Hackers have a new way to try and steal your crypto—and if you’re using an Apple device made in the last half decade, there’s not much you can do to mitigate the attack.
Security researchers have discovered a vulnerability in Apple’s latest computer chips—its M1, M2, and M3 series, which powers all of its latest devices—that could let hackers steal cryptographic keys designed to protect data from disclosure. That includes the keys to software crypto wallets installed on vulnerable Apple devices.
The likely target for a malicious exploit would be “high-end users, like someone who has a cryptocurrency wallet with a lot of money,” Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, told author and journalist Kim Zetter. While not a “practical” attack, it could be aimed at web browser encryption—which would affect browser-based applications like MetaMask, iCloud backups, or email accounts.
The potential hack has been dubbed the “GoFetch exploit” in an eponymous report released by a team of scientists from the University of Illinois Urbana-Champaign (UIUC), University of Texas, Austin, Georgia Tech, UC Berkeley, University of Washington, and Carnegie Mellon University. It works by gaining access to the computer’s CPU cache through Data Memory-Dependent Prefetchers (DMPs) built into the chips.
“In a cache side-channel attack, an attacker infers a victim program’s secret by observing the side effects of the victim program’s secret-dependent accesses to the processor cache,” the researchers said, adding that the experiment was validated using the Apple M1’s 4 Firestorm (performance) cores. “We assume that the attacker and the victim do not share memory, but that the attacker can monitor any microarchitectural side channels available to it, e.g., cache latency.”
Today’s disclosure is different from the so-called “Augury” pre-fetchers exploit announced in 2022, although it involves a similar mechanism.
The researchers said they notified Apple of their findings on December 5, 2023, and that more than 100 days had elapsed prior to the public release of the research paper and accompanying website.
In an email, an Apple spokesperson told Decrypt that the company is grateful for the collaborative efforts of researchers and highlighted the significant impact of their work in advancing understanding of specific security threats.
While they did not comment further, the Apple spokesperson pointed Decrypt to a developer post by Apple that shows how to mitigate the attack. The recommended workaround could slow down application performance, because it would mean assuming “worst-case” processing speeds to avoid invoking the cache. Further, changes would need to be made by creators of MacOS software, not users.
Despite its published post, Apple’s response fell short, Zetter says.
“Apple added a fix for this in its M3 chips released in [October],” Zetter tweeted, “but developers were not told about the fix in [October] so they could enable it. Apple added an instruction to its developer site on how to enable the fix only yesterday.”
For crypto users, that means it’s up to wallet makers like MetaMask and Phantom to implement a patch to protect against the exploit. It’s unclear if either company has yet made those efforts and representatives for MetaMask and Phantom did not immediately respond to Decrypt‘s request for comment.
For now, if you have a crypto wallet installed on a vulnerable Apple device, all you can do is remove the wallet from the device to play it safe. (If you’re on an older Apple device with, say, an Intel chip, you’re in the clear.)
Apple users have long considered themselves safe from malware attacks because of the way MacOS and iOS devices are designed. Nonetheless, a separate report in January, cybersecurity firm Kaspersky sounded the alarm on “unusual creativity” in building malware targeting both Intel and Apple Silicon devices.
Kaspersky said the Apple malware targeted Exodus wallet users, attempting to get them to download a fake, malicious version of the software.
Edited by Ryan Ozawa.
Stay on top of crypto news, get daily updates in your inbox.