A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the last line of security” on Apple Silicon.
When designing the M1 chip, Apple created various layers of security, each designed to protect against an attacker who succeeded in penetrating the previous ones. Its final layer is a security feature known as PAC – and this has now been defeated …
Macworld explains:
Pointer Authentication is a security feature that helps protect the CPU against an attacker that has gained memory access. Pointers store memory addresses, and pointer authentication code (PAC) checks for unexpected pointer changes caused by an attack.
However, the team from the Massachusetts Institute of Technology (MIT) managed to defeat PAC with an attack they called PACMAN. The work was performed by researchers in the Computer Science and Artificial Intelligence Laboratory (CSAIL).
MIT CSAIL found that the M1 implementation of Pointer Authentication can be overcome with a hardware attack that the researchers developed […]
PACMAN is an attack that can find the correct value to successfully pass pointer authentication, so a hacker can continue with access to the computer.
MIT CSAIL’s Joseph Ravichandran, who is the co-lead author of a paper explaining PACMAN, said in an MIT article, “When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger.”
According to MIT CSAIL, since its PACMAN attack involves a hardware device, a software patch won’t fix the problem.
The team says that the vulnerability is found in other ARM chips, not just the M1 – but it hasn’t yet had the chance to try it against the M2.
The real-world risk is low because PACMAN requires physical access to a Mac; the attack cannot be carried out remotely.
Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed.
The team has notified Apple, and will reveal more details at the International Symposium on Computer Architecture on June 18. Apple has not commented.
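To make concrete what the pointer authentication check described above protects, here is an added example (not code from MIT CSAIL, Apple or Arm) modelling PAC signing and verification in C; the 48-bit address layout, the toy mixing function and the key and modifier values are assumptions standing in for the real hardware cipher.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed model of ARMv8.3 pointer authentication, not Apple's or Arm's
 * code: 48-bit virtual addresses, PAC stored in the unused bits 48..62
 * (15 bits), bit 63 assumed clear (user-space pointer). */
#define VA_BITS  48
#define PAC_BITS 15
#define VA_MASK  (((uint64_t)1 << VA_BITS) - 1)
#define PAC_MASK (((uint64_t)1 << PAC_BITS) - 1)

/* Toy keyed mixer standing in for the hardware's block cipher (not
 * cryptographically strong). The point is that the PAC depends on the
 * address, a context "modifier" and a key that software cannot read. */
static uint64_t toy_mix(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

static uint64_t compute_pac(uint64_t ptr, uint64_t modifier, uint64_t key) {
    return toy_mix((ptr & VA_MASK) ^ toy_mix(modifier ^ key)) & PAC_MASK;
}

/* Like PACIA: sign a pointer by storing its PAC in the upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key) {
    return (ptr & VA_MASK) | (compute_pac(ptr, modifier, key) << VA_BITS);
}

/* Like AUTIA: recompute and compare; on success *out is the plain address.
 * Real hardware returns no flag: it corrupts the pointer so its next use
 * faults, which is why a wrong guess normally ends in a crash. */
bool pac_auth(uint64_t sgn, uint64_t modifier, uint64_t key, uint64_t *out) {
    if (((sgn >> VA_BITS) & PAC_MASK) != compute_pac(sgn, modifier, key))
        return false;
    *out = sgn & VA_MASK;
    return true;
}

/* Sign n distinct pointers, overwrite the address bits of each as a
 * memory-corruption bug would (old PAC kept) and count how many still
 * authenticate: with a 15-bit PAC, roughly 1 in 32768. */
int tamper_survivors(uint64_t key, uint64_t modifier, int n) {
    int survivors = 0;
    for (int i = 0; i < n; i++) {
        uint64_t s = pac_sign(0x100000000ULL + (uint64_t)i * 16, modifier, key);
        uint64_t forged = (s & ~VA_MASK) | 0x1000ULL, out;
        if (pac_auth(forged, modifier, key, &out)) survivors++;
    }
    return survivors;
}
```

The survivor count shows why a 15-bit PAC is still strong in practice: a corrupted pointer almost always fails the check, and on real hardware each failure is a fault rather than a silent retry.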
PACMAN is the third vulnerability discovered in the M1 chip. In May of last year, security researcher Hector Martin discovered a flaw dubbed M1RACLES, which allowed two apps to covertly exchange data – though he said that the worst-case exploit would be nothing worse than enabling cross-app tracking for targeted ads. He also put together an amusing FAQ on the limited nature of the risk, which reads in part:
Can malware use this vulnerability to take over my computer?
No.
Can malware use this vulnerability to steal my private information?
No.
Can malware use this vulnerability to rickroll me?
Yes. I mean, it could also rickroll you without using it.
Can this be exploited from Javascript on a website?
No.
Can this be exploited from Java apps?
Wait, people still use Java?
Then just last month, a cross-university team discovered a vulnerability dubbed Augury, which again sounded much worse than it is. The bad news is that the chip can leak data at rest, which would bypass many forms of protection. The good news is that the researchers haven’t yet demonstrated any viable exploits, and think it unlikely to be used in practice.