Apple M1 processors have an 'unpatchable' issue, according to MIT experts.


According to MIT researchers, Apple's M1 chips have an "unpatchable" hardware vulnerability that could allow attackers to bypass the company's last line of defense.

A hardware-level security mechanism used in Apple M1 chips called pointer authentication codes, or PAC, is the source of the vulnerability. This feature makes it far more difficult for an attacker to introduce malicious code into a device's memory, and it also protects against buffer overflow vulnerabilities, which cause memory to spill out to other parts of the chip.

However, researchers at MIT's Computer Science and Artificial Intelligence Laboratory have devised a new hardware attack that combines memory corruption and speculative execution assaults to circumvent the security mechanism. The attack demonstrates how pointer authentication can be bypassed without leaving a trace, and because it relies on a hardware mechanism, no software patch will be able to solve it.

The "Pacman" attack works by guessing a pointer authentication code (PAC), a cryptographic signature that verifies that a program hasn't been maliciously updated. This is accomplished by leaking PAC verification findings via speculative execution — a method utilized by current computer processors to improve efficiency by speculatively guessing certain lines of computation — while a hardware side-channel indicates whether or not the guess was right.

Furthermore, because the PAC has only a limited number of potential values, the researchers discovered that it is possible to try all of them to identify the correct one.
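To make the mechanism concrete, here is an added example, not code from the MIT paper or from Apple: a toy model of pointer signing and authentication in Python. It assumes 48 address bits, a 16-bit PAC stored in the pointer's unused high bits, a keyed MAC (HMAC-SHA256, truncated) standing in for the hardware PAC function, and a constructed key; the real silicon uses its own block cipher and field widths. The last function states the point of the paragraph above in numbers: a 16-bit code has only 65,536 possible values, so what keeps a try-every-value strategy impractical is that a failed authentication normally faults, not the size of the code. Leaking the verification outcome silently, as the researchers describe, removes that cost.

```python
import hmac
import hashlib

# Assumed layout: on a 64-bit ARM system only the low bits of a pointer carry
# an address, so the PAC can live in the high bits. Widths are assumptions
# chosen for the example, not Apple's actual configuration.
ADDR_BITS = 48
PAC_BITS = 16
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1
PAC_BYTES = (PAC_BITS + 7) // 8

# Constructed key. On real hardware the key sits in a system register that
# the kernel programs and user-space code cannot read.
KEY = b"constructed-per-process-pac-key"


def compute_pac(ptr, context, key=KEY):
    """Truncated keyed MAC over (address, context).

    Stands in for the CPU's PAC function; the "context" models the modifier
    (for a return address, typically the stack pointer) that ties the code to
    one call site so a signed pointer cannot be replayed elsewhere."""
    msg = (ptr & ADDR_MASK).to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & PAC_MASK


def sign(ptr, context, key=KEY):
    """Analogue of a PAC* instruction: embed the code in the high bits."""
    return (ptr & ADDR_MASK) | (compute_pac(ptr, context, key) << ADDR_BITS)


def authenticate(signed_ptr, context, key=KEY):
    """Analogue of an AUT* instruction.

    Returns the plain address when the code matches. Returns None on failure;
    real hardware instead hands back a poisoned pointer that faults on use,
    which is the visible crash an attacker would normally trigger."""
    addr = signed_ptr & ADDR_MASK
    presented = (signed_ptr >> ADDR_BITS) & PAC_MASK
    expected = compute_pac(addr, context, key)
    if hmac.compare_digest(presented.to_bytes(PAC_BYTES, "little"),
                           expected.to_bytes(PAC_BYTES, "little")):
        return addr
    return None


def pac_search_space(pac_bits=PAC_BITS):
    """Number of distinct codes a guesser would have to cover in the worst case.

    With a faulting oracle each wrong guess crashes the process, so this bound
    is protective; with a silent oracle it is simply an attempt budget."""
    return 1 << pac_bits


if __name__ == "__main__":
    return_addr = 0x7FFF_DEAD_BEEF   # constructed sample address
    ctx = 0x1234                     # constructed modifier (e.g. stack pointer)
    signed = sign(return_addr, ctx)
    assert authenticate(signed, ctx) == return_addr

    # A memory-corruption bug lets an attacker overwrite the address bits but
    # not recompute the code, so the tampered pointer no longer authenticates.
    forged = ((signed >> ADDR_BITS) << ADDR_BITS) | 0x7FFF_CAFE_0000
    assert authenticate(forged, ctx) is None
    print("signed pointer: %#x, codes to cover: %d" % (signed, pac_search_space()))
```

The modifier argument is what makes the signature specific to a call site rather than to the address alone; the page's point is that even with that design, a 16-bit field is small enough that an attacker who can test guesses without faulting will eventually land on the right value.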

The researchers demonstrated that the attack works even against the kernel — the software core of a device's operating system — in a proof of concept, which has "massive implications for future security work on all ARM systems with pointer authentication enabled," according to Joseph Ravichandran, a Ph.D. student at MIT CSAIL and co-lead author of the research paper.

"The concept behind pointer authentication is that even if everything else fails, you can still rely on it to keep intruders out of your system," Ravichandran explained. "We've demonstrated that pointer authentication as a last line of security isn't as reliable as we formerly believed."

Apple has implemented pointer authentication on all of its own ARM-based chips so far, including the M1, M1 Pro, and M1 Max, and Qualcomm and Samsung have either announced or are scheduled to release new CPUs that enable the hardware-level security feature. According to MIT, the attack has yet to be tried on Apple's unannounced M2 chip, which also provides pointer authentication.

"If not mitigated, our attack will affect the majority of mobile devices, and potentially even desktop systems, in the coming years," according to MIT.

The Pacman attack isn't a "magic bypass" for all security on the M1 chip, according to the researchers, who disclosed their results to Apple. It can only be used to exploit an existing bug that pointer authentication would otherwise guard against.

Apple declined to comment on the record when contacted prior to publication. "We want to thank the researchers for their work as this proof of concept increases our knowledge of these approaches," Apple spokesperson Scott Radcliffe said after the report was published. "We have assessed that this problem does not represent an imminent risk to our customers and is inadequate to circumvent operating system security measures on its own, based on our investigation and the facts supplied to us by the researchers."

A developer uncovered an unfixable issue in Apple's M1 chip in May of last year, which creates a covert channel that two or more already-installed malicious apps may exploit to exchange information. However, the flaw was judged "harmless" since malware couldn't utilize it to steal or tamper with data on a Mac.
