Apple draws crypto criticism again: what you need to know
Apple has found itself under the microscope of the crypto community twice recently. What are the implications of these events?
In a recent turn of events, Apple, the tech giant, finds itself in the crosshairs of the crypto community, not once but at least twice.
The first blow comes in the form of a sophisticated side-channel attack called “GoFetch,” which has exposed a vulnerability in Apple’s M1, M2, and M3 processors. This exploit can pilfer secret cryptographic keys residing in the CPU’s cache, leaving sensitive data susceptible to compromise.
A group of seven researchers from various universities in the U.S. developed GoFetch and reported their findings to Apple. However, the nature of this hardware-based vulnerability means that impacted CPUs cannot be fixed. While software fixes could mitigate the issue, they would come at the cost of performance, particularly affecting cryptographic functions.
Adding fuel to the fire, the second blow lands courtesy of the United States Department of Justice (DOJ), which has leveled a hefty antitrust lawsuit against Apple.
The lawsuit claims that Apple’s App Store rules and developer agreements stifle competition and innovation, creating barriers for developers and users across diverse sectors, including finance and crypto.
Let’s delve deeper into the implications of these events and dissect what really is happening and how it impacts crypto.
Understanding the GoFetch attack
The GoFetch attack zeroes in on a sophisticated vulnerability within modern Apple CPUs, putting users at risk of having their private cryptographic keys compromised.
At the heart of the GoFetch assault lies a feature known as the data memory-dependent prefetcher (DMP), a component designed to enhance the speed of computing operations by predicting and fetching data ahead of time into the CPU cache.
Think of it as a forward-thinking assistant, preemptively retrieving information it believes the computer will need based on past memory access patterns. However, the DMP’s predictive prowess becomes its Achilles’ heel in the context of the GoFetch attack.
This exploit targets cryptographic processes that maintain a constant execution time, regardless of the input—a security measure aimed at thwarting data leaks.
By delving into the intricacies of Apple’s DMP implementation, the attackers uncovered a critical flaw that violates this fundamental principle of constant-time programming.
The crux of the attack lies in the prefetcher’s propensity to activate and dereference data loaded from memory, particularly data resembling pointers—an action strictly prohibited under constant-time programming guidelines.
Exploiting this flaw, attackers can craft specialized inputs designed to trigger the prefetcher, gradually revealing bits of the secret cryptographic key.
With persistence and repetition, the attackers can reconstruct the entire key, exposing sensitive information to potential compromise.
Apple’s M1 processors, and likely their successors M2 and M3, are susceptible to this vulnerability due to similar prefetching behavior.
Unfortunately, as this weakness is deeply ingrained in the hardware design of Apple CPUs, there’s no straightforward fix available.
Who’s at risk and Apple’s response
The discovery of this critical security flaw in Apple’s M-series chips has put users of Mac and iPad devices at potential risk.
What’s concerning is that users cannot address this vulnerability directly. Cryptographic application developers must implement mitigations for the problem and issue updates to their applications.
However, this process may not be straightforward, and users may find themselves in a vulnerable position until these updates are rolled out.
Security experts like Robert Graham, CEO of security consultancy Errata Security, advise caution, suggesting that individuals with substantial holdings in crypto wallets on Apple devices should consider temporarily removing them as a precautionary measure.
In response to Zero Day’s inquiry, Apple acknowledged the research findings but hasn’t provided concrete steps to address the problem.
Apple’s developer page offers guidance to application developers, suggesting the implementation of data-independent timing (DIT) to disable the prefetcher during cryptographic functions.
However, this solution comes with its own set of challenges. Disabling the prefetcher could result in decreased processor performance during cryptographic operations, raising concerns about usability and efficiency.
Furthermore, the DIT fix is only applicable to Apple’s latest M3 chips, leaving users with M1 and M2 devices vulnerable to exploitation.
Apple’s antitrust woes and crypto’s future
The DOJ’s lawsuit contends that Apple’s tight grip on its App Store has led to anti-competitive behavior, stifling innovation and imposing hefty fees on developers.
Central to the debate is Apple’s infamous 30% “Apple tax,” a commission charged on in-app purchases, including crypto transactions.
This fee model, deemed “grotesquely overpriced” by critics, became a significant obstacle for crypto developers seeking to offer their services on iOS devices in the past.
The repercussions of Apple’s fee structure are evident in the NFT marketplaces. Companies like Magic Eden, faced with the prospect of paying substantial commissions, opted to withdraw their services from the App Store in 2022 and are still holding onto their guns.
Others, like OpenSea, have had to scale back functionality to just viewing and browsing NFTs, limiting user experience and access to NFT trading.
The Bitcoin-friendly social app Damus also had to remove its BTC tipping feature. Apple delisted the app because it didn’t use Apple’s in-app payments, which Apple uses to take a cut.
Additionally, Apple’s guidelines go beyond mere fee structures, encompassing restrictions on payment systems and app distribution.
These guidelines prevent developers from offering alternative payment methods, hindering the integration of crypto into iOS apps.
For instance, Apple is facing a class-action lawsuit initiated last year, filed in Nov. 2023 in a California District Court.
The lawsuit alleges that Apple collaborated with payment platforms such as PayPal’s Venmo and Block’s Cash App to restrict peer-to-peer (P2P) payments within iOS applications.
Meanwhile, in response to the DOJ’s allegations, Apple has defended its practices, citing concerns about user privacy and security.
However, critics argue that these policies disproportionately favor Apple’s bottom line at the expense of developer freedom and consumer choice.
Experts estimate a three-to-five-year timeline for any resolution to Apple vs. DOJ case. However, app makers and the Coalition for App Fairness have voiced strong support for the DOJ’s regulatory action, citing Apple’s long history of unfairly increasing prices, degrading user experiences, and choking off competition.
