A team of researchers at MIT has managed to crack the purported last line of defense on Apple's M1 chip, creating a security loophole on the hardware level.

M1 chips are largely considered quite secure, despite some vulnerabilities discovered in the past. However, this particular issue stands out because of its inability to be patched out or otherwise updated. Since it’s tied to the hardware, the only way to address it would be to replace the chip.

Glowing Blue Circuit With Security Lock

The attack, dubbed "PACMAN" by the research team (there's a reason for it), can bypass the M1's Pointer Authentication defense and won't leave any evidence behind. The function essentially adds a special coded signature to various memory functions and requires authentication before running those functions. These Pointer Authentication Codes (PAC) are meant to shut down security bugs before they can do significant harm.

A PACMAN attack tries to guess the correct code to trick the chip into thinking a bug isn't a bug. And since the number of individual PAC values is finite, it's not too difficult to try all the possibilities. The silver lining in all of this is that a PACMAN attack is extremely reliant on specificity. It has to know exactly what type of bug it's supposed to let through, and it can't compromise anything if there's no bug for it to try and wave through Pointer Authentication.

Bouncer unhooking velvet rope

While PACMAN attacks don't pose an immediate threat to most M1 Mac systems, it is still a security loophole that could be exploited. The MIT team is hoping that knowledge of this weakness will prompt designers and engineers to come up with ways to close the exploit off in the future.

Source