Apple’s first-generation Silicon, the M1 chip has revolutionalized Mac experience. With faster performance and incredible battery life, Apple Silicon has enabled the Cupertino tech giant to bring iPhone app to the Mac as a unified architecture. However, the new custom chip has a flaw.
Developer Hector Martin discovered an M1 processor vulnerability that creates a covert channel among two or more pre-installed malicious apps which allows them to transmit information. Although “surreptitious data exchange” is undetectable without specialized equipment, the flaw is deemed harmless for it can not be used to install malware and transport data from the system because it does not use “memory, sockets, files, or any other normal operating system features.”
Developer discovers M1 vulnerability which Apple did not know about
Martin discovered the Apple proprietary bug (vulnerability) while figuring out M1 CPU performance to port Linux to it which the company itself was not aware of. When Martin notified the Cupertino tech giant’s product security department of the flaw, they “acknowledged the vulnerability and assigned it CVE-2021-30747.”
The ARM system register encoded as
s3_5_c15_c10_1is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process.
A malicious pair of cooperating processes may build a robust channel out of this two-bit state, by using a clock-and-data protocol (e.g. one side writes 1x to send data, the other side writes 00 to request the next bit). This allows the processes to exchange an arbitrary amount of data, bound only by CPU overhead. CPU core affinity APIs can be used to ensure that both processes are scheduled on the same CPU core cluster. This approach, without much optimization, can achieve transfer rates of over 1MB/s (less with data redundancy).
However, the vulnerability does pose a real threat to iOS. Since Apple launched iPad Pro models powered by M1.
iOS is affected, like all other OSes. There are unique privacy implications to this vulnerability on iOS, as it could be used to bypass some of its stricter privacy protections. For example, keyboard apps are not allowed to access the internet, for privacy reasons. A malicious keyboard app could use this vulnerability to send text that the user types to another malicious app, which could then send it to the internet.
But trusting App Store’s review process, Martin believes that the malware would be identified before being allowed on the digital store.
However, since iOS apps distributed through the App Store are not allowed to build code at runtime (JIT), Apple can automatically scan them at submission time and reliably detect any attempts to exploit this vulnerability using static analysis (which they already use). We do not have further information on whether Apple is planning to deploy these checks (or whether they have already done so), but they are aware of the potential issue and it would be reasonable to expect they will. It is even possible that the existing automated analysis already rejects any attempts to use system registers directly.