Security & Privacy

“Unpatchable” flaw in Apple M1/M2/M3 chips: GoFetch is the new Spectre

Posted on by

A recently discovered flaw in M-series Apple silicon chips could allow attackers to break Macs’ security, according to researchers. “GoFetch” is an attack method targeting data memory-depending prefetchers (DMP). Apple’s M1, M2, and M3 series chips all include this feature—and there’s no way to disable it for M1 or M2.

Here’s everything you need to know about GoFetch and how it might affect you.

In this article:

What is the GoFetch attack, and how could it affect Macs?

DMP is a feature that speeds up CPU processing by predicting the next memory address that an app will access.

GoFetch is a side-channel attack that builds on concepts from the “Augury” exploit of 2022. (We discussed Augury in episode 238 of the Intego Mac Podcast.) GoFetch can exploit a flaw in DMP to extract secret keys from constant-time implementations of various cryptographic algorithms. Concerningly, this includes both classical as well as modern, post-quantum cryptographic algorithms.

In effect, the results are similar in concept to speculative execution vulnerabilities like Spectre. By exploiting a feature that’s intended to improve processing speed, attackers can do potentially malicious things. In this case, they can extract private encryption keys.

Does the flaw impact M1 or M2 iPads, or Apple Vision Pro?

The researchers did not mention iPads or Apple Vision Pro. However, given that they share the same M1 or M2 processors as Macs, it should theoretically be possible to exploit the same vulnerability on these Apple products, too.

Does Apple know about the flaw, and will Apple fix it?

Apple has known about GoFetch since December 5, 2023. So far, Apple has not made any public statement about GoFetch.

As for whether Apple will attempt to mitigate the vulnerability, we can only speculate. However, it seems somewhat unlikely that Apple will try to mitigate the flaw through software patches—unless a threat actor begins exploiting GoFetch in the wild. Why? For one thing, disabling DMP entirely would cause “heavy performance penalties,” according to the researchers. Not only that, but it “is likely not possible on M1 and M2 CPUs.” Another potential mitigation—only running cryptographic code on Icestorm (efficiency) CPU cores—would also “likely incur a significant performance penalty.”

The researchers suggest that developers of cryptography libraries can mitigate the flaw on M3 processors by setting the “DIT bit” to enable data-independent timing. However, this does not fix the problem for M1 or M2 processors.

Apple has not yet officially announced its M4 line of processors; only time will tell whether GoFetch may affect these chips as well.

Have attackers exploited GoFetch in the wild?

The researchers published their findings on March 21, 2024. As far as we know, attackers have not yet exploited GoFetch in any real-world attack scenarios since then. But in theory, threat actors could begin to exploit GoFetch in the wild, now that the flaw is public knowledge.

Should I be worried about GoFetch?

For now, users of Apple products with M1, M2, or M3 processors shouldn’t worry about GoFetch.

If at some point Apple becomes aware of threat actors exploiting the flaw in the wild—and especially if the public were also aware of this fact—Apple would presumably attempt to mitigate GoFetch. Such a mitigation could hypothetically come in the form of an update to Lockdown Mode, to avoid performance penalties for everyday users who might be less likely to experience an attack exploiting GoFetch.

Could malware leverage GoFetch? How can I keep my Mac safe?

If there’s ever any Mac malware that exploits GoFetch, Intego will quickly add detection for it to keep our customers safe.

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

Is your Mac Secured?
Check out Intego’s store and find the right product for you.
Secure Your Digital Life Now
Is your Mac Secured?

How can I learn more?

We briefly discussed key points about GoFetch on episode 338 of the Intego Mac Podcast. For a deeper dive, we recommend reading Dan Goodin’s coverage, as well as the researchers’ site. You can also read the researchers’ highly technical white paper (PDF).

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →