New vuln in Apple M-series allowing secret keys extraction can't be patched

Nature of the vulnerability

  • Side‑channel attack, dubbed GoFetch, on Apple M‑series data memory‑dependent prefetcher (DMP).
  • Breaks assumptions of constant‑time crypto by speculatively prefetching data that “looks like” pointers.
  • Allows extraction of keys from common crypto implementations (OpenSSL DH, Go RSA, Kyber, Dilithium) when attacker can feed chosen inputs and monitor cache timings.
  • Works on M1 and M2; M3’s DIT bit can disable the problematic behavior when libraries opt in.
  • Secure Enclave keys are reported as unaffected; attack targets user‑/kernel‑space crypto, not enclave‑stored keys.

Practical exploitability & threat models

  • Requires: unprivileged attacker code on the same machine and the ability to trigger repeated private‑key operations for a long period.
  • Discussion emphasizes co‑located processes; remote‑only attacks over a network are viewed as impractical due to tiny timing deltas and noise, though some cite prior remote timing work in general.
  • Possible vectors debated: malicious JavaScript in browsers, shared servers, password managers, TLS session keys, client certs. Realistic end‑to‑end scenarios remain unclear.

Impact on average users

  • One side: “total non‑issue” for most; risk far outweighed by social engineering, password reuse, and unpatched software.
  • Other side: dismissing it repeats early Spectre/Meltdown attitudes; JS proofs‑of‑concept eventually appeared there too.

Centralization of identity, payment, and apps

  • Strong critique of phones as single points of failure for identity, payments, and app auth.
  • Preference for physically separate tokens (bank hardware devices, smartcards) with legally backed responsibilities and distinct “rituals” for high‑value actions.
  • Counter‑view: mobile‑centric ecosystems with biometrics (Apple Pay, passkeys) have significantly improved security/convenience and are widely accepted by banks and regulators.

Speculation, prefetching, and CPU design

  • Broader worry that speculative techniques and prefetchers are inherently risky for crypto.
  • Suggestions: hardware flags or modes for constant‑time crypto, dedicated secure hardware (TPM, Secure Enclave, HSMs, hardware keys), or even cores/CPUs dedicated to “trusted vs untrusted” code.
  • Others argue speculation is essential for modern performance; the real gap is a formal side‑channel model.

Other reactions

  • Some accuse the “can’t be patched” framing of being clickbait; others note lack of any known M1/M2 mitigation despite coordinated disclosure.
  • Debate over “security through obscurity” and whether more open architectures (e.g., RISC‑V) improve trust in the hardware root.