Author: Blockchain Knight
There may be a serious vulnerability in Apple's MacBooks and iPads that could expose cryptographic keys and passwords on some devices.
According to researchers from multiple universities, there is a vulnerability in Apple's M-series chips that could allow hackers to steal cryptographic keys, including the keys that secure crypto asset wallets, through malware attacks.
Although the real-world risk of this vulnerability may be low, users who hold a large amount of crypto assets on a MacBook with an M-series chip should pay attention to it.
The following is some key information disclosed in the report.
Researchers announced last week that they had discovered a critical vulnerability in Apple's M-series chips used in Macs and iPads that could potentially be exploited by attackers to obtain cryptographic keys and codes.
The problem boils down to a technology called "prefetching," which Apple's own M-series chips use to speed up user interaction with the device.
With "prefetching" technology, devices can monitor a user's most common activities and save the data on the user's device, speeding up interactions. But this technology can now apparently be exploited.
The researchers said they were able to create an application that successfully "tricked" the processor into placing some prefetched data into cache, which the application could then access and use to reconstruct the cryptographic key. This is a potentially huge problem.
If the user's Mac or iPad is equipped with Apple's M-series processors (including M1, M2 or M3), then the device may be affected by this vulnerability.
The M1 processor was launched on MacBook Air, MacBook Pro, and Mac Mini in late 2020, and was later expanded to Mac desktops and even iPad tablets.
M2 processors and the current M3 processors in computers and tablets are also susceptible, and the M2 chip is even used in Apple's Vision Pro headset.
But according to Ars Technica, in the M3 chip, the data memory prefetcher affected by the vulnerability adds a "special bit" that developers can call to disable the data saving function, although there will be a certain performance impact as a result.
Users with older Macs that have Intel processors are not affected. Apple used Intel processors for years before developing its own chips.
Similarly, if the user's iPad (whether old or new) uses Apple's A-series chip (the same chip used in the iPhone), then there seems to be no risk. Only the M1, M2 and M3 chips are vulnerable due to the way they are designed.
The A14, A15 and A16 chips in Apple's recently launched iPhones and iPads are indeed variants of M-series chips, but neither the research reports nor media reports have indicated that they are vulnerable.
So what can users do to solve this problem? Unfortunately, nothing can be done.
This is a chip-level vulnerability, related to the unique architecture of Apple chips, which means Apple can't fix it with a patch. What app developers can do is implement fixes to avoid the vulnerability, but there's obviously a performance tradeoff in doing so, so such apps may feel more sluggish once updated.
Of course, to eliminate the risk, users can also remove their crypto wallets from the vulnerable Apple device and migrate them to other devices such as a Windows PC, iPhone, or Android phone.
Errata Security CEO Robert Graham also said: "Take your Crypto asset wallet off the device, at least for now. I guess there are people who want to carry out this attack now, and are working hard."
Although devices equipped with M1-M3 chips do have vulnerabilities, hackers do not just turn on a switch and take away your funds. Typically, the user needs to install malware on the device, and the attacker then needs to use the exploited software to extract the private keys and access the associated wallet.
Apple's macOS is also quite resistant to malware because you have to manually allow such apps to be installed on your device.
Mac blocks unsigned third-party software by default. Still, if you're adventurous and install apps from "unidentified" developers, you should still be careful when using a potentially vulnerable M-chip device.
According to Zero Day, this attack can also be carried out on a shared cloud server that holds user keys, so this is another potential attack vector.
Alternatively, it is also possible to carry out this attack from a website via JavaScript code, which would be much more effective against ordinary users because no software needs to be installed. Of course, this is only theoretically possible.
According to Zero Day reports, this vulnerability may also be used to decrypt the contents of web browser cookies, which may allow attackers to gain access to email accounts and log in to users' sensitive accounts.
According to current reports about the vulnerability, hardware wallets from companies such as Ledger and Trezor are apparently not compromised, as the private keys need to be installed on an Apple device with an M1-M3 chip to be affected.
Still, it is a good countermeasure to avoid connecting your hardware wallet to a vulnerable device just in case.
Centralized exchanges such as Coinbase store users' funds in custodial wallets. Since users do not have private keys on their devices, they are not directly exposed to risks.
However, if users save their Coinbase account passwords in an encrypted password manager on a vulnerable Apple device, they may need to change the password rather than update it in the manager.
As mentioned previously, an attacker could theoretically exploit this vulnerability to decrypt account passwords from browser cookies.
There is no doubt that this is a serious vulnerability, but the likelihood of it affecting ordinary crypto users seems low. To crack passwords through this vulnerability, an attacker must first gradually extract enough data from the cache to reconstruct the key. This process may take about 1-10 hours, or even longer.
This doesn't mean it's impossible or won't happen to users, but it's not a quick attack.
Users should still take precautions to ensure they are not at risk, but if the reports are accurate, it doesn't sound like this is a widespread threat to the average user.