Vulnerability in Apple M-series chips leaks encryption keys

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,492
A newly discovered vulnerability baked into Apple’s M-series chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations. The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations.

The attack, which the researchers have named GoFetch, uses an application that doesn’t require root access, only the same user privileges needed by most third-party applications installed on a macOS. M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster—even when on separate cores within that cluster—GoFetch can mine enough secrets to leak encryption keys.

The attack works against both classical encryption algorithms and a newer generation of encryption that has been hardened to withstand anticipated attacks from quantum computers.
 

vtqhtr413

In mid-March, researchers from several U.S. universities published a paper demonstrating a hardware vulnerability in Apple’s “M” series CPUs. These CPUs, based on the ARM architecture and designed by Apple, power most of its newer laptops and desktops, as well as some iPad models. The issue could potentially be exploited to break encryption algorithms. The attack that uses this vulnerability was dubbed “GoFetch”.

The combination of a juicy topic and a big-name manufacturer like Apple led to this highly technical paper being picked up by a wide range of media outlets — both technical and not so much. Many ran with alarmist headlines like “Don’t Trust Your Private Data to Apple Laptops”. In reality, the situation isn’t quite that dire. However, to really get to the bottom of this new problem, we need to delve a little into how CPUs work — specifically by discussing three concepts: data prefetching, constant-time programming, and side-channel attacks. As always, we’ll try to explain everything in the simplest terms possible.
 
