia are not affected.

 

[SactoGuy18]

I wouldn't be surprised that Apple will try to patch it with iOS 17.3, which is now in final testing stage. Apple has yet to release a Release Candidate version of iOS 17.3, so the patch could be incorporated as part of iOS 17.3 RC by January 18, 2024.

 

[MakeAppleAwesomeAgain]

If someone has your Mac there are 1000 easier ways to get data off it than this.

How, except guessing the password? Isn't the filesystem encrypted by default on Apple Silicon?

 

[podycust]

So all A14 and M2 devices are affected or just these 2 models?

Well I downloaded and the compiled the PoC on my M1 Mac and it doesn't seem work as the GitHub suggests it if has the LeftoverLocals vulnerability

 

[mannyvel]

This isn't a real problem for anyone in real life. With local access to the machine they can watch your whole session, so grabbing extraneous LLM data is pretty pointless.

 

[WarmWinterHat]

We will likely see Tim Cooke step down by the end of the year. If not by fiscal year end 2025.

Get real, institutional investors and the board love Tim Cook; he made Apple a trillion dollar company under his watch. He'll leave when he decides, and the board will beg him to stay before he goes.

 

[MVMNT]

The nature of the LeftoverLocals vulnerability is such that it requires physical access to the device, making remote exploitation highly improbable.

For the skim readers.

 

[JPack]

The nature of these spectre-related alarms is pretty much always "theoretical" or "needs physical or elevated access in the first place to install" and then the manufacturer still happily pushes out performance-shattering patches as I assume it's just so awesome for them to have an excuse to cripple performance in older devices.

Yes, I'm cynical about this. Intel Skylake-PCs got hit so hard with all these and it's not particularly fun to chase what registry to tweak to regain performance after each big windows-update. Hope Apple does better.

If it were so difficult to get physical and elevated access, iOS 17.3 wouldn’t include Stolen Device Protection.

Many people unknowingly provide elevated and physical access.

 

[coolfactor]

One more reason to convince my friend to upgrade from her 12. But should've this happened in the first place,

Are you expecting 100% perfection all the time with every release? Keep dreaming... technology is hard! Often, issues are not discovered until after they are in use by millions of people. You can relax. It's par for the course. Nobody is going to steal your data with this "flaw".

 

[WarmWinterHat]

One more reason to convince my friend to upgrade from her 12. But should've this happened in the first place,

Leave your friend alone. The only people updating because of this flaw are suckers.

 

[bigboy29]

People who are shocked that Apple has a vulnerability in silicon... Intel wants a word. Silicon vulnerabilities are a reality of modern computing just as software vulnerabilities are, with the exception that most require physical access.

 

[sw1tcher]

AppleWatch Ultra 2 discounted 50% at Amazon..

🤔

50 percent ≠ 50 dollars

Amazon Has Nearly Every Apple Watch Ultra 2 Model for $749 ($50 Off)

Amazon has nearly every model of the Apple Watch Ultra 2 for $749.00 today, down from $799.00. You'll find all band options on sale at this price, including Trail Loop, Ocean Band, and Alpine Loop. Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we...

www.macrumors.com

 

[MacGekko]

I dunno what´s going on at AAPL nowadays.. Only sad and bad news.
iPhone 16´s ability will be limited.
Vision Pro will not support Wi-FI 6E.
No generative AI at all.
Siri is screwed up.
iPhone 15 does not sell in China.
AppleWatch Ultra 2 discounted 50% at Amazon..

I see AAPL having a time ticking bomb...

It gets worse and worse till worst parts coming soon.

Provide the Amazon link that sends us to the Apple Watch Ultra 2 selling New for $400?????