The major hardware flaw in Apple M-series chips – Security Intelligence

The “need for speed” is having a negative impact on many Mac users right now.
The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, letting an attacker reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips' data memory-dependent prefetcher (DMP).
The DMP predicts the memory addresses that code is most likely to access next by scanning the cache and prefetching that information. This technology gives Apple users improved computer speed and overall computing performance, and that enhanced efficiency and productivity is one of the benefits of using Apple products.
However, the GoFetch vulnerability in DMP has turned the positives into a serious liability. As described by Ars Technica, GoFetch, a side-channel flaw, “allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.” Put simply, data stored in the M-chips can be mistaken for a legitimate memory address and cached. If a malicious app gains access through the vulnerability, it can repeatedly push this error and eventually decrypt the key. A group of researchers found that the vulnerability actually “poses severe risks to the constant-time coding paradigm.”
Critically, the GoFetch vulnerability stems from the core design of the M-series chips, meaning Apple cannot fix the weakness with a simple software patch. Instead, any mitigation will require protective code added to third-party encryption software. This could drastically slow performance, particularly on older M1 and M2 Mac models.
The GoFetch vulnerability highlights a long-standing problem for developers, IT and security teams: balancing security against performance. In this case, the vulnerability management around GoFetch would have a negative impact on the performance of Mac computers (other Apple devices, like iPads, don’t appear to be impacted yet). Speed is the selling point for chip makers; computer speed is vital to productivity. But it also means that security takes a back seat.
By sacrificing security in preference for performance, users are exposed to attacks on their encryption keys, potentially compromising sensitive data.
Fixing the security in chip development would require manufacturers to share details about chip development, but it would also mean vulnerability management could be implemented much earlier. In the long run, that will improve performance.
GoFetch is a hardware flaw, so there is no easy fix; developers can’t simply update the software code and send it out to users as they can with SaaS.
Apple has stated that users with an M3 chip device can enable data-independent timing (DIT), which disables DMP and adds security: “With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data.”
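What enabling DIT around a secret-dependent operation can look like in third-party code, as an added example that is not from the article, Apple, or the researchers. It assumes the `hw.optional.arm.FEAT_DIT` sysctl and the Arm `DIT` system register (encoding `S3_3_C4_C2_5`, bit 24); `run_with_dit`, `ct_differs` and `demo` are hypothetical names, and the sample tags are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define DIT_BIT (1ULL << 24)   /* PSTATE.DIT as exposed by the DIT register */
#if defined(__APPLE__) && defined(__aarch64__)
#include <sys/sysctl.h>
static int dit_supported(void) {
    int v = 0; size_t n = sizeof v;
    return sysctlbyname("hw.optional.arm.FEAT_DIT", &v, &n, NULL, 0) == 0 && v;
}
static uint64_t dit_read(void) {
    uint64_t v; __asm__ volatile("mrs %0, S3_3_C4_C2_5" : "=r"(v)); return v & DIT_BIT;
}
static void dit_write(uint64_t v) {
    __asm__ volatile("msr S3_3_C4_C2_5, %0" :: "r"(v) : "memory");
}
#else                          /* other platforms: no-op fallback so the code builds */
static int dit_supported(void) { return 0; }
static uint64_t dit_read(void) { return 0; }
static void dit_write(uint64_t v) { (void)v; }
#endif

typedef int (*secret_op)(void *ctx);
/* Run op with DIT set, then restore whatever DIT state the caller had. */
int run_with_dit(secret_op op, void *ctx, int *protected_out) {
    int have = dit_supported();
    uint64_t saved = have ? dit_read() : 0;
    if (have) dit_write(DIT_BIT);
    int rc = op(ctx);
    if (have) dit_write(saved);
    if (protected_out) *protected_out = have;  /* 0 means the op ran unprotected */
    return rc;
}

struct pair { const uint8_t *a, *b; size_t n; };
static int ct_differs(void *p) {               /* branch-free tag comparison */
    const struct pair *x = p; uint8_t acc = 0;
    for (size_t i = 0; i < x->n; i++) acc |= (uint8_t)(x->a[i] ^ x->b[i]);
    return acc != 0;
}
int demo(int flip, int *protected_out) {       /* constructed 16-byte sample tags */
    uint8_t a[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}, b[16];
    for (size_t i = 0; i < 16; i++) b[i] = a[i];
    if (flip) b[7] ^= 0x80;
    struct pair p = { a, b, 16 };
    return run_with_dit(ct_differs, &p, protected_out);
}
int main(void) { return demo(0, NULL); }
```

Restoring the saved state instead of clearing the bit keeps nested callers that already enabled DIT protected after the inner call returns.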
But that doesn’t help those with M1 and M2 devices, and the researchers admit that disabling DMP is a drastic move for M3 devices. They suggest other defense approaches that include:
As of this writing, there have been no reports of a major cyberattack around the GoFetch vulnerability, but it is only a matter of time. Any organization or user using Mac devices will want to step up their defenses and be aware of the potential risk because, as the researchers concluded, “DMPs pose a significant security threat to modern software, breaking a wide variety of state-of-the-art cryptographic implementations.”