Unpatchable vulnerability in Apple M-series chips leaks secret encryption keys

Academic researchers have revealed in a paper published Thursday that a newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.

Dan Goodin for Ars Technica:

The flaw — a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols — can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster…

The attack, which the researchers have named GoFetch, uses an application that doesn’t require root access, only the same user privileges needed by most third-party applications installed on a macOS system. M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster — even when on separate cores within that cluster — GoFetch can mine enough secrets to leak a secret key…

The DMP on the M3, Apple’s latest chip, has a special bit that developers can invoke to disable the feature. The researchers don’t yet know what kind of penalty will occur when this performance optimization is turned off.

Readers should remember that whatever penalties result will only be felt when affected software is performing specific cryptographic operations. For browsers and many other types of apps, the performance cost may not be noticeable.

End users who are concerned should check for GoFetch mitigation updates that become available for macOS software that implements any of the four encryption protocols known to be vulnerable. Out of an abundance of caution, it’s probably also wise to assume, at least for now, that other cryptographic protocols are likely also susceptible.

MacDailyNews Take: The hits just keep on comin’!

13 Comments

  1. Well that’s a kick in the nuts. I recommend letting this megacrap news fester for 4-8 weeks and then, “Be greedy when others are fearful.” Apple will buy their way into average-quality LLMs. Then hopefully new leadership will leap us to what’s next. (Here’s a hint, Apple. As I read recently, AI is not a fun add-on. It’s a new Operating System. Get on it and let’s see OSXi by 2026.)

    8
    9
  2. For the average user, the potential risk posed by the GoFetch vulnerability in Apple’s M-series chips is relatively low. Here’s why:

    Specific Conditions Required: The vulnerability requires very specific conditions to be exploited. Both the malicious app and the app performing the cryptographic operation must run on the same CPU cluster within the M-series chip. This specific alignment is not common in everyday usage.

    Need for Malicious Software: A user would need to have unknowingly downloaded and run a malicious application that exploits this vulnerability. Average users who download apps from trusted sources like the Mac App Store are less likely to encounter such malware.

    Targeted Nature of Attack: Such attacks are typically more targeted in nature. Average users are less likely to be the focus of sophisticated attacks that exploit chip-level vulnerabilities like GoFetch.

    Updates and Mitigations: Software developers and Apple are aware of this issue and are likely working on updates and mitigations. Keeping your operating system and applications updated can greatly reduce risks.

    Limited Impact: Even if the vulnerability is exploited, it affects specific cryptographic operations. The impact on the overall system or data security for an average user is limited.

    In summary, while it’s important to be aware of such vulnerabilities and practice good security hygiene (like keeping software updated and downloading apps from reputable sources), the actual risk to the average user from this specific vulnerability is low.

    26
    9
    1. I would actually say the risk is minuscule.
      Is it a real risk? Yes. However, the likelihood of it being exploited in the real world is minuscule–and even less than that for the average user.
      The fastest part of each of the exploits is five minutes or more.
      Who uses the same key for five continuous minutes? Maybe if you’re downloading a huge file from a secure site or uploading a large file to a secure site. Other than that, new keys are issued and exchanged for each new operation.
      Apple could obviate this issue by sending out a security patch that requires new keys to be created (and exchanged when necessary) every four minutes or less. That would have minimal impact on the average user.

      6
      7
