Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys
- Thread starter MacRumors
- Start date
- Sort by reaction score
So when someone breaks into a car, all models of that car are recalled?
Do not be worried. That’s easier said than done with an anxiety disorder, but this will not be an issue for you, unless you happen to be someone extremely famous and a “high value” target. Even then, M3 processors have a built in fix.
Turning off DMP will cripple M3 chips performance so not really a fix.
The idea is turning off prefetching only when doing cryptography. It won’t have any effect on performance-oriented code.
Disabling DMP is meant to severely reduce performance the white paper says "DMP can be disabled on M3 CPUs, but not M1 and M2 chips, the researchers note, adding that disabling DMP is likely to seriously degrade performance" It says third party cryptographic programs can be used to improve implementations to prevent attacks from succeeding. Similar fixes are available for Intel chips too. The thing is Apple will want to I imagine keep the playing field as level as possible as people who just bought a M2 Pro mac Mini or Mac Studio M2 for something like 4K rendering wont be happy.
Maybe I didn’t express my self clearly, I apologize. You would only disable DMP when entering the cryptographic function and reenable it on exit. General performance won’t suffer.
Right! If folks get near the end of the Ars Technica article they'll see this crucial bit of "the sky is not falling" info:
Save the gnashing of the teeth for the gnoshing on your breakfast and enjoy your weekend. Life is still good. ✌️
Yes but since you can’t do that on M1 and M2 this will leave a lot of people with issues of loss of performance as those chips can’t have DMP turned off, even with your workaround (have you got a link to this workaround being effective)
I bought a M2 mac Mini Pro last year and I won’t be updating to a M3 version when or if one appears just to solve this issue. Lots of people won’t I would imagine. Sorry if I didn’t make myself clear either.
Well… Kia and Hyundai cars were recalled to for an exploit with possibility to turn on car without a key as immobilizer was not present due to Brands being cheap…
As a result people got sticker, software update or if not possible - additional hardware level protection 😅
Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge
“The Kia Boyz” have gone viral on TikTok.
Which is still not fully protecting…
At least for cars, companies get their back hurt by having to fix and pay for repairs and specialist work in case of real life hazard, not by sending silent OTA without saying sorry which is common in IT world…
Well… I was about to buy M3 Max and probably will continue to use old buddy (MBP late 2011) for one more year… for stuff I cant do on iPad so 3D slicers for instance as I don’t want to pay VERY BIG money for getting nerf later…
Just convinced, yesterday, a friend to buy a 13” M3 MacBook Air to replace her 2015 intel MacBook. She got 34GB ram and 1TB drive to hope to last the next 9 years. Told her today to cancel her order until more is know.
I am just not sure what this all really means, and a solution to turn off DMP at the app level (if I understand it correctly), does not seem like a good enough option To me. Yes, she is a fastidious user who knows not to download suspicious stuff, but still.
I wonder what this all means for the three M2 MacBooks I have in my family.
I am just not sure what this all really means, and a solution to turn off DMP at the app level (if I understand it correctly), does not seem like a good enough option To me. Yes, she is a fastidious user who knows not to download suspicious stuff, but still.
I wonder what this all means for the three M2 MacBooks I have in my family.
Smells kind of like a hitjob, coupled with DOj investigation, seems like the US government has a bone to pick with Apple for making Taiwan a thorn on their side...
Last edited:
Yes, definitely. This has been said multiple times before. In order to execute this exploit, you need to be able to run your code on the target machine.
We should not downplay the importance of this exploit though, as it is basically unfixable globally. Is it the most scary thing and does it mean all Macs are going to be hacked? Not at all. Is it something completely harmless? Unfortunately no.
Because no one would go in to the business of making computers knowing they would be out of business as soon as an odd exploit like this is found.
I was just thinking that. If it is patched, at least give the option to leave it turned off.
I fully agree. At the same time I don’t see any reason for panicky doomsday attitude that permeates this discussion. Many here would do good to learn from your level-headed posts for example.
Secure computing is tremendously hard and there will be challenges ahead. It is good that we are having this conversations.
I figured as much thanks for looking it up. This is not something anyone needs to be concerned about.
Consider this: Every MacOS and every iOS patch these days contains a number of zero day patches.
Anywhere from 1 - 10.
If you really think about this, there's simply a ton of holes in an unpatchable system.
Once an attacker is on your system, they can use all sorts of ways to get your crypto keys - it's impossible to protect against data theft of any kind if the attacker has access to your system.
Cache attacks are not new, I remember when Intel had their share - Intel never fixed them because the performance hit would be massive. The processor cache and predictive caches have a large effect on performance, they can't just be turned off; at the same time, they tend to store critical data. I think Apple did a lot better here than Intel, Intel's branch prediction would load data and keep it totally unprotected in the cache...
So yeah - worry about zero days - each patch, look at how many zero day exploits were fixed, and what effect they have - most of the time, they are the worst case scenario, "attacker can run arbitrary code on the affected system"
This is a storm in a teacup. People don't realize how bad the security situation already is.
Apple is very quiet about it.
Attackers go for the lowest hanging fruit (pardon the pun)
At this point: SMS on phones have endless holes, they can find new zero days in there, thanks to iMessages huge number of features.
On the Mac, Safari presents a huge attack surface with easily tens of thousands of holes left to plug and new features with new holes constantly added.
Check the OS point updates - each one contains so many critical flaws, all of which can steal your data, and unlike the theoretical exploit in that paper, they're being actively used in the wild.
I am paranoid about zero days - fly by no interaction safari exploits, or spear fishing attacks that are targeted and basically almost impossible to defend against.
Reading this on my 14 year old MacBook Pro 17' with INTEL processor, feeling totally save. I just ordered me a brand new replacement Battery from OWC. Its the third battery now. Since I do all the heavy lifting on my Mac Pro 5.1 , only 12 years old. I guess I will have to wait another two years to switch to Apple Silicon, giving Apple more time again to fix it and work out those kinks. Well Apple take your time, my devices become even more economical over time. Thanks Apple for an 2010 Ecosystem with a very USER-FRIENDLY replaceable Battery, SSD drive Upgrade path, RAM Memory Upgradability and CD/DVD drive that was replaced with a second HDD. Non of which today's devices have.Apple might now decide to switch from Silicon to Intel processors
It shows, how good those devices have been and with how much junk you currently bullS?&%$ today's consumer in the name of Programmed Product Obsolescence. Environmental my ASS......