Chip-level vulnerability in Apple Macs could cause massive data leak
A group of university-based security researchers has discovered a chip-level vulnerability in Mac computers with Apple Silicon. The flaw could enable attackers to sidestep the computer's encryption and extract its secret keys, exposing private data. Exploiting it is not straightforward, however: it involves bypassing Apple's Gatekeeper protections and installing a malicious app that needs to run for up to 10 hours.
The flaw originates in a component of M-series chips
According to the researchers, the vulnerability lies within a component of Apple's M-series chips called the Data Memory-Dependent Prefetcher (DMP). DMPs boost processor efficiency by proactively caching data: they read patterns in the contents of memory to predict which addresses will be needed next and fetch them ahead of time. This feature contributes significantly to the high-speed performance that Apple Silicon is known for.
Researchers uncover DMP's potential to circumvent encryption
The researchers found that attackers could exploit DMP to circumvent encryption. They clarified, "Through new reverse engineering, we find that the DMP activates on behalf of potentially any program and attempts to dereference any data brought into cache that resembles a pointer." This behavior exposes a substantial amount of program data, as pointers are essentially addresses indicating where specific data can be located.
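As an added illustration (not code from the article, the researchers or Apple), the toy model below captures the quoted behaviour: every 64-bit word entering a cache line is tested for pointer-likeness and, if it passes, the model prefetcher dereferences it, so a value that merely resembles a pointer leaves a memory access the program never made. The mapped address range and the alignment rule are assumptions chosen for the example, not Apple's actual DMP heuristics.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the behaviour quoted above: each 64-bit word that enters a
 * cache line is inspected and, if it resembles a pointer, the model DMP tries
 * to dereference (prefetch) it. The pointer-likeness test is an assumption
 * for illustration only: an 8-byte-aligned value inside an assumed mapped
 * range. */

#define LINE_WORDS 8                      /* 64-byte line = 8 x 64-bit words */

typedef struct { uint64_t lo, hi; } mapped_range_t;   /* assumed [lo, hi) */

static int resembles_pointer(uint64_t w, const mapped_range_t *m) {
    return w >= m->lo && w < m->hi && (w & 7u) == 0;
}

/* Returns how many words of the line the model DMP would dereference and
 * stores those values in hits[] (the addresses whose cache state is touched). */
size_t dmp_scan_line(const uint64_t line[LINE_WORDS],
                     const mapped_range_t *m, uint64_t hits[LINE_WORDS]) {
    size_t n = 0;
    for (size_t i = 0; i < LINE_WORDS; i++)
        if (resembles_pointer(line[i], m))
            hits[n++] = line[i];
    return n;
}

/* Constructed data: a line of ordinary integers, and the same line with one
 * word replaced by a value that happens to sit in the assumed mapped range.
 * Only the second line triggers the model prefetcher, although neither line
 * holds a real pointer. Constructed range, not a real Mac memory layout. */
static const mapped_range_t k_heap = { 0x100000000ULL, 0x100400000ULL };

size_t count_hits_plain(void) {
    uint64_t line[LINE_WORDS] = { 1, 2, 3, 42, 1000, 7, 8, 9 };
    uint64_t hits[LINE_WORDS];
    return dmp_scan_line(line, &k_heap, hits);
}

size_t count_hits_pointer_like(void) {
    uint64_t line[LINE_WORDS] = { 1, 2, 3, 0x100020000ULL, 1000, 7, 8, 9 };
    uint64_t hits[LINE_WORDS];
    return dmp_scan_line(line, &k_heap, hits);
}

int main(void) {
    printf("plain line: %zu prefetches\n", count_hits_plain());              /* 0 */
    printf("pointer-like line: %zu prefetches\n", count_hits_pointer_like()); /* 1 */
    return 0;
}
```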
Researchers created GoFetch to illustrate DMP vulnerability
In their research paper, the team noted that "the security threat from DMPs is significantly worse than previously thought," and demonstrated "the first end-to-end attacks on security-critical software using the Apple M-series DMP." The researchers were able to create an attack named GoFetch, which can access a Mac's secure data without needing root access. This app exploits the vulnerability in Apple's M-series chips to bypass encryption and gain access to private data.
How GoFetch exploits M-series chip clusters
Dan Goodin, Security Editor at Ars Technica, has shed light on how GoFetch operates. He explained, "M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores." He added, "As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster—even when on separate cores within that cluster—GoFetch can mine enough secrets to leak a secret key."