New research conducted by a team of academics from various U.S. universities has unveiled a significant vulnerability in Apple's M-series chips, which are commonly used in MacBook devices. Published on March 21, the report identifies this flaw as a side-channel vulnerability, enabling unauthorized access to confidential encryption keys during the execution of typical encryption protocols.
Unlike conventional vulnerabilities that can be addressed through direct patches, this particular issue stems from deep-seated flaws within the microarchitectural design of the chip itself. Consequently, it is deemed "unpatchable," posing a substantial challenge to rectification efforts.
Effectively mitigating this flaw necessitates the adoption of third-party encryption software, a solution that could substantially impair the performance of Apple's M-series chips, particularly earlier iterations like the M1 and M2 variants. Such revelations underscore noteworthy deficiencies and obstacles within Apple's hardware security framework.
The vulnerability exploits memory access patterns to intercept and extract sensitive information, including encryption keys employed by encrypted applications. This exploit, dubbed the "GoFetch" vulnerability, seamlessly operates within the user's environment and requires only standard user permissions akin to those typically granted to regular applications.
Following the disclosure of this research, users on various online Mac forums have raised concerns regarding the potential implications for security, particularly in relation to the Password Keychain. Speculation has arisen regarding Apple's response, with some users expressing anticipation for direct mitigation measures within the operating system. Others noted Apple's purported prior awareness of the flaw, suggesting that actions such as introducing instructions to disable DMP in the M3 chip may indicate proactive measures undertaken by the company. Previous research on similar vulnerabilities, known as "divination," was cited as early as 2022.
These findings emerge amidst broader legal developments, as Apple faces a comprehensive antitrust lawsuit filed by the U.S. Department of Justice (DOJ). The lawsuit alleges that Apple's App Store policies and perceived "monopoly" unfairly limit competition and hinder innovation. Additionally, the DOJ contends that Apple's restrictions on competing digital wallets and developers' payment services constitute anticompetitive practices.
