M1RACLES: the first security flaw found on the Apple M1 chip

Cybersecurity specialists report finding the first security flaw in Apple M1 chips, which cannot be fixed by conventional means and would require a silicon redesign. The vulnerability is of low severity, and its exploitation is even described as irrelevant, although it is certainly striking that a security flaw has already appeared in such a sophisticated design.

The vulnerability was discovered by Hector Martin, software engineer at Asahi Linux, a project for porting Linux to hardware developed by Apple. The vulnerability is tracked as CVE-2021-30747 and was nicknamed M1RACLES.

The researcher claims that this flaw would allow two applications running on the same device to exchange data with each other through a covert channel, without using CPU resources such as memory, files or any other notable feature. Martin specified that this error does not pose a practical threat, so many threat actors could ignore this finding.

However, the researcher detailed a scenario of potential risk related to this flaw: “This error could be exploited by misleading advertising companies, which could abuse an application pre-installed on an M1 chip-based device to track and collect information.” Still, this is an unlikely scenario, as marketing companies resort to much less complex practices for data collection.

The M1RACLES flaw does compromise the integrity of an operating system by allowing one CPU process to send data to another CPU process over a covert channel, although the expert believes the flaw resulted from human error during the design of the M1 chip: “This may be a design team error at Apple, it’s a real possibility,” Martin adds.

The findings were reported to Apple, although the company has not revealed whether there are plans to fix this flaw in later versions of the M1 chip. It should be noted that, from the outset, the expert stated that the flaw does not pose a real security risk to the chip installed on the latest Apple devices.
