Millions of GPUs from Apple, AMD and Qualcomm have a serious security flaw — and it could put literally all your data at risk if it isn't fixed

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

Graphics processing units (GPU) from Apple, Qualcomm, and AMD may be carrying a severe security flaw that allows threat actors to exfiltrate sensitive data from compromised endpoints. 

The threat was revealed by cybersecurity researchers Trail of Bits, who argue that there are millions of devices out there, vulnerable to the flaw they named LeftoverLocals.

With the rising popularity of Artificial Intelligence (AI), cryptocurrency mining, and gaming, GPUs have never been in such high demand. Add supply chain woes, caused by Covid-19, into the mix, and you get manufacturers rushing to increase the supply. However in this hurry, data integrity and security becomes an afterthought, the researchers claim, resulting in LeftoverBits, a flaw that allows hackers to steal anywhere between 5 megabytes and 180 megabytes of data. 

Unpatched devices

“In the CPU world, even a bit is too much to reveal,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, told Wired.

Hackers looking to exploit LeftoverLocals first need to obtain access to the target system in some other way. However, they don’t need to have access to the same user account - they can steal data from the GPU belonging to any device user. What’s more, the attack is relatively easy to pull off, Wired suggests, as in the example it showed, the researchers pulled sensitive data using less than 10 lines of malicious code.

Further investigation uncovered GPUs from Apple, AMD, and Qualcomm, all vulnerable to LeftoverLocals, with Nvidia, Intel, and ARM, all dodging the bullet. 

Apple said it addressed the flaw in its latest M3 and A17 processors, which should mean that millions of older iPhones, iPads, and MacBooks, remain vulnerable. MacBooks powered by Apple’s M2 is at risk, the researchers found, but the iPad Air 3rd generation A12 seem to have been fixed. 

Qualcomm said to have released a firmware patch, and urged its users to apply the patch as soon as it’s available. 

AMD said it’s currently working on fixes, which it will offer as “optional mitigations”. These should be released in March this year.

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
An abstract image of a lock against a digital background, denoting cybersecurity.
Apple CPU security issue could let hackers steal user data from browsers
Security
Intel slams Nvidia and AMD, claims chip giants have huge numbers of security flaws
Digital image of a lock.
Nvidia systems could be facing another worrying security flaw
AMD logo
Security flaw means AMD Zen CPUs can be "jailbroken"
AMD Ryzen 5 7600X processor
AMD confirms processor security flaws after Asus patch slips out early
AMD logo
AMD patches high severity security flaw affecting Zen chips
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all
A smartphone on a sofa showing the WhatsApp, Telegram and Signal apps
Forget AI – WhatsApp is planning a simple messages feature that could be its most useful upgrade in years
NordicTrack Ultra 1
The new NordicTrack Ultra 1 treadmill looks like it was designed by an architect and costs $15,000
An Nvidia GeForce RTX 5070
Nvidia RTX 5080 stock is so barren that retailers are holding competitions where you can "win" the right to buy one for MSRP