What MIT Just Found Inside Apple’s M1 Chip
A research team at MIT has uncovered a previously unnoticed vulnerability in Apple’s M1 chip, raising new concerns about Apple processor security. To inspect in depth how modern CPUs behave, the team built its own operating system, called Fractal, instead of relying on makeshift tools and workarounds. Using Fractal, they examined a hardware protection feature known as CSV2, which is supposed to prevent code from crossing security boundaries inside the chip. While CSV2 mostly does its job, the researchers discovered a gap: even when execution is blocked, the M1 still prefetches data into its cache across that boundary. This subtle behavior may give attackers enough of a foothold to build an exploit against the chip’s architecture, turning a low-level quirk into a practical MacBook vulnerability that existing defenses were never designed to catch.
Fractal: The Custom OS That Exposed the Vulnerability
To reach this level of detail, the MIT team built Fractal, a research-focused operating system of over 31,000 lines of code. Fractal runs on the three major processor families—x86_64, ARM64, and RISC-V—allowing direct, consistent comparison of different chip designs. Unlike one-off test harnesses, it supports familiar tools like the Vim editor, the GCC compiler, and the Dash shell, so researchers can port their usual workflows with minimal changes. Lead researcher Joseph Ravichandran compares Fractal to an “electron microscope” for processors: a way to observe behavior that standard operating systems hide or blur. This precision revealed that earlier studies of the M1’s branch predictor had been misled by macOS silently moving tests between cores, masking real vulnerabilities. By stripping away that noise, Fractal exposed how tightly both the security and the performance of a MacBook are tied to the M1’s deepest architectural decisions.
Phantom Speculation: A Familiar Exploit Class Appears on Apple Silicon
One of the most striking discoveries is that the M1 is susceptible to a class of attacks called “Phantom speculation,” previously seen on Intel and AMD chips but not documented on Apple Silicon. Phantom speculation manipulates the processor’s speculative execution pathways, coaxing it into doing work it should never perform under normal rules. Even if the results of speculation are later discarded, the mere fact that data passed through caches or predictors can leak sensitive information. In this case, the interaction between CSV2 and the M1’s speculative mechanisms creates the conditions under which those phantom paths appear. That means attackers who understand these patterns might be able to craft an exploit that reads data across what should be strict isolation boundaries. For MacBook owners, this blurs the line between performance features like speculation and potential weaknesses in Apple processor security.
How Serious Is the M1 Chip Flaw for Everyday MacBook Users?
The newly identified M1 chip flaw is highly technical, and there is no indication of active attacks in the wild so far. However, the fact that data can still be fetched into cache across a blocked boundary means the theoretical attack surface is larger than Apple’s current protections assume. That could eventually impact both MacBook performance and security if future exploits manage to turn these low-level behaviors into reliable data leaks. The research also shows that earlier assumptions about safe branch prediction on Apple’s efficiency cores were incorrect, suggesting more of the chip is exposed than previously thought. Apple’s security team has been briefed on the findings and has examined the Fractal OS, but the company has not yet publicly detailed any fixes or firmware updates. Until Apple responds, the best defense is keeping systems fully updated and monitoring future security advisories.
