Hackers have a new way to try to steal cryptocurrencies. And if he's using an Apple device manufactured in the last five years, there's not much you can do to mitigate the attack.
Security researchers have discovered a vulnerability in Apple's latest computer chips – the M1, M2, and M3 series that power all of the company's latest devices. This vulnerability could allow hackers to steal encryption keys designed to prevent data leaks. This includes keys for software crypto wallets installed on vulnerable Apple devices.
Matthew Green, a cryptologist and computer science professor at Johns Hopkins University, told author and journalist Kim Zetter that the most likely targets for malicious exploits are “cryptocurrencies with big money. “It's probably high-end users, like people who have wallets.” Although not a “practical” attack, it may be aimed at encrypting web browsers and may affect browser-based applications such as MetaMask, iCloud backups, and email accounts.
This potential hack targets the University of Illinois at Urbana-Champaign (UIUC), the University of Texas at Austin, the Georgia Institute of Technology, the University of California, Berkeley, the University of Washington, and Carnegie Mellon University. It works by accessing the computer's CPU cache through a data memory dependent prefetcher (DMP) built into the chip.
“In a cache side-channel attack, an attacker infers a victim program's secret by observing the side effects of accesses to the processor cache that rely on the victim program's secret,” the researchers said. It added that the experiment was validated using four processors of the Apple M1 Firestorm (performance) core. “We assume that the attacker and victim do not share memory, but that the attacker can observe available microarchitectural side channels (such as cache latency).”
Today's disclosure is different from the so-called “Augury” prefetcher exploit announced in 2022, although it includes a similar mechanism.
The researchers said they notified Apple of their findings on December 5, 2023, and more than 100 days passed before the research paper and accompanying website were made publicly available.
An Apple spokesperson said in an email. Decryption The company thanked the researchers for their collaborative efforts and emphasized the significant impact their work has had on advancing our understanding of specific security threats.
They had no further comment, but an Apple spokesperson noted: Decryption To Apple's developer post showing how to mitigate the attack. The recommended workaround assumes “worst-case” processing speeds to avoid cache calls, which can reduce application performance. Furthermore, changes must be made by the author of his MacOS software, not by the user.
Despite publishing the post, Zetter said Apple's response was inadequate.
“Apple added a fix for this issue in the M3 chip released in 2016. [October]”Zetter” tweeted“But the developers were not informed about the fix.” [October] they could make it possible. Apple yesterday added instructions on how to enable the fix to its developer site. ”
For cryptocurrency users, this means it is up to wallet creators like MetaMask and Phantom to implement patches that protect against exploits. It's unclear whether either company has any such efforts yet, and representatives for MetaMask and Phantom did not immediately respond. DecryptionThis is a comment request from .
For now, if you have a cryptocurrency wallet installed on a vulnerable Apple device, all you can do is safely remove it from your device. (For example, if you have an older Apple device with an Intel chip, you're fine.)
Apple users have long believed that they are safe from malware attacks because of the way MacOS and iOS devices are designed. Nevertheless, in a separate report in January, cybersecurity firm Kaspersky warned of “unusual creativity” in building malware targeting both Intel and Apple Silicon devices.
Kaspersky said Apple's malware targeted Exodus wallet users and tried to trick them into downloading a fake malicious version of the software.
Edited by Ryan Ozawa.
