Graphics processing units (GPU) from Apple, Qualcomm, and AMD may be carrying a severe security flaw that allows threat actors to exfiltrate sensitive data from compromised endpoints.
The threat was revealed by cybersecurity researchers Trail of Bits, who argue that there are millions of devices out there, vulnerable to the flaw they named LeftoverLocals.
With the rising popularity of Artificial Intelligence (AI), cryptocurrency mining, and gaming, GPUs have never been in such high demand. Add supply chain woes, caused by Covid-19, into the mix, and you get manufacturers rushing to increase the supply. However in this hurry, data integrity and security becomes an afterthought, the researchers claim, resulting in LeftoverBits, a flaw that allows hackers to steal anywhere between 5 megabytes and 180 megabytes of data.
Unpatched devices
“In the CPU world, even a bit is too much to reveal,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, told Wired.
Hackers looking to exploit LeftoverLocals first need to obtain access to the target system in some other way. However, they don’t need to have access to the same user account – they can steal data from the GPU belonging to any device user. What’s more, the attack is relatively easy to pull off, Wired suggests, as in the example it showed, the researchers pulled sensitive data using less than 10 lines of malicious code.
Further investigation uncovered GPUs from Apple, AMD, and Qualcomm, all vulnerable to LeftoverLocals, with Nvidia, Intel, and ARM, all dodging the bullet.
Apple said it addressed the flaw in its latest M3 and A17 processors, which should mean that millions of older iPhones, iPads, and MacBooks, remain vulnerable. MacBooks powered by Apple’s M2 is at risk, the researchers found, but the iPad Air 3rd generation A12 seem to have been fixed.
Qualcomm said to have released a firmware patch, and urged its users to apply the patch as soon as it’s available.
AMD said it’s currently working on fixes, which it will offer as “optional mitigations”. These should be released in March this year.
More from TechRadar Pro
Services Marketplace – Listings, Bookings & Reviews