A security researcher identified the first-ever vulnerability in Apple M1 chips that requires a silicon redesign to fix.
The good news is that the flaw is considered low-risk, and even the security researcher who identified it believes the flaw is insignificant and has sought to avoid exaggerating the problem while presenting his findings.
The vulnerability was codenamed M1RACLES and is presently tracked as CVE-2021-30747. It was discovered by Hector Martin, a software engineer at Asahi Linux, a project that works on porting Linux for Mac devices.
In a simplified explanation, Martin explained that the vulnerability allowed two apps running on the same device to exchange data via a hidden channel at the CPU level, circumventing memory, sockets, files, and other standard operating system features.
While the discovery is notable because of the amount of time, work, knowledge, and proficiency required to find bugs in a CPU's physical design, Martin states that the problem is of no benefit to attackers.
The only way Martin can see this bug being abused is by dodgy advertising businesses, which could abuse an app they already had installed on a user's M1-based device for cross-app tracking, which would be a really bizarre scenario since the ad industry has many other more reliable data collection methods.
Even though the M1RACLEs bug violates the OS security model by allowing a CPU process to transfer data to another CPU process over a secret channel, Martin believes the flaw was caused by a human error on Apple's M1 design team.
“Someone in Apple’s silicon design team made a boo-boo. It happens. Engineers are human,” he said. Martin further added that he has informed Apple of his discoveries, but the firm has yet to clarify whether the flaw will be fixed in future M1 chip silicon versions.
Martin revealed and debunked his own findings on a dedicated website that ridiculed similar sites developed in the past to advertise CPU vulnerabilities—many of which, like M1RACLEs, were similarly meaningless and insignificant to people's threat models.
Martin concludes that exploitation on iOS may be used to overcome privacy protections adding that a malicious keyboard app may act as a keylogger by transferring typed text to another malicious app, which could subsequently transfer the information to the internet.
However, he suggests that because of Apple's constraints on creating code at runtime, the firm could detect exploit attempts if it subjected App Store submissions to static analysis. The hypervisors disable guest access to the vulnerable register by default, the flaw can be mitigated by utilizing a virtual machine, but there aren't many other solutions, particularly on macOS.
