Unfortunately this is not true. Physical access is not required. It's possible to execute the DMP attack remotely. Remote access is enough. Check the demo here: https://gofetch.fail/
Not sure why some articles are spreading lies.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys
- Thread starter MacRumors
- Start date
- Sort by reaction score
Not sure why some articles are spreading lies.
What makes you say that? Anyone can spend $99 and get a developer license, to sign their software. Signing software (and even having it reviewed via Apple) absolutely won't stop this.
From what I am understanding, this requires code to be running locally on the machine. So this would be used as part of an exploit chain when malware has already been able to execute.
The problem here is that no software should be able to access the private keys ever, and if software is allowed to run which makes guesses at memory addresses, it can build a list of addresses that worked into the correct key.
So it's not great but it's not a direct danger to users on its own, the user would have already been compromised.
This would be a much bigger danger on servers but fortunately Apple got out of the server business. Not many Apple servers publicly exposed, I would imagine.
Someone correct me if I'm interpreting this incorrectly.
This is false. E.g., you can't extract a private key from the secure enclave using this vulnerability.
It is real, but also requires the attacker get a malicious binary on the victim's machine. In that there are already a lot of possible attack vectors.
Unless someone figures out how to chain this through a browser exploit
But as I said earlier it’s likely apple will mitigate this in the os and let the machines take a bit of a performance hit
Many private keys are not in the secure enclave. If the software keeps the private key in-memory - which is the case for majority of programs when running - it can be extracted with this method.
This is totally true. And it's not that hard to deliver malicious binary to casual user.
Not the same as being unable to mitigate in software, but, as Arstechnica noted, it’ll be a performance hit on everything using encryption to do it
It was described in the article on the other major Apple rumor site. Not sure if I can post links to the other site.
Incorrect. Signed software can also execute this exploit. However, it is less likely for two reasons: (1) Apple will probably add heuristics to Notarization to detect this; (2) the signing certificate would reveal who the attacker is.
However, apropos (2) malicious binaries have been signed with a stolen certificate before.
In the hardware, yes. In the software there are possibilities how to overcome it.
On M3 software developers can set DIT bit. On M2 and M1 developers can use efficiency cores in order to bypass this bug.
oh boy. more bad luck or news for Apple in 3024.
looks like I have to wait for the M4 to buy my first APPLE silicon Mac.
looks like I have to wait for the M4 to buy my first APPLE silicon Mac.
Is this one of those vulnerabilities that could actually become an issue for real-world users, or a "vulnerability" that only works under very specific laboratory conditions that would never affect 99.99% of people using an Apple Silicon Mac? 🤔
Please, give some examples where dropped the ball on security in ways that it harmed a large number of users.
I skimmed parts of the paper. It looks like the issue affects 13th gen Intel processors as well. Possibly more processors.
Some of qualcomm’s latest ARM chips too I believe
I edited my comment after visiting the site. I’m not sure if other articles are spreading lies as much as misunderstanding what is needed for an attack. There’s a difference between lying and ignorance.
Incompetence is a safer assumption than malice.
Last edited:
The chances anyone successfully targets you and pulls this hack off are even greater than one in a quadrillion, in my estimates. Apple has your back when it comes to layered security.
This is false. The attacker needs to run a process on the machine. Remotely exploitable vulnerabilities are exploitable through only network access. An example is e.g. a vulnerability that allows you to compromise the iMessage app through a maliciously crafted image.
For this vulnerability, you need the user to install a malicious binary or use another (remote) vulnerability to drop and run a binary on the machine. That's not what we call a *remote vulnerability*.
(MacWorld is wrong too, it does not require physical access.)
This one is only half-true. There are not "many possible attack vectors" to PrivEsc and gain admin privileges.
Extracting private key just by running the executable under the user privileges is still a big thing.
Even trusted software may have a security hole - and through such you can run this exploit... So yeah, it is a pretty big deal.
Yes. Attacker needs executable to be run on the target machine. Attacker does not need physical access though. Delivery of the executable can be performed completely remotely.