Apple news: iLeakage attack, MAC address leakage bug

On Wednesday, Apple released security updates for all supported branches of iOS and iPadOS, macOS, tvOS, watchOS and Safari.

This time around, the updates did not garner as much attention as when they deliver a zero-day fix, though it has to be mentioned that the company has finally delivered a patch for CVE-2023-32434, a code execution vulnerability exploited to deliver the extremely stealthy TriangleDB spyware, to the currentlu oldest supported iOS/iPadOS branch (15.x).

MAC address leakage

Another vulnerability of note fixed this Wednesday with the release of iOS 17.1 and iPadOS 17.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1 and watchOS 10.1 is CVE-2023-42846, a bug that made a privacy-enhancing feature (“Private Wi-Fi Address”) not work as intended.

Discovered and reported by Talal Haj Bakry and Tommy Mysk of Mysk Inc., the vulnerability allowed the tracking of users’ iPhone across different Wi-Fi networks by their device’s static MAC address.

“Ever since it was introduced [in iOS 14], the feature was completely useless. While iOS replaces the device’s real MAC address in the data link layer with a generated address per network, it includes the real MAC address in the AirPlay discovery requests that an iPhone starts sending when it joins a network,” the researchers explained.

“There is no way to prevent iPhones and iPads from sending AirPlay discovery requests, even when connected to a VPN.” As Mysk confirmed to Ars Technica, Lockdown Mode is equally toothless in this regard.

Apple said it has plugged the security hole by “removing the vulnerable code,” but offered no detailed explanation. Also, the fix is yet to be delivered to the iOS 15.x branch.

iLeakage side channel attack

A group of researchers has developed a side-channel attack exploiting Apple A-series or M-series CPUs’ speculative execution capability to extract sensitive information (such as autofilled passwords or Gmail inbox content) when a Safari user lands on a specially crafted webpage.

“Code running in one web browser tab should be isolated and not be able to infer anything about other tabs that a user has open. However, with iLeakage, malicious JavaScript and WebAssembly can read the content of a target webpage when a target visits and clicks on an attacker’s webpage. This content includes personal information, passwords, or credit card information,” they shared.

The attack can also be leveraged against Chrome, Firefox and Edge users on iOS, since they use Safari’s JavaScript engine.

“[Those mobile browsers] are simply wrappers on top of Safari that provide auxiliary features such as synchronizing bookmarks and settings. Consequently, nearly every browser application listed on the App Store is vulnerable to iLeakage,” they added.

Technical information about the attack can be found in this paper.

The researchers pointed out that the attack is “significantly difficult” to orchestrate end-to-end (also, the rate of sensitive data extraction is very slow) and that they currently do not have evidence that iLeakage has been abused by attackers.

They disclosed their research to Apple in September 2022, but there is no fix available.

There are possible mitigations, though: users can switch to Lockdown Mode or disable JavaScript in the browser. But both options have drawbacks: Lockdown Mode comes with potentially unwanted limitations, and disabling JavaScript will “break” certain webpages one might want to visit.

Don't miss