It’s not unpatchable, but the performance impact will be huge
Those of you who are the proud owners of an M1, M2 or M3-based Apple device have had it tough. The newly disclosed GoFetch attack is worrisome enough to ruin a perfect Friday, as it allows attackers to steal secret encryption keys from your system. Even worse, the vulnerability does not require root access to exploit; all it requires is the same access level as any third-party application to start stealing keys. The time required is not reassuring either: for example, it takes less than an hour to extract a 2048-bit RSA key and more than two hours to extract a 2048-bit Diffie-Hellman key.
The vulnerability stems from Apple’s decision not to follow standard practices when designing the data memory-dependent prefetchers in M-series chips. GoFetch is described as unpatchable, which is true for the M1 and M2, but not the M3. There are multiple ways to mitigate the vulnerability, but, as with Spectre-like vulnerabilities affecting Intel and AMD processors, patching can have a severe negative impact on performance. The articles in Bleeping Computer and Ars Technica don’t specify how big an impact this has on the M3’s performance, possibly because it hasn’t been fully tested, but the impact could be significant.
Stay tuned for more news, and be very careful about the apps you install on your new Mac.