Apple Silicon, beware of PACMAN: unsolvable hardware vulnerability


A hardware security flaw has emerged in the Apple Silicon M1 chips that, according to the MIT researchers who discovered it, cannot be fixed with a software patch. She was nicknamed PACMANin honor of one of the first great successful video games, because it concerns the so-called PACs or Pointer Authentication Code. These PACs are or will be implemented in many other ARM-architecture CPUs, so the implications of this discovery could be much broader – but for the moment the only confirmations come from the M1 chips.

As with the very serious Specter and Meltdown that we have seen in the world of x86 processors, the speculative execution – that is the ability of a processor to “guess” what the next operation will be and to execute it in its “free time” (more precisely a cycle in which it would otherwise do nothing) to save precious time. Basically, each pointer of the CPU is associated with an authentication code that ensures its legitimacy: if for some anomaly the values ​​do not match, the processor returns an error which generally results in a crash. A PAC can have up to 65,000 possible values, and researchers have devised a method that allows a malware to try them all without causing crashes – using a “combo” of speculative execution and memory corruption.

Once the malware has found the correct PAC, it can exploit it for execute unauthorized code on the device, with the obvious consequences for its software integrity. According to Apple, PACMAN, which theoretically can also be conducted remotely, does not represent an immediate risk to the security of end users, as it is not in itself sufficient to bypass all the security measures deployed by the operating system. It is important to note that the researchers themselves agree on this point: it is essentially necessary to start from another coexisting flaw or bug to launch an attack.

At this point it is difficult to understand exactly the extent of the vulnerability. Apple uses the PAC on all iterations of Apple’s Silicon M1, including the Pro, Max, and Ultra, and that’s where the direct feedback ends. The PAC is also present in the M2 chips so it is safe to assume that they too are vulnerable, even if as we said they have not yet been tested. For other manufacturers in the industry, such as Samsung, MediaTek and Qualcomm, there are either official confirmations of future adoption or very solid predictions / rumors. Ultimately, this technology was intended as a last line of defense to ensure the safety of an electronic device, but unfortunately it did not turn out to be as solid as hoped.

Previous articleHow to activate and customize the dark mode of Windows 11
Next articleResearchers demonstrate how Bluetooth can be used to track mobile devices
Expert tech and gaming writer, blending computer science expertise