Apple’s M1 chip contains “unfixable” hardware flaw, researcher claims

The bug, which cannot be easily exploited, is more likely to be abused by advertising companies than cyber criminals

A flaw has been discovered in the design of Apple's flagship M1 CPU that allows any two applications under an operating system (OS) to covertly exchange data between them without using memory, sockets, files, or other regular channels.

The vulnerability, which is baked into the hardware, facilitates communication between processes running as different users and under different privilege levels, creating covert channels for data exchange.

It's being tracked as CVE-2021-30747 and was dubbed M1racles by the researcher who discovered it, Hector Martin. Because the flaw is embedded in the silicon, it cannot be fixed without changing the chip technology.

This flaw is among the first hardware-embedded issues known to affect the M1 chip, after it was introduced into machines last year. It cannot be easily exploited and doesn't represent a major threat to users, however.

Malware cannot exploit this vulnerability to infect machines, or take over computers, but it does give malware strains already installed on devices additional capabilities, given the data exchange nature of the bug.

"If you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way," Martin said. "Chances are it could communicate in plenty of expected ways anyway.

Related Resource

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Cyber resilience for dummies - How to improve cyber resilience within your organisation - whitepaper from MimecastDownload now

"Honestly, I would expect advertising companies to try to abuse this kind of thing for cross-app tracking, more than criminals. Apple could catch them if they tried, though, for App Store apps."

Martin added that nobody's likely to find a nefarious use for the vulnerability in practical circumstances, but the flaw does violate the OS security model. Users aren't supposed to be able to send data between processes in secret, and they aren't supposed to be able to write to random CPU system registers, either.

Virtual machines (VMs) aren't affected by the flaw, and the only mitigation, therefore, is running the entire OS as a VM. Martin added, however, that this isn't practical given it has a major performance impact.

The researcher disclosed the flaw 90 days after initially notifying Apple. Although Apple has acknowledged the flaw, it's unclear whether a fix is planned for future generations of its custom CPU.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021