Apple’s M1 chip contains “unfixable” hardware flaw, researcher claims

The bug, which cannot be easily exploited, is more likely to be abused by advertising companies than cyber criminals

A flaw has been discovered in the design of Apple's flagship M1 CPU that allows any two applications under an operating system (OS) to covertly exchange data between them without using memory, sockets, files, or other regular channels.

The vulnerability, which is baked into the hardware, facilitates communication between processes running as different users and under different privilege levels, creating covert channels for data exchange.

It's being tracked as CVE-2021-30747 and was dubbed M1racles by the researcher who discovered it, Hector Martin. Because the flaw is embedded in the silicon, it cannot be fixed without changing the chip technology.

This flaw is among the first hardware-embedded issues known to affect the M1 chip, after it was introduced into machines last year. It cannot be easily exploited and doesn't represent a major threat to users, however.

Malware cannot exploit this vulnerability to infect machines, or take over computers, but it does give malware strains already installed on devices additional capabilities, given the data exchange nature of the bug.

"If you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way," Martin said. "Chances are it could communicate in plenty of expected ways anyway.

Related Resource

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Cyber resilience for dummies - How to improve cyber resilience within your organisation - whitepaper from MimecastDownload now

"Honestly, I would expect advertising companies to try to abuse this kind of thing for cross-app tracking, more than criminals. Apple could catch them if they tried, though, for App Store apps."

Martin added that nobody's likely to find a nefarious use for the vulnerability in practical circumstances, but the flaw does violate the OS security model. Users aren't supposed to be able to send data between processes in secret, and they aren't supposed to be able to write to random CPU system registers, either.

Virtual machines (VMs) aren't affected by the flaw, and the only mitigation, therefore, is running the entire OS as a VM. Martin added, however, that this isn't practical given it has a major performance impact.

The researcher disclosed the flaw 90 days after initially notifying Apple. Although Apple has acknowledged the flaw, it's unclear whether a fix is planned for future generations of its custom CPU.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Ransomware criminals look to other hackers to provide them with network access
ransomware

Ransomware criminals look to other hackers to provide them with network access

17 Jun 2021
FBI still frowns on ransomware payments
ransomware

FBI still frowns on ransomware payments

11 Jun 2021
Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw
zero-day exploit

Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw

9 Jun 2021

Most Popular

Best paying tech jobs of 2021
Careers & training

Best paying tech jobs of 2021

7 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Mythic launches power-sipping AI chip
Hardware

Mythic launches power-sipping AI chip

8 Jun 2021