“New M1 bug violates Apple’s OS’ security models, which are not supposed to send data from one process to another secretly.”
Last year, Apple parted ways with Intel to make its own chips, called M1. The Apple Silicon ‘M1’ chip was designed specifically for Mac systems. Apple has started using the M1 in many products, including the MacBook Air and the 13″ MacBook Pro. Apple calls it a ‘System on a Chip’ because the M1 integrates many different technologies—for CPU, I/O and Security—on a single chip, and it has the most transistors Apple has ever put in a chip (16 billion). This gives it significantly faster CPU and GPU performance, faster machine learning and longer battery life.
However, Apple’s M1 hype has finally started to lose steam. According to reports, M1 chips were recently found to have a bug that enables any two applications running under the operating system to covertly exchange data without using regular features such as memory, sockets or files. According to Hector Martin, the developer who discovered the bug, this allows data to be exchanged in a manner that would go undetected without the use of specialised equipment.
The bug has been named M1RACLES (short for M1ssing Register Access Controls Leak EL0 State). The bug violates Apple’s OS’ security models, which are not supposed to let one process send data to another secretly. As scary as this sounds, it is not as harmful as many people may make it look. Hector Martin has said so himself!
Martin, who works as lead manager of the Asahi Linux project—which is porting Linux to M1-based Macs—first stumbled upon the flaw while using a tool called m1n1 in his work. He initially mistook it for a proprietary feature, but later realised that it was a bug Apple’s developers were unaware of. He reached out to Apple, which acknowledged the bug and gave it its vulnerability designation.
ARM CPUs have a per-cluster system register that can be accessed from EL0, the exception level in which ordinary user applications run. The register has two implemented bits that can be read and written, and it is shared by all cores in a cluster. Together, this creates a two-bit covert channel through which any process can exchange data with another process. Martin has published a demo explaining this, along with a demo video.
The flaw is primarily harmless, but it is a flaw. M1RACLES meets the technical requirements of a vulnerability and comes with a vulnerability designation: CVE-2021-30747. Still, the most potent danger from this arises if you already have malware on your computer: that malware can then interact with other malware on your computer via this covert channel. However, the discovered bug cannot be used to infect a Mac outright, and it cannot be used to steal or tamper with user data stored on the machine. It can only be used as a communication tool between two malicious programmes.
“Advertising agencies could perhaps abuse the bug for cross-app tracking.”
According to Hector Martin, advertising agencies could perhaps abuse the bug for cross-app tracking. This possibility raises privacy questions—as third-party tracking usually does—but is not outright harmful. Additionally, Martin also states that this is likely one of many mediums for such communication—which further decreases the danger of the bug. Plus, these covert channels are useless to attackers unless the victim’s system has already been compromised by malicious apps.
This vulnerability could be exploited to bypass some strict privacy protections. For instance, keyboard apps currently cannot access the internet, for privacy reasons. However, a malicious keyboard app could abuse M1RACLES to send anything typed by the user to another malicious app, which could then send it to the internet. This, again, is not very likely, since iOS apps, which are distributed only through the App Store (at least currently), can be scanned by Apple at submission, and attempts to exploit vulnerabilities can be detected using static analysis. Furthermore, now that Apple knows about this bug, it makes sense for it to be on the lookout for such abuses. It might also be possible for automated analysis to reject any attempt to use system registers directly in the first place.
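As an added example (not code from the article, from Apple or from Martin’s project), here is the kind of check such automated review could apply: a linear sweep over AArch64 code that decodes every MRS/MSR instruction and flags those touching the IMPLEMENTATION DEFINED system-register space (op0 = 3, CRn = 11 or 15), which is where vendor-specific per-cluster registers like the one behind M1RACLES live. The article does not name the register, so the constructed sample uses an arbitrary IMPDEF encoding; a linear sweep is a heuristic and can misread embedded data or miss code generated at run time.

```python
import struct
from typing import Iterator, List, NamedTuple

# Bits 31:22 = 1101010100 select the AArch64 "system" instruction class; bit 20 = 1
# narrows that to MRS/MSR (register), i.e. op0 = 2 or 3. Bit 21 (L) is 1 for MRS reads.
SYSREG_MASK, SYSREG_MATCH = 0xFFD00000, 0xD5100000
# ARMv8-A reserves op0 = 3 with CRn = 11 or 15 for IMPLEMENTATION DEFINED registers.
IMPDEF_CRN = {11, 15}

class SysRegAccess(NamedTuple):
    offset: int    # byte offset of the instruction in the scanned code
    is_read: bool  # True for MRS (read), False for MSR (write)
    op0: int
    op1: int
    crn: int
    crm: int
    op2: int
    rt: int        # general-purpose register moved to/from the system register

    @property
    def name(self) -> str:
        return f"s{self.op0}_{self.op1}_c{self.crn}_c{self.crm}_{self.op2}"

    @property
    def implementation_defined(self) -> bool:
        return self.op0 == 3 and self.crn in IMPDEF_CRN

def decode_sysreg_accesses(code: bytes) -> Iterator[SysRegAccess]:
    """Linear sweep of little-endian AArch64 code, yielding every MRS/MSR (register)."""
    for offset in range(0, len(code) - 3, 4):
        (insn,) = struct.unpack_from("<I", code, offset)
        if insn & SYSREG_MASK != SYSREG_MATCH:
            continue
        yield SysRegAccess(offset, bool(insn >> 21 & 1), insn >> 19 & 0b11,
                           insn >> 16 & 0b111, insn >> 12 & 0b1111,
                           insn >> 8 & 0b1111, insn >> 5 & 0b111, insn & 0b11111)

def find_impdef_accesses(code: bytes) -> List[SysRegAccess]:
    """Only the accesses a submission policy would reject: IMPDEF-space registers."""
    return [a for a in decode_sysreg_accesses(code) if a.implementation_defined]

# Constructed sample: two architectural EL0 reads any binary may contain, then a write
# and a read of an arbitrary IMPDEF-space register (the page does not name the real one).
SAMPLE_CODE = b"".join(struct.pack("<I", w) for w in (
    0xD53BE040,  # mrs x0, cntvct_el0     (s3_3_c14_c0_2, architectural, allowed)
    0xD53BD041,  # mrs x1, tpidr_el0      (s3_3_c13_c0_2, architectural, allowed)
    0xD518F100,  # msr s3_0_c15_c1_0, x0  (IMPDEF space, flagged)
    0xD538F101,  # mrs x1, s3_0_c15_c1_0  (IMPDEF space, flagged)
))
```

Running `find_impdef_accesses(SAMPLE_CODE)` returns only the last two instructions, each with its direction, decoded register name and the `x` register involved.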
Still, the bug violates the iOS security model. Hector Martin suspects that the EL0 access was most likely an error rather than something introduced to cause harm intentionally. Moreover, almost every CPU has some error of this nature, and there is no way to patch this flaw in existing M1 chips. If you are particularly concerned about a possible compromise, perhaps the only way to ‘fix’ this issue is to run the OS as a properly configured virtual machine: the hypervisor can then disable guest access to the register and cut the covert channel. This, however, can hurt performance pretty severely. It’s probably safe to assume that 100 percent secure technology is the stuff of fairy tales, and to hope Apple can work this out in its next generation of Macs.