Unpatchable Apples M1 Chip Vulnerability discovered by MIT

What is a Pointer Authentication Code?

Back in 2020, Apple released the very first MacBook sporting the new custom-built M1 chip. Apple takes pride in its self-built Silicon, after using Intel chips in its Mac lineup for the past 16 years or so.

Of course, Apple has a good reason to be proud. The M1 chip is a 16 billion transistors, 8-Core CPU, and 8-Core GPU beast capable of some serious work with minimal power consumption and heat buildup. The 13-inch MacBook Pro, MacBook Air, and Mac Mini models, as well as the iMac and M1 iPad Pro, are currently using the M1 chip, so having an unpatchable vulnerability in this chip is bad news for Apple and its customers.

The vulnerability everyone is talking about lies in the PaC (Pointer Authentication Codes) part of the chip. This security mitigation feature is not new. It was devised to help mitigate common exploitation techniques (Buffer Overflow, etc.) and it was present on iOS devices ever since the A12 chip back on iPhone XS / iPhone XR in 2019. The feature itself has been bypassed before by jailbreak developers on iOS, but not easily. It has slowed down the jailbreak scene quite a bit thanks, in part, to it being relatively hard to bypass.

The researchers from MIT’s Computer Science lab have managed to find a way around this hardware-level protection which combine speculative execution with memory corruption to be able to bypass PaC without leaving any trace. This is impressive in itself, considering how advanced PaC is, but if we factor in the fact that PaC is hardware-level protection, it means Apple cannot do anything about it.

Kernel vulnerabilities, Userland vulnerabilities, and any other type of software-only vulnerability can easily be addressed by Apple with a security patch / OTA update. Sure, the already vulnerable versions will remain vulnerable but the users have the ability to update to a patched version and dodge any attacks.

This is not the case this time. PaC is hardware-level. Apple cannot patch the hardware in software, no matter how much they try. It’s a flaw in how their Silicon works and nothing short of a complete hardware revision (new fixed chip) would patch the vulnerability.

How does the new PaC attack work?

The aptly named “Pacman” attack works by brute-forcing a cryptographic pointer authentication code. They employ speculative execution for this. Speculative Execution is not new either. It’s a feature used by many modern CPUs to speed up the device’s performance.

The MIT researchers take advantage of speculative execution to be able to brute-force a correct PaC. They essentially keep guessing PaCs until they get the correct one.

MIT’s proof of concept shows that even the Kernel can be attacked in this way, which would mean bad news for Apple on the devices that utilize PaC, and it would particularly help jailbreak developers on iOS since iPhones and iPads all have PaC nowadays.

However, this PaC attack isn’t a magic bullet. A security researcher would still need to pair it with another bug that would normally not be exploitable because of PaC (such as a Buffer Overflow), but once paired together, the system security falls apart pretty fast. Once memory read/write access is achieved, malware, jailbreak tools, and other tools can alter the security of the device for any reason.

Such vulnerability can, in theory, be used to exfiltrate user data if paired with another vulnerability. On iOS devices, a kernel vulnerability combined with this PaC bug can easily allow for a full jailbreak to be created.

It’s currently unknown if Apple’s M2 chip also has the same vulnerability, but if it does, MIT believes multiple mobile devices and computers will be affected by this bug in the next years with not much that Apple can do.

However, MIT has already contacted Apple about the bug. They’ve taken the responsible disclosure route, so it’s expected Apple would patch this soon in newer chips. Already vulnerable devices will, however, remain vulnerable forever.

Click to rate this post!

By GeoSn0w

An iOS and Jailbreak enthusiast who has been around for quite some time in the community. I've developed my own jailbreaks before and I am currently maintaining iSecureOS, one of the first iOS Anti-Malware tools for jailbroken devices. I also run iDevice Central on YouTube with over 142.000 Subscribers! Thank you for being part of this awesome community.

Leave a Reply

Your email address will not be published. Required fields are marked *