M1RACLES, the unpatchable bug that impacts new Apple M1 chips

A security expert has discovered a vulnerability in Apple M1 chips, dubbed M1RACLES, that cannot be fixed.

Software engineer Hector Martin from Asahi Linux has discovered a vulnerability in the new Apple M1 chips, tracked as CVE-2021-30747, that was named M1RACLES.

The expert pointed out that the issue can only be fixed with a redesign of the circuits, but the good news is that the severity of the vulnerability is very low and doesn’t pose a major security risk because there are other side channels to leak data.

The M1RACLES vulnerability allows two apps running on the same device to exchange data through a covert channel at the CPU’s level, without using memory, sockets, files, or any other normal operating system features

The flaw stems from the fact that the Arm system register encoded as s3_5_c15_c10_1 contains two bits that can be read and written at EL0 (Exception Level 0, application level privilege) from all cores simultaneously.

“The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process. A demo app to access this register is available here.” said Hector Martin.

“A malicious pair of cooperating processes may build a robust channel out of this two-bit state, by using a clock-and-data protocol (e.g. one side writes 1x to send data, the other side writes 00 to request the next bit). This allows the processes to exchange an arbitrary amount of data, bound only by CPU overhead.”

The expert doesn’t understand the purpose of this register, but he believes that it hasn’t been made accessible to EL0 intentionally.

The expert explained that that he only fears possible exploitation of the bug by shady advertising companies, which could abuse an app they already had installed on a device for cross-app tracking.

“Honestly, I would expect advertising companies to try to abuse this kind of thing for cross-app tracking, more than criminals. Apple could catch them if they tried, though, for App Store apps (see below).” continues the report.

Martin reported the issue to Apple, but at the time of this writing, it is not clear if they plan to review the design of the M1 chips to fix it.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, M1RACLES)

[adrotate banner=”5″]

[adrotate banner=”13″]