Skip to main content

PACMAN M1 chip attack defeats ‘the last line of security’

A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the last line of security” on Apple Silicon.

When designing the M1 chip, Apple created various layers of security, each designed to protect against an attacker who succeeded in penetrating the previous ones. Its final layer is a security feature known as PAC – and this has now been defeated …

Macworld explains:

Pointer Authentication is a security feature that helps protect the CPU against an attacker that has gained memory access. Pointers store memory addresses, and pointer authentication code (PAC) checks for unexpected pointer changes caused by an attack. 

However, the team from the Massachusetts Institute of Technology (MIT) managed to defeat PAC with an attack they called PACMAN. The work was performed by researchers in the Computer Science and Artificial Intelligence Laboratory (CSAIL).

MIT CSAIL found that the M1 implementation of Pointer Authentication can be overcome with a hardware attack that the researchers developed […]

PACMAN is an attack that can find the correct value to successfully pass pointer authentication, so a hacker can continue with access to the computer.

MIT CSAIL’s Joseph Ravichandran, who is the co-lead author of a paper explaining PACMAN, said in an MIT article, “When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger.”

According to MIT CSAIL, since its PACMAN attack involves a hardware device, a software patch won’t fix the problem.

The team says that the vulnerability is found in other ARM chips, not just the M1 – but it hasn’t yet had the chance to try it against the M2.

The real-world risk is low because PACMAN requires physical access to a Mac; the attack cannot be carried out remotely.

Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed.

The team has notified Apple, and will reveal more details at the International Symposium on Computer Architecture on June 18. Apple has not commented.

PACMAN is the third vulnerability discovered in the M1 chip. In May of last year, security researcher Hector Martin discovered a flaw dubbed M1RACLES, which allowed two apps to covertly exchange data – though he said that the worst-case exploit would be nothing worse than enable cross-app tracking, for targeted ads. He also put together an amusing FAQ on the limited nature of the risk, which reads in part:

Can malware use this vulnerability to take over my computer?
No.

Can malware use this vulnerability to steal my private information?
No.

Can malware use this vulnerability to rickroll me?
Yes. I mean, it could also rickroll you without using it.

Can this be exploited from Javascript on a website?
No.

Can this be exploited from Java apps?
Wait, people still use Java?

Then just last month, a cross-university team discovered a vulnerability dubbed Augury, which again sounded much worse than it is. The bad news is that the chip can leak data at rest – as this would bypass many forms of protection. The good news is that they haven’t yet demonstrated any viable exploits, and thinks it unlikely to be used in practice.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications