MIT Finds a Hardware Vulnerability in the Apple M1 Chip

The MIT team believes the vulnerability could impact future ARM mobile devices, and likely even future ARM desktop PCs, if it isn't mitigated in future architectures.

Apple M1 chip

Apple’s M1 chip is an amazing piece of technology, but apparently, it isn’t bulletproof. MIT Computer Science & Artificial Intelligence Laboratory (CSAIL) scientists unveiled a new attack methodology that exploits a hardware vulnerability in the Apple M1 chip by using a new PACMAN technique to steal data.

The team claims the attack can even potentially access the core operating system kernel, thus giving attackers full control of a system. However, the software portion of the attack does rely upon an existing memory corruption bug to work, so it isn’t a silver bullet that will bypass all security.

The really problematic part is that the exploit doesn’t require physical access to the machine, so it can be performed remotely. What’s more, the researchers claim the M1’s hardware vulnerabilities can’t be patched with software!

The MIT team also believes the vulnerability could impact future ARM-based mobile devices, and likely even future ARM-based desktop PCs, if it isn’t mitigated in future architectures.

“Any chip that uses speculative execution to evaluate and operate on pointer authentication signed pointers (and handles nested mispredicts eagerly) could potentially be vulnerable to PACMAN,” Joseph Ravichandran, a researcher with the MIT team, told Tom’s Hardware. That means this could possibly impact chips from other vendors, such as Qualcomm, MediaTek and Samsung.

The attack targets ARM’s Pointer Authentication feature through a side-channel attack on the chips’ speculative execution engine. This feature is normally used to verify software with cryptographic signatures called pointer authentication codes (PACs), thus preventing malicious attacks on the memory via software vulnerabilities. These software attacks usually consist of techniques that exploit memory corruption, like buffer overflows, to take full control of a program.

The PACMAN technique comprises “guessing” a value for the PAC while using a speculative execution attack, much like we see with Spectre and Meltdown, to leak the PAC verification results via “microarchitectural side channels.” This then allowed the researchers to find the correct PAC value, thus sidestepping protection against software vulnerabilities.

However, and here’s some good news, such an attack would require an existing memory corruption bug in the software to work. “PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug’s true potential for use in an attack by finding the correct PAC,” the researchers said, adding that the PACMAN attack works across privilege levels — “implying the feasibility of attacking a PA-enabled operating system kernel.”

The researchers also proposed three methods to protect against the PACMAN attacks. One method, which would affect the performance of the system, is to modify the hardware or software to prevent PAC verification results from being used in the speculative execution process. The other suggestion is to adapt previously-developed Spectre mitigation techniques to PACMAN. Finally, patching memory corruption vulnerabilities would also prevent the attacks.

The team has also managed to reverse-engineer the Apple M1 processors’ memory hierarchy, revealing many previously undisclosed details of the chip’s architecture.

The results of the work have been shared with Apple several months in advance. The iPhone maker on its end acknowledged the vulnerability, adding: “Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”

The work of MIT researchers was partly funded by the National Science Foundation (NSF) and the Air Force Office of Scientific Research (AFOSR).