Every time new hardware is made available to a mass public, these copies are usually inspected by third parties who seek to test their security mechanisms.
Researchers at the Massachusetts Institute of Technology Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) discovered that Apple’s M1 chip has a security flaw that cannot be fixed by software patches, but was quickly listed as harmless by its manufacturer.
PACMAN, the vulnerability detected in the M1 chip
The M1 is an Apple-designed chip based on the ARM architecture and implemented in various Mac and iPad models. After its launch in 2020, it has garnered generally positive reviews, thanks to its good performance and efficiency.
By subjecting this chip to a security audit, MIT CSAIL researchers discovered that pointer authentication, a function that acts as a last line of defense against typical software vulnerabilities, can be bypassed through a special hardware attack. In this case, the MIT CSAIL-created instance, named PACMAN, was able to demonstrate its ability to find the correct value to successfully pass pointer authentication.
A Pointer Authentication Code (PAC for short) is a signature that verifies that the state of running software has not been maliciously altered. By cracking this code, the attacker has the key to decrypt any encrypted data that passes through the chip.
The team demonstrated that it is possible to “guess” a value for the PAC and reveal whether or not the guess was correct through a hardware-side channel. The most exposed part of this is that there is only a limited number of possible values for this code, a condition that makes it possible to try all possible variables until the correct one is found, without leaving a trace.
Although this possibility is open, PACMAN is not a magical portal to bypass all the security of the M1 chip. PACMAN can only take an already existing bug in the installed software. According to the scientists, there is no immediate cause for alarm, since PACMAN cannot compromise a system without an existing software bug.
Apple received notification of this vulnerability, responding via a press release with a message intended to convey reassurance. “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis, as well as details shared with us by researchers, we have concluded that this issue does not pose an immediate risk to our users and is insufficient to bypass security protections of the operating system itself.the company noted.
It should be noted that although the aforementioned Apple chip was used for these tests, what this vulnerability does is bring out a problem in the design of the ISA ARM architecture, also affecting chips from other manufacturers.