Researchers at MIT have discovered an unpatchable hardware vulnerability in Apple’s M1 chip. This vulnerability can allow attackers to break the memory security defenses of the chip. Researchers also confirm that no software patch can fix this vulnerability.
MIT’s researchers created a novel hardware attack that shows how pointer authentication can be defeated. The attack is called ‘PACMAN’ and it works by guessing a pointer authentication code (PAC). In principle an attacker could try every possible value until the right one is found, but naive brute force will not work: a wrong guess causes a crash, which resets the state, and the attacker has to start over.
To get around this, the researchers devised a PAC oracle that distinguishes correct from incorrect guesses without causing a crash. With it, they can brute-force a 16-bit PAC in around 2.94 minutes.
Researchers demonstrated that the attack works across privilege levels and also works against the kernel.
Apple implemented pointer authentication on all its chips, including the M1, M1 Pro, and M1 Max. PAC is used to protect against the exploitation of memory corruption bugs. Qualcomm and Samsung are also working to implement it in their upcoming chips.
MIT’s researchers have only tested Apple’s M1 chip, so it is not yet known whether this vulnerability also affects devices built on Apple’s M2 chip. Most probably, this vulnerability could also affect M2 chips.
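To make concrete what a pointer authentication code is, why a corrupted pointer normally crashes the process, and why a 16-bit PAC leaves only 65,536 candidate values for the oracle to sift, here is a toy software model of PAC signing and checking. This is an added illustration, not code from the MIT researchers or from Apple: the real PAC function runs in hardware with keys held in CPU registers, whereas this model uses a constructed HMAC key and a hypothetical 16-bit field in the top of a 64-bit pointer.

```python
import hmac
import hashlib

PAC_BITS = 16                 # width of the authentication code modelled here
PAC_SHIFT = 48                # PAC occupies the unused top bits of a 64-bit pointer
PTR_MASK = (1 << PAC_SHIFT) - 1

# Constructed demo key. In hardware the key is never visible to software.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class PacAuthFailure(Exception):
    """Stands in for the fault real hardware raises when an authenticated
    pointer is used after failing its check (the crash the article mentions)."""


def compute_pac(ptr: int, context: int, key: bytes = DEMO_KEY) -> int:
    """Toy stand-in for the hardware PAC function: a keyed MAC over the
    pointer value and a context value, truncated to PAC_BITS bits."""
    msg = ptr.to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(ptr: int, context: int, key: bytes = DEMO_KEY) -> int:
    """Embed the PAC in the top bits of the pointer (like a PAC* instruction)."""
    if ptr >> PAC_SHIFT != 0:
        raise ValueError("pointer must leave the top bits free for the PAC")
    return ptr | (compute_pac(ptr, context, key) << PAC_SHIFT)


def authenticate_pointer(signed: int, context: int, key: bytes = DEMO_KEY) -> int:
    """Strip and verify the PAC (like an AUT* instruction). A pointer whose
    value or PAC was altered by a memory corruption bug fails here."""
    ptr = signed & PTR_MASK
    pac = signed >> PAC_SHIFT
    if pac != compute_pac(ptr, context, key):
        raise PacAuthFailure(f"bad PAC for pointer {ptr:#x}")
    return ptr


def pac_keyspace() -> int:
    """Number of distinct PAC values an attacker must choose among: 2**16."""
    return 1 << PAC_BITS


def tamper_pac(signed: int, guess: int) -> int:
    """Replace the PAC field with an attacker-chosen guess (models a
    memory-corruption write that overwrites the signed pointer)."""
    return (signed & PTR_MASK) | ((guess & ((1 << PAC_BITS) - 1)) << PAC_SHIFT)


if __name__ == "__main__":
    ctx = 0x2A                         # constructed context value (e.g. a stack slot address)
    signed = sign_pointer(0x1000, ctx)
    print(f"signed pointer: {signed:#018x} -> {authenticate_pointer(signed, ctx):#x}")
    try:
        authenticate_pointer(tamper_pac(signed, (signed >> PAC_SHIFT) ^ 1), ctx)
    except PacAuthFailure as e:
        print("tampered pointer rejected:", e)
    print("candidate PAC values:", pac_keyspace())
```

The model shows the defensive property the article relies on: a corrupted pointer is rejected before use, and each rejection in real hardware is a crash that discards the attacker's progress. It also shows the limit PACMAN exploits, namely that the code is only 16 bits wide, so an oracle that reveals correctness without triggering the fault reduces the search to at most 65,536 tries.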