Researchers discover PACMAN, a new hardware attack to hack Apple Mac devices with M1 chips

Cybersecurity specialists report the detection of PACMAN, a new hardware vector attack targeting a function of Apple M1 chips that would allow threat actors to execute arbitrary code on affected systems, in a relatively uncomplicated attack and capable of compromising one of the most secure implementations today.

The affected feature is Pointer Authentication, which adds the PAC cryptographic signature to pointers that allow the operating system to detect and block unexpected changes that could lead to data leaks. MIT experts, in charge of the finding, mention that this attack variant would allow hackers with physical access to a Mac computer with Apple M1 to access the underlying file system.

A successful attack would require threat actors to find a memory flaw in the affected device’s software and that under normal conditions should be blocked by PAC: “The PACMAN attack takes known software bugs and turns them into serious primitive exploitation, which could lead to arbitrary code execution. To do this, it is necessary to know the PAC value for a particular victim.”

This is possible through what the researchers call “Oracle PAC,” described as the ability to know if a PAC matches a specific pointer: “Oracle PAC should never fail if an incorrect assumption is submitted; we apply brute force to all possible PAC values using PAC Oracle.”

Security risk dismissed

Apple can’t issue patches to address hardware bugs, so this bug will remain uncorrected. The good news is that Mac device users simply need to keep their systems up to date to prevent exploitation of these types of flaws: “While the hardware mechanisms abused in the PACMAN attack cannot be fixed with software features, the memory errors linked to exploitation can be corrected,” the experts mention.

These findings were notified to Apple along with a proof of concept a few months ago. In this regard, the company issued a statement mentioning that this side-channel attack does not represent a security risk for users of Mac devices, since its exploitation requires the presence of other vulnerabilities in M1 chips.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.