A group of university researchers has revealed a vulnerability in Apple’s M-series chips that can be exploited to gain access to cryptographic keys. Dubbed “GoFetch,” the vulnerability can be used by an attacker to access a user’s encrypted files.
On the GoFetch overview website, the researchers explain that GoFetch targets the M-series chips’ data memory-dependent prefetcher (DMP), a performance optimization that predicts the memory addresses that running code will use. However, Apple’s DMP implementation sometimes confuses actual memory content with the pointer used to predict the memory address, which “explicitly violates a requirement of the constant-time programming paradigm, which forbids mixing data and memory access patterns.” An attacker can exploit this confusion to correctly guess bits of a cryptographic key until the whole key is uncovered.
An attacker using GoFetch doesn’t need root access to the Mac; the only access needed is the typical access a user has. The researchers were able to perform GoFetch on M1, M2, and M3 Macs and reported their findings to Apple last December. Research on Intel-based Macs is slated for the future.
The GoFetch researchers provide in-depth details in a GoFetch paper available online, which also recommends ways Apple can implement a fix based on the current chip architecture. The most “drastic” fix would be to disable the DMP, while another possibility is to run cryptographic code on the chip’s efficiency cores because these cores do not have DMP functionality.
Other suggestions include cryptographic blinding and implementing ad-hoc defenses that interfere with specific points of attack. Long-term, the researchers recommend that Apple find ways for macOS to better manage the DMP usage and “selectively disable the DMP when running security-critical applications.”
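An added illustration of the cryptographic blinding the researchers suggest, shown here as textbook RSA base blinding; it is not code from the GoFetch paper or from Apple, and the toy key, function names and input value are constructed for the example. Blinding multiplies the input by a fresh random factor before the private-key operation, so the values that operation works on are no longer chosen by whoever supplied the input.

```python
import math
import secrets

# Constructed toy RSA key (tiny primes, illustration only; real keys are 2048+ bits).
P, Q = 61, 53
N = P * Q                               # public modulus, 3233
E = 17                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, 2753


def private_op(x: int) -> int:
    """The secret-key operation whose inputs and intermediates must not be attacker-chosen."""
    return pow(x, D, N)


def blind(c: int):
    """Return (blinded input, unblinding factor) for the caller-supplied value c."""
    while True:
        r = secrets.randbelow(N - 2) + 2        # fresh random r in [2, N-1]
        if math.gcd(r, N) == 1:                 # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N            # c * r^e mod N
    return blinded, pow(r, -1, N)


def blinded_private_op(c: int) -> int:
    """Compute c^d mod N without ever exponentiating the caller-supplied c itself."""
    blinded, r_inv = blind(c)
    result = private_op(blinded)                # equals c^d * r mod N
    return (result * r_inv) % N                 # strip r to recover c^d mod N


def distinct_blinded_inputs(c: int, runs: int = 20) -> int:
    """Count how many different values private_op would see for one fixed input."""
    return len({blind(c)[0] for _ in range(runs)})


if __name__ == "__main__":
    c = 1234                                    # constructed caller-supplied input
    print("unblinded result:", private_op(c))
    print("blinded result  :", blinded_private_op(c))
    print("distinct inputs seen by private_op:", distinct_blinded_inputs(c))
```

The result is identical with and without blinding, but the private-key operation sees a different random-looking input on every call, which is the property this mitigation relies on.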
Unfortunately, any fix will affect the chip’s performance when processing cryptographic code, and Apple might not want to sacrifice that performance. The GoFetch researchers told Apple about the flaw on December 5, 2023, but Apple has yet to push out a fix. As Ars Technica notes, the DMP on the new M3 chips has a switch that developers can invoke to disable the feature. However, the researchers don’t yet know what kind of penalty will occur when this performance optimization is turned off.
How to protect yourself from GoFetch
DMP vulnerabilities aren’t new. In 2022, university researchers revealed Augury, the first introduction to the DMP exploit, which, at the time, wasn’t a serious risk. However, it appears that with GoFetch, Apple has yet to address the issue, possibly due to the performance issues.
DMP-based attacks aren’t common, and they require a hacker to have physical access to a Mac. So, the best way to prevent an attack is to secure your user account on your Mac with a strong password, and to not let people you don’t know use your Mac. For more information on Mac security, read “How to know if your Mac has been hacked” and “How secure is your Mac?” Also consider running an antivirus program on your Mac.