Linux Porter Discovered M1 Covert Channel Flaw Named ‘M1RACLES’

• A Linux hacker has discovered a flaw in M1 chips that allows two processes to talk to each other covertly.
• While this shouldn’t be allowed as it bypasses OS security layers, it is nothing to worry about in practice.
• The researcher has reported his finding to Apple, but it is doubtful that we’ll see a fix for it.

Hector Martin, a hacker who is porting Linux to Apple Silicon Macs through Asahi Linux, has discovered a novel covert channel vulnerability on the M1 chip, calling it ‘M1RACLES’ and tracked as CVE-2021-30747. The flaw lies in the design of the chip itself, allowing any two applications running under an OS to covertly exchange data between them without using memory, sockets, files, or any other features that are meant to be used for data exchange.

This problem applies even if the two intercommunicating processes belong to different users and run on different privilege levels.

Because this vulnerability is bound to the chip itself, it doesn’t matter if the user is running macOS, or Linux, or OpenBSD, or anything else on it. Every M1 device is affected by M1RACLES, and the only mitigation that can address the issue is to run the entire OS as a virtual machine. Obviously, this would impact the performance greatly, but would it be worth it? Is M1RACLES that serious to call for such a drastic measure?

The researcher who discovered and reported this to Apple says malware cannot use this vulnerability to do any serious harm to the users, like assuming control of the target system or stealing private information. Similarly, malicious Javascript running on a website cannot exploit M1RACLES in any useful way, so you can’t get harmed from being led to a specific page on the net. All in all, this looks like an interesting find that threat actors don't have a meaningful way to take advantage of.

We have reached out to chip security researcher Niels Hofmans, and here are his thoughts on the issue:

The real danger that arises from this flaw would mainly revolve around cross-app tracking, helping advertising companies get their hands onto data that should be out of their direct reach. This would still not be a practical approach, though, as Apple could easily detect the existence of the relevant code on their apps and ban them.

We don’t know if Apple is planning to address this issue, and it really isn’t anything that you should worry about at this point. M1RACLES shouldn’t be allowed as it overrides the security of any OS running on the chip, but in practice, it is pretty much innocuous.