New Attack 'GoFetch' Targets Apple M1, M2, and M3 Processors, Putting Cryptographic Keys at Risk
ICARO Media Group
A team of seven researchers from various universities in the U.S. has developed a new side-channel attack called "GoFetch," which poses a significant threat to Apple's M1, M2, and M3 processors. The attack exploits a vulnerability in the data memory-dependent prefetchers (DMPs) found in these modern Apple CPUs, enabling the theft of secret cryptographic keys from the CPU's cache.
Constant-time cryptographic implementations, which are designed to prevent sensitive data leaks, are the primary targets of the GoFetch attack. The researchers discovered a flaw in Apple's DMP system that violates constant-time good practices: the DMP activates on data loaded from memory that resembles a pointer and attempts to dereference it. By carefully crafting special inputs, attackers can infer bits of the secret key from DMP activations and eventually reconstruct the entire cryptographic key.
The vulnerability affects Apple's M1 processors, and given the similar prefetching behavior of the M2 and M3 processors, it is highly likely that they are also vulnerable. The researchers reported their findings to Apple on December 5, 2023, but as this is a hardware-based vulnerability, there is no way to fix it in the impacted CPUs.
While disabling the DMP on some CPUs, like the M3, may remove the prefetching behavior exploited by GoFetch, this is not possible on the M1 and M2 processors. Other defense measures recommended by the researchers include input blinding and DMP activation masking, which can obfuscate the attacker's input at the DMP level.
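Input blinding as mentioned above, shown in its classic RSA form as an added example that is not taken from the researchers' paper or Apple's guidance: the private-key operation runs on a randomly masked copy of the caller-supplied input, so a chosen input no longer determines the intermediate values. The toy key, sample input and function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy RSA key (textbook-sized primes, illustration only).
# Python integers are not constant-time; this shows the blinding algebra only.
P, Q = 61, 53
N = P * Q                               # public modulus, 3233
E = 17                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, 2753


def private_op(c):
    """Unblinded: the secret-dependent exponentiation runs directly on caller-chosen c."""
    return pow(c, D, N)


def blinded_private_op(c, seen=None):
    """Blinded: the exponentiation runs on c * r^E mod N for a fresh random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2            # r in [2, N-1]
        if math.gcd(r, N) == 1:                     # r must be invertible mod N
            break
    masked = (c * pow(r, E, N)) % N                 # what the private-key code processes
    if seen is not None:
        seen.append(masked)                         # recorded only to show it varies
    masked_result = pow(masked, D, N)               # equals c^D * r mod N
    return (masked_result * pow(r, -1, N)) % N      # remove the mask


def masked_inputs(c, runs):
    """Distinct values the exponentiation saw across repeated calls with the same c."""
    seen = []
    for _ in range(runs):
        blinded_private_op(c, seen)
    return set(seen)


if __name__ == "__main__":
    c = 65  # constructed sample input
    print(private_op(c), blinded_private_op(c), len(masked_inputs(c, 20)))
```

The result is identical to the unblinded operation, while the value fed to the exponentiation changes on every call even when the caller repeats the same input.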
Apple could potentially introduce mitigations for the GoFetch attack through software patches in macOS. However, such fixes have historically caused performance hits in cryptographic functions. As a result, Apple users are advised to practice safe computing habits, such as regularly updating their operating system and software, and installing software only from official and reputable sources to mitigate the risk of malware infections.
It's important to note that the GoFetch attack does not require physical access for exploitation, making it possible for attackers to execute it remotely if they can run code on the target machine, such as through malware infection.
BleepingComputer reached out to Apple seeking comment on the GoFetch attack and any plans for security updates. However, Apple's spokesperson only shared a developer page detailing a mitigation strategy, suggesting that no additional information is available at this time.
For more information on the GoFetch attack and its technical aspects, the researchers' technical paper provides in-depth details, including a proof-of-concept exploit set to be released at a later date.