What the M1 and Apple Silicon mean for Mac security
The M1 chip makes the Mac platform more secure in a number of ways, but it could also signal a change toward a locked-down version of macOS that could have its own security drawbacks.
-l.jpg)
Credit: Andrew O'Hara, AppleInsider
Apple's M1 chip has a number of significant benefits in terms of efficiency, battery life, and overall performance, but one area that has been overlooked by comparison is how the Apple Silicon switch affects computer security in terms of protection against malware and malicious attacks.
AppleInsider spoke with security researchers Patrick Wardle and Rick Mark to get their takes on the security benefits of M1, some of the potential downsides, and what makes M1 unique among ARM-based chips.
The first category is exploit mitigation, which are mechanisms that can help protect against remote code execution or zero-day vulnerability exploits. This includes a hardware-level security mechanism called pointer authentication that makes it much harder for an attacker to modify pointers in memory and provides a level of defense against buffer overflow exploits.
Many of these hardware-level benefits were immediately gained when Apple switched its desktops to ARM. Mark, a member of the team that developed the checkra1n exploit, said that Apple's work with pointer authentication provides security "that Intel cannot yet match."
The other category includes both operating system-level protections and defenses against attacks that would require physical access to a device.
For one, Mark pointed out that M1-equipped Macs are also no longer vulnerable to the checkm8 vulnerability that affected the T2. In fact, M1 Macs don't even have a T2 chip. Instead, the security functionality that the T2 supported is baked into the M1.
This category also includes two features mentioned specifically in Apple security documentation: system integrity and data protection.
System integrity allows for a hardware-level verification of the operating system during startup. It also continues to operate in the background to protect macOS authorizations as it runs. That shores up protections against sophisticated malware that could try to subvert macOS in a persistent manner.
"It really takes away another pretty insidious attack vector, or at least makes it a lot more difficult," Wardle said.
Additionally, the M1 chip also allows third-party developers to use file-level encryption to protect user data without impacting system performance. In other words, third-party will be able to more easily encrypt user data for privacy and security. That's a capability that wasn't available in past Mac devices.
"I think [the M1] makes exploitation a lot more difficult, it makes certain kinds of persistence very difficult, and provides better security and privacy," Wardle said. "If you care dearly about security and privacy, the M1 is kind of a no-brainer in comparison to the older systems."
Many average users may not even notice these features, Mark added. A lot of this happens in the background, so Mac owners may only notice that some software needs to be updated because of the shift from external extensions (kext) to system extensions.
For those working in the security field, however, Mark said that the M1 could advance security research on the iPhone -- even without access to a Security Research Device. That's because Apple has left an "escape hatch to run unsigned code" on the chip.
Mark said the biggest issue with Apple Silicon currently is the lack of documentation. For example, on M1 Macs, certain Apple systems like iBoot, the Secure Enclave Processor, and processor extensions are not publicly documented.
"This means that external validation of the security components of a M1 based Mac are a lot harder to analyze and verify," Mark said.
Mark added that Apple hasn't always been forthcoming with hardware security flaws. He cites the checkm8 vulnerability as an example. Unlike Apple, Mark said that "Intel engaged with the community after disclosure" of Spectre and Meltdown.
One potential issue with the shift to Apple Silicon security may become problematic down the road. As Apple slowly makes macOS more iOS-like, the opaqueness of the operating system could complicate the jobs of security researchers and security tools.
Using iOS as an example, Wardle said there are benefits to being locked down. Out of the box, the iPhone is an incredibly secure device. But the iPhone's defense mechanisms make it hard to know whether a device has been compromised. On a Mac, savvy users can view a process list or otherwise poke around the system. That isn't the case on an iPhone.
"Even for me, as a security researcher, it's very difficult to answer the question 'Is my iPhone not hacked?'" Wardle said.
Advanced attackers, like government agencies, can take advantage of this. Wardle said that although the bar for security is being raised, "there's always going to be malware." Once that malware is on a locked-down device like an iPhone, it can be nearly impossible for the average user to know that they've been compromised.
"Once these adversaries have penetrated the very difficult exterior, they're going to remain undetected because users or security tools are basically handcuffed," Wardle said. "You kind of reach this interesting inflection point where the security of the system can be used against it."
A simple example is an exploit deployed over iMessage, which has happened in the past. Since iMesssage is end-to-end encrypted, even Apple can't detect these attacks.
Although rare, iPhone exploits do exist. Because of the device's security mechanisms, they're a lot harder to detect and mitigate. If macOS becomes more locked down in terms of what users and researchers can do, the Mac could end up in a similar situation. Mac exploits could become just as rare, and in theory, just as invisible.
Wardle did say that the security benefits of M1 are going to be positive for the vast majority of Mac users. The ability to access security tools or mechanisms can even expand the "attack surface," making a device more vulnerable to attack. But locked-down systems do have those aforementioned problems.
"I don't really know what the answer is, but I think it's really important that we have this discussion," Wardle said.
Additionally, the M1 doesn't necessarily protect against users downloading a malicious application or a piece of malware bypassing app notarization. Nothing is hack-proof, so users will still need to practice discretion.
Compared to other ARM chips, Mark said that "Apple has been remarkable at implementing both the absolute latest version of the ARM spec and creating clever extensions. This is in part why you can't run ARM macOS on any other hardware, there's just no chips that are quite as advanced commonly available."
Wardle says that it's incredible what Apple managed to accomplish with the M1, both from a security point of view as well as features like performance, price point, and battery life.
"I think we'll look at the M1 chip and I think we'll see it as an event in Apple's history that is maybe as impactful as when they introduced the iPhone," Wardle said. "I think it's game-changing."
Credit: Andrew O'Hara, AppleInsider
Apple's M1 chip has a number of significant benefits in terms of efficiency, battery life, and overall performance, but one area that has been overlooked by comparison is how the Apple Silicon switch affects computer security in terms of protection against malware and malicious attacks.
AppleInsider spoke with security researchers Patrick Wardle and Rick Mark to get their takes on the security benefits of M1, some of the potential downsides, and what makes M1 unique among ARM-based chips.
Apple Silicon security benefits
Although there are some key differences, M1-equipped Macs provide a level of security that takes several steps closer to the iPhone and further away from Intel Macs. These security features can be fit broadly into a couple of categories, according to Wardle, who is a Mac security researcher and the creator of a suite of free Mac security tools.The first category is exploit mitigation, which are mechanisms that can help protect against remote code execution or zero-day vulnerability exploits. This includes a hardware-level security mechanism called pointer authentication that makes it much harder for an attacker to modify pointers in memory and provides a level of defense against buffer overflow exploits.
Many of these hardware-level benefits were immediately gained when Apple switched its desktops to ARM. Mark, a member of the team that developed the checkra1n exploit, said that Apple's work with pointer authentication provides security "that Intel cannot yet match."
The other category includes both operating system-level protections and defenses against attacks that would require physical access to a device.
For one, Mark pointed out that M1-equipped Macs are also no longer vulnerable to the checkm8 vulnerability that affected the T2. In fact, M1 Macs don't even have a T2 chip. Instead, the security functionality that the T2 supported is baked into the M1.
This category also includes two features mentioned specifically in Apple security documentation: system integrity and data protection.
System integrity allows for a hardware-level verification of the operating system during startup. It also continues to operate in the background to protect macOS authorizations as it runs. That shores up protections against sophisticated malware that could try to subvert macOS in a persistent manner.
"It really takes away another pretty insidious attack vector, or at least makes it a lot more difficult," Wardle said.
Additionally, the M1 chip also allows third-party developers to use file-level encryption to protect user data without impacting system performance. In other words, third-party will be able to more easily encrypt user data for privacy and security. That's a capability that wasn't available in past Mac devices.
"I think [the M1] makes exploitation a lot more difficult, it makes certain kinds of persistence very difficult, and provides better security and privacy," Wardle said. "If you care dearly about security and privacy, the M1 is kind of a no-brainer in comparison to the older systems."
Many average users may not even notice these features, Mark added. A lot of this happens in the background, so Mac owners may only notice that some software needs to be updated because of the shift from external extensions (kext) to system extensions.
For those working in the security field, however, Mark said that the M1 could advance security research on the iPhone -- even without access to a Security Research Device. That's because Apple has left an "escape hatch to run unsigned code" on the chip.
Potential downsides to M1
Despite the benefits and additional security features, there may be a few security drawbacks to the Apple Silicon chip. Some of those are present now, while others many manifest down the road.Mark said the biggest issue with Apple Silicon currently is the lack of documentation. For example, on M1 Macs, certain Apple systems like iBoot, the Secure Enclave Processor, and processor extensions are not publicly documented.
"This means that external validation of the security components of a M1 based Mac are a lot harder to analyze and verify," Mark said.
Mark added that Apple hasn't always been forthcoming with hardware security flaws. He cites the checkm8 vulnerability as an example. Unlike Apple, Mark said that "Intel engaged with the community after disclosure" of Spectre and Meltdown.
One potential issue with the shift to Apple Silicon security may become problematic down the road. As Apple slowly makes macOS more iOS-like, the opaqueness of the operating system could complicate the jobs of security researchers and security tools.
Using iOS as an example, Wardle said there are benefits to being locked down. Out of the box, the iPhone is an incredibly secure device. But the iPhone's defense mechanisms make it hard to know whether a device has been compromised. On a Mac, savvy users can view a process list or otherwise poke around the system. That isn't the case on an iPhone.
"Even for me, as a security researcher, it's very difficult to answer the question 'Is my iPhone not hacked?'" Wardle said.
Advanced attackers, like government agencies, can take advantage of this. Wardle said that although the bar for security is being raised, "there's always going to be malware." Once that malware is on a locked-down device like an iPhone, it can be nearly impossible for the average user to know that they've been compromised.
"Once these adversaries have penetrated the very difficult exterior, they're going to remain undetected because users or security tools are basically handcuffed," Wardle said. "You kind of reach this interesting inflection point where the security of the system can be used against it."
A simple example is an exploit deployed over iMessage, which has happened in the past. Since iMesssage is end-to-end encrypted, even Apple can't detect these attacks.
Although rare, iPhone exploits do exist. Because of the device's security mechanisms, they're a lot harder to detect and mitigate. If macOS becomes more locked down in terms of what users and researchers can do, the Mac could end up in a similar situation. Mac exploits could become just as rare, and in theory, just as invisible.
Wardle did say that the security benefits of M1 are going to be positive for the vast majority of Mac users. The ability to access security tools or mechanisms can even expand the "attack surface," making a device more vulnerable to attack. But locked-down systems do have those aforementioned problems.
"I don't really know what the answer is, but I think it's really important that we have this discussion," Wardle said.
Additionally, the M1 doesn't necessarily protect against users downloading a malicious application or a piece of malware bypassing app notarization. Nothing is hack-proof, so users will still need to practice discretion.
The future of M1 and ARM
The security benefits of the M1 are only small pieces of the Apple Silicon puzzle. Beyond security, the M1 represents a leap forward for Apple computers -- and is likely heralding a broader shift to ARM-based chips in the laptop and desktop space. Microsoft, for example, is working on its own ARM-based hardware.Compared to other ARM chips, Mark said that "Apple has been remarkable at implementing both the absolute latest version of the ARM spec and creating clever extensions. This is in part why you can't run ARM macOS on any other hardware, there's just no chips that are quite as advanced commonly available."
Wardle says that it's incredible what Apple managed to accomplish with the M1, both from a security point of view as well as features like performance, price point, and battery life.
"I think we'll look at the M1 chip and I think we'll see it as an event in Apple's history that is maybe as impactful as when they introduced the iPhone," Wardle said. "I think it's game-changing."
Comments
Does anyone know if Spectre and Meltdown will affect M1? https://meltdownattack.com <--
M1 isn't equal to ARM, but the ARM website itself says ARM may be affected: https://developer.arm.com/support/arm-security-updates <--
I'm particularly curious about the Rowhammer attack.
Apple should update this page to discuss M1 Macs: https://support.apple.com/en-us/HT208394
This is particularly the case with iPhones compared to Android devices, but it also applies to Macs when compared with Windows.
More victims vs. victims that are more valuable?
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Web_clients <--
This chart clearly shows that Apple's OSes are clearly something that hackers and scammers will target.
Besides all that, even if macOS was the most secure OS on the market without ever been a single compromise in any of the code that a hacker could exploit, what exactly is your point in an article about what ASi mans for Mac security? Are you really suggesting that Apple and its users should concern themselves with security?
Your final question was "should Apple and its users concern themselves with security?" Is that a trick question? I don't understand why you would ask a question with an obvious answer. You asked "what is your point about what ASi means for Mac Security?" What do you mean "what is my point?" If you go back and read my post, my point was that ASi might be impacted by Spectre, Meltdown, and Rowhammer. I was asking if M1 was affected. Read my post again, and you will see that that was my question. I wasn't telling you the answer, I was asking a question. Why would you attack someone who asks a question and doesn't know the answer?
If you want to attack me, then tell me what the answer is, and ridicule my ignorance, instead of attacking someone who asks a question and doesn't know the answer. What's the point in attacking someone who doesn't have the answer and simply asks a sincere question?
Apple pay a decent bounty for hackers who identify security vulnerabilities to them.
They're also a company many people want to work for, so showing chutzpah by finding flaws may be a way in.
Mac users are also generally speaking an affluent bunch, so may present as higher value targets for malevolent types, worth investing time into.
Apple also aren't a popular company amongst many hacker communities, so there could be a certain prestige or karmic justice in exposing vulnerability in the big bad corp.
Bear in mind also, that the single digit market share has somewhat changed in meaning in the last 10 years. Pre-2007 those percentages probably wouldn't even count mobile devices, so now you're talking about a much bigger pool. In terms of non-mobile computing it looks like the web trackers are registering macOS at more like 20%, and it's not immediately apparent what the absolute numbers are. 20% of a big number is still a big number, and worth considering.
Also bear in mind that with the move to M1, macOS and iOS will be sharing a processor architecture and an increasing amount of system architecture and code. Targetting both together, especially with things like Safari injection attacks will be increasingly possible, so targetting macOS becomes easier for hackers who are already targetting iOS. Hackers are just like everyone else and will be lazy when they can.
Stop whining. Your questions are never sincere, they're meandering wonderings.
Burglars don't steal the money from the tills of 50 shops when they could steal the diamonds from one jewellery shop.
Having said that, iOS alone has 1 billion active users and has matched the size of the Windows market. Not only does MacOS share much of the same foundation as iOS but now that the hardware is the same, even more code is in common between these two market segments / platforms.
Finally, the page you reference already addresses Apple's position on Spectre and Meltdown. Clearly, Apple is very aware of these types of attacks. Why would you expect the M1 to be any different? More specifically, why would you expect the M1 to be more vulnerable. Apple has addressed these attacks already and have stated so. Why pretend this is something new that Apple hasn't considered?
Spectre (CVE-2017-5753 and CVE-2017-5715) theoretically impacts any processor design which uses speculative execution (a technique used to speed up a single thread on a processor), but the negative security impact of speculative execution had been known for years beforehand. The exact vulnerabilities given the "Spectre" name require the ability to run code on the same core uninterrupted for a while to train the branch prediction, and that gets you a few bytes of target data. Then you have to start again to get a few more bytes. Bad for servers (especially servers where your adversary can buy the ability to run software, like AWS), but mostly a non-issue for personal machines.
Meltdown (CVE-2017-5754) involves relying on out-of-order execution (again, a technique used on modern processors to improve thread performance). When you try to read a given memory location, some processor designs sometimes copy the memory into cache before they check whether you are allowed to read the data. This is more reliable, and takes much less time than training the branch predictor for Spectre, but it still requires the ability to already run arbitrary code on the system in question. Again, bad for servers, especially multi-tenant systems like AWS, but mostly not a problem for personal machines.
Rowhammer is a physical property of dynamic RAM. With low-privilege code, you can potentially retrieve data from adjacent RAM locations to the locations you are using, but you have no control over where the system puts you, and no way to see actual memory addresses. And if you have control over the memory layout, you already have the ability to execute privileged code. This is almost entirely a non-issue for any machine, because exploiting it effectively requires having a level of access which makes exploiting it unnecessary.
All of these are substantially overhyped. Don't run programs from sketchy sources, and they're basically non-issues.