Apple: M1 chip's GoFetch vulnerability headlines may be over sensationalizing "unpatchable"

A new security vulnerability has been discovered in Apple's Mac and MacBook computers. Hackers can apparently harvest encryption keys from Macs and MacBooks with the M1 chip set. The new chip flaw hits Apple Silicon and steals cryptographic keys from the system cache — 'GoFetch' vulnerability attacks Apple M1, M2, M3 processors, can't be fixed in hardware.

The attack method called GoFetch, has been described as a microarchitectural side-channel attack that allows the extraction of secret keys from constant-time cryptographic implementations. These types of attacks require local access to the targeted system. The attack targets a hardware optimization named data memory-dependent prefetcher (DMP), which attempts to prefetch addresses found in the contents of program memory to improve performance. 

Think of it like a program sneakily peeking into your computer's temporary memory to exfiltrate sensitive data involved in security & password protection. There’s also no information available that suggests the GoFetch attack can be used to bypass Apple ID authentication or break into a Mac. Only the M3 generation and Intel affected processors allow the DMP to be disabled. The exploit resides in the physical silicon so “unpatchable” is an apt description, although this does not mean it cannot be mitigated.

GoFetch could allow hackers to steal secret login information along with other highly secure information from your Mac.

Once GoFetch attack begins, the attack program looks for patterns in this pre-loaded data, things that resemble the way secure cryptographic keys (think of them like ultra-complex passwords) are constructed. GoFetch uses precise timing to extract bits and pieces of those security keys, essentially piecing them together over time.

While the GoFetch attack can potentially extract cryptographic keys from systems using Apple CPUs, it doesn’t directly relate to the functionality of the Apple ID authentication, such as biometrics, FaceID, TouchID, etc.

The flaw is specific to Apple's M1-series and A14 chips, so Intel-based Macs and other devices aren't affected.

Heres the thing... The attack needs a malicious program running directly on your Mac. This isn't something that can easily happen remotely. Enterprise endpoint administrators overseeing large macOS deployments should exercise caution and educate users on what this is, and how to protect themselves. To exploit the vulnerability, an attacker would have to fool a user into installing a malicious app, and unsigned Mac apps are blocked by default.

While the exploit is tied to hardware, Apple may be working on a fix for the M3 processors – which are rumored to have the DMP turned off. Users should be installing security updates immediately. Ways to prevent your users from this would be, to some, a bit of common sense. While Apple works on a fix for this vulnerability, you can take proactive steps to minimize your risk.

• Strengthen your Mac’s security with a strong password for your user account.
• Consider reputable antivirus software for an additional layer of protection.
• Never leave your machine unattended; exercise extreme caution if anyone requests access.
• Do not store sensitive information on your Mac, for now. Move to (for some a work approved) external hard drive to be safe.
• Avoid opening suspicious attachments.
• Avoid clicking on click-bait type links on news sites, game sites, or any other social media or news websites.
• Phishing is the largest attack surface threat regarding GoFetch that could be used.

How to Check If a Link is Safe

Learn why checking the safety of a link is important, how to check if a link is safe to click on and what to do if you click on a malicious link.

Keeper Security Blog - Cybersecurity News & Product UpdatesAranza Trevino

GoFetch is a reminder no device is completely invulnerable. Awareness and smart practices are your best defense.

Apple has so far chosen not to openly implement protection against these types of attacks thus far, likely because of the performance hit wouldn’t be justified by the very low probability of a real-world attack. Historically, Apple have been very "closed-mouth" about the specific steps taken to address security issues. For information regarding Apple vulnerabilities see the bookmark below:

Apple security releases

This document lists security updates and Rapid Security Responses for Apple software.

Apple Support

So what are your thoughts? Is this being over sensationalized? Is this fear mongering? It kind of seems like the tech blogging community tried to break the internet with this one. The real-world probability of exploiters leveraging GoFetch, seems like its more work than you get reward here. I think it seems too early to tell one way or the other how this will play out, particularly where UEM administrators will be canning all these expensive MacBooks from thier fleet of devices.

Do you have a additional concerns about the Apple M1 Chip? Apple has provided the following details to follow up on your questions here...

• Call Customer Support 1 (800) MY–APPLE (800–692–7753)
• Outside the USA—Contact Apple for support and service by phone
  • See a list of Apple phone numbers around the world.:
    Contact Apple for support and service - Apple Support
• Submit your Apple Feedback here: Product Feedback - Apple
• Contact the corporate office Contact - How to Contact Us - Apple

About Author: Alex Mercer, Senior Sales Engineer Specialist at Ivanti, Inc, formerly MobileIron. Alex has direct experience with a wide variety of MDM providers, mobile threat tech, identity solutions, and certified apple & android expert.