93% of Chipset Flaws on Android Devices Persist Across Generations

Spectre and Meltdown on x86 chips: nervously stares

Apple hardware is much more robust to these types of threats

Apple is just better for your privacy and security, source: Apple’s marketing says so and just trust me bro.

I say that macOS itself is secure, but hardware-wise oo Apple can have its oopsies. With that insecure on M1 and stuff might as well use Asahi Linux :joy:

[quote="Anon47486929, post:4, topic:23070"]
Or this spectre like attack: New iLeakage attack can steal your emails and passwords on iPhone and Mac — how to stay safe | Tom’s Guide
[/quote]

This utilizes just-in-time (JIT) compilation, which can be easily disabled using Lockdown Mode. In fact, Privacy Guides mentions you should turn it on, too. If you follow Privacy Guides’s best practices, you don’t need to worry about this. However, you will suffer performance loss when browsing the web.

Edit: I just found out that iLeakage has been patched, so you don’t need to turn on Lockdown Mode anymore. However, it’s still a valid tool to reduce the attack surface for anyone using Apple devices.

iLeakage is mitigated as of Safari 17.2, which ships with iOS 17.2 and macOS 14.2.

[quote="Anon47486929, post:4, topic:23070"]
Because Apple hardware seems similarly bad: Unpatchable vulnerability discovered in Apple M1, M2 and M3 chips — what you need to know | Tom’s Guide
[/quote]

Per the Asahi Linux team, GoFetch is patchable. If you use Linux on Apple Silicon, you don’t have to worry about this. From M3 onwards, Apple Silicon respects your data-independent timing choices to disable/enable the data memory-dependent prefetcher (DMP)—the thing that makes GoFetch possible.


Inadvertently, these two vulnerabilities reflect the intricate balance between security and performance. JIT and DMP are clever techniques used to boost performance on Apple Silicon and others.

JIT has been proven time and time again to be a security risk. Meanwhile, DMP is very new, but I will not be surprised if it goes down the same path as JIT. Actually, GoFetch has been recently demonstrated on Intel chips, too.

Lockdown Mode is a big blow to usability and features, can’t even compare it to something like Vanadium, where JIT is just disabled by default and you can enable it per site with a simple toggle without having to pick between everything and a kitchen sink or nothing at all.

If you lose Linux on Apple Silicon, you lose important hardware and firmware security features.

[quote="Lukas, post:8, topic:23070"]
Lockdown Mode is a big blow to usability and features, can’t even compare it to something like Vanadium, where JIT is just disabled by default and you can enable it per site with a simple toggle without having to pick between everything and a kitchen sink or nothing at all.
[/quote]

If you’re specifically talking about JIT, you can turn on/off JIT per site and per app after turning on Lockdown Mode.

[quote="Lukas, post:8, topic:23070"]
If you lose Linux on Apple Silicon, you lose important hardware and firmware security features.
[/quote]

This is a big “what if” scenario, but whatever.

Actually, I have just looked into Apple’s documentation and found this quote:

In iOS 18.2, iPadOS 18.2, macOS 15.2, tvOS 18.2, watchOS 11.2, and visionOS 2.2 and later, two new function calls are available to control and optimize DIT (data-independent timing) for Apple devices. The functions are available on all devices regardless of whether they support DIT, but only turn on DIT on supported devices.

As a developer, you can turn off DMP for your apps, now, it seems. Of course, your app will suffer performance loss if you do this. It’s very new, so I’m not gonna voice my opinion on this.

Lockdown Mode does a lot more than just disabling JIT, it makes a lot of sites unusable or very ugly. If you turn off Lockdown Mode for a site because font blocking functionality makes a website look ugly, you will also enable JIT because there is zero granularity with Lockdown Mode.

Oh, you’re criticizing what you can turn on/off, not where you can turn it on/off, which is unclear in your previous comment.

You’re right. You can’t decide what you can turn on/off. I just want to add that malicious web fonts have been a favorite of one- and zero-click malware threat actors, so Apple’s decision to block them is totally understandable. Apple has never used technical jargon to advertise or has “pro” modes for its features. Heck, it doesn’t even mention “web fonts” or “JIT” in its Lockdown Mode page.

I agree that we’re getting off track. We’re talking about hardware security, aren’t we? On that note,

is a software vulnerability.

It seems like that’s the approach that Apple will take regarding GoFetch. Responsible third-party developers can disable DMP if they wish.


Even then, it’s very hard to distinguish between iOS/macOS security and Apple Silicon security. I think the only source regarding this is from the GrapheneOS forum. In the before first-unlock state, only Apple Silicon and Google Silicon can withstand brute-force attacks. Hey, there’s a reason why GrapheneOS is only available on Pixel devices.

Edit: It seems like HUAWEI Kirin can also withstand brute-force attacks.

I’m not saying that Google Silicon is better (than what?). If anything, the source only suggests that Apple, Google, and HUAWEI take hardware security more seriously than MediaTek, Qualcomm, and Samsung. At the very least, their security modules are not compromised at the moment.

PS: I’m not up-to-date with rumors. In addition, the Pixel 10 series is far from being released, so you shouldn’t take any rumors about it too seriously.

off topic Apple security

This is a poor word choice on my part. All I want to say is, in order to stay on track, we should focus on hardware security rather than software security.
