Apple Silicon has a hardware-level exploit that could leak private data

A team of university security researchers has found a chip-level exploit in Apple Silicon Macs. The group says the flaw can bypass the computer’s encryption and access its security keys, exposing the Mac’s private data to hackers. The silver lining is the exploit would require you to circumvent Apple’s Gatekeeper protections, install a malicious app and then let the software run for as long as 10 hours (along with a host of other complex conditions), which reduces the odds you’ll have to worry about the threat in the real world.

The exploit originates in a part of Apple’s M-series chips called Data Memory-Dependent Prefetchers (DMPs). DMPs make the processors more efficient by preemptively caching data. The DMPs treat data patterns as directions, using them to guess what information they need to access next. This reduces turnarounds and helps lead to reactions like “seriously fast,” often used to describe Apple Silicon.

The researchers discovered that attackers can use the DMP to bypass encryption. “Through new reverse engineering, we find that the DMP activates on behalf of potentially any program, and attempts to dereference any data brought into cache that resembles a pointer,” the researchers wrote. (“Pointers” are addresses or directions signaling where to find specific data.) “This behavior places a significant amount of program data at risk.”

“This paper shows that the security threat from DMPs is significantly worse than previously thought and demonstrates the first end-to-end attacks on security-critical software using the Apple m-series DMP,” the group wrote.

The researchers named the attack GoFetch, and they created an app that can access a Mac’s secure data without even requiring root access. Ars Technica Security Editor Dan Goodin explains, “M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster—even when on separate cores within that cluster — GoFetch can mine enough secrets to leak a secret key.”

The details are highly technical, but Ars Technica’s write-up is worth a read if you want to venture much further into the weeds.

But there are two key takeaways for the layperson: Apple can’t do much to fix existing chips with software updates (at least without significantly slowing down Apple Silicon’s trademark performance), and as long as you have Apple’s Gatekeeper turned on (the default), you won’t likely install malicious apps in the first place. Gatekeeper only allows apps from the Mac App Store and non-App Store installations from Apple registered developers. (You may want to be extra cautious when manually approving apps from unregistered developers in macOS security settings.) If you don’t install malicious apps outside those confines, the odds appear quite low this will ever affect your M-series Mac.

Go to Source