My reading of this is that for this (truly horrible) attack to get you, you'd need to run an app in which it's embedded for an extended period of time on your computer. So the bad guys could hack me if I downloaded an app from a sketchy source (unlikely) or they managed to hack any one of Adobe or Mozilla or Microsoft Office or Chrome or Safari or Apple Music or Emacs or YouTube or or or … (less unlikely).
@timbray It seems like a difficult thing to do. It is still something to keep an eye on because some of the other side-channel attacks not related to Apple's chips have been demonstrated with JS or WASM code.
@timbray Note that the problem is ironically exacerbated by regulatory moves to permit third-party app stores, which are pretty much guaranteed to result in more malware apps being installed by far more people.
@freeagent @timbray Because (a) it brings in the entire iOS ecosystem including vast numbers of iPhone users who only minimally understand this stuff, and (b) third party app stores give an impression of safety that users have always associated with the Apple App Store but are likely to be far less safe. That's just two.
@freeagent @timbray I'm not talking about this particular vulnerability, I'm talking about the overall problem of more malware once there are multiple app stores.
@freeagent @timbray Most people just assume what's in official stores is safe. One you have 3rd party stores popping up the opportunities for confusion become immense.
@lauren @timbray The assumption that apps in the official stores are safe is bad in the first place. This is just one of many stories: https://lifehacker.com/great-now-the-apple-app-store-has-malware-too-1849386738
@timbray @arstechnica Attacks only get better, so cryptographers should definitely worry about this, but…
I would like a lot more details on just how practical it is now. It says it takes an hour…presumably the target system needed to be actively using the secret key the entire time? In what circumstances does that happen? Seems rare for https, but maybe disk encryption keys? Did they make the rest of the system artificially quiet, or were a full set of normal processes running?
@DirkK @arstechnica MacOS doesn't prevent any program from spinning off a background thread to silently do computation without any effect on the user interface, whether it's being used or not. And the M-series chips have plenty of high-powered CPUs so you'd likely never even notice it was happening.
@timbray @arstechnica The question isn’t about the attacking program, it’s about the target. Am I wrong that the target needs to be continually using the same key for that hour? Does that routinely happen? Can the attacker force it to happen?