San Francisco: Researchers at the Massachusetts Institute of Technology (MIT), including Indian-origin Joseph Ravichandran, have identified a new hardware vulnerability in Apple’s in-house silicon M1 chip that powers Macs.
The threat, dubbed ‘PACMAN’ by PhD student Ravichandran, enables attackers to stop the M1 chip from detecting software bug attacks.
The M1 chip uses a feature called ‘Pointer Authentication’, which acts as a last line of defence against typical software vulnerabilities.
With ‘Pointer Authentication’ enabled, bugs that normally could compromise a system or leak private information are stopped dead in their tracks.
Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory found a crack: their novel hardware attack, called ‘PACMAN’, showed that ‘Pointer Authentication’ can be defeated without even leaving a trace.
Moreover, ‘PACMAN’ utilises a hardware mechanism, so no software patch can ever fix it.
“The idea behind ‘Pointer Authentication’ is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defence isn’t as absolute as we once thought it was,” said Ravichandran, co-lead author of the MIT paper.
“When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With ‘PACMAN’ making these bugs more serious, the overall attack surface could be a lot larger,” he added.
‘Pointer authentication’ is primarily used to protect the core operating system kernel, the most privileged part of the system.
An attacker who gains control of the kernel can do whatever they’d like on a device.
The team showed that the ‘PACMAN’ attack even works against the kernel, which has “massive implications for future security work on all ARM systems with pointer authentication enabled”.
“Future CPU designers should take care to consider this attack when building the secure systems of tomorrow,” Ravichandran said in the paper that was published late on Friday.
“Developers should take care to not solely rely on pointer authentication to protect their software,” he added.
Apple has implemented ‘pointer authentication’ on all of its custom ARM-based silicon so far, including the M1, M1 Pro and M1 Max.
“If not mitigated, our attack will affect the majority of mobile devices, and likely even desktop devices in the coming years,” MIT said in the research paper.
An Apple spokesperson told TechCrunch that the company wants to “thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques”.
“Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own,” the company’s spokesperson added.