Apple M1 chip has an 'unpatchable' security flaw, but don't panic just yet
The M1 exploit uses a hardware trick that can't be fixed via update
The Apple M1 chip has been a wildly successful release for the Cupertino tech giant, but new research from MIT says that the chip powering everything from the Apple MacBook Pro to the latest iPad Air has a major security flaw that by its nature cannot be fixed in a security update.
The flaw was exposed in a new paper from MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) researchers and exploits something known as pointer authentication code (PAC). Essentially, PAC works by checking a digital signature to ensure that a program's code hasn't been changed maliciously.
PACMAN, the exploit that the MIT researchers designed, relies on a combination of software and hardware exploits that test whether a signature is accepted. Since there are only a finite number of possible signatures, PACMAN can try them all and find out which one is valid. A separate software exploit then uses that signature to bypass this final defense mechanism in the M1 chip.
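The sign-and-check scheme described above, as a toy model in C (an added example, not code from the article or the MIT paper). The 16-bit signature width, the mixing function and the sample key are assumptions for illustration; the model shows that a tampered pointer is rejected and that exactly one of the finitely many candidate signatures verifies for a given address.

```c
#include <stdint.h>
#include <stdio.h>
#define PAC_BITS 16                       /* assumed width; the article gives none */
#define ADDR_BITS (64 - PAC_BITS)
#define ADDR_MASK ((UINT64_C(1) << ADDR_BITS) - 1)

/* Stand-in keyed mixer (splitmix64 finalizer); real hardware uses a dedicated cipher. */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= UINT64_C(0xbf58476d1ce4e5b9);
    x ^= x >> 27; x *= UINT64_C(0x94d049bb133111eb);
    return x ^ (x >> 31);
}

/* Signature = truncated keyed hash of (address, context). */
static uint64_t pac_compute(uint64_t addr, uint64_t ctx, uint64_t key) {
    return mix(mix(addr ^ key) ^ ctx) >> ADDR_BITS;
}

/* Sign: place the signature in the unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx, uint64_t key) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | (pac_compute(addr, ctx, key) << ADDR_BITS);
}

/* Authenticate: return 1 and the stripped pointer if the signature matches, else 0. */
int pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t key, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr >> ADDR_BITS) != pac_compute(addr, ctx, key)) return 0;
    *out = addr;
    return 1;
}

/* Count how many of the 2^PAC_BITS candidate signatures verify for one address. */
unsigned count_valid_pacs(uint64_t addr, uint64_t ctx, uint64_t key) {
    unsigned n = 0; uint64_t out;
    for (uint64_t g = 0; g < (UINT64_C(1) << PAC_BITS); g++)
        n += (unsigned)pac_auth((addr & ADDR_MASK) | (g << ADDR_BITS), ctx, key, &out);
    return n;
}

int main(void) {
    uint64_t key = UINT64_C(0x0123456789abcdef);    /* constructed sample key */
    uint64_t good = pac_sign(UINT64_C(0x100004000), 7, key), out = 0;
    printf("genuine pointer accepted: %d\n", pac_auth(good, 7, key, &out));
    printf("signature bit flipped: %d\n", pac_auth(good ^ (UINT64_C(1) << 63), 7, key, &out));
    printf("valid signatures: %u\n", count_valid_pacs(UINT64_C(0x100004040), 7, key));
    return 0;
}
```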
The researchers tested this exploit against the system's kernel – the foundation of any operating system – and found that the exploit gave them kernel-level system access, meaning that it could give an attacker complete control over a system.
"The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system," said MIT CSAIL We've shown that pointer authentication as a last line of defense isn't as absolute as we once thought it was,” said MIT CSAIL Ph.D. student Joseph Ravichandran, a co-lead author of the paper explaining the flaw, which will be presented to the International Symposium on Computer Architecture on June 18th.
"When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger," Ravichandran added.
And since the researchers used a microarchitecture exploit to bypass the PAC security measure, there is no way to "patch" this part of the exploit since it is literally hardwired into the chip itself. Still, the exploit can only work in conjunction with another software exploit. It can't do anything on its own.
Analysis: This sounds bad, but is it?
While this sounds like a serious problem, and it can be, it doesn't mean that everyone's new MacBook Air is open to any cybergang that wants to extort some bitcoin out of people.
The hardware exploit that the researchers used in this case is similar to the Spectre and Meltdown exploits seen in some Intel chips, and while those were a problem, they did not suddenly destroy everyone's computers. The fact is that the vast majority of people are not worth a cybercriminal's time. Why mess with your laptop when someone can lock up an oil pipeline and extort millions of dollars?
Plus, the PAC exploit attacks the last line of defense on an M1 chip (and not just M1 chips, but also any ARM-based processor that uses a PAC security measure, implicating some Qualcomm and Samsung chips as well).
"We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques," an Apple spokesperson told TechRadar. "Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."
This doesn't mean that such an exploit can't be used, but it means that an exploit will have to overcome every other security measure in the system, and Apple systems are fairly well-secured as it is. So while we're pretty sure that Apple will fix this issue in chips going forward, Apple M1 users don't necessarily need to panic over this exploit, especially if they take other preventative safety measures.
John (He/Him) is the Components Editor here at TechRadar and he is also a programmer, gamer, activist, and Brooklyn College alum currently living in Brooklyn, NY.