Apple M1 PACMAN Security Flaw Exposes Chips To Spectre-Style Attacks, Game Over?

Apple M1 MacBook with Pacman
MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) researchers say they have discovered an unpatchable hardware vulnerability affecting Apple's custom Arm-based M1 silicon, one that undermines what they describe as the chip's last line of defense against memory-corruption exploits. Since the flaw cannot be patched out of the silicon, are owners of M1 devices sitting ducks? Not necessarily.

Note that this doesn't affect all Arm processors. Apple's M1 SoC is the first desktop processor to support Arm Pointer Authentication, a hardware mechanism that defends against memory-corruption exploits by tagging pointers, such as return addresses and function pointers, with a cryptographic signature called a Pointer Authentication Code (PAC). The PAC is computed from the pointer's address, a context value and a secret key held by the CPU, is stored in the pointer's otherwise unused upper bits, and is checked before the pointer is used; a pointer an attacker has tampered with fails the check and the program crashes rather than jumping to the attacker's target. According to the researchers, other companies including Samsung and Qualcomm have either announced or are expected to ship new chips supporting Pointer Authentication, but so far only Apple has done so.

They may want to rethink those plans. In a recently published paper, the researchers contend it is possible to leverage speculative execution attacks to bypass this protection mechanism. These types of attacks, which they've dubbed "PACMAN," are somewhat reminiscent of Spectre and Meltdown.

"In this paper, we propose the PACMAN attack, which extends speculative execution attacks to bypass Pointer Authentication by constructing a PAC oracle. Given a pointer in a victim execution context, a PAC oracle can be used to precisely distinguish between a correct PAC and an incorrect one without causing any crashes," the researchers state in their paper.
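To make the mechanism and the oracle concrete, here is an added example (not code from the article or from the PACMAN paper) that models Pointer Authentication in plain C: a 16-bit PAC in the upper bits of a 48-bit address, a sign operation, an authenticate operation that "poisons" the pointer on mismatch, a blind forgery attempt of the kind a memory-corruption bug alone allows, and a brute-force search driven by a PAC oracle. The mixing function, the key struct, the addresses and the `demo_oracle` are all constructed assumptions; in particular the oracle is a plain function standing in for the speculative-execution side channel the paper builds, which this model does not reproduce.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of Arm Pointer Authentication with a 48-bit virtual address space.
 * Bits [63:48] carry no address information, so the hardware stores a 16-bit
 * PAC there. Assumption: mix64() is a toy stand-in, not the QARMA cipher real
 * CPUs use, and the key lives in a C struct instead of the APIAKey registers. */
#define VA_BITS   48
#define PAC_BITS  (64 - VA_BITS)
#define ADDR_MASK ((1ULL << VA_BITS) - 1)
#define PAC_MASK  (~ADDR_MASK)
#define PAC_SPACE (1ULL << PAC_BITS)           /* 65536 possible PAC values */

typedef struct { uint64_t k0, k1; } pac_key_t;

static uint64_t mix64(uint64_t x) {            /* bijective xor-shift-multiply mixer */
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x;
}

/* PAC = keyed function of (address, modifier), truncated to the spare bits. */
static uint64_t compute_pac(uint64_t addr, uint64_t modifier, pac_key_t key) {
    uint64_t t = mix64((addr & ADDR_MASK) ^ key.k0);
    return mix64(t ^ modifier ^ key.k1) & PAC_MASK;
}

/* PACIA-style sign: keep the address, write the PAC into the upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | compute_pac(addr, modifier, key);
}

/* AUTIA-style authenticate: strip the PAC if it matches. On a mismatch the
 * real CPU corrupts the pointer into a non-canonical value (or, with FEAT_FPAC,
 * faults immediately), so the program crashes when it uses the result. */
uint64_t pac_auth(uint64_t ptr, uint64_t modifier, pac_key_t key, bool *ok) {
    uint64_t addr = ptr & ADDR_MASK;
    *ok = (ptr & PAC_MASK) == compute_pac(addr, modifier, key);
    return *ok ? addr : (addr | (1ULL << 62));  /* poisoned: faults on use */
}

/* Blind forgery: an attacker with a memory-corruption bug overwrites the
 * address bits of a signed pointer but cannot recompute the PAC, so keeps the
 * old one. Returns how many of `tries` forged pointers would authenticate;
 * every miss is a crash, which is what makes brute force impractical. */
unsigned blind_forgery_hits(uint64_t signed_ptr, uint64_t modifier, pac_key_t key, unsigned tries) {
    unsigned hits = 0;
    for (unsigned i = 1; i <= tries; i++) {
        uint64_t forged = (signed_ptr & PAC_MASK) | ((signed_ptr + 16ULL * i) & ADDR_MASK);
        bool ok;
        pac_auth(forged, modifier, key, &ok);
        hits += ok;
    }
    return hits;
}

/* PAC oracle: answers "would this pointer authenticate?" without a crash.
 * Assumption: PACMAN builds this from speculative execution and a cache side
 * channel; here it is an ordinary function so the search logic runs anywhere. */
typedef bool (*pac_oracle_t)(uint64_t ptr, uint64_t modifier);

/* With an oracle, the PAC of any target address falls to exhaustive search of
 * the 16-bit field. Returns the forged pointer and the number of guesses made. */
uint64_t forge_with_oracle(uint64_t target, uint64_t modifier, pac_oracle_t oracle, unsigned *guesses) {
    uint64_t addr = target & ADDR_MASK;
    for (uint64_t pac = 0; pac < PAC_SPACE; pac++) {
        uint64_t candidate = addr | (pac << VA_BITS);
        (*guesses)++;
        if (oracle(candidate, modifier)) return candidate;
    }
    return 0;  /* unreachable: exactly one of the 2^16 values matches */
}

/* Constructed victim key; the attacker never reads it, only the oracle uses it. */
static const pac_key_t victim_key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

bool demo_oracle(uint64_t ptr, uint64_t modifier) {
    bool ok;
    pac_auth(ptr, modifier, victim_key, &ok);
    return ok;
}

int main(void) {
    uint64_t fn  = 0x00007fff12345678ULL;     /* constructed: a function pointer's target */
    uint64_t mod = 0x42;                      /* constructed modifier (often the stack pointer) */
    uint64_t sp  = pac_sign(fn, mod, victim_key);
    bool ok;
    uint64_t back = pac_auth(sp, mod, victim_key, &ok);
    printf("signed %016" PRIx64 " -> auth %016" PRIx64 " ok=%d\n", sp, back, ok);
    printf("blind forgeries that authenticate: %u / 4096\n",
           blind_forgery_hits(sp, mod, victim_key, 4096));
    unsigned guesses = 0;
    uint64_t gadget = 0x00007fff0000beefULL;  /* constructed: attacker's desired target */
    uint64_t forged = forge_with_oracle(gadget, mod, demo_oracle, &guesses);
    printf("oracle forgery %016" PRIx64 " after %u guesses, ok=%d\n",
           forged, guesses, demo_oracle(forged, mod));
    return 0;
}
```

The blind-forgery loop almost never succeeds and each miss would be a crash, which is why a 16-bit PAC is enough in practice; the oracle loop always succeeds within 65536 guesses and never crashes, which is the property the paper's PAC oracle provides and why the researchers treat it as a bypass rather than a weakening.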

Pacman Attack figure
Unfortunately, bypassing this last line of defense would let an attacker turn an existing memory-corruption bug in the kernel into unauthorized access at the kernel level, at which point they could pretty much "do whatever they'd like on a device." That's not good, obviously. The researchers say they developed several proof of concepts that accomplish this very thing. They haven't tested it on Apple's new M2 chip, though, so it's unclear whether it is vulnerable to PACMAN attacks.

Is it game over for M1-based MacBook owners, though? There are reports that physical access to a machine is needed, though CSAIL affiliate and the paper's co-author Joseph Ravichandran tells HotHardware that those reports are erroneous.

"We actually did all our experiments over the network on a machine in another room. PACMAN works just fine remotely if you have unprivileged code execution," the researchers explain in an FAQ.

That said, the researchers also say there is no reason to be worried so long as users keep their software up to date.

"PACMAN is an exploitation technique—on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the FAQ adds.

Apple also downplayed the security risk in a statement.

"We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own," Apple said.

Nevertheless, the researchers say their findings have important implications for designers considering implementing Pointer Authentication in future products.

For a deeper dive into the technical bits, you can check out the full research paper (PDF).

This article was updated with information from the PACMAN FAQ in regards to remote exploitation.