Apple’s unfixable CPU exploit: 3 practical security takeaways
Image: Apple
All systems can be exploited. Whether that’s a freebie giveaway or computer hardware, humans will often find the weaknesses. Back in in 2018, Intel first swallowed this bitter pill when the widespread Spectre vulnerability came to light. Then in the more recent past, AMD got hit last summer with Zenbleed and Inception. Now it’s Apple’s turn, with a massive, unpatchable vulnerability in M-series CPUs that can leak encryption keys.
As reported by Ars Technica, this security flaw allowed academic researchers to pull end-to-end encryption keys from Apple’s processors, using an app with normal third-party software permissions in macOS. Called GoFetch, the attack they created works through what’s called a side-channel vulnerability—using sensitive information discovered through watching standard behavior. It’s a bit akin to observing armored-car guards carry bags out of a business, and valuing the contents based on how heavy they seem (e.g., gold vs. paper cash).
Chip nerds can read the fuller technical details in Ars Technica’s rundown of the situation, as well as a few details about Intel’s 13th-gen Raptor Lake processors (which also operate similarly but aren’t affected by GoFetch). But the gist of it is that Apple’s data memory-dependent prefetcher (DMP), which guesses what data is needed next and then loads it preemptively, sometimes mixes up the data it’s pulling with the location of information it wants to pull. By treating the data like it’s an address to access, the DMP can thus leak the information.
Scary stuff—especially if you’re a security-minded Apple fan who bought into the promises of top-grade protection and performance. But this news just highlights the current reality of technology, even if you’re a PC owner who’s been through this rodeo already. In fact, PC users can take this discovery as a reminder of a few basic truths.
Further reading: The best antivirus software for Windows
Obscurity never lasts forever
Once upon a time, Mac users held it over PC owners that their systems never got viruses. In fact, at least one precious Reddit user has stated that Macs never get viruses, but they can get malware. But as Gizmodo rightly points out, Macs have always been vulnerable to viruses and other malware. And the numbers of those getting infected have risen along with the popularity of Apple devices. (Beware what you most wish for, Linux users.)
But people often believe in security through obscurity, with potentially devastating results. It’s not just hardware—people make up passwords they think that can’t be guessed, but in fact are easily done so by a computer. They hide their SSID on their router, even though it can be sniffed out. A few may even purposely limit what sites they visit, believing that reputable sites can’t ever become infected with malware.
Obscurity can reduce your risk, but it sometimes only delays the inevitable.
Security is not a static goal
Marketing departments have embraced security as a new buzzword. Apple, Microsoft, and other large corporations list it as you might expect to see specs for new hardware. And while you definitely want baked-in protections for your devices, they’re only a part of staying safe. Safer, if you will.
But the game of security is one of cat-and-mouse, with attackers always pushing the goalposts further and further out. (They’re just as smart as those who come up with the safeguards, if not sometimes even more clever.) New technologies render old methods of security obsolete all the time. Keeping up is the only way to attenuate risk.
Your hardware and software isn’t capable of bearing the brunt of all your protection. How you approach your digital life matters, too. For example, the data you save and share (as well how you store it) matter. For example, with ransomware becoming so prevalent, having current offline backups of your files is a key way to avoid becoming hamstrung if you’re ever hit. Maybe you save your most sensitive files in a virtual encrypted drive, too, either by using VeraCrypt or a tool in a security suite like ESET Home Security Premium.
And of course, you’ll want to always ensure that your hardware and software are set to automatically update, so you get mitigations for vulnerabilities as soon as they’re available.
Threats will only intensify as time passes
The speed of modern CPUs come in part from their optimizations—like the use of prefetchers. Hardware and software will only become more complex in the future, opening up even more vulnerabilities and design flaws that can be exploited. With AI also in the mix to accelerate exploits, security is becoming a red-hot field…and right now, cybersecurity experts are in short supply.
Because things will be changing more rapidly with each passing year, your best hope is to become equally more nimble, too. Remaining current with the news is just one part of it. Ideally, you should create a multilayered approach to protecting yourself, too.
Think of it like a car—we know that a car crashes happen, with deadly results. Over time, we’ve mandated seatbelts, upgraded materials to have better force absorption, standardized airbags, switched to anti-lock brakes, devised proximity detectors and audio warnings, and more, all to improve safety.
Online security is moving in a similar direction. For now, using a password manager, good antivirus suite, and having good habits about online browsing and messaging is still sufficient. But what the software will cover and how much active involvement you’ll have in defending yourself will require more alertness. Get prepared now.
Author: Alaina Yee, Senior Editor
Alaina Yee is PCWorld’s resident bargain hunter—when she’s not covering software, PC building, and more, she’s scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.