Apple GPU security flaw in iPhone 12 and M2 MacBook Air

A report of an Apple GPU security flaw has been confirmed by the company, which has admitted that the iPhone 12 and M2 MacBook Air are affected.

An exploit has been demonstrated by security researchers that would allow an attacker to view data processed by the chip, including the results of things like ChatGPT requests…

What is the Apple GPU security flaw?

Security researchers A trace of lice Apple, Qualcomm, AMD and Imagination have discovered a vulnerability in a number of graphics processing units (GPUs). They called the flaw LeftoverLocals.

They demonstrated an exploit where an attacker with local access to the device could read data left over from previous processing on the GPU. The proof of concept allowed them to accurately read the AI ​​chatbot survey results.

Which Apple devices are affected?

The complete list is not yet known. The researchers reported their findings to Apple and other affected companies, giving them time to release security patches before the vulnerability became public.

Trail of Bits says Apple is patching some devices, including those running the A17 and M3 chips, but others remain vulnerable.

We tested the vulnerability again on January 10, where some devices appear to have been patched, namely the Apple iPad Air 3rd G (A12). However, the problem still seems to exist on the Apple MacBook Air (M2). In addition, the recently released Apple iPhone 15 is not affected in the same way as previous versions. Apple has confirmed that the A17 and M3 series processors have fixes, but we haven’t been told the specific patches deployed on their devices.

Apple has confirmed that both the iPhone 12 and the M2 MacBook can still be successfully attacked. Wired it says that other Apple devices may remain vulnerable.

An Apple spokesperson acknowledged LeftoverLocals and noted that the company has shipped fixes with its latest M3 and A17 processors, which it introduced in late 2023. This means that the vulnerability is still present in millions of existing iPhones, iPads and MacBooks that are apparently dependent. In previous generations of Apple silicon.

How serious is this?

The mentioned exploit needs some kind of existing access to the machine, which means it currently falls into the low risk category.

Anxiety, like Wired notes whether it can be chained with other forms of attack.

Although exploiting the vulnerability would require a certain amount of existing access to the targets’ devices, the potential impact is significant given that it is common for highly motivated attackers to perform exploits by chaining multiple vulnerabilities together. In addition, for many common types of digital attacks, it is now necessary to create “primary access” to the device.

What should you do?

As always, update your devices to the latest supported OS versions.