Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

drdudj

macrumors regular
Original poster
Mar 7, 2021
149
131
Oregon
MIT researchers found an un-patchable flaw in the M1 chip's pointer authentication code, or PAC. any comments/opinions?

curious here.
 

JahBoolean

Suspended
Jul 14, 2021
552
425
A link to any aforementioned newsworthy item would be appreciated.

EDIT: That does explain the stock movement today.
 

throAU

macrumors G3
Feb 13, 2012
9,199
7,354
Perth, Western Australia
Here's what i found with 2 seconds of google:



And here's the summary:

And here's my comments as a network security guy:

If someone has unfettered physical access to your machine, you're boned.

This is a hardware hacking attack requires physical access.

The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.

And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.

It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.
 
Last edited:

drdudj

macrumors regular
Original poster
Mar 7, 2021
149
131
Oregon
Here's what i found with 2 seconds of google:



And here's the summary:


And here's my comments as a network security guy:

If someone has unfettered physical access to your machine, you're boned.

This is a hardware hacking attack requires physical access.

The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.

And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.

It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.
what you say makes perfectly good sense to me, and it's kind of like I have always said, "if someone wanted to control my computer, take over my identity for personal gain, why would they waste all their time and effort to rip off my $128 and 23cents, when they can put in the same time and effort to rip off someone who's worth $128 million dollars?

thanxz for the reply
 
  • Like
Reactions: Cape Dave and Wizec

mi7chy

macrumors G4
Oct 24, 2014
10,622
11,294

PinkyMacGodess

Suspended
Mar 7, 2007
10,271
6,228
Midwest America.
what you say makes perfectly good sense to me, and it's kind of like I have always said, "if someone wanted to control my computer, take over my identity for personal gain, why would they waste all their time and effort to rip off my $128 and 23cents, when they can put in the same time and effort to rip off someone who's worth $128 million dollars?

thanxz for the reply

Why do it? Because they did it. I think they try to make it up by volume. You never know what you might find on an average 'Joe or Jane's' system. *shrug* Plus it all adds up.
 
  • Like
Reactions: JMacHack

PinkyMacGodess

Suspended
Mar 7, 2007
10,271
6,228
Midwest America.
If it requires direct physical contact, then it means it's not as exploitable. Unless you know you do work that is highly sensitive that you need to carry your machine around.

Or your desk is in a more public area. On a Mac, I'd think that any add-on would be seen fairly soon. I was freaked out to find an external credit card skimmer at the local gas station a few years ago. It was obvious it wasn't right, and I moved to a different pump that didn't have the plastic piece on the front of the slot. I told the cashier, and she looked at me with vacant eyes, so I told a few other people there. *yikes* But it made the news that night.
 

Love-hate 🍏 relationship

macrumors 68040
Sep 19, 2021
3,057
3,235
could anyone explain to me what physical access does the attacker has to use in order to hack the chip ? i dont get it

is it sth that can be done without opening the mac ?
 

joeblough

macrumors 6502a
Sep 30, 2006
619
439
could anyone explain to me what physical access does the attacker has to use in order to hack the chip ? i dont get it

is it sth that can be done without opening the mac ?

basically it means the exploit requires some kind of physical connection to the machine, vs. a network attack which could be carried out remotely. so for instance there might be some kind of USB or thunderbolt hardware bug that an attacker can leverage to take over the computer if they are able to plug something in.

i suppose an attack like this could also be possible over wifi thru careful crafting of L2 or L1 packets, which would not be possible remotely over the internet.
 

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
Here's what i found with 2 seconds of google:



And here's the summary:


And here's my comments as a network security guy:

If someone has unfettered physical access to your machine, you're boned.

This is a hardware hacking attack requires physical access.

The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.

And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.

It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.

The article has been amended as follows:
"
The real-world risk is low because PACMAN requires physical access to a Mac; the attack cannot be carried out remotely.
Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed.
"

Also, it states that all ARM chips are affected (not just the M1), and if this is true it means that potentially all Apple devices could be compromised (as well as those of many other vendors).

If all of this is confirmed, it doesn't sound good.
I am looking forward to a statement from Apple.
 
Last edited:
  • Wow
  • Like
Reactions: sorgo † and Yurk

Wando64

macrumors 68020
Jul 11, 2013
2,338
3,109
This article includes a bland statement from Apple:

“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
 
  • Sad
Reactions: sorgo †

leman

macrumors Core
Oct 14, 2008
19,521
19,677
It’s hardly a „security flaw“. The author of the article has stated that in order to carry out this exploit one needs to install a kernel extension. Basically this exploit already requires privileged access to even work. If your machine is so compromised that someone can change your security settings and patch your kernel, they already have your password and can do pretty much anything they want.
 

oz_rkie

macrumors regular
Apr 16, 2021
177
165
Looks like people may not have read the full article. The initial quote that 'Physical access is required' quoted by Macworld is wrong. Here is the snippet from the linked article.

The MIT team does clarify that NO PHYSICAL ACCESS is needed.

```
Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed.
```

PACMAN M1 chip defeats last line of Apple Silicon security (9to5mac.com)
 
  • Like
Reactions: h0ndaf4n

mabaker

macrumors 65816
Jan 19, 2008
1,215
580
It's sad that the chip designed to be impenetrable it's already hacked.
 

PinkyMacGodess

Suspended
Mar 7, 2007
10,271
6,228
Midwest America.
Or your desk is in a more public area. On a Mac, I'd think that any add-on would be seen fairly soon. I was freaked out to find an external credit card skimmer at the local gas station a few years ago. It was obvious it wasn't right, and I moved to a different pump that didn't have the plastic piece on the front of the slot. I told the cashier, and she looked at me with vacant eyes, so I told a few other people there. *yikes* But it made the news that night.

SEE SOMETHING, SAY SOMETHING!
 

bogdanw

macrumors 603
Mar 10, 2009
6,118
3,029
Apple:
"We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques," "Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own."
https://www.bleepingcomputer.com/ne...dware-attack-targets-macs-with-apple-m1-cpus/
Researcher:
“Stay tuned for a more "realistic" follow up :)
 

altaic

Suspended
Jan 26, 2004
712
484
It’s hardly a „security flaw“. The author of the article has stated that in order to carry out this exploit one needs to install a kernel extension. Basically this exploit already requires privileged access to even work. If your machine is so compromised that someone can change your security settings and patch your kernel, they already have your password and can do pretty much anything they want.
A kext is not required; they just used one for reverse engineering and to demonstrate their proof of concept.

An attacker could use an existing kernel space buffer overflow to run a speculative branch prediction attack that brute forces pointer authentication. ENOTTY on hacker news explains it well (and was validated by the paper’s author).

But, your point still stands: if an attacker is able to execute arbitrary code in kernel space, you’re already hosed.
 
  • Like
Reactions: 88Keys and jdb8167

JMacHack

Suspended
Mar 16, 2017
1,965
2,424
So if I’m understanding this correctly, the vulnerability is in pointer authentication itself, which is pretty bad considering the point of pointer authentication is to prevent attacks?
 

Analog Kid

macrumors G3
Mar 4, 2003
9,360
12,603
Here's what i found with 2 seconds of google:



And here's the summary:


And here's my comments as a network security guy:

If someone has unfettered physical access to your machine, you're boned.

This is a hardware hacking attack requires physical access.

The short version is this: nothing to worry about unless you leave your machine unattended where bad guys can get access to it - and you're interesting enough for someone to go to the trouble to do this.

And even then, there's plenty of other things they can do with physical access. The likelyhood of this being used is probably limited to nation-state sponsored attacks (NSA/FSB and the like), where the attacker could just as easily beat your password/touchId/etc. out of you with a pipe. Or drop a camera in your home to record you typing your password, etc.

It's a vulnerability, sure - but not one that has any practical application that couldn't just be achieved by more conventional means. I'm sure apple will fix it in the M3 if it hasn't been fixed in M2, but in the mean-time there's little to worry about.

From the (possibly updated) article you linked:

"Macworld stated that “Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed,” but the research team advises me that this is incorrect. No physical access is needed."

(Oops, looks like it took me longer to read that article than others above...)
 
  • Like
Reactions: jdb8167

jdb8167

macrumors 601
Nov 17, 2008
4,859
4,599
It’s hardly a „security flaw“. The author of the article has stated that in order to carry out this exploit one needs to install a kernel extension. Basically this exploit already requires privileged access to even work. If your machine is so compromised that someone can change your security settings and patch your kernel, they already have your password and can do pretty much anything they want.
Not really. What it requires is another security vulnerability. They used a KEXT to create a vulnerability for their proof of concept. This also doesn't require physical access. It requires other vulnerabilities. Physical access is required to execute the proof of concept. They weren't trying to create an exploit but to show that there is a flaw in a security feature of various very modern Arm CPUs including the M1 and probably the M2.
 
  • Like
Reactions: Wizec

Analog Kid

macrumors G3
Mar 4, 2003
9,360
12,603
So if I’m understanding this correctly, the vulnerability is in pointer authentication itself, which is pretty bad considering the point of pointer authentication is to prevent attacks?
My understanding is that PAC isn't to prevent attacks, but to prevent attacks from progressing further. It's the last lock to pick, not the first.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.