Earlier this week, the TechRadar Pro team reported on a serious security flaw affecting millions of GPUs from Apple, AMD, and Qualcomm – and today, Apple has officially confirmed that some of its products are indeed affected.
So far, Apple has stated that the iPhone 12 and M2 MacBook Air are affected, but it’s likely older Apple products still hold the vulnerability; the researchers at Trail of Bits who originally uncovered the security flaw noted that the recently-released iPhone 15 and M3 MacBook Pro seem to have been patched to remove the issue, but there’s no concrete list of which products are currently still affected.
The security flaw, dubbed ‘LeftoverLocals’, allows hackers to read data that was previously processed by the device’s GPU. As the security researchers at Trail of Bits demonstrated, an attacker could steal information such as the results of a query given to an AI chatbot such as ChatGPT. It’s a remarkably simple process for hackers, too – the researchers were able to pull sensitive data from a target device with just 10 lines of code.
Beyond Apple’s hardware, the affected Qualcomm devices – which will presumably include dozens of Android phone and tablet models – have apparently now been patched, while AMD has stated it is working on a series of fixes that will be available in March.
Should we be worried about this?
Fortunately, there’s no need to panic straight away. As our Pro team noted yesterday, LeftoverLocals requires pre-existing access to a target device in order to work, meaning that the affected devices aren’t instantly vulnerable. That means the exploit will need to be used in conjunction with more conventional cyber-attacks (such as phishing emails) to be effective.
In other words, if you exercise the usual cybersecurity best practices – no clicking on dodgy links! – you should be fine. However, Trail of Bits did add that since the vulnerability exists at the GPU level, hackers don’t need specific access to individual user accounts: once they have any form of access to the device, they can steal data from any user.
With that in mind, it’s worth being extra careful when using devices with shared accounts right now. If you share a Chrome tablet with a child who has their own user account, for example, their profile being compromised could open up your account to a LeftoverLocals attack.
Naturally, you should be sure to download any available security patches if you’ve got a device with a Qualcomm, Apple, or AMD processor. If you’re running on Intel, Nvidia, or MediaTek hardware, then you don’t have to worry!
You might also like
https://www.techradar.com/rss
christian.guyton@futurenet.com (Christian Guyton)
