mek21 Posted March 22 Share Posted March 22 https://cryptonews.com/news/security-vulnerability-in-apples-m-series-chips-puts-mac-users-crypto-private-keys-at-risk.htm Fundamental Weakness in Apple’s M-Series Chips Security Poses Threat to Crypto Holders Unlike typical vulnerabilities that can be addressed through software patches, this particular flaw resides in the microarchitectural design of the chips themselves, rendering it “unpatchable.” To mitigate the issue, third-party cryptographic software would need to be employed, but this could severely impact the performance of earlier M-series chips, including the M1 and M2. 2 Link to comment https://www.insanelymac.com/forum/topic/359040-security-vulnerability-in-apple%E2%80%99s-m-series-chips-puts-mac-users%E2%80%99-crypto-private-keys-at-risk/ Share on other sites More sharing options...
mhaeuser Posted March 30 Share Posted March 30 *Sigh* - Nobody knows whether this is unpatchable, this is made up by ignorant news outlets. - This has nothing to do with first- vs third-party. - M3 is immune when following the correct guidelines and all Apple cryptographic libraries do. - Stuff like FV2 is done by the SoC. While crypto operations on secret data may require slower algos on M1 and M2, they can be employed very localised. I don’t think general-purpose stuff would really suffer much on average. 1 Link to comment https://www.insanelymac.com/forum/topic/359040-security-vulnerability-in-apple%E2%80%99s-m-series-chips-puts-mac-users%E2%80%99-crypto-private-keys-at-risk/#findComment-2818722 Share on other sites More sharing options...
mek21 Posted April 1 Author Share Posted April 1 On 3/30/2024 at 9:08 AM, mhaeuser said: *Sigh* - Nobody knows whether this is unpatchable, this is made up by ignorant news outlets. - This has nothing to do with first- vs third-party. - M3 is immune when following the correct guidelines and all Apple cryptographic libraries do. - Stuff like FV2 is done by the SoC. While crypto operations on secret data may require slower algos on M1 and M2, they can be employed very localised. I don’t think general-purpose stuff would really suffer much on average. Given the list of researchers: The team of researchers consists of: Boru Chen, University of Illinois Urbana-Champaign Yingchen Wang, University of Texas at Austin Pradyumna Shome, Georgia Institute of Technology Christopher W. Fletcher, University of California, Berkeley David Kohlbrenner, University of Washington Riccardo Paccagnella, Carnegie Mellon University Daniel Genkin, Georgia Institute of Technology And an actual exploit exists: https://gofetch.fail/ It does not appear that this is made up by ignorant news outlets. https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/ Link to comment https://www.insanelymac.com/forum/topic/359040-security-vulnerability-in-apple%E2%80%99s-m-series-chips-puts-mac-users%E2%80%99-crypto-private-keys-at-risk/#findComment-2818812 Share on other sites More sharing options...
mhaeuser Posted April 10 Share Posted April 10 @mek21 Thanks for stating the obvious, you clearly did not understand my post at all. What was made up by ignorant news outlets is that it is unpatchable. This word does not appear in the research at all, the news added it out of the blue. In fact, we now have proof that it is indeed patchable: https://social.treehouse.systems/@marcan/112238385679496096 1 Link to comment https://www.insanelymac.com/forum/topic/359040-security-vulnerability-in-apple%E2%80%99s-m-series-chips-puts-mac-users%E2%80%99-crypto-private-keys-at-risk/#findComment-2819036 Share on other sites More sharing options...
mek21 Posted April 12 Author Share Posted April 12 On 4/10/2024 at 5:41 AM, mhaeuser said: @mek21 Thanks for stating the obvious, you clearly did not understand my post at all. What was made up by ignorant news outlets is that it is unpatchable. This word does not appear in the research at all, the news added it out of the blue. In fact, we now have proof that it is indeed patchable: https://social.treehouse.systems/@marcan/112238385679496096 Refences a linux patch: So yeah, as I predicted, GoFetch is entirely patchable. I'll write up a patch for Linux to hook it up as a CPU security bug workaround. Perhaps you did not understand my post. Link to comment https://www.insanelymac.com/forum/topic/359040-security-vulnerability-in-apple%E2%80%99s-m-series-chips-puts-mac-users%E2%80%99-crypto-private-keys-at-risk/#findComment-2819071 Share on other sites More sharing options...
mhaeuser Posted April 12 Share Posted April 12 (edited) @mek21 So Linux is not software, but a magical unicorn mitigating the vulnerability with fairy dust? Maybe Apple should hire their own fairies… For the people who actually care about the technical facts, likely Apple will augment their current DIT API implementation with toggling this chicken bit next release and that’s the end of it - “unpatchable” vulnerability fully resolved. Edited April 12 by mhaeuser Link to comment https://www.insanelymac.com/forum/topic/359040-security-vulnerability-in-apple%E2%80%99s-m-series-chips-puts-mac-users%E2%80%99-crypto-private-keys-at-risk/#findComment-2819072 Share on other sites More sharing options...
mek21 Posted April 29 Author Share Posted April 29 On 4/12/2024 at 3:44 PM, mhaeuser said: @mek21 So Linux is not software, but a magical unicorn mitigating the vulnerability with fairy dust? Maybe Apple should hire their own fairies… For the people who actually care about the technical facts, likely Apple will augment their current DIT API implementation with toggling this chicken bit next release and that’s the end of it - “unpatchable” vulnerability fully resolved. The point is not well considered as the researchers were not contemplating a patchability issue for users running linux on mac hardware. Link to comment https://www.insanelymac.com/forum/topic/359040-security-vulnerability-in-apple%E2%80%99s-m-series-chips-puts-mac-users%E2%80%99-crypto-private-keys-at-risk/#findComment-2819479 Share on other sites More sharing options...
Recommended Posts