A new vulnerability was found on M1 Mac and newer models that allow hackers to extract encryption keys. This issue is unpatchable, which means every Mac user could be compromised, but it doesn’t mean you should freak out.
As first reported by Ars Technica, an academic research paper highlights this unpatchable vulnerability that can extract encryption keys from M1 Mac and newer models.
The researcher named this vulnerability GoFetch, a “microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs).”
They have found this issue with M1 Mac devices but found that M2 and M3 CPUs also exhibit “similar exploitable DMP behavior.” They have not tested with other chip variants, such as M1 Max, M2 Pro, etc., but the researchers hypothesize that they’re likely to be exploited as well.
How can you protect your M1 Mac against this attack?
The researchers say that the best way to protect yourself is by constantly updating your Mac to the latest version of macOS. For developers of cryptographic libraries, they can either set the DOIT bit and DIT bit bits, which disable the DMP on some CPUs, such as M3 processors.
Still, the best way to avoid this attack is by preventing others from physically accessing your M1 Mac computer: “Preventing attackers from measuring DMP activation in the first place, for example, by avoiding hardware sharing, can further enhance the security of cryptographic protocols.”
Besides that, there isn’t much more you should do. The researchers warned Apple on December 5, 2023. Although the company hasn’t addressed any public comment on this issue, it’s possible that feature chips – or even software updates could patch this vulnerability.
You can learn more about this issue here.
