Today, MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) scientists released research highlighting a novel hardware attack that can disable an Apple M1 chip’s pointer authentication mechanism.
The threat, dubbed “PACMAN” by MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang and Mengjia Yan, enables attackers to stop the M1 chip from detecting software bug attacks.
This vulnerability occurs when an attacker successfully guesses the value of the pointer authentication code (PAC), a code used to verify a program hasn’t been modified maliciously, and disables it. Guessing the value isn’t difficult because an attacker can repeatedly check whether a guess is correct or not by using a hardware side channel.
For enterprises, this vulnerability is important to be aware of due to the increase in adoption of Apple devices in enterprise environments, with 23% of users in U.S. enterprises currently using Mac devices.
How dangerous is the Apple M1 chip vulnerability?
It’s important to note that the PACMAN exploit doesn’t completely bypass security measures on the Mac device, but prevents the M1 chip from identifying malicious software bugs that the pointer authentication mechanism would have detected.
While this isn’t an insignificant vulnerability, the researchers explain that there’s no need to panic.
“So far no end-to-end attacks have been created using PACMAN, so there is no immediate cause for concern,” said MIT CSAIL Ph.D. student and coauthor of the research, Joseph Ravichandran. “PACMAN requires an existing software vulnerability to function — the attacker needs to be able to write out-of-bounds memory. The attacker can use the existing bug combined with what we call a ‘PACMAN Gadget’ — a code sequence in the victim that allows the speculative use of a signed pointer.”
With this gadget, the attacker can try to guess the correct code. It’s important to note that this vulnerability can’t be fixed by a software patch because it exploits a hardware mechanism.
Ravichandran does note that, while the vulnerability isn’t a major cause for concern, the concept behind PACMAN, exploiting the pointer authentication mechanism, could be replicated in attacks on future ARM processors that use speculative execution and pointer authentication.
Tips to defend against the vulnerability
In enterprise environments where users are using Mac devices, Ravichandran recommends that security teams keep their device software up to date to ensure that any software bugs are patched with new security updates.
This ensures that the attacker won’t be able to leverage any bugs to compromise the device. Patching software bugs will deny potential attackers the ability to exploit the vulnerability in the M1 chip, as they won’t be able to exploit PACMAN without an existing software bug to leverage.
One of the easiest ways to encourage employees to keep their devices up to date is by educating them on how to automatically install macOS updates with the “Automatically keep my Mac up to date” option in System Preferences.
If security teams want more visibility over patch status for multiple Mac devices, they can also use patch management tools to scan for missing patches, and push them out remotely to ensure there are no security gaps.
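As an added example that is not part of the original article or the MIT research, the following POSIX shell script audits the automatic-update settings the two tips above rely on. It assumes (this is an assumption, not something the article states) that the relevant preferences live in /Library/Preferences/com.apple.SoftwareUpdate under the keys AutomaticCheckEnabled, AutomaticDownload, AutomaticallyInstallMacOSUpdates, ConfigDataInstall and CriticalUpdateInstall, and that `defaults read` prints each as `Key = 1;`. The sample outputs embedded in the script are constructed for offline testing, not captured from a real Mac.

```shell
#!/bin/sh
# Added example (not the article's or MIT's code): check that a Mac is set to
# receive updates automatically. Assumption: the keys below are the ones macOS
# stores in /Library/Preferences/com.apple.SoftwareUpdate; adjust if your
# fleet tooling reports them elsewhere.

REQUIRED_KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates ConfigDataInstall CriticalUpdateInstall"

# Extract the value of one key from captured `defaults read` output.
# $1 = captured output, $2 = key name. Prints nothing when the key is absent.
plist_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p" \
        | head -n 1
}

# Audit captured output: print one line per key that is not enabled (= 1).
# Returns 0 when every required key is enabled, 1 otherwise.
audit_softwareupdate() {
    out="$1"
    rc=0
    for key in $REQUIRED_KEYS; do
        val=$(plist_value "$out" "$key")
        if [ "$val" != "1" ]; then
            echo "NOT COMPLIANT: $key=${val:-missing}"
            rc=1
        fi
    done
    return $rc
}

# Live check on a Mac. On systems without defaults(1) nothing is read.
audit_live() {
    if command -v defaults >/dev/null 2>&1; then
        audit_softwareupdate "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null)"
    else
        echo "defaults(1) not found; this is not a Mac" >&2
        return 2
    fi
}

# Constructed sample outputs (not real captures) for offline use.
SAMPLE_OK='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    AutomaticallyInstallMacOSUpdates = 1;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
    LastSuccessfulDate = "2022-06-10 12:00:00 +0000";
}'

# Auto-download is off and the install-updates key is missing entirely.
SAMPLE_BAD='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
}'

# Run the live audit only when asked; otherwise just define the functions so
# the script can be sourced by a fleet tool that supplies captured output.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

On a Mac, `sh audit.sh --live` prints one line per setting that is not enabled and exits non-zero, which makes it easy to wire into a patch-management or MDM compliance check; on a fleet, feed each device's captured `defaults read` output to `audit_softwareupdate` instead. Enabling these settings only closes the window in which a known software bug remains unpatched; it does not change the hardware behaviour PACMAN relies on.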
Original Source: “MIT researchers discover Apple M1 chip vulnerability”, June 10, 2022