Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's "last line of defense" — but most Mac users shouldn't be worried.
More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed "PACMAN."
Pointer authentication is a security mechanism in Apple Silicon that makes it harder for attackers to tamper with pointers in memory. When a pointer is stored, the CPU computes a short cryptographic signature over it, the pointer authentication code (PAC), using a secret key held in hardware, and places it in the otherwise unused upper bits of the 64-bit pointer. When the pointer is later used, the CPU recomputes the signature and refuses to follow the pointer if it does not match. An attacker who can corrupt memory can still overwrite a pointer, but cannot produce a valid signature for the new value without the key, so the tampered pointer is caught before it is used.
"The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system," said Joseph Ravichandran, one of the paper's co-authors.
Apple's M1 chip was the first desktop-class processor to ship with ARM's pointer authentication (Apple had already enabled the feature on its A-series iPhone chips). The MIT team, however, found a way to use speculative execution to defeat it.
The attack works by guessing the value of a pointer's authentication code. A wrong guess would normally crash the victim, which is what makes brute-forcing impractical, but PACMAN has the guessed pointer authenticated speculatively, so a wrong guess causes no crash and leaves only a trace in the CPU's microarchitectural state. The researchers read that trace through a side channel to learn whether each guess was correct. Because the PAC has to fit in the spare upper bits of a pointer it is only a few bits long, and the whole space of candidate values can be enumerated this way until the right one is found.
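To make the two mechanisms described above concrete (the signed-pointer check, and the brute-force that PACMAN's side channel makes survivable), here is an added software model in C. It is not code from this page or from the MIT paper, and it does not use real PAC instructions, which exist only on ARMv8.3 hardware. The 48-bit address split, the mixing function standing in for the hardware MAC, the secret key value, the boolean oracle standing in for the TLB side channel, and names such as sign_pointer, authenticate_pointer and brute_force_pac are all assumptions of the model.

```c
/* Added example: a software model of ARM pointer authentication and of the
 * PACMAN brute-force loop. Not code from the page or the MIT paper. Real PAC
 * lives in hardware (PACIA/AUTIA instructions, keys in system registers);
 * this model runs on any CPU so the mechanism can be inspected. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 48-bit virtual addresses, leaving 16 upper bits for the PAC.
 * Real PAC width depends on the VA size and top-byte-ignore configuration. */
#define VA_BITS  48
#define PAC_BITS (64 - VA_BITS)
#define VA_MASK  ((1ULL << VA_BITS) - 1ULL)
#define PAC_MASK ((1ULL << PAC_BITS) - 1ULL)

/* The CPU's secret PAC key: set by the kernel, never readable by the attacker. */
struct cpu_state { uint64_t pac_key; };

/* Stand-in for the hardware's keyed MAC (ARM's reference design uses the
 * QARMA cipher; any keyed mixing function serves the model). */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x;
}

static uint64_t compute_pac(const struct cpu_state *cpu, uint64_t addr, uint64_t modifier) {
    uint64_t t = mix64((addr & VA_MASK) ^ cpu->pac_key);
    return mix64(t ^ modifier ^ (cpu->pac_key << 7)) & PAC_MASK;
}

/* Model of PACIA: sign the address and store the PAC in its spare upper bits. */
static uint64_t sign_pointer(const struct cpu_state *cpu, uint64_t addr, uint64_t modifier) {
    return (addr & VA_MASK) | (compute_pac(cpu, addr, modifier) << VA_BITS);
}

/* Model of AUTIA: recompute the PAC and compare. true = accepted, stripped
 * address in *out. false = hardware would return a pointer that faults on use. */
static bool authenticate_pointer(const struct cpu_state *cpu, uint64_t signed_ptr,
                                 uint64_t modifier, uint64_t *out) {
    uint64_t addr = signed_ptr & VA_MASK;
    if ((signed_ptr >> VA_BITS) != compute_pac(cpu, addr, modifier)) return false;
    *out = addr;
    return true;
}

/* Model of the PACMAN oracle: the victim authenticates the candidate only
 * speculatively, so a wrong PAC raises no fault, and the attacker observes the
 * outcome through a microarchitectural side channel (TLB/cache timing in the
 * paper). The channel itself is abstracted to a boolean here. */
static bool pacman_oracle(const struct cpu_state *cpu, uint64_t candidate, uint64_t modifier) {
    uint64_t unused;
    return authenticate_pointer(cpu, candidate, modifier, &unused);
}

/* The attacker can overwrite a signed pointer (via some memory-corruption bug)
 * and wants it to point at `target`, but does not know the key. Enumerate the
 * PAC space through the oracle and return the forged pointer that verifies.
 * Without the speculative oracle every wrong guess would crash the victim. */
static uint64_t brute_force_pac(const struct cpu_state *cpu, uint64_t target,
                                uint64_t modifier, unsigned long *queries) {
    uint64_t base = target & VA_MASK;
    *queries = 0;
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        uint64_t candidate = base | (guess << VA_BITS);
        (*queries)++;
        if (pacman_oracle(cpu, candidate, modifier)) return candidate;
    }
    return 0; /* unreachable: exactly one value in the space verifies */
}

struct demo_result {
    bool legit_ok, tampered_ok, forged_ok;
    uint64_t forged, expected;
    unsigned long queries;
};

/* Scenario with constructed values: a legitimate signed pointer, a tampered
 * copy (one PAC bit flipped), and a forged pointer to an attacker-chosen target. */
static struct demo_result run_demo(void) {
    struct cpu_state cpu = { .pac_key = 0x0123456789abcdefULL };  /* assumed key */
    uint64_t modifier = 0x7ffe00001000ULL;      /* e.g. a stack frame address */
    uint64_t target   = 0x00007fff0000beefULL;  /* attacker's desired destination */
    uint64_t out;
    struct demo_result r;
    uint64_t legit = sign_pointer(&cpu, 0x00007fff00001234ULL, modifier);
    r.legit_ok    = authenticate_pointer(&cpu, legit, modifier, &out);
    r.tampered_ok = authenticate_pointer(&cpu, legit ^ (1ULL << VA_BITS), modifier, &out);
    r.forged      = brute_force_pac(&cpu, target, modifier, &r.queries);
    r.forged_ok   = authenticate_pointer(&cpu, r.forged, modifier, &out) && out == target;
    r.expected    = sign_pointer(&cpu, target, modifier);  /* what the CPU itself would sign */
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("legit verifies: %d, tampered verifies: %d\n", r.legit_ok, r.tampered_ok);
    printf("forged 0x%016" PRIx64 " verifies: %d, matches CPU signature: %d\n",
           r.forged, r.forged_ok, r.forged == r.expected);
    printf("oracle queries needed: %lu of at most %" PRIu64 "\n",
           r.queries, (uint64_t)(PAC_MASK + 1));
    return 0;
}
```

The point to take from the model: once an oracle exists that answers "does this PAC verify?" without crashing the victim, the secrecy of the key no longer matters, because the PAC is short enough to enumerate. On a real chip each query is a speculative window plus a side-channel measurement rather than a function call, which is what the paper engineers.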
PACMAN echoes earlier speculative execution attacks such as Spectre and Meltdown, which also leaked information through microarchitectural side channels. Because the behaviour being exploited is built into the hardware, it can't be removed with a software patch; software can only avoid depending on pointer authentication as its sole defense.
On its own, PACMAN does not compromise a Mac: it needs an existing memory-corruption bug to act on. What it does is strip away the protection that pointer authentication would otherwise give against that bug, making such bugs more exploitable and expanding the overall attack surface.
Who's at risk and how to protect yourself
The researchers note that no attacks currently leverage the PACMAN flaw and it isn't a "magic bypass for all security on the M1 chip." Instead, it can only take an existing bug that pointer authentication protects against and "unleash" its true potential.
The underlying weakness is not specific to Apple. Any ARM processor that implements pointer authentication alongside speculative execution could in principle be attacked the same way, though the team demonstrated it only on the M1. The vulnerability is best read as a demonstration of a wider design issue with pointer authentication on ARM chips rather than as something that will get your Mac hacked.
"Future CPU designers should take care to consider this attack when building the secure systems of tomorrow," said Ravichandran. "Developers should take care to not solely rely on pointer authentication to protect their software."
8 Comments
Intel rightfully took a lot of flak for Spectre and Meltdown, but this just proves how difficult it is to mass produce high performance CPU hardware that's free from vulnerability or attack.
Good luck with this exploit unless they have physical access to your device:
"More than that, actually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit."