danieldk

macrumors member
Aug 28, 2009
48
302
Unless someone figures out how to chain this through a browser exploit

Agreed. But if someone gets code with enough privileges running on a machine, it's pretty much game over anyway (there are probably enough local exploits in the black market, let alone that you'll be able to trick people into giving a root password or accessibility access for key logging).

I don't want to downplay this vulnerability. It's bad. But if you read press coverage, it'll read like imminent doom, which is overblown.

Also, we have to see if there are no workarounds. E.g. Pro/Max have two performance clusters. So, certain types of communication between apps could be required to run on separate performance clusters. We don't know if Apple doesn't have a similar undocumented flag on M1/M2. We don't know what is possible through microcode updates, etc. So many unknowns at this point.
 

bodhisattva

macrumors 6502
Dec 7, 2008
265
382
By the way, MacWorld is incorrect here. It does not require physical access. A malicious actor needs to be able to run a process on your machine. This can also be accomplished by tricking the user into installing malware, or by planting malware through vulnerabilities in programs that read untrusted data (web browser, iMessage, etc.).

If you don't install random software from the internet, you should be pretty safe.
"Requires an attacker process to be running on your machine..." Looking at the EU demands and the push to allow 3rd party stores, side loading applications, etc....

 

hacky

Suspended
Jul 14, 2022
647
2,226
Attackers have to: 1. have physical access to the machines and either your account password or an account on the computer to exploit this or 2. otherwise get access to the computer. It looks like it could be done via installed software, although that potential method of attack needs to be confirmed as viable in the “real world”.

Given these constraints, this is going to be an issue for how many people? I’m not minimizing the risk. I’m merely indicating that security vulnerabilities “affect” everyone but only have negative effects on a minority of users. In those cases they can be devastating, but catastrophizing about this is not warranted. Apple will figure out a way to address it.
As said in my previous posts.

This affects everyone. Because prior to this attack, when an attacker gained user privileges, that was all he got. User privileges. Unless he found a PrivEsc exploit to gain admin rights.

With this thing you're able to extract private keys (confidential data) which requires admin rights, just with user privileges.

hacky

Suspended
Jul 14, 2022
647
2,226
"Requires an attacker process to be running on your machine..." Looking at the EU demands and the push to allow 3rd party stores, side loading applications, etc....
Uh... This can be performed even through software available in Apple's App Store. All it takes is a security hole in such software which you can exploit to run your custom code.

EU 3rd party stores have nothing to do with this thing. Also, 3rd party stores are an optional thing. It's your responsibility what you install anyway.
 

danieldk

macrumors member
Aug 28, 2009
48
302
Yes. The attacker needs an executable to be run on the target machine. The attacker does not need physical access though. Delivery of the executable can be performed completely remotely.

Now you need two exploits. Through your reasoning, every locally exploitable vulnerability is also a remotely exploitable vulnerability. Yet, this would be classified as a local vulnerability (which you could exploit if you have a remote vulnerability that allows you to drop and execute a binary).

wilhoitm

macrumors 6502a
Jul 22, 2002
846
1,017
I bet it might be easier to exploit this with Progressive Web Apps! Was Apple right about Security all along?
 

danieldk

macrumors member
Aug 28, 2009
48
302
Extracting a private key just by running an executable under user privileges is still a big thing.

Not just by running an executable. The executable also needs to be able to communicate with a victim process (this implies something that listens on e.g. a UNIX domain socket or network socket) and the victim process needs to pass the data from the malicious process directly to certain crypto primitives. This affects only a small number of applications. And then the exploit can only extract private keys from the victim process, *not* any application on the system (let alone the secure enclave).
 

hacky

Suspended
Jul 14, 2022
647
2,226
Now you need two exploits. Through your reasoning, every locally exploitable vulnerability is also a remotely exploitable vulnerability. Yet, this would be classified as a local vulnerability (which you could exploit if you have a remote vulnerability that allows you to drop and execute a binary).
That's correct. I never said it's a remotely exploitable vulnerability (and if I said so, I'm going to fix my mistake). All I said or wanted to say is that you don't require physical access to the target machine in order to exploit it.

Physical access and a running process on the target machine are two totally different things. You need physical access in order to attack a machine with a Rubber Ducky USB. You don't need it for this exploit though.

frozencarbonite

macrumors 6502
Aug 3, 2006
371
77
so when will the class action or recall be so we can trade in our M1s for an M3?
That sounds like a plan. 😄

[I'm still a little bitter about buying a $3,000 M1 Max machine in 2022, and now we are already up to the M3 chip. Yes, computer tech moves fast, but Apple also seems to be too quick to drop support for past hardware.]

danieldk

macrumors member
Aug 28, 2009
48
302
That's correct. I never said it's a remotely exploitable vulnerability (and if I said so, I'm going to fix my mistake). All I said or wanted to say is that you don't require physical access to the target machine in order to exploit it.

Physical access and a running process on the target machine are two totally different things. You need physical access in order to attack a machine with a Rubber Ducky USB. You don't need it for this exploit though.

I think we are in full agreement. The message I initially reacted to seemed to imply that this was remotely exploitable. I think it does not make sense to fix a message (maybe add an additional remark at the bottom), because it makes it impossible to follow the conversation.

Xiao_Xi

macrumors 68000
Oct 27, 2021
1,509
945
I skimmed parts of the paper. It looks like the issue affects 13th gen Intel processors as well. Possibly more processors.
Intel seems to have included some measures to prevent attacks like this, but I am not sure if these measures protect against this attack.
On Intel processors, DDPs exhibit several properties which are designed to restrict their potential use for side channel attacks. These properties include not operating at supervisor or other privileged modes, preventing cross-domain training, and preventing recursive dereferencing (meaning the DDP will not use the contents of dereferenced memory addresses for further prefetches).

By the way, that documentation is from the end of 2022.

hacky

Suspended
Jul 14, 2022
647
2,226
I think we are in full agreement. The message I initially reacted to seemed to imply that this was remotely exploitable. I think it does not make sense to fix a message (maybe add an additional remark at the bottom), because it makes it impossible to follow the conversation.
In that case we are in full agreement.

Yes, you need to deliver your executable to the target machine be it through
  • another insecure software already running on the machine
  • another exploit
  • social engineering
So yes, it either requires user interaction or another exploit. I'm not saying this HW security vulnerability means all Macs are now going to be hacked. Not at all.

But it's still a very important exploit, especially when it can't be fixed just through the next macOS upgrade.
 

arkitect

macrumors 604
Sep 5, 2005
7,125
13,002
Bath, United Kingdom
That sounds like a plan. 😄

[I'm still a little bitter about buying a $3,000 M1 Max machine in 2022, and now we are already up to the M3 chip. Yes, computer tech moves fast, but Apple also seems to be too quick to drop support for past hardware.]
This is going to make me sound really, really old… which I am! 😁

I do miss the pre-internet days.
I would buy a Mac from my Mac shop… use it until it felt slowish. Then I might even just upgrade the RAM or storage myself. *gasp*

I lived and worked with no idea what the latest and greatest Mac was. What processor it was up to… etc etc.

Just blissful ignorance.

After 3-5 years I'd just buy the latest Mac I could afford.

Life definitely was a lot simpler back then! 🙂

Edit: Spelling