Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Unpatchable flaw in M1 chip
- Thread starter drdudj
- Start date
- Sort by reaction score
A link to any aforementioned newsworthy item would be appreciated.
EDIT: That does explain the stock movement today.
EDIT: That does explain the stock movement today.
Here's what i found with 2 seconds of google:
9to5mac.com
And here's the summary:
If someone has unfettered physical access to your machine, you're boned.
This is a hardware hacking attack requires physical access.
The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.
And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.
It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.
PACMAN M1 chip defeats last line of Apple Silicon security
A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the...
9to5mac.com
And here's the summary:
And here's my comments as a network security guy:If someone has unfettered physical access to your machine, you're boned.
This is a hardware hacking attack requires physical access.
The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.
And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.
It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.
Last edited:
People there [https://news.ycombinator.com/item?id=31693490] seem to be much more knowledgable.
what you say makes perfectly good sense to me, and it's kind of like I have always said, "if someone wanted to control my computer, take over my identity for personal gain, why would they waste all their time and effort to rip off my $128 and 23cents, when they can put in the same time and effort to rip off someone who's worth $128 million dollars?Here's what i found with 2 seconds of google:
PACMAN M1 chip defeats last line of Apple Silicon security
A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the...
And here's the summary:
And here's my comments as a network security guy:
If someone has unfettered physical access to your machine, you're boned.
This is a hardware hacking attack requires physical access.
The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.
And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.
It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.
thanxz for the reply
Any attack that gains kernel access is potentially bad.
What's popular with real security professionals is chaining multiple attacks. So, combining zero-day remote exploit + PACMAN kernel attack. You can get a glimpse of chaining attacks at Pwn2Own. Time will tell if it's as bad as Pegasus.
https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
What's popular with real security professionals is chaining multiple attacks. So, combining zero-day remote exploit + PACMAN kernel attack. You can get a glimpse of chaining attacks at Pwn2Own. Time will tell if it's as bad as Pegasus.
https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
Why do it? Because they did it. I think they try to make it up by volume. You never know what you might find on an average 'Joe or Jane's' system. *shrug* Plus it all adds up.
If it requires direct physical contact, then it means it's not as exploitable. Unless you know you do work that is highly sensitive that you need to carry your machine around.
Or your desk is in a more public area. On a Mac, I'd think that any add-on would be seen fairly soon. I was freaked out to find an external credit card skimmer at the local gas station a few years ago. It was obvious it wasn't right, and I moved to a different pump that didn't have the plastic piece on the front of the slot. I told the cashier, and she looked at me with vacant eyes, so I told a few other people there. *yikes* But it made the news that night.
could anyone explain to me what physical access does the attacker has to use in order to hack the chip ? i dont get it
is it sth that can be done without opening the mac ?
is it sth that can be done without opening the mac ?
Probably has it if the vulnerability was:
- Just discovered
- Discovered late in the fab process of the M2
basically it means the exploit requires some kind of physical connection to the machine, vs. a network attack which could be carried out remotely. so for instance there might be some kind of USB or thunderbolt hardware bug that an attacker can leverage to take over the computer if they are able to plug something in.
i suppose an attack like this could also be possible over wifi thru careful crafting of L2 or L1 packets, which would not be possible remotely over the internet.
Here's what i found with 2 seconds of google:
PACMAN M1 chip defeats last line of Apple Silicon security
A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the...
And here's the summary:
And here's my comments as a network security guy:
If someone has unfettered physical access to your machine, you're boned.
This is a hardware hacking attack requires physical access.
The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.
And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.
It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.
The article has been amended as follows:
"
Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed.
"
Also, it states that all ARM chips are affected (not just the M1), and if this is true it means that potentially all Apple devices could be compromised (as well as those of many other vendors).
If all of this is confirmed, it doesn't sound good.
I am looking forward to a statement from Apple.
Last edited:
This article includes a bland statement from Apple:
www.tomshardware.com
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
MIT Finds Apple M1 Vulnerability, Demos PACMAN Attack (Update)
Chomping away at Arm chip security
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
It’s hardly a „security flaw“. The author of the article has stated that in order to carry out this exploit one needs to install a kernel extension. Basically this exploit already requires privileged access to even work. If your machine is so compromised that someone can change your security settings and patch your kernel, they already have your password and can do pretty much anything they want.
Looks like people may not have read the full article. The initial quote that 'Physical access is required' quoted by Macworld is wrong. Here is the snippet from the linked article.
The MIT team does clarify that NO PHYSICAL ACCESS is needed.
```
Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed.
```
PACMAN M1 chip defeats last line of Apple Silicon security (9to5mac.com)
The MIT team does clarify that NO PHYSICAL ACCESS is needed.
```
Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed.
```
PACMAN M1 chip defeats last line of Apple Silicon security (9to5mac.com)
Apple:
"We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques," "Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own."
https://www.bleepingcomputer.com/ne...dware-attack-targets-macs-with-apple-m1-cpus/
Researcher:
“Stay tuned for a more "realistic" follow up
”
"We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques," "Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own."
https://www.bleepingcomputer.com/ne...dware-attack-targets-macs-with-apple-m1-cpus/
Researcher:
“Stay tuned for a more "realistic" follow up
” A kext is not required; they just used one for reverse engineering and to demonstrate their proof of concept.
An attacker could use an existing kernel space buffer overflow to run a speculative branch prediction attack that brute forces pointer authentication. ENOTTY on hacker news explains it well (and was validated by the paper’s author).
But, your point still stands: if an attacker is able to execute arbitrary code in kernel space, you’re already hosed.
So if I’m understanding this correctly, the vulnerability is in pointer authentication itself, which is pretty bad considering the point of pointer authentication is to prevent attacks?
Here's what i found with 2 seconds of google:
PACMAN M1 chip defeats last line of Apple Silicon security
A so-called PACMAN M1 chip attack created by MIT security researchers succeeded in defeating what has been described as “the...
And here's the summary:
And here's my comments as a network security guy:
If someone has unfettered physical access to your machine, you're boned.
This is a hardware hacking attack requires physical access.
The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.
And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.
It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.
From the (possibly updated) article you linked:
"Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed."
(Oops, looks like it took me longer to read that article than others above...)
Not really. What it requires is another security vulnerability. They used a KEXT to create a vulnerability for their proof of concept. This also doesn't require physical access. It requires other vulnerabilities. Physical access is required to execute the proof of concept. They weren't trying to create an exploit but to show that there is a flaw in a security feature of various very modern Arm CPUs including the M1 and probably the M2.
My understanding is that PAC isn't to prevent attacks, but to prevent attacks from progressing further. It's the last lock to pick, not the first.