
GoFetch: Apple chips vulnerable to encryption key stealing attack


Apple M-series chips are vulnerable to a side-channel attack called “GoFetch,” which exploits data memory-dependent prefetchers (DMPs) to extract secret encryption keys.

DMPs are a feature of some modern processors that use memory access patterns to predict which data might be useful, and preload that data into cache memory for fast access.

A group of researchers discovered that the DMP process in Apple M-series chips (M1, M2 and M3) could be probed using attacker-selected inputs, and its prefetching behavior analyzed to ultimately predict encryption keys generated by the intended target. The researchers published their findings in a paper shared on their website Thursday.  

“This bug can extract encryption keys, which is a problem for servers (using TLS) or for those organizations where users are encrypting information. Largely, it will probably be highly secure environments that need to worry the most over this, but any organization running Apple CPUs and using encryption should be concerned,” John Bambenek, president of Bambenek Consulting, told SC Media in an email.

‘GoFetch’ exploit effective against classic and quantum-resistant cryptography

The researchers’ GoFetch exploit involves feeding “guesses” into the targeted cryptographic application and observing changes in memory access on the system indicating prefetching patterns. By refining their inputs based on the observed changes, and correlating signals from the DMP to bits of cryptographic data, an attacker could ultimately infer the targeted encryption keys.

This attack essentially circumvents the safeguards of constant-time cryptography, which prevents side-channel extraction of encryption keys by eliminating any relationship between secret data contents and their execution timing.

The GoFetch researchers demonstrated that their proof-of-concept exploit works against Go RSA-2048 encryption, OpenSSL Diffie-Hellman key exchange (DHKE), and even the post-quantum encryption protocols CRYSTALS-Kyber and CRYSTALS-Dilithium. The attack takes a minimum of about 49 minutes (against Go RSA keys) and up to 15 hours (against Dilithium keys) to complete on average.

The attack was primarily tested on Apple’s M1 processor, but the group’s investigations of the M2 and M3 CPUs indicated similar DMP activation patterns, suggesting they are likely vulnerable to the same exploit, the researchers said.

The Intel 13th generation Raptor Lake processor also uses a DMP in its microarchitecture, but the researchers found it was not as susceptible to attack due to its more restrictive activation criteria.

Apple M chip DMPs not patchable; some mitigations available

As a microarchitectural hardware feature of Apple chips, the DMPs susceptible to GoFetch cannot be directly “patched.” However, some mitigations are available to prevent or lower the likelihood of attack.

The attack requires the attacker’s GoFetch process (which probes and monitors the DMP) to run locally on the same machine as the targeted process, so avoiding the installation of suspicious programs is one line of defense.  

Apple cited the ability to enable data-independent timing (DIT) as a mitigation for GoFetch in an email to SC Media. Enabling DIT, which is available on M3 processors, disables the vulnerable DMP feature, Ars Technica reported.

The researchers also noted that DMP does not activate for processes running on Apple’s Icestorm efficiency cores. Restricting cryptographic processes to these smaller cores will prevent GoFetch attacks but will also likely result in a performance reduction.

Cryptographic software providers can also use techniques like input blinding to mask the contents being fetched, but this also presents challenges in terms of performance penalties. Overall, users are recommended to keep any cryptographic software up to date as providers make changes to counter side-channel attack risks.     

“The researchers have said they will be releasing the proof-of-concept soon, which will significantly lower the difficulty to exploit this bug,” Bambenek commented. “There isn’t much for [users] to do except to wait for encryption software writers to release updates and to see whether those vendors will create a configurable option so CISOs can choose speed or higher security.”

The GoFetch vulnerability was disclosed to Apple in December 2023 and the researchers’ paper states Apple was investigating the PoC. An Apple spokesperson expressed gratitude toward the researchers in a comment to SC Media without disclosing further details about an investigation.

The vulnerability was also reported to the Go Crypto, OpenSSL and CRYSTALS teams. Go Crypto said the attack was considered low severity, OpenSSL said local side-channel attacks fall outside of its threat model, and CRYSTALS acknowledged that hardware fixes would be needed to resolve the issue in the long term.

SC Media reached out to the GoFetch team to ask about industry reactions to their research and did not receive a reply.