New findings from academics revealed a severe vulnerability in Apple’s M-series chips, which could potentially enable malevolent actors the ability to access confidential encryption keys from MacBook devices.
The report — published on March 21 by a group of researchers from multiple United States-based universities — identified the vulnerability as a side channel exploit, which allows hackers to illicitly obtain end-to-end encryption keys when Apple chips execute commonly used cryptographic protocols.
However, unlike conventional vulnerabilities that can be remedied through direct patches, this particular issue is deeply rooted in the microarchitectural design of the silicon itself, making it “unpatchable.”
To properly address the flaw, third-party cryptographic software would need to be utilized and could severely hamper the performance of the Apple M-series chips, particularly the earlier iterations, such as the M1 and M2 chips.
These findings highlight a major flaw and challenge for Apple’s hardware security infrastructure. Hackers could intercept and exploit memory access patterns to extract sensitive information, such as encryption keys utilized by cryptographic applications.
The researchers labeled this type of hack a “GoFetch” exploit. The hack functions seamlessly within the user environment and requires only standard user privileges, similar to those needed by regular applications.
After the research surfaced, users in online Mac forums began to question whether or not there is now cause for major concern or necessary action regarding password keychains.
One user said they believed that Apple would mitigate the problem within their operating system directly — if not, they would be “more worried.”
Another user said this flaw has been known to Apple for a while and pointed out that it could be why Apple’s M3 has “an added instruction to disable DMP.” The user said the previous research on the topic was called an “augury” and dates back to 2022.
This finding comes as Apple finds itself in an extensive antitrust lawsuit with the U. S. Department of Justice (DOJ), which claims its Apple App Store rules and “monopoly” illegally throttled competition and suffocated innovation.
The DOJ has also alleged that Apple severed access to competing digital wallets, which provide a “wide variety of enhanced features,” while blocking developers from delivering their own payment services to users.