April 29, 2024 By Sue Poremba 3 min read

The “need for speed” is having a negative impact on many Mac users right now.

The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, leading an attacker to reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips data memory-dependent prefetcher (DMP).

DMP’s benefits and vulnerabilities

DMP predicts memory addresses that the code is most likely to access by scanning the cache and prefetching that information. This technology gives Apple users improved computer speed and overall computing performance. That intuitive computing is one of the benefits of using Apple products for their enhanced efficiency and productivity.

However, the GoFetch vulnerability in DMP has turned the positives into a serious liability. As described by Ars Technica, GoFetch, a side-channel flaw, “allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.” Simply, data stored in the M-chips can be mistaken for a legitimate memory address and cached. However, if a malicious app gains access through the vulnerability, it can repeatedly push this error and eventually decrypt the key. A group of researchers found that the vulnerability actually “poses severe risks to the constant-time coding paradigm.”

Critically, the GoFetch vulnerability stems from the core design of the M-series chips, meaning Apple cannot fix the weakness with a simple software patch. Instead, any mitigation will require a protective code added to third-party encryption software. This could drastically slow performance, particularly on older M1 and M2 Mac models.

Performance versus security in vulnerability management

The GoFetch vulnerability highlights a long-standing problem for developers, IT and security teams: balancing the importance of security versus performance. In this case, the vulnerability management around GoFetch would have a negative impact on the performance of Mac computers (other Apple devices, like iPads, don’t appear to be impacted yet). Speed is the selling point for chip makers; computer speed is vital to productivity. But it also means that security takes a back seat.

By sacrificing security in preference for performance, users are exposed to attacks on their encryption keys, potentially compromising sensitive data.

Fixing the security in chip development would require manufacturers to share details about chip development, but it would also mean vulnerability management could be implemented much earlier. In the long run, that will improve performance.

The solution for GoFetch

GoFetch is a hardware flaw, so there is no easy fix; developers can’t simply update the software code and send it out to users as they can with SaaS.

Apple has stated that if users with an M-3 chip device enable data-independent timing (DIT), they will be able to disable DMP and add security: “With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data.”

But that doesn’t help those with M1 and M2 devices, and the researchers admit that disabling DMP is a drastic move for M3 devices. They suggest other defense approaches that include:

  • Using efficiency cores by running all cryptographic code on Icestorm cores, which doesn’t require user code changes
  • Applying cryptographic blinding-like techniques to add/remove masks to sensitive values before/after being stored/loaded from memory
  • Hardware support that broadens third-party contracts to address DMP vulnerabilities

As of this writing, there have been no reports of a major cyberattack around the GoFetch vulnerability, but it is only a matter of time. Any organization or user using Mac devices will want to step up their defenses and be aware of the potential risk because, as the researchers concluded, “DMPs pose a significant security threat to modern software, breaking a wide variety of state-of-the-art cryptographic implementations.”

More from News

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today