Apple Mac computers and iPad tablets are potentially susceptible to a serious vulnerability that could expose cryptographic keys and passwords on certain devices.
A flaw in Apple’s M-series chips can be used by hackers via a malware attack to steal cryptographic keys, including those that secure cryptocurrency wallets, according to researchers from various universities.
And while the real-world risks of the exploit might be low, it’s not something you’ll want to ignore if you hold a large amount of crypto in a software wallet on a potentially vulnerable Mac. Here’s a quick primer on the situation, based on what’s been reported and disclosed to date.
What’s the issue?
Researchers announced last week that they discovered a critical vulnerability within Apple’s M-series chips used in Macs and iPads that can potentially allow an attacker to gain access to cryptographically secure keys and codes.

The issue boils down to a technique called “prefetching,” which Apple’s own M-series chips use to speed up your interactions with your device. With prefetching, the processor tries to predict which data will be needed next and loads it into the cache ahead of time so it is close at hand. But that technique can apparently now be exploited.
Researchers say they were able to create an app that successfully “tricked” the processor into putting some of that prefetched data into the cache, which the app could then access and use to reconstruct a cryptographic key. That’s a potentially huge problem.
Who’s at risk?
If your Mac or iPad has an Apple M-series processor—M1, M2, or M3—then your device is potentially susceptible to this vulnerability. The M1 processor rolled out in late 2020 with the MacBook Air, MacBook Pro, and Mac Mini, and later was expanded to Mac desktops and even iPad tablets.

The M2 processor and current M3 processor are also susceptible across computers and tablets, and the M2 chip is even used in the Apple Vision Pro headset. But with the M3 chip, the data memory-dependent prefetcher that’s impacted by the vulnerability “has a special bit that developers can invoke to disable the feature,” Ars Technica reports, albeit with some level of performance hit as a result.
What if I have an older Mac or iPad?
If you have an older Mac with an Intel processor, which Apple used for years and years before developing its own silicon, then you’re fine. Intel chips aren’t impacted.
Similarly, if you have an iPad (old or new) that uses one of Apple’s A-series chips, which also feature in the company’s iPhones, then there doesn’t appear to be a risk. Only the M1, M2, and M3 chips are vulnerable due to how they were designed. Apple’s A14, A15, and A16 chips from recent iPhones and iPads are indeed variants of the M-series chips, but the research report and media reports do not cite them as being vulnerable as of this writing.
What can I do about it?
What can you do to fix the issue? Nothing, unfortunately. This is a chip-level vulnerability that has to do with the unique architecture of Apple’s chips. That means it’s not something Apple can fix with a patch. What app developers can do is implement fixes to avoid the vulnerability, but there’s apparently a performance trade-off as a result, so such apps could feel much more sluggish once updated.

What you can do to remove your risk, of course, is to get any crypto wallets you have off of your vulnerable Apple devices. Migrate them to another device, whether it’s a Windows PC, an iPhone, an Android phone, etc. Don’t wait for catastrophe to strike.
That’s exactly what Errata Security CEO Robert Graham told Zero Day writer Kim Zetter to share with readers: Get your crypto wallets off your devices, at least for now. “There are people right now hoping to do this [attack] and are working on it, I would assume,” he told the blog.
Can my crypto just be taken?
While devices with the M1-M3 chips are indeed vulnerable, it’s not like hackers can just flip a switch and take your funds at any moment. You’d typically need to install malware on your device, and then the attackers would need to use the exploited software to pull the private keys and access the associated wallet.
Apple’s macOS is also fairly resilient to malware, since you’d have to manually allow for such an app to be installed on your device. Macs block unsigned, third-party software by default. Still, if you’re the adventurous type and have installed apps from “unidentified” developers, you’ll want to play it safe if you’re using a potentially vulnerable M-chip device.

This kind of attack can also be performed on a shared cloud server that holds your keys, so that’s another potential attack vector, according to Zero Day. It also might be possible to pull off this kind of attack on a website via JavaScript code, which would be far more effective at impacting the average user, since they wouldn’t have to install anything. But that’s theoretical for now.
The vulnerability could also potentially be used to decrypt the contents of a web browser cookie, according to Zero Day, possibly letting attackers gain access to something like an email account, which could in turn let them log into sensitive accounts.
What about hardware wallets?
Hardware wallets from the likes of Ledger and Trezor are apparently not at risk, based on current reporting around the vulnerability, since the private keys need to be on your Apple device with an M1-M3 chip to be impacted. That said, it’s probably not a bad idea to avoid connecting hardware wallets to vulnerable devices, just in case.
What about centralized exchanges?
Centralized exchanges like Coinbase hold onto your funds in custodial wallets, and since you don’t have the private keys on your device, they’re not directly at risk. However, if you keep your password to your Coinbase account in a cryptographically secure password manager on your vulnerable Apple device, then you may want to change your password and not update it within the manager. Better safe than sorry.
And as mentioned, it’s theoretically possible for an attacker to decrypt account passwords from browser cookies using this vulnerability.
How serious is this really?
It’s a serious vulnerability, no doubt—but the likelihood of it impacting the average crypto user appears to be pretty low. Depending on the type of encryption being cracked through this vulnerability, it could take as little as about an hour to gradually pull enough data from the cache to reconstruct a key… or as long as 10 hours.
That doesn’t mean it’s impossible or that it can’t happen to you, but this isn’t a quick-hit, drive-by kind of attack. You should still take precautions to ensure that you’re not at risk, but if the report is accurate, then it doesn’t sound like this will be a widespread threat to the average user.
Edited by Guillermo Jimenez