They discovered a vulnerability in the Apple M1 chip that cannot be patched

Apple’s remarkably fast and efficient M1 chips have been the catalysts behind the recent resurgence of MacBooks, but MIT security researchers have found a loophole in their armor.

Scientists at the Computer Science and Artificial Intelligence Laboratory (CSAIL) of the Massachusetts Institute of Technology in A recent study A vulnerability in what they call the “last line of safety” for the M1 chip. In theory, the flaw could give cybercriminals or malicious hackers a gateway to full access to the core of the underlying operating system.

Before continuing, the owners MacBook M1 You don’t have to worry about their sensitive data being stolen. While this is a serious vulnerability that must be addressed by Apple, some unlikely conditions must be met in order for it to work. First of all, the system under attack must have a current memory corruption error. As such, scientists say there is “no direct cause for concern.”

For its part, Apple thanked the researchers in a statement Take CrunchBut he stressed that the “issue” does not pose an immediate danger to MacBook owners.

“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these technologies,” Apple said. “Based on our analysis, as well as the details that researchers have shared with us, we conclude that this issue does not pose an immediate risk to our users and is insufficient to bypass the operating system’s security protections on its own.”

G/O Media may get commission

Free Mounting Service

Samsung 65″ QLED Smart TV QN95B

The ultimate 4K experience
Brilliant details shine even in daylight with Quantum Matrix Technology. Powered by a huge grid of Samsung’s ultra-precise Quantum Mini LEDs, it takes exact control of the individual zones of light in your picture for breathtaking color and contrast.

Entrando en los aspectos técnicos, el chip M1 de Apple usa algo llamado “Autenticación de puntero” para detectar y protegerse contra cambios inesperados en la memoria. El MIT llama a esto la “última línea de defensa” y dice que puede eliminar errores que normalmente comprometerían un sistema y filtrarían información privada. Lo hace utilizando “PACS” o código de autenticación de puntero (PAC) que verifica los cambios inesperados que resultan de un ataque. Se crea un PAC, o un hash criptográfico utilizado como firma, cuando se considera que un programa es seguro.

Como descubrieron los investigadores, esta línea de defensa se puede romper. Ahí es donde entra en juego el ataque PACMAN del MIT. Esto adivina el valor de un PAC usando un dispositivo de hardware, lo que significa que un parche de software no arreglará el programa. Hay muchos valores posibles de un PAC, pero con un dispositivo que revela si una suposición es correcta o falsa, puede probarlos todos hasta obtener el correcto sin dejar rastro. En este escenario, los fantasmas ganan.

“La idea detrás de la autenticación de punteros es que si todo lo demás ha fallado, aún puede confiar en él para evitar que los atacantes obtengan el control de su sistema. Hemos demostrado que la autenticación de punteros como última línea de defensa no es tan absoluta como alguna vez pensamos que era”, dijo el estudiante de Ph.D. (doctorado) en el MIT CSAIL Joseph Ravichandran y coautor principal del estudio.

“Cuando se introdujo la autenticación de puntero, toda una categoría de errores de repente se volvió mucho más difícil de usar para los ataques. Con PACMAN haciendo que estos errores sean más serios, la superficie de ataque general podría ser mucho mayor”, agregó Ravichandran.

Dado que la autenticación de puntero se usa para proteger el kernel del sistema operativo central, omitirlo podría dar acceso a los atacantes a las partes sensibles de un sistema. Como señalan los investigadores: “un atacante que obtiene el control del kernel puede hacer lo que quiera en un dispositivo”.

En esta prueba de concepto, los investigadores demostraron que el ataque PACMAN podría usarse para atacar el kernel, lo que tiene “implicaciones masivas para el trabajo de seguridad futuro en todos los sistemas ARM With pointer authentication enabled. Future CPU designers should be careful considering this attack when building secure systems in the future,” Ravichandran cautioned. “Developers should be careful not to rely solely on pointer authentication to protect their software.”

Apple uses pointer authentication on all of its ARM-based chips, including M1, M1 Pro and M1 Max. The Massachusetts Institute of Technology said it had not tested this attack on M2 . processor Newly revealed to enable The New MacBook Air and MacBook Pro 13. Qualcomm and Samsung aa number Advertise themselves Processors that use this security function.

The researchers identified three ways to prevent such an attack in the future. One way is to modify the software so that the results of the PAC check are never performed under guesswork, which means that the attacker will not be able to take cover while trying to infiltrate. Another potential solution is to defend against PACMAN in the same way Specter vulnerabilities are mitigated. Finally, correcting memory corruption errors will ensure that this last line of defense is not needed.

apple wins a A lawsuit over the flaws of Specter and Meltdown Security

In related news, a judge has dismissed a class action lawsuit against Apple for allegedly selling iPhones and iPads to customers with processors that were vulnerable to devastating Specter and Meltdown flaws. Federal District Judge Edward Davila in San Jose, California (US) held that customers could not prove that they overpaid for the devices because Apple intentionally hid defects, according to reports. Reuters. Nor did they provide sufficient evidence that the security patch applied to those devices made them noticeably slower.