蘋果的 M 系列晶片使加密貨幣持有者面臨嚴重的安全風險

Apple M 系列晶片中的漏洞允許駭客從易受攻擊的 Apple 裝置中提取加密金鑰。此漏洞被稱為“GoFetch 漏洞”，可透過資料記憶體相關預取器(DMP) 授予對電腦CPU 快取的存取權限，從而允許攻擊者透過觀察對處理器快取的依賴於秘密的存取的副作用來推斷秘密密鑰。

Apple's M-Series Chips: A Grave Security Threat to Crypto Holders

蘋果的 M 系列晶片：對加密貨幣持有者的嚴重安全威脅

In a groundbreaking exposé, security researchers have uncovered a severe vulnerability in Apple's latest M-series computer chips, including the M1, M2, and M3 models powering all of the company's recent devices. This vulnerability has sent shockwaves through the cryptocurrency community, as it potentially allows hackers to pilfer cryptographic keys, the very foundation of data protection, including those safeguarding crypto wallets.

在一次突破性的曝光中，安全研究人員發現了 Apple 最新 M 系列電腦晶片中的嚴重漏洞，其中包括為該公司所有最新設備提供支援的 M1、M2 和 M3 型號。該漏洞在加密貨幣社群引起了衝擊，因為它可能允許駭客竊取加密金鑰，而加密金鑰是資料保護的基礎，包括保護加密錢包的資料保護。

Dubbed the "GoFetch exploit," this flaw leverages Data Memory-Dependent Prefetchers (DMPs) embedded within the chips to infiltrate the computer's CPU cache. Through this side-channel attack, malicious actors can infer sensitive information, including cryptographic keys, by observing the cache's response to the victim's program's secret-dependent accesses.

這個漏洞被稱為“GoFetch 漏洞”，它利用嵌入在晶片中的資料記憶體相關預取器 (DMP) 來滲透電腦的 CPU 快取。透過這種旁路攻擊，惡意行為者可以透過觀察快取對受害者程式的秘密相關存取的回應來推斷敏感訊息，包括加密金鑰。

The potential impact of this exploit cannot be overstated. It could compromise the security of software crypto wallets installed on vulnerable Apple devices, exposing users to the risk of financial ruin. Moreover, the exploitation could extend to web browser encryption, potentially affecting popular applications like MetaMask, iCloud backups, and email accounts.

這漏洞的潛在影響怎麼強調都不為過。它可能會損害安裝在易受攻擊的蘋果設備上的軟體加密錢包的安全性，使用戶面臨財務破產的風險。此外，該漏洞還可能擴展到 Web 瀏覽器加密，可能會影響 MetaMask、iCloud 備份和電子郵件帳戶等熱門應用程式。

The disclosure of this vulnerability has sent ripples of unease throughout the security community. Researchers from prestigious institutions such as the University of Illinois Urbana-Champaign, University of Texas, Austin, Georgia Tech, UC Berkeley, University of Washington, and Carnegie Mellon University, collaborated on the discovery. They responsibly notified Apple of their findings on December 5, 2023, allowing the company over 100 days to address the issue before the public release of their research paper and accompanying website.

此漏洞的揭露在整個安全社區引起了不安。來自伊利諾大學香檳分校、德州大學奧斯汀分校、喬治亞理工學院、加州大學柏克萊分校、華盛頓大學和卡內基美隆大學等著名機構的研究人員合作完成了這項發現。他們於 2023 年 12 月 5 日負責任地向 Apple 通報了他們的調查結果，允許該公司在公開發布其研究論文和隨附網站之前有 100 多天的時間來解決該問題。

In response, Apple has released a statement expressing gratitude for the researchers' collaboration and acknowledging the significance of their work in identifying potential security threats. However, the company's response has been met with skepticism. Critics argue that Apple's published developer post, intended to mitigate the attack, falls short of providing a comprehensive solution.

作為回應，蘋果公司發布了一份聲明，對研究人員的合作表示感謝，並承認他們的工作在識別潛在安全威脅方面的重要性。然而，該公司的回應遭到了質疑。批評者認為，蘋果發布的開發者貼文旨在減輕攻擊，但未能提供全面的解決方案。

"Apple added a fix for this in its M3 chips released in [October]," tweeted journalist Kim Zetter. "But developers were not told about the fix in [October] so they could enable it. Apple added an instruction to its developer site on how to enable the fix only yesterday."

記者 Kim Zetter 在推特上寫道：“蘋果在 10 月發布的 M3 晶片中添加了對此問題的修復。” “但開發者在 10 月並沒有被告知該修復程序，因此他們可以啟用該修復程序。蘋果公司昨天才在其開發者網站上添加瞭如何啟用該修復程序的說明。”

This delay has left crypto users in a precarious position. The onus now falls upon wallet providers like MetaMask and Phantom to implement patches to safeguard their users against this exploit. As of now, it remains uncertain whether these companies have taken such measures.

這種延遲使加密貨幣用戶處於危險的境地。現在，MetaMask 和 Phantom 等錢包提供者有責任實施補丁，以保護其用戶免受這種攻擊。截至目前，這些公司是否採取了此類措施仍不確定。

The discovery of the GoFetch exploit has shattered the illusion of invulnerability surrounding MacOS and iOS devices. Previously, Apple users took solace in the belief that their systems were immune to malware attacks. However, as evidenced by this latest revelation, no system is impenetrable.

GoFetch 漏洞的發現打破了 MacOS 和 iOS 裝置無懈可擊的幻想。在此之前，蘋果用戶相信他們的系統不會受到惡意軟體攻擊，這讓他們感到安慰。然而，正如最新的披露所證明的那樣，沒有任何系統是堅不可摧的。

In January, cybersecurity firm Kaspersky raised concerns about the increasing "unusual creativity" in malware development, targeting both Intel and Apple Silicon devices. Kaspersky specifically highlighted malware targeting Exodus wallet users, attempting to trick them into downloading a malicious version of the software.

一月份，網路安全公司卡巴斯基對針對英特爾和蘋果晶片設備的惡意軟體開發中日益增長的「異常創造力」表示擔憂。卡巴斯基特別強調了針對 Exodus 錢包用戶的惡意軟體，試圖誘騙他們下載該軟體的惡意版本。

Crypto holders facing this unprecedented threat should exercise caution. The wisest course of action is to remove crypto wallets from vulnerable Apple devices until a comprehensive solution is available. While the exploit primarily affects devices with M-series chips, users with older Apple devices equipped with Intel chips can breathe a sigh of relief for now.

面臨這前所未有的威脅的加密貨幣持有者應該謹慎行事。最明智的做法是從易受攻擊的 Apple 裝置中刪除加密錢包，直到出現全面的解決方案。雖然該漏洞主要影響配備 M 系列晶片的設備，但使用配備英特爾晶片的舊款 Apple 設備的用戶現在可以鬆一口氣了。

The onus now falls upon Apple to prioritize the security of its users and provide a robust solution to this critical vulnerability. The company must engage in proactive communication with developers to ensure that the necessary patches are implemented swiftly and effectively.

現在，蘋果有責任優先考慮用戶的安全，並為這一關鍵漏洞提供強大的解決方案。公司必須與開發人員積極溝通，以確保快速有效地實施必要的修補程式。

In the meantime, crypto users must remain vigilant and adopt best practices to protect their digital assets. Regular software updates, strong passwords, and multi-factor authentication are essential measures in defending against potential threats.

同時，加密貨幣用戶必須保持警惕並採取最佳實踐來保護他們的數位資產。定期軟體更新、強密碼和多因素身份驗證是防禦潛在威脅的重要措施。

As the digital realm continues to evolve, so too must the security measures employed to safeguard our data and finances. The discovery of the GoFetch exploit serves as a stark reminder that complacency can have dire consequences. By staying informed, taking proactive steps, and demanding accountability from technology companies, we can collectively mitigate these threats and ensure the integrity of our crypto investments.

隨著數位領域的不斷發展，用於保護我們的數據和財務的安全措施也必須如此。 GoFetch 漏洞的發現清楚地提醒我們，自滿可能會帶來可怕的後果。透過隨時了解情況、採取積極主動的措施並要求科技公司承擔責任，我們可以共同減輕這些威脅並確保我們的加密投資的完整性。