Too Private to Tell: Practical Token Theft Attacks on Apple Intelligence
Haoling Zhou (1), Shixuan Zhao (1), Chao Wang (1), Zhiqiang Lin (1) ((1) The Ohio State University)
TL;DR
This paper uncovers a practical cross-device token replay attack on Apple Intelligence, revealing vulnerabilities in its privacy design and emphasizing the need for cryptographic binding to ensure security.
Contribution
It introduces the Serpent attack, the first practical cross-device token replay attack on Apple Intelligence, demonstrating a significant privacy vulnerability.
Findings
Successful cross-device token replay attack on Apple Intelligence
Vulnerabilities confirmed and disclosed to Apple, CVE assigned
Highlighting the need for cryptographic binding in AI service security
Abstract
Apple Intelligence is a generative AI (GenAI) service provided by Apple on its devices. While offering a similar set of features as other similar GenAI services, Apple Intelligence is claimed to be designed with an extra focus on user security and privacy through a two-stage authentication and authorization design using anonymous access tokens. In this paper, we present our investigation into this token issuance mechanism with a goal to reveal possible vulnerabilities using traffic analysis, reverse engineering, and cross comparison with Apple's public documentation. Specifically, we present the Serpent attack, the first practical cross-device token replay attack against Apple Intelligence that allows the attacker to steal the access tokens from the victim's device and utilise them on a different device, with all usage rate-limited against the victim. We have achieved successful attacks…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.