There’s a vulnerability in Apple’s Mac chips – and the fix could be as bad as the flaw

A group of university researchers have revealed a vulnerability in Apple’s M-series chips that can be exploited to access cryptographic keys. Dubbed “GoFetch,” the vulnerability can be used by an attacker to access a user’s encrypted files.

On the GoFetch overview website, the researchers explain that GoFetch targets the M-series chips’ memory-dependent prefetcher (DMP), which predicts the memory addresses that running code will use in order to optimize performance. However, Apple’s DMP implementation sometimes confuses the actual contents of memory with the pointer used to predict the memory address, which “explicitly violates a requirement of the constant-time programming paradigm, which prohibits mixing data and memory access patterns.” An attacker can exploit this confusion to correctly guess the bits of a cryptographic key until the entire key is discovered.

An attacker using GoFetch does not need root access to the Mac; the only access needed is the typical access a user has. The researchers were able to perform GoFetch on the M1, M2, and M3 Macs and reported their findings to Apple last December. Research into Intel-based Macs is planned for the future.

GoFetch researchers provide extensive details in a GoFetch article available online, which also recommends ways Apple can implement a fix based on the chip’s current architecture. The most “drastic” solution would be to disable DMP, while another possibility would be to run cryptographic code on the chip’s efficiency cores, as these cores do not have DMP functionality.

Other suggestions include cryptographic blinding and implementing ad hoc defenses that interfere with specific points of attack. In the long term, the researchers recommend that Apple find ways for macOS to better manage DMP usage and “selectively disable DMP when running security-critical applications.”
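The blinding mitigation mentioned above, as an added illustration that is not code from the researchers or from Apple: a toy RSA private-key operation, with constructed key constants far too small for real use, where the secret exponentiation never sees the attacker-chosen ciphertext directly but a randomized value that is then unblinded.

```python
import math
import secrets
from typing import Optional

# Toy RSA key, constructed for illustration only (far too small for real use).
P, Q = 61, 53
N = P * Q                          # modulus
E = 17                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def private_op_plain(c: int) -> int:
    """Unblinded private-key operation. The secret exponentiation runs
    directly on the attacker-supplied ciphertext c, so every intermediate
    value is a function of c and the secret exponent D."""
    return pow(c, D, N)


def pick_blinding_factor() -> int:
    """Fresh random r in [2, N-1] with gcd(r, N) == 1, so r is invertible."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blinded_operand(c: int, r: int) -> int:
    """The value the secret exponentiation actually sees: c * r^E mod N.
    Because r is uniform over the invertible residues, so is this value,
    whatever c the attacker chose."""
    return (c * pow(r, E, N)) % N


def private_op_blinded(c: int, r: Optional[int] = None) -> int:
    """Blinded private-key operation: exponentiate the randomized operand,
    then strip the mask with r^-1, since (c * r^E)^D = c^D * r mod N."""
    if r is None:
        r = pick_blinding_factor()
    masked = pow(blinded_operand(c, r), D, N)
    return (masked * pow(r, -1, N)) % N


if __name__ == "__main__":
    m = 65                         # constructed sample message
    c = pow(m, E, N)               # ciphertext an attacker might submit
    r = pick_blinding_factor()
    print("operand without blinding:", c)
    print("operand with blinding:   ", blinded_operand(c, r))
    assert private_op_plain(c) == private_op_blinded(c, r) == m
```

Run it twice and the blinded operand changes each time while the recovered message stays the same, which is the property the mitigation relies on.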

Unfortunately, any patch will affect the chip’s performance when processing cryptographic code, something Apple may not want to sacrifice. The GoFetch researchers notified Apple of the flaw on December 5, 2023, but Apple has not yet released a patch. As Ars Technica notes, the DMP on the new M3 chips has a switch that developers can invoke to disable the feature. However, researchers don’t yet know what kind of penalty will occur when this performance optimization is turned off.

How to protect yourself from GoFetch

DMP vulnerabilities are not new: in 2022, university researchers revealed Augury, the first attack on the DMP, which at the time did not pose a serious risk. GoFetch suggests that Apple has not yet fixed the underlying problem, probably because of the performance cost of doing so.

DMP-based attacks are not common and require a hacker to have physical access to a Mac. So, the best way to prevent an attack is to secure your user account on your Mac with a strong password and not let people you don’t know use your Mac. For more information on Mac security, read “How to Tell if Your Mac Has Been Hacked” and “How Secure Is Your Mac?” Also consider running an antivirus program on your Mac.
