April 29, 2024 By Sue Poremba 3 min read

The “need for speed” is having a negative impact on many Mac users right now.

The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, leading an attacker to reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips data memory-dependent prefetcher (DMP).

DMP’s benefits and vulnerabilities

DMP predicts memory addresses that the code is most likely to access by scanning the cache and prefetching that information. This technology gives Apple users improved computer speed and overall computing performance. That intuitive computing is one of the benefits of using Apple products for their enhanced efficiency and productivity.

However, the GoFetch vulnerability in DMP has turned the positives into a serious liability. As described by Ars Technica, GoFetch, a side-channel flaw, “allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.” Simply, data stored in the M-chips can be mistaken for a legitimate memory address and cached. However, if a malicious app gains access through the vulnerability, it can repeatedly push this error and eventually decrypt the key. A group of researchers found that the vulnerability actually “poses severe risks to the constant-time coding paradigm.”

Critically, the GoFetch vulnerability stems from the core design of the M-series chips, meaning Apple cannot fix the weakness with a simple software patch. Instead, any mitigation will require a protective code added to third-party encryption software. This could drastically slow performance, particularly on older M1 and M2 Mac models.

Performance versus security in vulnerability management

The GoFetch vulnerability highlights a long-standing problem for developers, IT and security teams: balancing the importance of security versus performance. In this case, the vulnerability management around GoFetch would have a negative impact on the performance of Mac computers (other Apple devices, like iPads, don’t appear to be impacted yet). Speed is the selling point for chip makers; computer speed is vital to productivity. But it also means that security takes a back seat.

By sacrificing security in preference for performance, users are exposed to attacks on their encryption keys, potentially compromising sensitive data.

Fixing the security in chip development would require manufacturers to share details about chip development, but it would also mean vulnerability management could be implemented much earlier. In the long run, that will improve performance.

The solution for GoFetch

GoFetch is a hardware flaw, so there is no easy fix; developers can’t simply update the software code and send it out to users as they can with SaaS.

Apple has stated that if users with an M-3 chip device enable data-independent timing (DIT), they will be able to disable DMP and add security: “With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data.”

But that doesn’t help those with M1 and M2 devices, and the researchers admit that disabling DMP is a drastic move for M3 devices. They suggest other defense approaches that include:

  • Using efficiency cores by running all cryptographic code on Icestorm cores, which doesn’t require user code changes
  • Applying cryptographic blinding-like techniques to add/remove masks to sensitive values before/after being stored/loaded from memory
  • Hardware support that broadens third-party contracts to address DMP vulnerabilities

As of this writing, there have been no reports of a major cyberattack around the GoFetch vulnerability, but it is only a matter of time. Any organization or user using Mac devices will want to step up their defenses and be aware of the potential risk because, as the researchers concluded, “DMPs pose a significant security threat to modern software, breaking a wide variety of state-of-the-art cryptographic implementations.”

More from News

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

State Department releases International Cyberspace and Digital Policy Strategy

3 min read - U.S. Secretary of State Antony Blinken announced the new U.S. International Cyberspace and Digital Policy Strategy during the recent RSA Conference in San Francisco. The strategy emphasizes the role of technology in diplomacy and the urgent need to build international coalitions. “Security, stability, prosperity — they are no longer solely analog matters,” Blinken said at the conference. The new strategy focuses on “digital solidarity” not “digital sovereignty,” Blinken said, emphasizing the importance of collaboration with like-minded nations. Also mentioned was…

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today