Apple Mac computers and iPad tablets are potentially vulnerable to a serious security vulnerability that could expose encryption keys and passwords on certain devices.
Hackers could use a flaw in Apple's M-series chipsets through a malware attack to steal encryption keys, including those that secure cryptocurrency wallets, according to researchers from various universities.
And while the real-world risk of exploitation may be low, it's not something you want to ignore if you hold a large amount of cryptocurrency in a software wallet on a Mac that may be at risk. Here's a quick primer on the situation, based on what's been reported and revealed so far.
What is the problem?
Researchers Announced last week They discovered a critical vulnerability within Apple's M-series chipsets used in Macs and iPads that could potentially allow an attacker to access encryption secure keys and tokens.
The problem boils down to a technology called “prefetching,” which Apple's M-series chips enable to speed up your interactions with your device. With prefetching, the device aims to speed up interactions by keeping tabs of your most common activities and keeping data close at hand. But it seems that this technology can be exploited now.
The researchers say they were able to create an app that successfully “tricks” the processor into putting some previously fetched data into the cache, which the app can then access and use to reconstruct the encryption key. This is a potentially big problem.
Who is at risk?
If your Mac or iPad has an Apple M-series processor — M1, M2, or M3 — your device is likely vulnerable to this vulnerability. The M1 processor was introduced in late 2020 with the MacBook Air, MacBook Pro, and Mac Mini, and was later expanded to include Mac desktops and even iPad tablets.
The current M2 processor and M3 processor are also vulnerable across computers and tablets, and the M2 chip is also used in Apple Vision Pro headphone. But with the M3 chip, the cache-based prefetcher affected by the vulnerability “has a special part that developers can call to disable the feature.” Ars Technica Reports, albeit with some level of performance as a result.
What if I have an older Mac or iPad?
If you have an old Mac with an Intel processor, which Apple used for years and years before developing its own processor, you're fine. Intel chips are not affected.
Likewise, if you have an iPad (old or new) that uses one of Apple's A-series chips, which also appear in the company's iPhones, there doesn't seem to be any risk. Only the M1, M2 and M3 chips are at risk because of the way they are designed. Apple's A14, A15, and A16 chips found in recent iPhones and iPads are actually variants of the M-series chips, but the research report and media reports do not indicate that they are at risk as of this writing.
What can I do about it?
What is possible? You done to fix the problem? Nothing unfortunately. This is a chip-level vulnerability related to the unique architecture of Apple chips. This means it's not something Apple can fix with a patch. What app developers can do is implement fixes to avoid the vulnerability, but there seems to be a performance trade-off as a result, so these apps may appear much slower once they're updated.
What you can do to remove your risk, of course, is to remove any cryptocurrency wallets you have from the vulnerable Apple devices. Transfer it to another device, be it Windows PC, iPhone, Android phone, etc. Don't wait for disaster to happen.
That's exactly what Errata Security CEO Robert Graham said Tell Zero day Writer Kim Zetter to share with readers: Get your cryptocurrency wallets off your devices, at least for now. “There are people now hoping to do this [attack] “We're working on it, I think,” he told the blog.
Can my cryptocurrencies be taken?
Although devices with M1-M3 chips are already vulnerable, it's not as if hackers can just flip a switch and take your money at any moment. You will typically need to install malware on your device, after which attackers will need to use the exploit to extract private keys and gain access to the associated wallet.
Apple's macOS operating system as well Fairly resilient to malware, since you will have to manually allow this app to be installed on your device. Macs block unsigned third-party software by default. However, if you're the adventurous type and install apps from “faceless” developers, you'll need to play it safe if you're using a potentially vulnerable M-chip device.
This type of attack can also be carried out on a shared cloud server that holds your keys, so this is another potential attack vector, according to Zero day. It may also be possible to perform this type of attack on a website via Javascript code, which would be much more effective in influencing the average user, as they would not have to install anything. But that's my theory for now.
The vulnerability could also be used to decrypt the contents of a web browser cookie, according to Zero Day, which could allow attackers to access something like an email account — which could allow users to log into sensitive accounts.
What about hardware wallets?
Hardware wallets from the likes of Ledger and Trezor are clearly not at risk, based on current reports about the vulnerability, since the private keys would have to be on your Apple device with an M1-M3 chip to be affected. However, it's probably not a bad idea to avoid connecting hardware wallets to vulnerable devices, just in case.
What about centralized exchanges?
Centralized exchanges like Coinbase hold your funds in custodial wallets, and since you don't have the private keys on your device, they're not directly at risk. However, if you keep your password for your Coinbase account in a cryptographically secure password manager on your vulnerable Apple device, you may want to change your password and no Update it within the manager. Better safe than sorry.
As mentioned previously, it is theoretically possible for an attacker to decrypt account passwords from browser cookies using this vulnerability.
How serious is this really?
It is undoubtedly a serious security vulnerability, but the likelihood of it affecting the average cryptocurrency user seems very low. Depending on the type of encryption compromised by this vulnerability, it could take up to about an hour to gradually pull enough data from the cache to rebuild the key… or up to 10 hours.
This does not mean that it is impossible or that it cannot happen to you, but this is not a speeding attack or a drive-by attack. You should still take precautions to ensure you're not at risk, but if the report is accurate, it doesn't look like this would pose a widespread threat to the average user.
Edited by Guillermo Jimenez
