![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/04\/GoFetch-logo-Apple-M-series-chip-vulnerability-with-red-wasteland-background-600x300-v2.jpg\"){kind=logo}
<\/p>\n<\/p>\n
A recently discovered flaw in M-series Apple silicon chips could allow attackers to break Macs’ security, according to researchers. “GoFetch” is an attack method targeting data memory-depending prefetchers (DMP). Apple’s M1, M2, and M3 series chips all include this feature\u2014and there’s no way to disable it for M1 or M2.<\/p>\n
Here’s everything you need to know about GoFetch and how it might affect you.<\/p>\n
In this article:<\/em><\/p>\n DMP is a feature that speeds up CPU processing by predicting the next memory address that an app will access.<\/p>\n GoFetch is a side-channel attack that builds on concepts from the “Augury” exploit of 2022. (We discussed Augury in episode 238<\/a> of the Intego Mac Podcast.) GoFetch can exploit a flaw in DMP to extract secret keys from constant-time implementations of various cryptographic algorithms. Concerningly, this includes both classical as well as modern, post-quantum cryptographic algorithms.<\/p>\n In effect, the results are similar in concept to speculative execution<\/a> vulnerabilities like Spectre<\/a>. By exploiting a feature that’s intended to improve processing speed, attackers can do potentially malicious things. In this case, they can extract private encryption keys.<\/a><\/p>\n The researchers did not mention iPads or Apple Vision Pro. However, given that they share the same M1 or M2 processors as Macs, it should theoretically be possible to exploit the same vulnerability on these Apple products, too.<\/a><\/p>\n Apple has known about GoFetch since December 5, 2023. So far, Apple has not made any public statement about GoFetch.<\/p>\n As for whether Apple will attempt to mitigate the vulnerability, we can only speculate. However, it seems somewhat unlikely that Apple will try to mitigate the flaw through software patches\u2014unless a threat actor begins exploiting GoFetch in the wild. Why? For one thing, disabling DMP entirely would cause “heavy performance penalties,” according to the researchers. Not only that, but it “is likely not possible on M1 and M2 CPUs.” Another potential mitigation\u2014only running cryptographic code on Icestorm (efficiency) CPU cores\u2014would also “likely incur a significant performance penalty.”<\/p>\n The researchers suggest that developers of cryptography libraries can mitigate the flaw on M3 processors by setting the “DIT bit” to enable data-independent timing. However, this does not fix the problem for M1 or M2 processors.<\/p>\n Apple has not yet officially announced its M4 line of processors; only time will tell whether GoFetch may affect these chips as well.<\/a><\/p>\n The researchers published their findings on March 21, 2024. As far as we know, attackers have not yet exploited GoFetch in any real-world attack scenarios since then. But in theory, threat actors could begin to exploit GoFetch in the wild, now that the flaw is public knowledge.<\/a><\/p>\n For now, users of Apple products with M1, M2, or M3 processors shouldn’t worry about GoFetch.<\/p>\n If at some point Apple becomes aware of threat actors exploiting the flaw in the wild\u2014and especially if the public were also aware of this fact\u2014Apple would presumably attempt to mitigate GoFetch. Such a mitigation could hypothetically come in the form of an update to Lockdown Mode, to avoid performance penalties for everyday users who might be less likely to experience an attack exploiting GoFetch.<\/a><\/p>\n If there’s ever any Mac malware that exploits GoFetch, Intego will quickly add detection for it to keep our customers safe.<\/p>\n If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.<\/a><\/p>\n We briefly discussed key points about GoFetch on episode 338<\/a> of the Intego Mac Podcast. For a deeper dive, we recommend reading Dan Goodin’s coverage,<\/a> as well as the researchers’ site<\/a>. You can also read the researchers’ highly technical white paper<\/a> (PDF).<\/p>\n\n
What is the GoFetch attack, and how could it affect Macs?<\/h3>\n
Does the flaw impact M1 or M2 iPads, or Apple Vision Pro?<\/h3>\n
Does Apple know about the flaw, and will Apple fix it?<\/h3>\n
Have attackers exploited GoFetch in the wild?<\/h3>\n
Should I be worried about GoFetch?<\/h3>\n
Could malware leverage GoFetch? How can I keep my Mac safe?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, is a powerful solution designed to protect against, detect, and eliminate Mac malware.<\/p>\nHow can I learn more?<\/h3>\n