苹果的 M 系列芯片使加密货币持有者面临严重的安全风险

Apple M 系列芯片中的漏洞允许黑客从易受攻击的 Apple 设备中提取加密密钥。此漏洞被称为“GoFetch 漏洞”，可通过数据内存相关预取器 (DMP) 授予对计算机 CPU 缓存的访问权限，从而允许攻击者通过观察对处理器缓存的依赖于秘密的访问的副作用来推断秘密密钥。

Apple's M-Series Chips: A Grave Security Threat to Crypto Holders

苹果的 M 系列芯片：对加密货币持有者的严重安全威胁

In a groundbreaking exposé, security researchers have uncovered a severe vulnerability in Apple's latest M-series computer chips, including the M1, M2, and M3 models powering all of the company's recent devices. This vulnerability has sent shockwaves through the cryptocurrency community, as it potentially allows hackers to pilfer cryptographic keys, the very foundation of data protection, including those safeguarding crypto wallets.

在一次突破性的曝光中，安全研究人员发现了 Apple 最新 M 系列计算机芯片中的严重漏洞，其中包括为该公司所有最新设备提供支持的 M1、M2 和 M3 型号。该漏洞在加密货币社区引起了冲击，因为它可能允许黑客窃取加密密钥，而加密密钥是数据保护的基础，包括保护加密钱包的数据保护。

Dubbed the "GoFetch exploit," this flaw leverages Data Memory-Dependent Prefetchers (DMPs) embedded within the chips to infiltrate the computer's CPU cache. Through this side-channel attack, malicious actors can infer sensitive information, including cryptographic keys, by observing the cache's response to the victim's program's secret-dependent accesses.

该漏洞被称为“GoFetch 漏洞”，它利用嵌入在芯片中的数据内存相关预取器 (DMP) 来渗透计算机的 CPU 缓存。通过这种旁路攻击，恶意行为者可以通过观察缓存对受害者程序的秘密相关访问的响应来推断敏感信息，包括加密密钥。

The potential impact of this exploit cannot be overstated. It could compromise the security of software crypto wallets installed on vulnerable Apple devices, exposing users to the risk of financial ruin. Moreover, the exploitation could extend to web browser encryption, potentially affecting popular applications like MetaMask, iCloud backups, and email accounts.

这一漏洞的潜在影响怎么强调都不为过。它可能会损害安装在易受攻击的苹果设备上的软件加密钱包的安全性，使用户面临财务破产的风险。此外，该漏洞还可能扩展到 Web 浏览器加密，从而可能影响 MetaMask、iCloud 备份和电子邮件帐户等流行应用程序。

The disclosure of this vulnerability has sent ripples of unease throughout the security community. Researchers from prestigious institutions such as the University of Illinois Urbana-Champaign, University of Texas, Austin, Georgia Tech, UC Berkeley, University of Washington, and Carnegie Mellon University, collaborated on the discovery. They responsibly notified Apple of their findings on December 5, 2023, allowing the company over 100 days to address the issue before the public release of their research paper and accompanying website.

此漏洞的披露在整个安全社区引起了不安。来自伊利诺伊大学香槟分校、德克萨斯大学奥斯汀分校、佐治亚理工学院、加州大学伯克利分校、华盛顿大学和卡内基梅隆大学等著名机构的研究人员合作完成了这一发现。他们于 2023 年 12 月 5 日负责任地向 Apple 通报了他们的调查结果，允许该公司在公开发布其研究论文和随附网站之前有 100 多天的时间来解决该问题。

In response, Apple has released a statement expressing gratitude for the researchers' collaboration and acknowledging the significance of their work in identifying potential security threats. However, the company's response has been met with skepticism. Critics argue that Apple's published developer post, intended to mitigate the attack, falls short of providing a comprehensive solution.

作为回应，苹果公司发布了一份声明，对研究人员的合作表示感谢，并承认他们的工作在识别潜在安全威胁方面的重要性。然而，该公司的回应遭到了质疑。批评者认为，苹果发布的开发者帖子旨在减轻攻击，但未能提供全面的解决方案。

"Apple added a fix for this in its M3 chips released in [October]," tweeted journalist Kim Zetter. "But developers were not told about the fix in [October] so they could enable it. Apple added an instruction to its developer site on how to enable the fix only yesterday."

记者 Kim Zetter 在推特上写道：“苹果在 10 月发布的 M3 芯片中添加了对此问题的修复。” “但开发者在 10 月份并没有被告知该修复程序，因此他们可以启用该修复程序。苹果公司昨天才在其开发者网站上添加了如何启用该修复程序的说明。”

This delay has left crypto users in a precarious position. The onus now falls upon wallet providers like MetaMask and Phantom to implement patches to safeguard their users against this exploit. As of now, it remains uncertain whether these companies have taken such measures.

这种延迟使加密货币用户处于危险的境地。现在，MetaMask 和 Phantom 等钱包提供商有责任实施补丁，以保护其用户免受这种攻击。截至目前，这些公司是否采取了此类措施仍不确定。

The discovery of the GoFetch exploit has shattered the illusion of invulnerability surrounding MacOS and iOS devices. Previously, Apple users took solace in the belief that their systems were immune to malware attacks. However, as evidenced by this latest revelation, no system is impenetrable.

GoFetch 漏洞的发现打破了 MacOS 和 iOS 设备无懈可击的幻想。此前，苹果用户相信他们的系统不会受到恶意软件攻击，这让他们感到安慰。然而，正如最新的披露所证明的那样，没有任何系统是坚不可摧的。

In January, cybersecurity firm Kaspersky raised concerns about the increasing "unusual creativity" in malware development, targeting both Intel and Apple Silicon devices. Kaspersky specifically highlighted malware targeting Exodus wallet users, attempting to trick them into downloading a malicious version of the software.

一月份，网络安全公司卡巴斯基对针对英特尔和苹果芯片设备的恶意软件开发中日益增长的“异常创造力”表示担忧。卡巴斯基特别强调了针对 Exodus 钱包用户的恶意软件，试图诱骗他们下载该软件的恶意版本。

Crypto holders facing this unprecedented threat should exercise caution. The wisest course of action is to remove crypto wallets from vulnerable Apple devices until a comprehensive solution is available. While the exploit primarily affects devices with M-series chips, users with older Apple devices equipped with Intel chips can breathe a sigh of relief for now.

面临这一前所未有的威胁的加密货币持有者应该谨慎行事。最明智的做法是从易受攻击的 Apple 设备中删除加密钱包，直到出现全面的解决方案。虽然该漏洞主要影响配备 M 系列芯片的设备，但使用配备英特尔芯片的旧款 Apple 设备的用户现在可以松一口气了。

The onus now falls upon Apple to prioritize the security of its users and provide a robust solution to this critical vulnerability. The company must engage in proactive communication with developers to ensure that the necessary patches are implemented swiftly and effectively.

现在，苹果有责任优先考虑用户的安全，并为这一关键漏洞提供强大的解决方案。公司必须与开发人员积极沟通，以确保快速有效地实施必要的补丁。

In the meantime, crypto users must remain vigilant and adopt best practices to protect their digital assets. Regular software updates, strong passwords, and multi-factor authentication are essential measures in defending against potential threats.

与此同时，加密货币用户必须保持警惕并采取最佳实践来保护他们的数字资产。定期软件更新、强密码和多因素身份验证是防御潜在威胁的重要措施。

As the digital realm continues to evolve, so too must the security measures employed to safeguard our data and finances. The discovery of the GoFetch exploit serves as a stark reminder that complacency can have dire consequences. By staying informed, taking proactive steps, and demanding accountability from technology companies, we can collectively mitigate these threats and ensure the integrity of our crypto investments.

随着数字领域的不断发展，用于保护我们的数据和财务的安全措施也必须如此。 GoFetch 漏洞的发现清楚地提醒我们，自满可能会带来可怕的后果。通过及时了解情况、采取积极主动的措施并要求技术公司承担责任，我们可以共同减轻这些威胁并确保我们的加密投资的完整性。