Asahi Linux developer Hector Martin has revealed a covert channel vulnerability in the Apple M1 chip that he dubbed M1RACLES, and in the process, he’s gently criticized the way security flaws have started to be shared with the public.
Martin’s executive summary for M1RACLES sounds dire: “A flaw in the design of the Apple Silicon ‘M1’ chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange. […] The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision.” (Emphasis his.)
He also noted that this was the result of an intentional decision on Apple’s part. “Basically, Apple decided to break the ARM spec by removing a mandatory feature, because they figured they'd never need to use that feature for macOS,” he explained. “And then it turned out that removing that feature made it much harder for existing OSes to mitigate this vulnerability.” The company would have to make a change at the silicon level in its follow-up to the M1 to mitigate this flaw.
But he also made it clear in the FAQ that Mac owners shouldn’t be particularly worried about M1RACLES, because the covert channel is only two bits wide. It can be expanded, and Martin said that transfer rates over 1 MB/s are possible “without much optimization,” but any malicious apps that might take advantage of such methods would be far more likely to share information via other channels. Calling this a two-bit vulnerability would be both technically and linguistically correct. It’s a real security flaw, sure, but it’s unlikely to pose a real threat to Apple’s customers.
So why bother coming up with a catchy name, drawing up a logo, and setting up a website in the first place? Martin addressed that in the FAQ: “Poking fun at how ridiculous infosec click-bait vulnerability reporting has become lately. Just because it has a flashy website or it makes the news doesn't mean you need to care,” he wrote. “If you've read all the way to here, congratulations! You're one of the rare people who doesn't just retweet based on the page title :-) […] Honestly, I just wanted to play Bad Apple!! over an M1 vulnerability. You have to admit that's kind of cool.”
It has become increasingly common for vulnerability disclosures to include all the elements Martin parodied with M1RACLES. Nobody cares about CVE identifiers—they care about names like Heartbleed, Meltdown, and Spectre. Researchers didn’t just say there were problems with drivers from Intel, Nvidia, AMD, and many other companies; they called their report Screwed Drivers. Early malware targeting the M1 wasn’t simply called M1_Malware_1; it was dubbed Silver Sparrow. Honestly, it’s kind of surprising researchers haven’t started to sell T-shirts alongside their reports.
M1RACLES does, in some ways, mean that we’ve reached a sort of meta-branding: a catchy name, logo, and website created ironically turn out to be just as effective as the sincere kind. At least we all have our tongues planted firmly in our cheeks. More information about the flaw should be available at the Mitre listing for CVE-2021-30747 at some point in the future. Martin’s efforts to bring Linux to the M1 via Asahi Linux—whose m1n1 “experimentation playground for Apple Silicon” was used to discover this flaw—can also be followed via the project’s website.
If that was the design intent behind this, then slow clap for the evil geniuses at Apple.
Then again, my interpretation can be wrong and who cares anyway: catchy name and video!