Flaw crashes Apple devices with a single click, Tesla also vulnerable


Visit a website, and your Apple device blacks out. Newer iPhones and Macs with M-series processors are affected by a resource exhaustion vulnerability that instantly crashes the system, Imperva researchers have discovered. You’re probably safe, though, as the issue was addressed in an update.

The Imperva researchers found a flaw dubbed ShadyShader. It allows attackers to overwhelm Apple devices’ GPUs, causing repeated freezes, ultimately leading to a system crash.

The problem lies in how modern GPUs detect and stop infinite loops, which are sequences of instructions that run endlessly if not terminated.

While GPUs proficiently detect and stop obvious loops, the researchers demonstrated a method to craft a nested loop that was executed undetected.

Ron Masas, a security researcher at Imperva, crafted simple shader code that does nothing but iterate through a vast number of loops, forcing the GPU to perform an immense number of calculations.

This code could be added to websites to crash user systems. It could also be delivered via messages, emails, and QR code scanners with malicious links. If the user clicks the link, the browser loads WebGL content with the malicious shader, and the device enters a digital limbo.

No user permission is needed, as GPU access happens silently when executing many common tasks.

“The drivers do not recognize that the shader is unnecessarily monopolizing resources. This overwhelms the GPU to the point where it can no longer manage other tasks, eventually crashing the system,” Masas said.

Apple's display management service, WindowServer on macOS or SpringBoard on iOS, waits for the GPU to finish the task. When struck with ShadyShader, this service, which is responsible for managing everything you see on the screen, can’t get any updates, and the entire system becomes unresponsive.

Apple devices have built-in watchdog timers that monitor critical processes to ensure they don’t take too long. After 120 seconds, this timer triggers a kernel panic, forcing the system to crash and reboot. On iPhones and iPads, the watchdog reacts even faster, within 30 seconds.

“In our testing, however, MacBooks experience a full reboot within 1-2 minutes, while iOS devices remain unresponsive anywhere from 3-6 minutes before presenting the lock screen, without performing a full reboot in most cases,” the researcher noted.

Despite the patch, the problem persists

Apple updated its GPU drivers to address this flaw back in 2023, so users running the latest iOS and macOS versions should be fine.

However, the underlying issue seems to have broader implications.

“GPU resource exhaustion remains in our view and could be exploited in future attacks,” Imperva warns. “We observed interesting behaviors on other devices as well, notably on Google Pixel phones.”

Some opportunistic tests revealed that the browser app on Pixels became unusable until the user restarted the phone, although the device did not crash.

Even on Tesla vehicles, Imperva researchers observed temporary unresponsiveness of the main screen when hit with ShadyShader.

“Critical driving functions remained unaffected. While we have not tested all possible impacts, we estimate that any system with a GPU and a browser could be similarly affected,” Imperva warns.

Users who observe their device getting stuck in a crash loop from such an attack may attempt to disable JavaScript in the Settings before opening the browser and then close the problematic tab.
