M1 Hot Mess

M1 Critical Flaw Discovered

Occasionally I’ll be looped in on some salacious IT industry gossip. Sometimes it’s a mildly interesting read, sometimes I’ll delete before finishing – & then there’s this, the summary of which is that the Apple M1 contains a critical, unpatchable hardware flaw that allows full admin rights via remote access.

TL;DR – Apple’s new M1 CPU has a critical vulnerability.

Source

The message sender is someone that I trust implicitly. I’ve had years of discourse with him, discussing, developing, reviewing many different projects. He’s my go-to guy for stuff that I don’t have the necessary experience in & has never, ever let me down. His skill level dwarfs mine. He has unused exploits for iPhone activation that I’ve been pleading to access without success – yet. Tasks that seem beyond capability to 95% of IT specialists are routine to this person. Whenever he asks for my assistance, I take it as a compliment & deliver the best response possible. In my opinion, the source is impeccable.

Two days after I received his message we met for a lengthy face-to-face discussion; I wanted to know more. On a sunny winter public holiday on Auckland’s Viaduct Harbour I listened intently to a fascinating story of discovery. This shit is real. He will get well paid from this discovery – although Apple’s bug bounty is subject to unwritten exclusions (Ian Beer is owed $$millions), the commercially-available rewards are now well into seven-plus figures for massive, unfixable, exploitable vulnerability discoveries.

M1 in Apple's Future

The last time Apple switched processor family they ditched their own PowerPC chips produced by IBM & Motorola, opting for mainstream Intel CPUs – what a move that was. Suddenly you could run every software app on a Mac – Apple’s own BootCamp utility allowed Windows on a Mac. The entire world of software was opened up to Mac computers. The result was a sales explosion that took Mac from a niche product to the dominant laptop of this generation. From graphic studios to cafes – from the open lid of most laptops shone a backlit Apple logo.

That’s all over now, Apple have decided to move on…

By dropping Intel’s x86 CPU & going all-in with ARM, Apple recreated the major divide between themselves & the rest of the established PC manufacturers. At the same time they’ve neatly moved all their hardware into the same “walled garden” – already the iPad & MacBook Pro are identically powered by M1 processors, although they run separate operating systems – iOS vs MacOS. Look at the screenshots of the M1 internals – littered with iOS code even though that’s a laptop CPU being examined.

The obvious future plan is to build a totally seamless environment across their entire hardware spectrum.

As an aside – why they chose to call it the M processor is beyond me. Intel already produce an M-series CPU – Apple know this, they used it in their 12″ MacBook series. Having two directly competing processors with identical monikers – what could possibly go wrong?

A further aside – Apple’s spat with Nvidia is commercially obvious – you can’t run an Nvidia graphics card on any MacOS system for 5+ years now, boosting ATi sales in the Hackintosh scene as collateral effect. Guess who bought the ARM company just as Apple took that big dive into the ARM world? Yep, Nvidia. Let’s see how this one plays out!

Now here’s the kicker – Apple, well, they still rate their own ability to build impregnable, unhackable product. Why would you do that? Personally, I think they read their own marketing propaganda a little too often. Apple aren’t anywhere near the secure fortress they portray. The most recent game-changing example being Checkra1n, which used another critical hardware vulnerability to obliterate iCloud security on iDevices up to X. On a minor scale, searching Apple on this website will reveal my own successful implementations.

For years it’s been easier to defeat MacOS security than Windows – tool-free, all you need is educated fingers. My advice – don’t believe the hype. The message that initiated this post is far more realistic than Apple’s PR. 

Flaws, Vulnerability, Exploits

Already there’s public knowledge of a benign flaw that allows harmless manipulation by a simple web browser. Let’s get real – if such a simple error exists, then there are highly likely to be more. You don’t have to be clever to figure that one out. Finding & exploiting them definitely requires cleverness, that’s for sure. Postulating that where there’s smoke, there might be fire is just common sense.

Revealed in the message below is breakthrough research that rocks the foundations of the mighty Apple Corporation – again. They’re pinning the ARM-architecture M1 processor (& its successors) to their mast as the icon of Apple’s new push to a faster, quieter, more powerful & exceptionally efficient future of computing. And if you read the fanbois’ internet posts, you’d be thinking Apple has re-invented heaven in silicon form. In direct contrast to the fanbois’ claims of nirvana, the vulnerability in every M1 processor offers full remote access.

The Message:

"ARM core has a huge vulnerability. M1 chips can be reprogrammed remotely due to having a memory package on the same plate. Obviously there’s no protection as it’s direct access to them. Serial bus connection can dump the content and rewrite it too. Now the goal is to make it via remotely implanted payload. That’s exactly what Apple does when updating firmware. Their decision to embed EFI into the CPU itself is a huge security misstep. I already reprogrammed a few M1s but via soldered-in pins. Takes hours. And could brick the chip. But if not you’ll reset it to factory settings or exploit it. I don’t do this for exploiting but other people will."

Evidence:

Again, this is not my research; I have not contributed; in no way am I a stakeholder. Accordingly, I have no authority over this project at all. I cannot promise you that it’ll ever be released or even used. The thing is – the vulnerability exists & if it was being used on your M1-powered Mac, you would not be aware of it. That’s how critical this flaw is. Apple created a backdoor entry for themselves – the door has been found & the lock picked. It’s open & the hinge has failed, it cannot be closed. Intending purchasers of any M1 product need to think long & hard about the risks that owning a completely pwnd CPU entails.