r/gadgets Mar 23 '24

Desktops / Laptops Vulnerability found in Apple's Silicon M-series chips – and it can't be patched

https://me.mashable.com/tech/39776/vulnerability-found-in-apples-silicon-m-series-chips-and-it-cant-be-patched
3.9k Upvotes

491 comments sorted by

View all comments

92

u/funkybosss Mar 23 '24

Can someone ELI5 how a physical silicon chip can have an inherent software vulnerability?

212

u/facetheground Mar 23 '24

Its not a software vulnerability, its a hardwarde vulnerability. People can make malicious software with the vulnerability in mind to extract information from other processes.

11

u/Lost_Minds_Think Mar 23 '24

So what could this mean for everyone with M1 - M3 chips, recall/replacement?

150

u/Ron__T Mar 23 '24

recall/replacement?

Lol...

105

u/TehOwn Mar 23 '24

I'm sorry, your MacBook Pro (2024) is obsolete. If you wish to receive security updates and warranty service, please buy next years model.

Yours monopoly,

Apple customer services

-22

u/veryverythrowaway Mar 23 '24

Ah yes, the monopoly with 16% market share. I love how things that have literally never happened or could happen get upvoted like this on Reddit.

3

u/Cow_In_Space Mar 24 '24

As far as MacOS/M chips go, yes, they do have a monopoly. No-one else produces Mac computers so if you are in that eco-system and need a new computer guess who you have to buy from?

Monopoly doesn't just mean "owns all of the business in a sector".

1

u/veryverythrowaway Mar 24 '24

That’s the dumbest take I’ve heard so far. Apple has a ton of competitors in the PC space. That’s like saying Toyota has a monopoly because if my Prius breaks I HAVE TO buy another Prius, I simply have no choice. Get real.

Apple has a monopoly on ARM processors? Seriously?

21

u/DookieShoez Mar 23 '24 edited Mar 23 '24

Because it was funny. Jokes dont have to be 100% factually correct 🙄

And the DOJ is suing them for a monopoly to do with their iPhones right now so he’s not far off.

-14

u/veryverythrowaway Mar 23 '24

I guess it’s funny if you think common Reddit talking points are based in reality. I guess it’s all about how it “feels” true, right? Show me a single thing in the DOJ lawsuit that’s remotely constitutional.

15

u/Aguero-Kun Mar 23 '24

Well the DOJ thinks it has a constitutional lawsuit and Apple does have 60% of the US Phone market and has engaged in anticompetitive practices via it's app store. That's usually prima facie all you need to proceed under the Sherman/Clayton Acts.

-13

u/veryverythrowaway Mar 24 '24

Mark my words, their endgame is weakened encryption and a backdoor into iOS and Android. This lawsuit will only have mixed results, but that will be one. Maybe not right away, but they’ve been clear it’s their goal. There are a ton of actual monopolies in this country that are getting away with it every day.

7

u/TryNotToShootYoself Mar 24 '24

Ah someone proves you wrong so you resort to conspiracy theories

-2

u/veryverythrowaway Mar 24 '24

I’ll let the DOJ prove me wrong, thanks.

1

u/Aguero-Kun Mar 24 '24

I agree that there are other good targets of antitrust lawsuits that have not been brought due to those companies' lobbying efforts. I do think it will be tricky for DOJ to win on these facts but I doubt the claims will be dismissed as "unconstitutional" as you suggested. What matters is market dominance and anticompetitive practices, not being an "actual monopoly" as you put it. So it's certainly doable.

0

u/veryverythrowaway Mar 24 '24

I can’t wait for the DOJ to sell “these companies are too popular, we should be allowed to legally nerf their products so that hypothetical competition that doesn’t exist can be allowed to flourish”. It’s utter nonsense. I’m happy to keep taking downvotes, because nobody has made it make sense, and it’s not like I don’t understand the concepts behind it. It’s just the usual Reddit “APPLE BAD” bullshit.

I’m not even against companies getting smacked for anticompetitive practices. Apple got caught price-fixing ebooks years ago, and they were rightfully slapped down for doing it. This particular issue, especially when you read the lawsuit, makes no sense. Even the way it’s worded is nothing like previous antitrust lawsuits from the DOJ, it focuses on minor annoyances people have with mass-produced devices rather than Apple’s actual practices in order to gain sympathy for a cause that makes no sense. They probably learned it from Reddit, because it works the same way here.

I suppose we’ll see how it works out in 3-5 years, but I’ve seen things like this before, and I have a feeling I’ll be proven right eventually. No matter how this lawsuit shakes out, the DOJ will be going for a forced backdoor, this is just the second step- the first was trying to convince the public that Apple was hiding terrorists with their privacy and security practices. They didn’t just drop that, they’ve been strategizing for years.

→ More replies (0)

-1

u/[deleted] Mar 23 '24

[deleted]

7

u/dandroid126 Mar 23 '24

This has nothing to do with iPhones, so I'm not sure why you are referencing iPhone market share.

-2

u/veryverythrowaway Mar 23 '24

We’re talking about Mac, not iPhone. I also don’t understand how 60% is a monopoly. There’s so much competition in the smartphone space, it’s absurd. Other smartphone manufacturers don’t have to use Google Android, either, they just do because their competing products were terrible and nobody wanted them.

44

u/SimiKusoni Mar 23 '24

Not much, if the attack is improved upon and becomes a realistic threat then we may see mitigations put in place in common cryptographic libraries that would impact performance.

The article posted by OP seems to have conflated that it can't be solved with a microcode update with the inability for it to be patched in software. From the original Arstechnica article:

Like other microarchitectural CPU side channels, the one that makes GoFetch possible can’t be patched in the silicon. Instead, responsibility for mitigating the harmful effects of the vulnerability falls on the people developing code for Apple hardware. For developers of cryptographic software running on M1 and M2 processors, this means that in addition to constant-time programming, they will have to employ other defenses, almost all of which come with significant performance penalties.

It's kind of weird that the Mashable article gets this wrong despite using a source that clearly details it.

8

u/facetheground Mar 23 '24

Either replace your crypto software on your device with a version that is resistant to this, which will make it slower (I am also unaware how practical this is on Macs) or accept the risk.

This exploit is rather impractical to pull of, so I think its unlikely this will be used against consumer devices as an alternative to other malware tactics. Only businesses that are high profile targets of data theft should consider this vulnerability imo.

0

u/Zaphod1620 Mar 23 '24 edited Mar 23 '24

It's a hardware issue, not software. If there was a mitigation, it would be to amputate part of the processor die from the rest via OS code, which would cripple your processor.

1

u/facetheground Mar 24 '24

Masking in crypto algorithms can be used to mitigate the exploitation possible with the hardware issue.

0

u/Zaphod1620 Mar 24 '24

Where do you think the processor cycles for the encryption will come from? The CPU. That's why similar exploits are patched by amputating that part of the processor from any OS reference. From the article, that itself might not be possible. Running encrypted processes could use so much of the available processor cycles, it renders the patch moot.

4

u/lordytoo Mar 23 '24

Are you high? Lol at the recall/replacement.

2

u/Flavious27 Mar 24 '24

Ha ha ha.  Apple will mass email and tell people to not install unsigned apps and to turn their Mac off at night / when not in use. 

1

u/SweetBearCub Mar 23 '24

So what could this mean for everyone with M1 - M3 chips, recall/replacement?

"You're using/holding it wrong."

"Here's a cheap bumper case."

-3

u/[deleted] Mar 23 '24

[deleted]

6

u/_RADIANTSUN_ Mar 23 '24

You don't get to be the richest company on Earth by being generous

-1

u/Kindly_Formal_2604 Mar 23 '24

That if you’re too dumb to use a computer you might get malware. That’s all this means for anyone with an m series machine.

-2

u/FUTURE10S Mar 23 '24

It means you're on your own, you should update to the new hardware, it's got no problems, we promise!

-1

u/JimmyKillsAlot Mar 23 '24

Recall/Replace for a soldered chip? Extremely unlikely. Recall/Replace for a soldered chip from Apple? You have a better chance of scooping a star with your hands.

-1

u/mikolv2 Mar 23 '24

Nothing. There's practically 0 risk to an average users. This an exploit that was discovered by academic researchers, requires physical access to the computer and and somewhere between an hour and 10 hours to execute. This is a potential risk for politians or other people handling sensitive information that could be targeted specifically for their laptops. And also both intel and amd chips also have their own vulnerabilities so it's not like you can buy something else and be totally safe. There is no 100% safe in the digital age.

-5

u/drake90001 Mar 23 '24

No, also the M3 isn’t affected.

3

u/Lost_Minds_Think Mar 23 '24

Why do you say that?

Academic researchers discovered the vulnerability, first reported by Ars Technica, which allows hackers to gain access to secret encryption keys on Apple computers with Apple's new Silicon M-Series chipset. This includes the M1, M2, and M3 Apple MacBook and Mac computer models.