Researcher uncovers flaw on M1 chips, but you probably shouldn't be worried
The M1RACLES bug reportedly allows one process to talk to another, bypassing the operating system's security model that prevents such cross-talk.
When Apple launched its brand new in-house ARM-based M1 chip last year, the company last year, it touted the chip’s capable performance as well as improved security over its predecessors and existing rivals in the industry. However, no computer system is completely secure and devoid of flaws, and Apple’s new chipset is no exception. A developer has discovered a vulnerability in the processor’s hardware that cannot be patched via a software update.
According to The Register, Linux developer Hector Martin found a new vulnerability in the M1 chipset, which he has called M1RACLES, or M1ssing Register Access Controls Leak EL0 State. The flaw allows one process running on a system powered by Apple’s chipset to talk to another process, bypassing the operating system's security model that prevents such cross-talk.
This kind of vulnerability is used by malicious actors in what is called a side-channel attack, by taking advantage of the information that can be leaked in the process. Normally, an operating system will restrict communication between processes to ensure the security of the data being processed by either side, such as passwords or authentication keys.
However, Martin says that while the security vulnerability is due to the way Apple has designed the chip, there’s not much that can be done in terms of a software fix. According to him, the flaw affects systems running macOS Big Sur (which was designed to run on the M1 chip), iOS and iPadOS, as well as Linux distributions on kernel version 5.13 and higher.
"Basically, Apple decided to break the ARM spec by removing a mandatory feature, because they figured they'd never need to use that feature for macOS. And then it turned out that removing that feature made it much harder for existing OSes to mitigate this vulnerability," Martin says on the disclosure website.
He claims that he mailed Apple about the security flaw and that the company acknowledged the vulnerability and assigned it CVE-2021-30747. He states that he published the disclosure on the website 90 days after the initial disclosure to the company.
“Really, nobody's going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system. Covert channels can't leak data from uncooperative apps or systems,” Martin explains, adding that users should probably worry about malware, which is a much more dangerous threat than this particular security flaw.