April 29, 2024 By Sue Poremba 3 min read

The “need for speed” is having a negative impact on many Mac users right now.

The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, leading an attacker to reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips data memory-dependent prefetcher (DMP).

DMP’s benefits and vulnerabilities

DMP predicts memory addresses that the code is most likely to access by scanning the cache and prefetching that information. This technology gives Apple users improved computer speed and overall computing performance. That intuitive computing is one of the benefits of using Apple products for their enhanced efficiency and productivity.

However, the GoFetch vulnerability in DMP has turned the positives into a serious liability. As described by Ars Technica, GoFetch, a side-channel flaw, “allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.” Simply, data stored in the M-chips can be mistaken for a legitimate memory address and cached. However, if a malicious app gains access through the vulnerability, it can repeatedly push this error and eventually decrypt the key. A group of researchers found that the vulnerability actually “poses severe risks to the constant-time coding paradigm.”

Critically, the GoFetch vulnerability stems from the core design of the M-series chips, meaning Apple cannot fix the weakness with a simple software patch. Instead, any mitigation will require a protective code added to third-party encryption software. This could drastically slow performance, particularly on older M1 and M2 Mac models.

Performance versus security in vulnerability management

The GoFetch vulnerability highlights a long-standing problem for developers, IT and security teams: balancing the importance of security versus performance. In this case, the vulnerability management around GoFetch would have a negative impact on the performance of Mac computers (other Apple devices, like iPads, don’t appear to be impacted yet). Speed is the selling point for chip makers; computer speed is vital to productivity. But it also means that security takes a back seat.

By sacrificing security in preference for performance, users are exposed to attacks on their encryption keys, potentially compromising sensitive data.

Fixing the security in chip development would require manufacturers to share details about chip development, but it would also mean vulnerability management could be implemented much earlier. In the long run, that will improve performance.

The solution for GoFetch

GoFetch is a hardware flaw, so there is no easy fix; developers can’t simply update the software code and send it out to users as they can with SaaS.

Apple has stated that if users with an M-3 chip device enable data-independent timing (DIT), they will be able to disable DMP and add security: “With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data.”

But that doesn’t help those with M1 and M2 devices, and the researchers admit that disabling DMP is a drastic move for M3 devices. They suggest other defense approaches that include:

  • Using efficiency cores by running all cryptographic code on Icestorm cores, which doesn’t require user code changes
  • Applying cryptographic blinding-like techniques to add/remove masks to sensitive values before/after being stored/loaded from memory
  • Hardware support that broadens third-party contracts to address DMP vulnerabilities

As of this writing, there have been no reports of a major cyberattack around the GoFetch vulnerability, but it is only a matter of time. Any organization or user using Mac devices will want to step up their defenses and be aware of the potential risk because, as the researchers concluded, “DMPs pose a significant security threat to modern software, breaking a wide variety of state-of-the-art cryptographic implementations.”

More from News

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Has BlackCat returned as Cicada3301? Maybe.

4 min read - In 2022, BlackCat ransomware (also known as ALPHV) was among the top malware types tracked by IBM X-Force. The following year, the threat actor group added new tools and tactics to enhance BlackCat's impact. The effort paid off — literally. In March 2024, BlackCat successfully compromised Change Healthcare and received a ransom payment of $22 million in Bitcoin. But here's where things get weird: Immediately after taking payment, BlackCat closed its doors, citing "the feds" as the reason for the…

Biden-⁠Harris administration releases roadmap to enhance internet routing

2 min read - The Biden-Harris Administration has taken another step toward improving the nation’s cybersecurity. In September, the White House Office of the National Cyber Director (ONCD) announced it was putting policies in place to address a key security vulnerability associated with the Border Gateway Protocol (BGP). BGP is a set of rules that helps the internet work by selecting the best route for data to travel between networks. It is a fundamental protocol that allows networks to communicate with each other. However,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today