Researchers at MIT have uncovered an unpatchable vulnerability in Apple's M1 chips that could let attackers break through the chip's last line of security defenses. The weakness lies in a hardware-level security mechanism used in the M1 called pointer authentication codes, or PAC. PAC tags each protected pointer with a short cryptographic signature computed under a secret key and checks that signature when the pointer is used, so a pointer that an attacker has overwritten is rejected and the program crashes instead of jumping where the attacker wants. This makes it much harder to turn a memory corruption bug such as a buffer overflow, in which writes spill past a buffer into neighboring memory, into control of the device.
Researchers from MIT Have Created a Novel Attack to Test the Unpatchable Vulnerability
The MIT researchers built a novel hardware attack that combines a memory corruption bug with a speculative execution side channel to sidestep the protection. Guessing a pointer's PAC outright would crash the process on every wrong guess; by making the guesses speculatively, the attack learns whether a guess is correct from microarchitectural side effects without ever triggering that crash, so the right signature is recovered without leaving a trace. Because the weakness is in the hardware mechanism itself rather than in any particular piece of software, no software patch can remove it, which is what makes the vulnerability unpatchable.
Moreover, the researchers from MIT demonstrated that the attack even works against the kernel — the software core of a device’s operating system — which has “massive implications for future security work on all ARM systems with pointer authentication enabled,” says Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper.
“The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system,” Ravichandran added. “We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was.”
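To make the mechanism described above concrete, the following C model of pointer authentication is added here as an illustration; it is not code from Apple, Arm or the MIT researchers. It replaces the real PAC cipher (QARMA, keyed from system registers) with a toy 64-bit mixer, assumes 48-bit addresses with the 16-bit tag stored in bits 48..63, and uses constructed key, modifier and address values. It shows a pointer being signed and authenticated, a tampered tag being rejected with a poisoned pointer, and the cost of guessing a tag blindly: a brute force needs up to 2^16 attempts, each of which on real hardware is a crash, which is exactly the cost that a speculative oracle answering without a fault removes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of ARMv8.3-A pointer authentication, added as an illustration (not Apple's
 * or the MIT researchers' code). Real silicon computes the PAC with the QARMA cipher
 * under keys in system registers; a small 64-bit mixer stands in for it here (an
 * assumption), with 48-bit addresses and the PAC in bits 48..63. */
#define PAC_BITS   16
#define PAC_SHIFT  48
#define PAC_FIELD  (((1ULL << PAC_BITS) - 1) << PAC_SHIFT)
#define ADDR_FIELD (~PAC_FIELD)
#define POISON_BIT (1ULL << 62)  /* set on failed authentication so the next use faults */

/* Keyed mixer standing in for QARMA: key, address and modifier all feed the tag. */
static uint64_t toy_mac(uint64_t key, uint64_t addr, uint64_t modifier)
{
    uint64_t x = addr ^ key ^ (modifier * 0x9E3779B97F4A7C15ULL);
    for (int round = 0; round < 3; round++) {
        x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
        x ^= x >> 27; x *= 0x94D049BB133111EBULL;
        x ^= x >> 31;
    }
    return x;
}

/* 16-bit tag over the address bits of ptr, already shifted into the PAC field. */
static uint64_t pac_compute(uint64_t key, uint64_t ptr, uint64_t modifier)
{
    return (toy_mac(key, ptr & ADDR_FIELD, modifier) & ((1ULL << PAC_BITS) - 1)) << PAC_SHIFT;
}

/* PACIA/PACDA equivalent: embed the tag in the otherwise unused upper bits. */
uint64_t pac_sign(uint64_t key, uint64_t ptr, uint64_t modifier)
{
    return (ptr & ADDR_FIELD) | pac_compute(key, ptr, modifier);
}

/* AUTIA/AUTDA equivalent: recompute and compare. Success yields the clean address;
 * failure yields a poisoned pointer that faults when used, which is what turns a
 * wrong PAC into a crash instead of a silent hijack. */
uint64_t pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t modifier, bool *ok)
{
    uint64_t addr = signed_ptr & ADDR_FIELD;
    *ok = (signed_ptr & PAC_FIELD) == pac_compute(key, signed_ptr, modifier);
    return *ok ? addr : (addr | POISON_BIT);
}

/* Attacker who can overwrite a pointer but not read the key: try every tag until one
 * authenticates. On real hardware each wrong guess is a crash, so *attempts is the crash
 * count a blind brute force needs; an oracle that reports pass/fail without faulting removes it. */
uint64_t pac_forge(uint64_t key, uint64_t target, uint64_t modifier, unsigned *attempts)
{
    *attempts = 0;
    for (uint64_t guess = 0; guess < (1ULL << PAC_BITS); guess++) {
        uint64_t candidate = (target & ADDR_FIELD) | (guess << PAC_SHIFT);
        bool ok;
        (*attempts)++;
        pac_auth(key, candidate, modifier, &ok);
        if (ok)
            return candidate;
    }
    return 0;  /* unreachable: one of the 2^16 tags must match */
}

/* Constructed inputs: a key (would live in a system register), a modifier such as the
 * stack pointer at signing time, and a code address. */
#define DEMO_KEY 0x0123456789ABCDEFULL
#define DEMO_MOD 0x1000ULL
#define DEMO_FP  0x000000010000A000ULL

/* Legitimate use: sign, then authenticate under the same key and modifier. */
bool demo_roundtrip(void)
{
    bool ok;
    uint64_t signed_fp = pac_sign(DEMO_KEY, DEMO_FP, DEMO_MOD);
    return pac_auth(DEMO_KEY, signed_fp, DEMO_MOD, &ok) == DEMO_FP && ok;
}

/* Attacker flips one bit of the stored tag: authentication fails, pointer is poisoned. */
bool demo_tamper_detected(void)
{
    bool ok;
    uint64_t tampered = pac_sign(DEMO_KEY, DEMO_FP, DEMO_MOD) ^ (1ULL << PAC_SHIFT);
    uint64_t result = pac_auth(DEMO_KEY, tampered, DEMO_MOD, &ok);
    return !ok && (result & POISON_BIT) != 0;
}

/* Guesses a brute force needs before a forged pointer to DEMO_FP authenticates (0 on mismatch). */
unsigned demo_forge_attempts(void)
{
    unsigned attempts;
    uint64_t forged = pac_forge(DEMO_KEY, DEMO_FP, DEMO_MOD, &attempts);
    return forged == pac_sign(DEMO_KEY, DEMO_FP, DEMO_MOD) ? attempts : 0;
}

int main(void)
{
    printf("roundtrip ok=%d, tamper detected=%d, forged after %u guesses\n",
           demo_roundtrip(), demo_tamper_detected(), demo_forge_attempts());
    return 0;
}
```

The model runs on any C99 compiler, including on x86, since nothing in it needs arm64e hardware. The modifier is what binds a signature to its context, which is why a pointer signed for one stack frame or object does not authenticate when swapped into another; the attack in the article does not break that binding, it avoids paying the crash that a wrong guess normally costs.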
Apple Has Implemented Pointer Authentication on its ARM-Based Chips
Apple has shipped pointer authentication on its recent custom ARM-based silicon, including the M1, M1 Pro and M1 Max. Other chip manufacturers, including Qualcomm and Samsung, have either announced or are expected to ship new processors supporting the same hardware-level security feature. MIT said it has not yet tested the attack on Apple's unreleased M2 chip, which also supports pointer authentication.
“If not mitigated, our attack will affect the majority of mobile devices, and likely even desktop devices in the coming years,” MIT said in the research paper about the unpatchable vulnerability.