A so-called PACMAN M1 chip attack, created by MIT security researchers, managed to defeat what has been described as “the last line of security” on Apple Silicon.
When designing the M1 chip, Apple created several layers of security, each designed to protect against an attacker who managed to penetrate the previous one. The final tier is a security feature known as PAC – and it’s now defeated…
Pointer authentication is a security feature that helps protect the CPU from an attacker who has gained memory access. Pointers store memory addresses, and a pointer authentication code (PAC) lets the hardware detect unexpected pointer changes caused by an attack.
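To make the mechanism concrete, here is a toy model of PAC sign and authenticate in C. This is an added illustration, not code from the article or from Apple; the key, the addresses and the keyed fold function are constructed stand-ins for the QARMA-based hardware implementation and are not a secure MAC.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model of ARMv8.3 pointer authentication (PAC) as used on Apple Silicon.
 * Real hardware derives the PAC with the QARMA block cipher and per-process
 * keys held in system registers; the keyed xor/fold below is a stand-in. */

#define VA_BITS   48                            /* address bits actually used */
#define ADDR_MASK ((1ULL << VA_BITS) - 1)
#define PAC_MASK  (~ADDR_MASK)                  /* top 16 bits carry the PAC */

static const uint64_t pac_key = 0x9E3779B97F4A7C15ULL;   /* constructed key */

static uint64_t toy_pac(uint64_t addr, uint64_t modifier) {
    uint64_t x = addr ^ pac_key ^ ((modifier << 13) | (modifier >> 51));
    x ^= x >> 32;
    x ^= x >> 16;                               /* xor-fold down to 16 bits */
    return (x & 0xFFFF) << VA_BITS;
}

/* Like the PACIA instruction: embed a PAC bound to a context modifier (for
 * return addresses, the stack pointer) in the pointer's unused high bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | toy_pac(addr, modifier);
}

/* Like AUTIA: recompute and compare. On mismatch the hardware does not trap
 * here; it hands back a non-canonical pointer so the later use faults. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr & PAC_MASK) == toy_pac(addr, modifier))
        return addr;
    return addr | (1ULL << 63);                 /* poisoned pointer */
}

bool pac_is_valid(uint64_t signed_ptr, uint64_t modifier) {
    return (pac_auth(signed_ptr, modifier) >> 63) == 0;
}

int main(void) {
    uint64_t fn = 0x00007FFF12345678ULL;        /* constructed code address */
    uint64_t sp = 0x00007FFEDEADB000ULL;        /* constructed modifier */
    uint64_t s  = pac_sign(fn, sp);
    printf("signed   %016llx valid=%d\n", (unsigned long long)s, pac_is_valid(s, sp));
    /* A corruption bug that edits the target, or a pointer replayed under a
     * different context, fails the check; only 16 bits stand in the way. */
    printf("modified %016llx valid=%d\n", (unsigned long long)(s ^ 0x10), pac_is_valid(s ^ 0x10, sp));
    printf("replayed %016llx valid=%d\n", (unsigned long long)s, pac_is_valid(s, sp + 16));
    return 0;
}
```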
However, the Massachusetts Institute of Technology (MIT) team managed to defeat PAC with an attack they dubbed PACMAN. The work was performed by researchers at the Computer Science and Artificial Intelligence Laboratory (CSAIL).
MIT CSAIL found that the M1 implementation of Pointer Authentication can be overcome with a hardware attack that the researchers developed […]
PACMAN is an attack that can find the right value to successfully pass the pointer authentication so that a hacker can gain access to the computer.
Joseph Ravichandran of MIT CSAIL, co-lead author of a paper explaining PACMAN, said in an MIT article, “When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. Now that PACMAN makes these bugs more serious, the total attack surface could be a lot bigger.”
According to MIT CSAIL, a software patch will not solve the problem, as the PACMAN attack involves a hardware device.
The team says the vulnerability has been found in other ARM chips, not just the M1 — but it hasn’t had a chance to test it against the M2 yet.
The real-world risk is low because PACMAN requires physical access to a Mac; the attack cannot be performed remotely.
The team has notified Apple and will reveal more details at the International Symposium on Computer Architecture on June 18. Apple has not commented.
PACMAN is the third vulnerability discovered in the M1 chip. In May last year, security researcher Hector Martin discovered a flaw called M1RACLES, which allowed two apps to covertly exchange data. He also put together a funny FAQ about the limited nature of the risk, which reads in part:
Can malware use this vulnerability to take over my computer?
Can malware use this vulnerability to steal my private information?
Can malware use this vulnerability to rickroll me?
Yes. I mean, it can also rickroll you without using it.
Can this be exploited from within Java apps?
Wait, do people still use Java?
Last month, a cross-university team discovered a vulnerability called Augury, which again sounded much worse than it is. The bad news is that the chip can leak data at rest, as this would circumvent many forms of protection. The good news is that they haven’t demonstrated any viable exploits yet and think it’s unlikely to be used in practice.