Concise Cyber

GoFetch Attack Exposes Apple M-Series Chips, Extracts Cryptographic Keys from Secure Environments

In March 2024, researchers disclosed a side-channel attack named GoFetch that extracts secret cryptographic keys from Apple’s M-series silicon, including the M1, M2, and M3 chips. The attack was developed and demonstrated by a team of academics from institutions including the University of Illinois Urbana-Champaign, the University of Texas at Austin, and the University of Washington.

GoFetch runs as an ordinary, unprivileged application on the same machine as the victim: it needs neither root nor physical access, only the ability to execute code alongside the cryptographic operation it targets. It does not depend on a bug in any one library. The weakness is a hardware optimization in the processor itself, which is why a single technique reaches across otherwise unrelated implementations.

GoFetch Attack Mechanism Explained

GoFetch is a microarchitectural attack on the Data Memory-Dependent Prefetcher (DMP), a performance feature of Apple’s high-performance CPU cores (the efficiency cores do not have it). A conventional prefetcher watches the pattern of addresses a program touches. The DMP instead inspects the data being loaded from memory: when a value looks like a pointer, it speculatively fetches the memory that value points to, before the program ever dereferences it. The prefetcher therefore acts on the contents of memory, not just on addresses, and during a cryptographic computation those contents include the secret key and values derived from it.

The researchers turned this into a chosen-input attack. The attacker feeds the cryptographic operation inputs crafted so that an intermediate value looks like a pointer into memory the attacker monitors only if a guess about part of the key is correct. When the guess is right, the DMP dereferences that value and pulls the attacker’s memory into the cache; the attacker detects the resulting cache fill with a standard prime-and-probe timing measurement, learns that the guess was correct, and moves on to the next part of the key. Constant-time programming, which keeps branches and memory addresses independent of the secret, offers no protection here: what leaks is the data value itself, which constant-time code is allowed to let depend on the secret.

Vulnerable Implementations and Impact

In their proof-of-concept, the research team recovered keys from four real implementations: a 2048-bit RSA key (Go’s crypto library), a 2048-bit Diffie-Hellman key (OpenSSL), and keys for the post-quantum algorithms CRYSTALS-Kyber and CRYSTALS-Dilithium. All four targets were constant-time implementations, written to resist the timing and cache-address side channels that were previously the main concern.

Because the behavior is built into the silicon, Apple cannot remove it from shipped M1 and M2 chips with a software update; the burden falls on cryptographic software. The researchers describe several countermeasures, each with a performance cost: blinding, which masks intermediate values with random data so that they never look like attacker-chosen pointers regardless of the key; pinning sensitive computations to the efficiency cores, which lack the DMP; and, on the M3 only, setting the processor’s Data Independent Timing (DIT) bit, which disables the DMP while it is set. M1 and M2 offer no equivalent switch.
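The following Python model ties the mechanism described under “GoFetch Attack Mechanism Explained” to the blinding and efficiency-core countermeasures above. It is an added illustration, not code from the GoFetch researchers or from any affected library, and every hardware detail in it is a simplifying assumption: the DMP is modeled as a pass over the 64-bit words a victim stores that prefetches any word whose value falls inside a constructed attacker-owned address range (PROBE_BASE, PROBE_SIZE); the attacker’s prime-and-probe measurement is reduced to asking whether its probe line was prefetched; and the victim is a toy constant-time ladder (ct_select, victim_ladder, started from the constructed public constant SEED) rather than a real RSA or Kyber routine. recover_key is the chosen-input loop: knowing bits 0..i-1, it picks an input that makes the i-th intermediate a pointer to the probe line exactly when bit i is 1, and reads the bit off the cache.

```python
"""Toy model of the GoFetch channel (added illustration, not the researchers'
or any library's code).  Hardware details are simplifying assumptions: the
DMP is a pass over the 64-bit words the victim stores that "prefetches" any
word whose value falls in a mapped address range, and the attacker's
prime+probe measurement is reduced to asking whether its probe line was
prefetched.  The victim is constant-time in the classical sense (no
secret-dependent branches or addresses); only stored *values* depend on the
key, and that is enough for a DMP to leak them."""
import secrets

MASK64 = (1 << 64) - 1
LINE_SHIFT = 6                       # 64-byte cache lines

# Constructed address range owned by the attacker.  The modeled DMP treats any
# stored word whose value points into it as a pointer and prefetches that line.
PROBE_BASE = 0x0000_0001_2000_0000
PROBE_SIZE = 0x1000

# Public, key-independent start value of the victim's ladder (constructed).
SEED = 0x9E37_79B9_7F4A_7C15


def ct_select(bit, a, b):
    """Branch-free select: a if bit == 1 else b.  Only the *value* depends on bit."""
    mask = (-bit) & MASK64           # all ones if bit == 1, else 0
    return (a & mask) | (b & ~mask & MASK64)


def victim_ladder(key_bits, a, b, blind=False):
    """Constant-time ladder over the secret bits on attacker inputs a and b.
    Each step folds the selected operand into the running state (a stand-in
    for the multiply-and-reduce step of a real ladder) and stores it.
    Returns the 64-bit words written to memory, i.e. what the DMP inspects."""
    state = SEED
    stored = []
    for k in key_bits:
        state = (2 * state + ct_select(k, a, b)) & MASK64
        if blind:
            # Blinding countermeasure: store the intermediate XORed with a
            # fresh random mask.  The stored word is uniformly random, so it
            # looks like an attacker-chosen pointer only by chance.
            stored.append(state ^ secrets.randbits(64))
        else:
            stored.append(state)
    return stored


def dmp_prefetch(stored_words, dmp_enabled=True):
    """Modeled DMP: the set of cache lines prefetched, one for every stored
    word whose value points into the probe region.  dmp_enabled=False models
    a core without a DMP (Apple's efficiency cores) or a DMP switched off."""
    if not dmp_enabled:
        return set()
    return {w >> LINE_SHIFT for w in stored_words
            if PROBE_BASE <= w < PROBE_BASE + PROBE_SIZE}


def recover_key(run_victim, n_bits):
    """Chosen-input recovery, one bit per victim run.  run_victim(a, b) runs
    the victim and returns the prefetched lines the attacker observed.
    With bits 0..i-1 known, the state before step i is 2**i*SEED + A*a
    (b is kept 0), so the i-th intermediate is 2**(i+1)*SEED + (2A+1)*a if
    bit i is 1 and 2**(i+1)*SEED + 2A*a if it is 0.  2A+1 is odd, hence
    invertible mod 2**64, so a is chosen to make the former equal PROBE_BASE
    exactly; the probe line then fills only when the guess "1" is right."""
    recovered = []
    for i in range(n_bits):
        coef_a = 0
        for k in recovered:          # A: coefficient of a after the known prefix
            coef_a = (2 * coef_a + k) & MASK64
        target = (PROBE_BASE - ((SEED << (i + 1)) & MASK64)) & MASK64
        inv = pow((2 * coef_a + 1) & MASK64, -1, 1 << 64)
        a = (target * inv) & MASK64
        prefetched = run_victim(a, 0)
        recovered.append(1 if (PROBE_BASE >> LINE_SHIFT) in prefetched else 0)
    return recovered


def demo(key_bits):
    """Attack a plain victim, a victim on a DMP-less core, and a blinded
    victim.  Returns the three recovered bit lists for comparison."""
    n = len(key_bits)
    plain = recover_key(
        lambda a, b: dmp_prefetch(victim_ladder(key_bits, a, b)), n)
    no_dmp = recover_key(
        lambda a, b: dmp_prefetch(victim_ladder(key_bits, a, b), dmp_enabled=False), n)
    blinded = recover_key(
        lambda a, b: dmp_prefetch(victim_ladder(key_bits, a, b, blind=True)), n)
    return plain, no_dmp, blinded


if __name__ == "__main__":
    # Constructed 16-bit "key"; a real target has thousands of bits and is
    # attacked the same way, one chosen input per bit.
    key = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    plain, no_dmp, blinded = demo(key)
    print("secret          :", key)
    print("DMP on, no blind:", plain, "<- recovered" if plain == key else "")
    print("DMP off         :", no_dmp)
    print("DMP on, blinded :", blinded)
```

Running it shows the shape of the result: the unblinded victim on a DMP core gives up every bit, the same code on a core without the DMP leaks nothing, and blinding defeats the attack even with the DMP on, because the attacker can no longer make a stored value coincide with a chosen pointer. The model is deliberately noise-free; the real attack has to repeat measurements and work around the DMP’s actual heuristics for what counts as a pointer, which is why the published key extractions take on the order of hours rather than one run per bit.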