Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys

An unpatchable vulnerability has been discovered in Apple's M-series chips that allows attackers to extract secret encryption keys from Macs under certain conditions, according to a newly published academic research paper (via ArsTechnica).

m1 vs m2 air feature toned down
Named "GoFetch," the type of cyber attack described involves Data Memory-Dependent Prefetchers (DMPs), which try to predict what data the computer will need next and retrieve it in advance. This is meant to make processing faster, but it can unintentionally reveal information about what the computer is doing.

The paper finds that DMPs, especially the ones in Apple's processors, pose a significant threat to the security provided by constant-time programming models, which are used to write programs so that they take the same amount of time to run, no matter what data they're dealing with.

The constant-time programming model is meant to protect against side-channel attacks, or types of attacks where someone can gain sensitive information from a computer system without directly accessing it (by observing certain patterns, for example). The idea is that if all operations take the same amount of time, there's less for an attacker to observe and exploit.

However, the paper finds that DMPs, particularly in Apple silicon, can leak information even if the program is designed not to reveal any patterns in how it accesses memory. The new research finds that the DMPs can sometimes confuse memory content, which causes it to treat the data as an address to perform memory access, which goes against the constant-time model.

The authors present GoFetch as a new type of attack that can exploit this vulnerability in DMPs to extract encryption keys from secure software. The attack works against some popular encryption algorithms that are thought to be resistant to side-channel attacks, including both traditional (e.g. OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum (e.g. CRYSTALS-Kyber and CRYSTALS-Dilithium) cryptographic methods.

In an email to ArsTechnica, the authors explained:

Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value "looks like" a pointer, it will be treated as an "address" (where in fact it's actually not!) and the data from this "address" will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels.

Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value "looks like" an address, and brings the data from this "address" into the cache, which leaks the "address." We don't care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.

In summary, the paper shows that the DMP feature in Apple silicon CPUs could be used to bypass security measures in cryptography software that were thought to protect against such leaks, potentially allowing attackers to access sensitive information, such as a 2048-bit RSA key, in some cases in less than an hour.

According to the authors, the flaw in Apple's chips cannot be patched directly. Instead, the attack vector can only be reduced by building defenses into third-party cryptographic software that could result in an extreme performance degradation when executing the cryptographic operations, particularly on the earlier M1 and M2 chips. The DMP on the M3, Apple's latest chip, has a special bit that developers can invoke to disable it, but the researchers aren't yet sure what kind of penalty will occur when this performance optimization is turned off.

As ArsTechnica notes, this isn't the first time researchers have identified threats in Apple DMPs. Research documented in 2022 discovered one such threat in both the ‌M1‌ and Apple's A14 Bionic chip for iPhones, which resulted in the "Augury" attack. However, this attack was ultimately unable to extract the sensitive data when constant-time practices were used.

"GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk," the researchers claim on their website. "Specifically, we find that any value loaded from memory is a candidate for being dereferenced (literally!). This allows us to sidestep many of Augury's limitations and demonstrate end-to-end attacks on real constant-time code."

DMP-style attacks are not common, and the researchers informed Apple of the vulnerability in December 2023. Users concerned about the vulnerability are advised to check for GoFetch mitigation updates that become available in future macOS updates for any of the encryption protocols known to be vulnerable. Apple representatives declined to comment on the record when ArsTechnica asked about the paper.

Popular Stories

iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Just Two Months Away: Everything We Know

Monday July 15, 2024 4:44 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
maxresdefault

Apple's AirPods Pro 2 vs. Samsung's Galaxy Buds3 Pro

Saturday July 13, 2024 8:00 am PDT by
Samsung this week introduced its latest earbuds, the Galaxy Buds3 Pro, which look quite a bit like Apple's AirPods Pro 2. Given the similarities, we thought we'd compare Samsung's new earbuds to the AirPods Pro. Subscribe to the MacRumors YouTube channel for more videos. Design wise, you could potentially mistake Samsung's Galaxy Buds3 Pro for the AirPods Pro. The Buds3 Pro have the same...
Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Monday July 8, 2024 5:00 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
macbook pro january

Best Buy's Black Friday in July Sale Takes Up to $700 Off M3 MacBook Pro for Members

Monday July 15, 2024 11:05 am PDT by
Best Buy's "Black Friday in July" sale is in full swing today, and in addition to a few iPad Air discounts we shared earlier, there are also some steep markdowns on the M3 MacBook Pro. You will need a My Best Buy Plus or Total membership in order to get some of these deals. Note: MacRumors is an affiliate partner with Best Buy. When you click a link and make a purchase, we may receive a small...
Generic iOS 18 Feature Real Mock

Apple Seeds Revised Third Betas of iOS 18 and iPadOS 18 to Developers

Monday July 15, 2024 10:09 am PDT by
Apple today seeded updated third betas iOS 18 and iPadOS 18 to developers for testing purposes, with the software coming a week after Apple initially released the third betas. Registered developers are able to opt into the betas by opening up the Settings app, going to the Software Update section, tapping on the "Beta Updates" option, and toggling on the ‌iOS 18/iPadOS 18‌ Developer Beta ...
ipaos 18 image playground

Apple Releases First iOS 18 and iPadOS 18 Public Betas

Monday July 15, 2024 1:16 pm PDT by
Apple today provided the first betas of iOS 18 and iPadOS 18 to public beta testers, bringing the new software to the general public for the first time since the Worldwide Developers Conference in June. Apple has seeded three developer betas so far, and the first public beta includes the same content that's in the third developer beta. Subscribe to the MacRumors YouTube channel for more videos. ...

Top Rated Comments

danieldk Avatar
17 weeks ago
This kind of vulnerability is bad - future hardware revisions should solve it and mitigations should be put into place. However, glossing over the paper, this currently does not seem like a big threat to most users:

Emulating realistic attack scenarios, we assume that ct-swap runs in a victim process, separate from the attacker’s address space. We assume a simple but common protocol between victim and attacker, where the victim takes input from the attacker to populate the ct-swap’s a and b arrays and then executes ct-swap.

So, it assumes that not only has the attacker has a process running on a victim's machine, but that it can also feed input directly to the victim process. However, if a malicious actor already has a local process running with user privileges, there are so many possible attack vectors, that it's also often game over before this vulnerability. If you only install trusted software, you should be pretty safe.

What made Meltdown/Spectre so devastating on Intel CPUs is that they allowed snooping information without communication with the victim process and that e.g. Linux is used on many multi-tenant machines. So there is ample opportunity to eavesdrop on other people's machines.

It's a bit sad that Ars did not qualify the research further, because if you read the headline and article, it's as if the sky is falling on Apple Silicon CPUs. But (not surprisingly) it's not.
Score: 68 Votes (Like | Disagree)
brijazz Avatar
17 weeks ago
Still better than updating to 14.4 ;)
Score: 33 Votes (Like | Disagree)
danieldk Avatar
17 weeks ago

From Macworld this morning:
[...]
DMP-based attacks aren’t common, and they require a hacker to have physical access to a Mac. So, the best way to prevent an attack is you secure your user account on your Mac with a strong password, and do not let people you don’t know use your Mac. For more information on Mac security, read “;How to know if your Mac has been hacked ('https://www.macworld.com/article/676307/how-to-know-if-your-mac-has-been-hacked.html')” and “How secure is your Mac? ('https://www.macworld.com/article/668710/how-secure-mac.html')” Also consider running an antivirus program on your Mac ('https://www.macworld.com/article/670537/do-macs-need-antivirus.html').
By the way, MacWorld is incorrect here. It does not require physical access. A malicious actor needs to be able to run a process in your machine. This can also be accomplished by tricking the user to install malware, planting malware through vulnerabilities in programs that read untrusted data (web browser, iMessage, etc.).

If you don't install random software from the internet, you should be pretty safe.
Score: 27 Votes (Like | Disagree)
hovscorpion12 Avatar
17 weeks ago
Genuine question. Does this “exploit“ actually have an effect on users? Or this for specific individuals?
Score: 25 Votes (Like | Disagree)
mystery hill Avatar
17 weeks ago
This can be fixed by upgrading to M5.
Score: 23 Votes (Like | Disagree)
hovscorpion12 Avatar
17 weeks ago

Wonder how long Apple has known about this? I think we can safely assume based on past experience that Apple did nothing, hoping the public would never know.
The devs posted they informed Apple in Dec 2023.
Score: 21 Votes (Like | Disagree)