Just days after announcing the upcoming release of the M2 chip at the 2022 edition of its WWDC show, Apple was alerted to a security issue in its previous chip, the M1. Researchers at the Computer Science and Artificial Intelligence Laboratory (CSAIL), attached to the Massachusetts Institute of Technology (MIT), have discovered a flaw in a security mechanism of Apple’s M1 chips.
Feature bug bypasses Apple’s M1 chip security
It was by attacking the M1 chip that researchers at MIT discovered a vulnerability in the “Pointer Authentication” feature of M1 chips. Pointer authentication is a security feature that aims to detect and block any unexpected changes to pointers that could lead to data leaks or compromise the system. Pointers store important information, and the Pointer Authentication Code (PAC) checks for unexpected pointer changes that may be caused by an attack.
These specialists succeeded in targeting “Pointer Authentication” and executing code that bypasses this security. The attack was named the Pacman Attack. The MIT researchers behind this discovery describe its foundations: “Pacman takes an existing software bug (memory read/write) and turns it into a more serious exploit primitive (a pointer authentication bypass), which may lead to arbitrary code execution. To do this, we must find the PAC value of each victim’s specific pointer.”
To find the PAC value of a pointer and thereby bypass the security of the M1 chip, the researchers use a very specific technique: “Pacman does this by creating what we call a PAC oracle, which is the ability to tell whether a given PAC corresponds to a specific pointer. The PAC oracle should never crash if an incorrect guess is provided. We then test all possible values of PAC using the PAC oracle.”
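To make the mechanism described in the two passages above concrete, here is an added toy model of pointer authentication written for this article; it is not Apple’s, ARM’s or the researchers’ code. It assumes a 16-bit PAC stored in the top bits of a 64-bit pointer and uses a constructed mixing function in place of the keyed block cipher real hardware uses; it shows that tampering with a signed pointer or using it in the wrong context fails authentication, and why an authentication failure that is silent rather than fatal (the “oracle” above) turns a detection mechanism into a guessable 2^16 search space.

```c
/* Toy model of ARM pointer authentication (PAC). Added illustration only:
 * real hardware derives the PAC with a keyed cipher (QARMA) and a secret
 * key; the mixing function below is a constructed stand-in with no
 * security value. PAC_BITS = 16 is an assumption for this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAC_BITS  16
#define PAC_SHIFT (64 - PAC_BITS)
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)

static const uint64_t toy_key = 0x9E3779B97F4A7C15ULL; /* constructed */

/* Derive a PAC_BITS-wide tag from the pointer, a context value (e.g. the
 * stack pointer or a type discriminator) and the key. Constructed fold. */
static uint64_t toy_pac(uint64_t ptr, uint64_t ctx) {
    uint64_t x = ptr ^ ctx ^ toy_key;
    x ^= x >> 32;
    x ^= x >> 16;
    return x & PAC_MASK;
}

/* Like the PAC* instructions: embed the tag in the unused top bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx) {
    uint64_t canonical = ptr & ~(PAC_MASK << PAC_SHIFT);
    return canonical | (toy_pac(canonical, ctx) << PAC_SHIFT);
}

/* Like the AUT* instructions: recompute the tag and compare. On failure real
 * hardware leaves the pointer invalid so that its next use faults; that
 * crash is what makes the check effective. A check whose failure is
 * observable without a crash is a PAC oracle that can be queried. */
bool pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t *out) {
    uint64_t canonical = signed_ptr & ~(PAC_MASK << PAC_SHIFT);
    uint64_t given = (signed_ptr >> PAC_SHIFT) & PAC_MASK;
    if (toy_pac(canonical, ctx) != given)
        return false;
    *out = canonical;
    return true;
}

/* Number of PAC values a guess-by-guess oracle would have to try at most. */
uint64_t pac_search_space(void) { return (uint64_t)1 << PAC_BITS; }

int main(void) {
    uint64_t out, s = pac_sign(0x0000ffff80001000ULL, 42);
    printf("signed=%#llx valid=%d tampered=%d guesses=%llu\n",
           (unsigned long long)s, pac_auth(s, 42, &out),
           pac_auth(s ^ 0x1000, 42, &out),
           (unsigned long long)pac_search_space());
    return 0;
}
```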
We found a way to defeat pointer authentication (and forge kernel pointers from userspace) on the Apple M1 via a new hardware attack.
Here’s how it works: https://t.co/6Kz3jnRtwI
— Joseph Ravichandran (@0xjprx) June 10, 2022
Apple says the risks are low for users
More broadly, the researchers claim that this problem is not limited to the pointer authentication of the M1 chip but concerns all ARM processors that implement the feature. They have alerted ARM chip designers to take this discovery into account in the design of their future chips (or updates) so that new components are more secure.
For its part, Apple reacted by indicating that this vulnerability does not pose an immediate risk to users. A spokesperson for the firm said: “Based on our analysis, as well as the details shared with us by the researchers, we have concluded that this issue poses no immediate risk to our users and is insufficient to bypass device protections on its own.”
MIT researchers and Apple have been working together for several months to fix this flaw or find an alternative. It is possible that the new M2 chip is spared this flaw. During WWDC 2022, Apple also announced that security updates would now be installed automatically on iOS 16, macOS Ventura and iPadOS 16.