Apple’s M1 chip contains “unfixable” hardware flaw, researcher claims

The bug, which cannot be easily exploited, is more likely to be abused by advertising companies than cyber criminals

A flaw has been discovered in the design of Apple's flagship M1 CPU that allows any two applications under an operating system (OS) to covertly exchange data between them without using memory, sockets, files, or other regular channels.

The vulnerability, which is baked into the hardware, facilitates communication between processes running as different users and under different privilege levels, creating covert channels for data exchange.

It's being tracked as CVE-2021-30747 and was dubbed M1racles by the researcher who discovered it, Hector Martin. Because the flaw is embedded in the silicon, it cannot be fixed without changing the chip technology.

This flaw is among the first hardware-embedded issues known to affect the M1 chip, after it was introduced into machines last year. It cannot be easily exploited and doesn't represent a major threat to users, however.

Malware cannot exploit this vulnerability to infect machines, or take over computers, but it does give malware strains already installed on devices additional capabilities, given the data exchange nature of the bug.

"If you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way," Martin said. "Chances are it could communicate in plenty of expected ways anyway.

Related Resource

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Cyber resilience for dummies - How to improve cyber resilience within your organisation - whitepaper from MimecastDownload now

"Honestly, I would expect advertising companies to try to abuse this kind of thing for cross-app tracking, more than criminals. Apple could catch them if they tried, though, for App Store apps."

Martin added that nobody's likely to find a nefarious use for the vulnerability in practical circumstances, but the flaw does violate the OS security model. Users aren't supposed to be able to send data between processes in secret, and they aren't supposed to be able to write to random CPU system registers, either.

Virtual machines (VMs) aren't affected by the flaw, and the only mitigation, therefore, is running the entire OS as a VM. Martin added, however, that this isn't practical given it has a major performance impact.

The researcher disclosed the flaw 90 days after initially notifying Apple. Although Apple has acknowledged the flaw, it's unclear whether a fix is planned for future generations of its custom CPU.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022