The Apple M1 chip was a wildly successful launch for the Cupertino-based tech giant, but new research from MIT says the chip that powers everything from the Apple MacBook Pro to the latest iPad Air has a major security flaw which, by its nature, cannot be corrected with a security update.
The flaw was exposed in a new paper from MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) researchers and concerns a mechanism known as pointer authentication code (PAC). Essentially, PAC works by verifying a digital signature to ensure that a program’s code has not been maliciously altered.
PACMAN, the exploit that MIT researchers designed, relies on a combination of software and hardware exploits that test whether a signature is accepted. Since there are only a finite number of possible signatures, PACMAN can try them all, find out which one is valid, and then have a separate software exploit use that signature to circumvent this ultimate defense mechanism on the M1 chip.
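To make the mechanism concrete, here is an added Python model of how a PAC is attached to and checked on a pointer. It is constructed for this page and is not code from the paper, Apple or ARM: QARMA is replaced by a truncated HMAC-SHA256, and the layout assumes 48-bit virtual addresses, which leaves a 16-bit PAC field. It shows why the space of valid codes is finite and why, without a side channel, a wrong guess turns the pointer into one that faults on use.

```python
import hmac
import hashlib

# Constructed model (not ARM's real layout, which also reserves bit 55 and
# honours top-byte-ignore): 48 address bits, 16 PAC bits above them.
VA_BITS = 48
PAC_BITS = 64 - VA_BITS
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << VA_BITS
ERROR_BIT = 1 << 62  # set on failed authentication so the pointer is non-canonical


def compute_pac(key: bytes, addr: int, modifier: int) -> int:
    """Truncated MAC over (address, modifier).

    The modifier plays the role of the ARM 'salt' (e.g. the stack pointer for
    return addresses, or a type discriminator for function pointers).
    HMAC-SHA256 stands in for the QARMA block cipher used in silicon.
    """
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & ((1 << PAC_BITS) - 1)


def sign(key: bytes, ptr: int, modifier: int) -> int:
    """PAC* instruction: embed the code in the unused top bits of the pointer."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(key, addr, modifier) << VA_BITS)


def authenticate(key: bytes, signed: int, modifier: int) -> tuple[int, bool]:
    """AUT* instruction: strip the PAC if it matches, otherwise poison the pointer.

    Returns (pointer, ok). A poisoned pointer faults when dereferenced, which is
    why naive guessing crashes the victim instead of revealing anything.
    """
    addr = signed & ADDR_MASK
    expected = compute_pac(key, addr, modifier) << VA_BITS
    if (signed & PAC_MASK) == expected:
        return addr, True
    return addr | ERROR_BIT, False


def signature_space() -> int:
    """Number of distinct codes a pointer can carry: 2^PAC_BITS (65536 here)."""
    return 1 << PAC_BITS
```

The small `signature_space()` is the finite set the article refers to; the hardware part of PACMAN is a way to test candidates without triggering the fault that `authenticate` models.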
The researchers tested this exploit against the system kernel – the foundation of any operating system – and found that the exploit gave them kernel-level system access, meaning it could give an attacker complete control over a system.
“The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defense is not as absolute as we thought it was,” said MIT CSAIL Ph.D. student Joseph Ravichandran, co-lead author of the paper explaining the flaw, which will be presented at the International Symposium on Computer Architecture on June 18.
“When pointer authentication was introduced, a whole category of bugs suddenly became much more difficult to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be much larger,” added Ravichandran.
And since the researchers used a microarchitectural exploit to circumvent the PAC security measure, there is no way to “fix” this part of the exploit, as it is built into the chip itself. Still, the exploit can only work in conjunction with another software exploit. It cannot do anything alone.
Analysis: This sounds bad, but is it?
While this sounds like a serious problem, and it can be, it doesn’t mean that everyone’s new MacBook Air is open to any cyber gang that wants to extort some bitcoin from people.
The hardware exploit the researchers used in this case is similar to the Spectre and Meltdown exploits seen on some Intel chips, and while those were a problem, they didn’t suddenly destroy everyone’s computers. The fact is, the vast majority of people aren’t worth a cybercriminal’s time. Why mess with your laptop when someone can block a pipeline and extort millions of dollars?
Furthermore, the PAC exploit attacks the last line of defense in an M1 chip (and not just M1 chips, but also any ARM-based processor that uses a PAC security measure, including some Qualcomm and Samsung chips as well).
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques,” an Apple spokesperson told . “Based on our analysis and the details shared with us by the researchers, we have concluded that this issue does not pose an immediate risk to our users and is insufficient to circumvent the operating system’s security protections on its own.”
This does not mean that such an exploit cannot be used, but it does mean that an exploit will have to overcome all other security measures on the system, and Apple’s systems are reasonably well protected as they are. So while we’re sure Apple will fix this issue in future chips, Apple M1 users don’t necessarily need to panic about this exploit, especially if they take other preventative security measures.