Apple’s legal woes mount as vulnerability threatening crypto security comes to light
Academic researchers have unearthed a significant vulnerability within Apple’s M-series computing chips, potentially jeopardizing the security of private crypto keys.
On the same day, the US Department of Justice (DOJ) filed an antitrust case against the iPhone maker, alleging monopoly practices detrimental to consumers, developers, and competitors.
The vulnerability
The research team identified a vulnerability in the chips’ data memory-dependent prefetcher (DMP).
Crypto analyst George explained that DMP is a hardware optimization that anticipates and preloads data into the CPU cache ahead of demand. However, it faces an issue where it occasionally confuses sensitive data, such as encryption keys, for memory addresses.
The prefetcher then dereferences that data as if it were a pointer, and the resulting cache activity leaks information about it, opening the door to side-channel attacks.
The researchers demonstrated the capability to extract various encryption keys (including RSA, Diffie-Hellman, Kyber, and Dilithium) within 1 to 10 hours using an attack they call GoFetch. However, this exploit needs the malicious app and the targeted crypto app to run on the same CPU cluster.
For the attack to succeed, the malicious app must provide inputs to the crypto app and prompt it to execute operations, thereby gradually leaking the key. This exploit is interactive rather than passive and must bypass macOS security measures to run on the system.
Unfortunately, rectifying this flaw is not straightforward as it originates from the microarchitectural design of the chips, rendering it unpatchable. However, implementing defensive measures within third-party encryption software can mitigate the risk.
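One such software-side measure is input blinding, sketched below as an added example (not code from the researchers or from any library; the article does not name a specific defense, so the choice of blinding is an assumption). It targets the requirement described above that the malicious app supplies the inputs: the private-key operation runs on a randomized value instead of the caller's chosen one. The key is a constructed toy RSA key and all function names are hypothetical.

```python
import math
import secrets

# Constructed toy RSA key (tiny primes, for illustration only; real keys are 2048+ bits).
P, Q = 61, 53
N = P * Q                              # public modulus
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def decrypt_unblinded(c):
    """Private-key operation works directly on the caller-chosen value c."""
    return pow(c, D, N)


def decrypt_blinded(c, trace=None):
    """Same result, but the private-key operation only ever sees c * r^E mod N."""
    # Pick a fresh random blinding factor r that is invertible mod N.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (c * pow(r, E, N)) % N   # value actually fed to the secret computation
    if trace is not None:
        trace.append(blinded)          # recorded only so the effect can be inspected
    m_times_r = pow(blinded, D, N)     # equals m * r mod N, since r^(E*D) = r mod N
    return (m_times_r * pow(r, -1, N)) % N   # strip the blinding factor


def blinded_inputs(c, runs):
    """Return the values the private-key step processed over `runs` calls with the same c."""
    trace = []
    for _ in range(runs):
        decrypt_blinded(c, trace)
    return trace


if __name__ == "__main__":
    c = pow(42, E, N)                  # constructed ciphertext of the message 42
    print(decrypt_unblinded(c), decrypt_blinded(c))
    print(blinded_inputs(c, 5))        # differs on every call despite identical input
```

Because the value reaching the secret computation changes on every call, repeated queries with the same crafted input no longer drive it through the same intermediate values.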
Legal trouble
US authorities, supported by 16 state attorneys general, filed legal actions against Apple for its “walled garden” business model, which helped establish an allegedly illegal monopoly in the smartphone market.
The lawsuit alleged that Apple implemented “shapeshifting rules and restrictions in its App Store guidelines and developer agreements that would allow Apple to extract higher fees, thwart innovation, offer a less secure or degraded user experience, and throttle competitive alternatives.”
They added that these suppressive rules were implemented across varying products, including text messaging, smartwatches, and digital wallets, among many others.
Crypto community members have highlighted the importance of this lawsuit to the industry, with Hish Bouabdallah, the founder of Tribes Protocol, saying:
“If Apple loses this battle, it could pave the way for crypto payments in the U.S., enabling seamless transactions using services like Coinbase Wallet with just a double tap and FaceID.”