A vulnerability in one of the security systems on Apple’s M1 chips was discovered by researchers at the Massachusetts Institute of Technology (MIT). The flaw allows hackers to discover the pointer authentication code (known by the acronym PAC), a feature that prevents attacks based on injecting malicious code into the memory of devices. Because PAC is a security feature built into the chip itself, that is, a protection implemented in the hardware, it is not possible to correct this vulnerability through system updates.
Generally, when a malicious program tries to inject code into device memory, it needs to know this pointer authentication code to succeed. If the code is incorrect, the program crashes and the PAC is changed. The researchers managed to create an attack that circumvents this locking mechanism and discovers the pointer authentication code.
Apple devices with M1 chip are affected by vulnerability — Photo: Disclosure / Apple
They took advantage of a feature of chips with ARM architecture called speculative execution: basically, these processors execute instructions before it is known whether they will actually be needed, in order to make tasks faster. In other words, the processor prepares for possible upcoming actions before they are requested.
Thus, they test various pointer authentication codes and can tell whether a guess is correct or not from the result of the speculation performed by the chip itself. This attack was dubbed PACMAN by the researchers.
By itself, the PACMAN attack is not able to penetrate the computer system. The M1 chip has several layers of protection, the last of which is the PAC. Thus, PACMAN is only useful if a malicious program has already broken through all other layers and needs to defeat pointer authentication protection. The PACMAN attack will only be responsible for breaking the last security barrier for this malicious program.
2020 MacBook Air, MacBook Pro and Mac mini with M1 chip — Photo: Handout/Apple
The flaw can affect all Apple devices with M1, M1 Pro and M1 Max chip such as iPad, MacBook Pro, MacBook Air, iMac, Mac Studio and Mac mini. However, the team responsible for PACMAN warns that the vulnerability could affect not only Apple chips, but all other ARM architecture processors that use pointer authentication as a security device and have speculative execution. It has not yet been possible, however, to test whether PACMAN is effective on M2 chips, Apple’s new processors that were recently announced.
In a note sent to the website TechCrunch, Apple spokesman Scott Radcliffe said he thanks the researchers for collaborating on the proof of concept to advance understanding of these techniques. He also said that, according to the analysis of the Apple team, together with the details shared by the MIT researchers, they concluded that this problem does not put any user at immediate risk and that this attack is insufficient to break all the security of the operating system.