GoFetch security exploit can't be disabled on M1 and M2 Apple chips

For now, cryptographic work should be run on slower Icestorm cores


The GoFetch vulnerability found on Apple M-series and Intel Raptor Lake CPUs has been further unpacked by the researchers who first disclosed it.

GoFetch is a side-channel attack that takes advantage of data memory-dependent prefetchers (DMPs), and it sits in the same family as speculative execution vulnerabilities such as Spectre: a performance optimization leaks information through cache state. A DMP scans data as it is loaded, treats values that look like pointers as addresses, and prefetches the memory they point to. Because that prefetch changes the cache, an attacker who can measure cache timing learns whether a value in the victim's memory looked like a pointer, even when the victim code itself runs in constant time. That turns data in a core's cache into a potential leak whenever the DMP is enabled.

DMPs are present on all Apple M-series CPUs and on Intel's Raptor Lake processors, and the dedicated GoFetch website now shows how the attack is carried out. Within minutes (the footage is sped up, so it is hard to say exactly how many), 560 bits of data were leaked from an RSA-protected server.

GoFetch isn't earth-shattering on its own, as it is in a similar vein to Spectre, Meltdown, and other attacks that rely on a CPU's performance-boosting prediction features. Normally, chips with hardware-level vulnerabilities get software-based mitigations, and usually that just means disabling the offending feature (at a cost in performance). In the case of the M1 and M2, however, the researchers say that isn't possible.

The researchers address the common question of whether the DMP can be disabled: it can, but only on some processors. "We observe that the DIT bit set on M3 CPUs effectively disables the DMP. This is not the case for the M1 and M2." DIT is the Arm Data Independent Timing control that code is expected to set while handling secrets. So GoFetch can be mitigated in software on M3 and Raptor Lake CPUs, but not on M1 and M2 chips, where the DMP stays active regardless of the DIT setting.

It's never good when a feature that increases performance has to be disabled because it leaks potentially sensitive data, but not being able to disable that feature at all is worse. One workaround is to blind the DMP to sensitive data: mask every secret-dependent value before it is stored to memory and unmask it only after it is loaded back into a register, so the bytes the prefetcher sees never resemble a pointer in a secret-dependent way. The GoFetch paper [PDF] says, though, that this would require broad code rewrites and carries performance penalties in some cases.
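To make that blinding idea concrete, here is an added example in C. It is not code from the GoFetch paper, from Apple, or from any affected library; it shows the pattern the paper's mitigation describes: a branch-free select (the kind of constant-time primitive GoFetch targets, because the value it writes to memory depends on a secret bit even though its timing does not), the unprotected store beside a masked store, and a routine that masks a whole array of key limbs in place. The mask value and the 4-limb "secret" are constructed for the demonstration; a real implementation would draw the mask from a CSPRNG per session, and the attacker-chosen input is simply a value shaped like a user-space address, without any claim about the DMP's exact pointer heuristic.

```c
/*
 * Masked store/load: keep secret-dependent words out of memory in the clear.
 * Added illustration of the GoFetch paper's "blinding" mitigation; not the
 * paper's code and not tied to any particular library.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Branch-free select: returns a when bit == 1, b when bit == 0.
 * Timing is secret-independent, but the VALUE is not, and a DMP reacts
 * to values that reach memory. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t m = 0 - (bit & 1);          /* all ones if bit == 1, else 0 */
    return (a & m) | (b & ~m);
}

/* Unprotected: returns the exact word that lands in memory. If the attacker
 * controls a and b, the stored word looks like a pointer (or not) as a
 * function of secret_bit, which is what the DMP then reveals. */
uint64_t memory_image_plain(uint64_t secret_bit, uint64_t a, uint64_t b) {
    volatile uint64_t slot;              /* stands in for a heap/stack slot */
    slot = ct_select(secret_bit, a, b);
    return slot;
}

/* Masked: what reaches memory is (value ^ mask). The selected value exists
 * only in a register; the attacker cannot steer the stored bytes towards a
 * pointer-like shape because the mask is unknown to them. */
uint64_t memory_image_masked(uint64_t secret_bit, uint64_t a, uint64_t b,
                             uint64_t mask) {
    volatile uint64_t slot;
    slot = ct_select(secret_bit, a, b) ^ mask;
    return slot;
}

/* Unmask immediately after the load, in a register, before use. */
uint64_t load_unmasked(const volatile uint64_t *slot, uint64_t mask) {
    return *slot ^ mask;
}

/* Mask or unmask a whole array of key limbs in place (XOR is its own
 * inverse). Keys at rest in memory should stay masked; unmask limb by
 * limb only while a computation needs them. */
void mask_limbs(uint64_t *limbs, size_t n, uint64_t mask) {
    for (size_t i = 0; i < n; i++)
        limbs[i] ^= mask;
}

/* Round-trip check on a constructed 4-limb secret. Returns 1 when every
 * limb differs from the original while masked and matches after unmasking. */
int masked_roundtrip_ok(void) {
    const uint64_t mask = 0x5A3C9E17D2B48F61ULL;        /* constructed */
    uint64_t key[4] = { 0x1111222233334444ULL, 0x5555666677778888ULL,
                        0x9999AAAABBBBCCCCULL, 0xDDDDEEEEFFFF0000ULL };
    uint64_t orig[4];
    for (size_t i = 0; i < 4; i++) orig[i] = key[i];

    mask_limbs(key, 4, mask);
    for (size_t i = 0; i < 4; i++)
        if (key[i] == orig[i]) return 0;  /* masking must change the image */

    mask_limbs(key, 4, mask);
    for (size_t i = 0; i < 4; i++)
        if (key[i] != orig[i]) return 0;  /* unmasking must restore it */
    return 1;
}

int main(void) {
    /* Attacker-chosen inputs: one shaped like a user-space address, one not. */
    const uint64_t ptr_like = 0x00007FF012345678ULL;
    const uint64_t not_ptr  = 0x1ULL;
    const uint64_t mask     = 0x5A3C9E17D2B48F61ULL;   /* constructed */

    printf("plain,  secret=1: %016llx\n",
           (unsigned long long)memory_image_plain(1, ptr_like, not_ptr));
    printf("plain,  secret=0: %016llx\n",
           (unsigned long long)memory_image_plain(0, ptr_like, not_ptr));
    printf("masked, secret=1: %016llx\n",
           (unsigned long long)memory_image_masked(1, ptr_like, not_ptr, mask));
    printf("masked, secret=0: %016llx\n",
           (unsigned long long)memory_image_masked(0, ptr_like, not_ptr, mask));
    printf("limb round-trip ok: %d\n", masked_roundtrip_ok());
    return 0;
}
```

Two caveats a practitioner should keep in mind: the compiler is free to spill the unmasked register to the stack, which puts the raw value back in memory, so this kind of defense has to be checked at the assembly level; and a single, long-lived mask is itself a secret that must not be guessable, otherwise the attacker can pre-XOR their inputs to defeat it. Both are reasons the paper describes this route as costly rather than as a drop-in fix.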

However, there is one workaround that doesn't require code rewrites. Like many modern CPUs, Apple's M-series chips have two kinds of cores: big performance cores and little efficiency cores (Firestorm and Icestorm respectively on the M1; the M2 generation uses Avalanche and Blizzard). The researchers found the DMP only on the performance cores, including on the M1 and M2, so the GoFetch paper suggests that all cryptographic work should run solely on the efficiency cores for the time being. Anything running on those efficiency-focused cores will be slower, but at least it should be safe from this attack.

Even this approach might not be foolproof. If Apple ships a future M-series processor with a DMP in its efficiency cores too, there would be nowhere left to run secret-handling code without potentially exposing it. Given that the DMP demonstrably leaks secret-dependent information, we'd hope Apple either fixes it, removes it, or finds an alternative feature before its next generation of CPUs makes the problem worse. ®
