A team of university security researchers discovered a chip-level exploit in Apple Silicon Macs. The group says the flaw can bypass a computer’s encryption and gain access to its secret keys, exposing your Mac’s personal data to attackers. The silver lining is that the exploit requires you to bypass Apple’s Gatekeeper protection, install a malicious app, and then leave that software running for up to 10 hours (along with a host of other complicated conditions), which makes it much less likely you’ll need to worry about the threat in the real world.

The exploit originates from a part of Apple’s M-series chips called the Data Memory-Dependent Prefetcher (DMP). DMPs make processors more efficient by preemptively caching data. They treat data values that look like pointers as pointers, using them to guess what memory the program will access next. This reduces turnaround time and helps lead to reactions like “seriously fast” often used to describe Apple Silicon.

The researchers discovered that attackers can use the DMP to bypass encryption. “Through new reverse engineering, we find that the DMP is activated on behalf of potentially any program and attempts to dereference any data brought into the cache that resembles a pointer,” the researchers wrote. (“Pointers” are addresses signaling where in memory to find specific data.) “This behavior puts a significant amount of program data at risk.”

“This paper shows that the security threat from DMPs is significantly worse than previously thought, and demonstrates the first end-to-end attacks on security-critical software using the Apple M-series DMP,” the group wrote.

The researchers called the attack GoFetch and created an app that accesses a Mac’s protected data without even requiring root access. Ars Technica Security Editor Dan Goodin explains, “M-series chips are divided into so-called clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch application and the target cryptographic application are running on the same performance cluster – even when they are on separate cores within that cluster – GoFetch can mine enough secrets to leak a secret key.”

The details are very technical, but the Ars Technica write-up is worth a read if you want to venture much deeper into the weeds.

But there are two key takeaways for the layperson: Apple can’t do much to fix existing chips with software updates (at least not without significantly slowing the performance Apple Silicon is known for), and as long as you have Apple’s Gatekeeper turned on (the default), you are unlikely to install malicious apps in the first place. Gatekeeper only allows apps from the Mac App Store and non-App Store installations from registered Apple developers. (You may want to be extra careful when manually approving apps from unregistered developers in macOS Security Settings.) If you don’t install malicious apps outside of these restrictions, the chances seem pretty slim that this will ever affect your M-series Mac.

https://www.engadget.com/apple-silicon-has-a-hardware-level-exploit-that-could-leak-private-data-174741269.html?src=rss