What if cybercriminals could create a webpage that, once it loads on your Mac, iPhone, or iPad, automatically steals your passwords, emails, browser history, and personal data?
While many would think that this type of malicious zero-click attack website technology is impossible to build, researchers from the Georgia Institute of Technology, the University of Michigan, and the Ruhr University Bochum say it can be done. And that they have proof.
Breaking down the iLeakage attack
In the scientific report “iLeakage: Browser-based Timerless Speculative Execution Attacks on Apple Devices,” researchers walk us through a new type of attack. Executing it is far from simple. Researchers had to reverse-engineer Apple hardware, develop a side-channel attack special software, and build a new gadget to trick systems into divulging passwords, account content, and other personal data.
The iLeakage attack works when this maliciously crafted website is loaded on Safari (or any other browser). It affects every device that runs on macOS or iOS and has Apple’s A-series or M-series CPUs. This means that all modern Apple laptops and desktops, iPhones, and iPads from 2020 on are vulnerable to this type of attack.
According to ArsTechnica, Apple itself is concerned about this new find. Apple thanked iLeakage researchers, saying the study “advances the company’s understanding.” Apple also assured that they plan to address this vulnerability with a new software release soon.
How the iLeakage attack works
An iLeakage attack can be summarized in just three steps:
- The victim visits the iLeakage website, which autoruns malicious code without the victim needing to download a file or take any other action.
- Once the malicious website loads, the inserted code breaks the isolation security that exists between two or more web browser tabs.
- Once the victim opens any other website, email, social media, bank account, e-wallet, or other personal accounts, the code inserted by the malicious website acts with the support of specialized hardware to steal the victim’s data.
While this seems like an extremely simple attack, the incredibly difficult part of it is to build the hardware and software needed to create this type of malicious website in the first place. These types of zero-click attacks require the attacker to have a deep understanding of the software and hardware vulnerabilities of the targeted devices, in this case, all modern Apple devices.
Side-channel speculative execution attacks
iLeakage is a side-channel attack that reveals the vulnerabilities that exist in Apple’s design of Safari’s web browser isolation.
“Code running in one web browser tab should be isolated and not be able to infer anything about other tabs that a user has open,” the researchers explain in the paper. “However, with iLeakage, malicious JavaScript and WebAssembly can read the content of a target webpage when a target visits and clicks on an attacker’s webpage. This content includes personal information, passwords, or credit card information.”
These types of side-channel attacks are not new. In fact, they have been around for years. In the past, researchers have demonstrated how side-channel attacks can be carried out.
For example, the infamous Meltdown and Spectre attacks exploit critical vulnerabilities in modern processors. Unlike other types of cyberattacks, Meltdown, Spectre, and iLeakage focus on hardware and software vulnerabilities (not just software) to steal data stored or processed on a computer or a device.
What is speculative execution?
To be specific, the iLeakage side-channel attack works with speculative execution. Let’s explain what that is.
The majority of modern CPUs use predictions to optimize performance. Say, for example, a CPU is executing instructions as quickly and efficiently as possible, but suddenly, the system is unsure of the path to take. This is where “branch prediction” comes in. Branch prediction is a technique that allows the CPU to “guess,” even if it is unsure.
“Once a prediction is made, the CPU will execute instructions along the prediction, a process called speculative execution,” researchers of the paper explain. “If the CPU realizes it had mispredicted, it must revert all changes in the state it performed after the prediction. Both desktop and mobile CPUs exhibit this behavior, regardless of manufacturer (such as Apple, AMD, or Intel).”
While speculative execution can enhance system performance and save time, it is also a security risk. Side-channel speculative execution attacks trick the CPU into speculatively executing malicious code to steal sensitive data or even take control of the system.
“While the CPU should ideally revert all changes in state, speculative execution leaves traces in the CPU’s microarchitectural state and especially the cache,” the researchers say. “A Spectre attack coerces the CPU into speculatively executing the wrong flow of instructions.”
iLeakage also leverages extensive knowledge of JavaScript and WebAssembly — programming languages used to deliver dynamic content via websites to users. Because JavaScript and WebAssembly code executes automatically when web pages are loaded, attackers can create malicious code that autoruns without the user ever downloading a file, therefore creating dangerous zero-click attacks.
“iLeakage is highly unlikely to be detected since the attack runs in Safari and does not leave traces in the system’s log files,” researchers warn.
How can I keep safe from iLeakage attacks?
While iLeakage side-channel-style attacks are extremely complex to build and run, and despite the fact that cybersecurity experts have not identified a single iLeakage attack in the wild, you can still take precautions.
With the iLeakage website, researchers assure that Apple has already taken measures to mitigate these types of attacks in Safari. However, the mitigation setting is not enabled by default, and at this time, only macOS Ventura 13.0 and higher can turn the mitigation option on.
However, if you have macOS Ventura 13.0 or higher, you can enable the mitigation manually by following these steps.
First, the Terminal app needs full disk access. To do this:
- Open the System Settings app by clicking the System Settings icon in the Dock or navigating to the Apple menu > System Settings.
- Go to Privacy & Security.
- Click the menu item for Full Disk Access, then the + button. Type in your credentials if asked.
- On the Finder window that appears, select Applications on the left sidebar, scroll down, and find and open the Utilities folder.
- Find and click on the Terminal app in the Utilities folder, then click on the Open button in Finder.
If you have updated to macOS Sonoma 14.0 or higher:
- Open the Terminal app. (Click the Launchpad icon in the Dock, type Terminal in the search field, then click Terminal.)
- Type in the following command:
defaults write com.apple.Safari IncludeInternalDebugMenu
- Run the command by hitting the Return key.
For earlier macOS versions (macOS Ventura 13.0 to 13.6), you can find instructions here.
The steps above should enable the hidden Safari Debug Menu.
To continue:
- Open Safari and click the now-enabled menu item “Debug” on the top far right.
- Now click on WebKit Internal Features at the bottom of the drop-down Menu.
- Scroll down to the bottom and find an entry called Swap Processes on Cross-Site Window Open.
- Click on Swap Processes on Cross-Site Window Open. A checkmark should appear to the left of it.
You can also protect yourself from this type of attack by using Lockdown Mode, Apple’s extreme solution for rare and highly sophisticated cyber attacks. Remember that when in Lockdown Mode, many features are limited and will not operate as usual.
Final thoughts
As attackers look for new ways to breach systems and steal data, zero-click attacks like these, where no action is needed from the victim, are becoming increasingly popular in the underground cybercriminal world.
For a criminal, a website that they could use to gain access to visitors’ personal and sensitive information automatically is the holy grail. However, it is important to stress once again that iLeakage attacks have not been discovered in the wild. Additionally, reverse-engineering Apple hardware and creating the specialized gadgets and sophisticated malicious software that iLeakage and other zero-click attacks need is extremely challenging.
In fact, modern cybercriminal trends show us that the skill levels of bad actors in both software and hardware are decreasing with the rise of malware-as-a-service, ransomware-as-a-service, and other malware toolkits that can be bought online, ready to be used.
Furthermore, studies show that in most modern attacks, criminals do not use malware to breach into a system but simply take over accounts by using stolen credentials that they buy on the dark web, usually obtained via phishing.
Despite these trends and all the challenges associated with building zero-click malicious websites, the research of iLeakage experts should be taken seriously. As a user, always stay away from suspicious sites, check URLs, and, if you get any warnings from Safari about the legitimacy or danger level of a website, pay close attention and proceed with caution.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Safari, macOS, and iOS are trademarks of Apple Inc.
