Researchers have identified a novel, unpatched security vulnerability that can allow an attacker to decrypt data on the most advanced MacBooks.
This newly discovered vulnerability affects all Macs utilising Apple silicon, including the M1, M2, and M3 CPUs. To make matters worse, the issue is built into the architecture of these chips, so Apple can't fix it properly. Instead, any upgrades would have to be made before the iPhone maker launches its M4 chips later this year.
The vulnerability, like last year's iLeakage attack, is a side channel that, under specific circumstances, allows an attacker to extract the end-to-end encryption keys. Fortunately, exploiting this flaw is challenging for an attacker, as it can take a long time.
The new flaw was identified by a group of seven academics from universities across the United States, who outlined their findings in a research paper (PDF) on microarchitectural side channel attacks.
To demonstrate how this issue could be exploited by hackers, they created GoFetch, an app that does not require root access. Instead, it merely requires the same user privileges as most third-party Mac apps.
For those unfamiliar with Apple's M-series chips, they are all organised into clusters that house their respective cores.
If the GoFetch app and the cryptography app being targeted by an attacker share the same performance cluster, GoFetch will be able to mine enough secrets to reveal a secret key.
Patching will hinder performance
Patching this flaw will be impossible as it exists in Apple's processors, not in its software. To fully resolve the issue, the iPhone manufacturer would have to create entirely new chips.
Because there is no way to fix it, the researchers who found the vulnerability advise Apple to use workarounds on its M1, M2, and M3 chips instead.
In order to implement these solutions, cryptographic software developers would need to incorporate remedies such as ciphertext blinding, which modifies or eliminates masks applied to sensitive variables, such as those found in encryption keys, before or after they are loaded into or saved from memory.
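A minimal sketch of ciphertext blinding for textbook RSA, added here as an illustration and not taken from the research paper or from any Apple or library code: a fresh random mask is applied to the input before the private-key operation and removed afterwards, so the value the key operates on is never the one supplied from outside. The toy key, the function names and the `observe` hook are assumptions made for the example.

```python
import secrets
from math import gcd

# Constructed toy key from two Mersenne primes; real RSA keys are 2048+ bits.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def decrypt_unblinded(c, observe=None):
    """Textbook RSA: the private key operates directly on the caller's input."""
    if observe:
        observe(c)  # hypothetical hook: records the operand the key touches
    return pow(c, D, N)


def decrypt_blinded(c, observe=None):
    """Mask c with a fresh random r, decrypt, then strip the mask."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:  # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N       # add mask: c * r^e
    if observe:
        observe(blinded)
    m_masked = pow(blinded, D, N)          # equals m * r mod N
    return (m_masked * pow(r, -1, N)) % N  # remove mask


def operands_seen(decrypt, c, runs=3):
    """Return the values handed to the private-key operation over several runs."""
    seen = []
    for _ in range(runs):
        decrypt(c, observe=seen.append)
    return seen


if __name__ == "__main__":
    msg = 123456789  # constructed sample plaintext
    ct = pow(msg, E, N)
    print(decrypt_unblinded(ct) == msg, decrypt_blinded(ct) == msg)
    print("unblinded operands:", operands_seen(decrypt_unblinded, ct))
    print("blinded operands:  ", operands_seen(decrypt_blinded, ct))
```

The extra exponentiation and modular inverse on every decryption are where the performance cost of this kind of workaround comes from.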
Why there's no need for concern
To leverage this unfixable vulnerability in an attack, a hacker would first have to dupe a gullible Mac user into downloading and installing a malicious app on their computer. In macOS with Gatekeeper, Apple limits unsigned apps by default, which would make it much harder to install the malicious app required to carry out an attack.
From here, this attack takes quite some time to complete. In fact, during their tests, the researchers discovered that it took anywhere between an hour and ten hours, during which time the malicious app would have to be running continuously.
While we haven't heard anything from Apple about this unpatched issue yet, we'll update this post if we do. Until then, the researchers advised that users keep all of the software on their Apple silicon-powered Macs up to date and apply Apple updates as soon as they become available.