Unpatched security flaw discovered in Apple M1

MIT security experts have discovered a flaw in Apple's blisteringly fast and extremely efficient M1 CPUs, which have been the catalysts driving a recent MacBook renaissance.

Before I go any further, M1 Mac users do not need to be concerned about their personal information being taken. While this is a serious vulnerability that must be addressed, it only works if certain improbable conditions are met.

First and foremost, the system under attack must have a memory corruption problem. As a result, the experts say there's 'no need to be alarmed right now.'

In a message to TechCrunch, Apple praised the researchers, but stressed that the 'problem' did not represent an imminent threat to MacBook owners.

'We appreciate the researchers' help in developing this proof of concept, since it increases our understanding of these methodologies,' Apple added.

'We have assessed that this issue does not pose an imminent risk to our users and is inadequate to bypass operating system security measures on its own, based on our investigation and the details supplied to us by the researchers.'

To get into the technical details, Apple's M1 chip has a feature known as Pointer Authentication to identify and protect against unexpected memory modifications.

MIT refers to this as the 'final line of defence', capable of snuffing out flaws that might otherwise compromise a system and expose private information.

This is accomplished with a 'PAC', or pointer authentication code, which detects unanticipated changes made as a result of an attack. When a programme is considered safe, a PAC, a cryptographic hash that serves as a signature, is created.
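To make the signing-and-checking flow concrete, here is a small added model of pointer authentication in C. It is an illustration written for this article, not code from MIT, Apple or the PACMAN paper. It assumes a 48-bit address space with the PAC stored in the unused top 16 bits, and it uses a toy keyed mixing function in place of the block cipher that real hardware uses; the key, modifier and sample pointer values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed toy layout (not Apple's actual configuration):
 * bits 0..47  = virtual address,
 * bits 48..63 = pointer authentication code (PAC). */
#define VA_BITS   48
#define VA_MASK   ((1ULL << VA_BITS) - 1)

/* Keyed mixing function standing in for the cipher real hardware uses.
 * It is NOT a secure MAC; it only shows where the secret key enters. */
static uint64_t toy_mac(uint64_t addr, uint64_t modifier, uint64_t key) {
    uint64_t x = addr ^ (modifier * 0x9E3779B97F4A7C15ULL) ^ key;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return x;
}

/* Sign: compute the PAC over the address and a context-specific modifier,
 * then store it in the top bits that a canonical pointer never uses. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key) {
    uint64_t addr = ptr & VA_MASK;
    uint64_t pac = toy_mac(addr, modifier, key) >> VA_BITS; /* top 16 bits */
    return addr | (pac << VA_BITS);
}

/* Marker placed in the top bits when authentication fails, so the result
 * is a non-canonical pointer that faults if dereferenced rather than a
 * usable attacker-controlled address. */
#define PAC_POISON (1ULL << (VA_BITS + 1))

/* Authenticate: recompute the PAC and compare it with the stored one.
 * On success return the plain address; on failure return a poisoned one. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key) {
    uint64_t addr = signed_ptr & VA_MASK;
    uint64_t expected = pac_sign(addr, modifier, key);
    if (expected == signed_ptr)
        return addr;
    return addr | PAC_POISON;
}

/* A pointer that came back from pac_auth is safe to use only if its top
 * bits are clear. */
bool pac_is_valid(uint64_t authed_ptr) {
    return (authed_ptr & ~VA_MASK) == 0;
}

int main(void) {
    /* Constructed sample values for the demonstration. */
    const uint64_t key      = 0xDEADBEEFCAFEBABEULL;
    const uint64_t modifier = 0x42; /* e.g. a stack-frame or object context */
    const uint64_t target   = 0x00007FFF12345678ULL;

    uint64_t signed_ptr = pac_sign(target, modifier, key);
    printf("signed pointer : 0x%016llx\n", (unsigned long long)signed_ptr);

    /* Normal path: the stored PAC matches, so the address is released. */
    uint64_t ok = pac_auth(signed_ptr, modifier, key);
    printf("auth (intact)  : 0x%016llx valid=%d\n",
           (unsigned long long)ok, pac_is_valid(ok));

    /* Memory-corruption path: a bug flips a bit of the stored PAC. */
    uint64_t tampered = signed_ptr ^ (1ULL << VA_BITS);
    uint64_t bad = pac_auth(tampered, modifier, key);
    printf("auth (tampered): 0x%016llx valid=%d\n",
           (unsigned long long)bad, pac_is_valid(bad));
    return 0;
}
```

The check only helps if the attacker cannot produce a matching PAC: with a 16-bit field as modelled here there are 65,536 possible values, and a corrupted pointer passes only when its PAC happens to match, which is why the article stresses that the guessing step must be combined with an oracle that reveals whether each guess is right without crashing the process.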

This level of defence can be breached, as the researchers discovered, and this is where MIT's PACMAN attack comes into play. It uses a hardware device to guess the value of a PAC, so a software patch will not fix the problem.

There are many conceivable PAC values, but with a gadget that reveals whether a guess is right or wrong, you can try them all until you find the one that works. In this scenario, the ghosts prevail.

'The concept behind pointer authentication is that if all else fails, you can still rely on it to keep attackers out of your system. We've proven that pointer authentication as a last line of security isn't as reliable as we always thought,' said co-lead author and MIT CSAIL Ph.D. student Joseph Ravichandran.

'When pointer authentication was added, an entire class of problems became much more difficult to exploit for attacks. The entire attack surface could be a lot larger now that PACMAN has made these issues more serious,' Ravichandran warned.

Bypassing pointer authentication, which protects the core OS kernel, could allow bad actors to get access to key sections of a system. 'An attacker who takes control of the kernel can do whatever they want on a device,' the researchers write.

The researchers demonstrated that the PACMAN attack could be used to assault the kernel in this proof of concept, which has 'significant ramifications for future security work on any ARM platforms with pointer authentication enabled.'

'Future CPU designers should keep this threat in mind while designing secure systems for the future,' Ravichandran advised. 'Developers should be cautious about relying entirely on pointer authentication to secure their software.'

All of Apple's ARM-based chips, including the M1, M1 Pro, and M1 Max, use pointer authentication. The recently unveiled M2 CPU, which will power the next MacBook Air and MacBook Pro 13, hasn't been tested, according to MIT. Qualcomm and Samsung have announced or are planning to introduce CPUs with the security feature.

The researchers proposed three strategies for averting a future attack. One option is to change the programme so that PAC verification results are never consumed under speculation, preventing an attacker from sneaking in unnoticed.

Another option is to defend against PACMAN in the same way that the Spectre vulnerabilities are addressed. Finally, fixing memory corruption problems would eliminate the need for this last layer of defence.
