A recently identified vulnerability in Apple’s M-series processors could have serious consequences for crypto users, with the potential to compromise the private keys essential for securing digital assets. This flaw, which lies deep in the microarchitecture of these chips, was first reported by Ars Technica and detailed in a paper published by a collective of researchers from top US universities.

Mac users take note: This is crucial for crypto owners

The vulnerability stems from a side channel in the chip’s data memory-dependent prefetcher (DMP), a mechanism designed to increase computing efficiency. However, this feature inadvertently enables the extraction of secret keys during cryptographic operations, a process fundamental to the security of cryptocurrencies and other digital transactions.

“The DMP […] uses the data values to make predictions […] if a data value ‘looks like’ a pointer, it will be treated as an ‘address’ […] the data from this ‘address’ will be brought to the cache, leaking over cache side channels,” the researchers explained, highlighting the unintended risk posed by this hardware optimization.

Called “GoFetch” by its discoverers, this attack method does not require administrative access, which raises alarm bells about the ease with which attackers can exploit this vulnerability.

According to the team, “We don’t care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible over a cache channel and is sufficient to reveal the secret key over time.” This discovery is particularly concerning for cryptocurrency holders, as private keys are the linchpin of security for digital wallets and transactions.
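The mechanism the researchers describe can be seen in a toy software model, which shows why branch-free "constant-time" code alone does not close this channel. This is an added example, not code from the GoFetch paper or the original article; the address range, the pointer heuristic and all function names are assumptions made for illustration.

```python
# Toy model of a data memory-dependent prefetcher (DMP). All addresses and
# the pointer heuristic are constructed for illustration, not Apple's design.
LINE = 64                                    # cache line size in bytes
MAPPED = range(0x1000_0000, 0x1001_0000)     # constructed "valid pointer" range
WORD_MASK = 0xFFFF_FFFF_FFFF_FFFF


class ToyCache:
    def __init__(self):
        self.lines = set()

    def fill(self, addr):
        self.lines.add(addr // LINE)

    def is_cached(self, addr):
        return addr // LINE in self.lines


def load(cache, memory, addr, trace):
    """Architectural 8-byte load, followed by the DMP's side effect."""
    trace.append(addr)                       # what the program itself accessed
    cache.fill(addr)
    value = memory[addr]
    if value in MAPPED:                      # the data "looks like" a pointer...
        cache.fill(value)                    # ...so the DMP prefetches its target
    return value


def constant_time_select(cache, memory, buf, secret_bit, word, trace):
    """Branch-free select: identical instructions and addresses for 0 and 1."""
    mask = -secret_bit & WORD_MASK           # all ones if bit is 1, else zero
    memory[buf] = word & mask                # intermediate depends on the secret
    load(cache, memory, buf, trace)


def run(secret_bit):
    """Return (architectural access trace, whether the probe line got cached)."""
    cache, memory, trace = ToyCache(), {}, []
    probe = 0x1000_4000                      # pointer-like input word (constructed)
    constant_time_select(cache, memory, 0x2000, secret_bit, probe, trace)
    return trace, cache.is_cached(probe)


if __name__ == "__main__":
    for bit in (0, 1):
        trace, leaked = run(bit)
        print(f"secret_bit={bit} trace={[hex(a) for a in trace]} probe_cached={leaked}")
```

The program's own access trace is the same for both secret bits, yet the cache ends up in a different state, which is the difference an observer on a cache side channel can measure.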

What exactly does this mean?

The implications of GoFetch are enormous, affecting not only traditional encryption protocols but also those designed to withstand quantum computing attacks. This compromises a wide range of cryptographic keys, including RSA and Diffie-Hellman, along with post-quantum algorithms such as Kyber-512 and Dilithium-2.

The researchers reported that “The GoFetch app takes less than an hour to extract a 2048-bit RSA key and just over two hours to extract a 2048-bit Diffie-Hellman key,” underscoring the efficiency and risk of this attack vector.

Mitigation of this vulnerability poses a significant challenge due to its hardware-based nature. While software-based defenses can be developed, they often come at the cost of reduced performance, especially on devices with older M-series chips.

“For developers of cryptographic software running on M1 and M2 processors […] they will have to deploy other defenses, almost all of which carry significant performance penalties,” the researchers noted, indicating a difficult path forward for developers and users alike.

Apple has yet to make a public statement regarding the GoFetch findings, leaving the tech community and crypto users eagerly awaiting a response. In the meantime, the researchers advise end users to be on the lookout for software updates that specifically address this vulnerability.

Source: https://cryptobenelux.com/2024/03/23/apple-gebruikers-gewaarschuwd-uw-crypto-mogelijk-in-gevaar/
