The Power of Telemetry: Uncovering Software-Based Side-Channel Attacks on Apple M1/M2 Systems by Nikhil Chawla, Chen Liu, Abhishek Chakraborty, Igor Chervatyuk, Ke Sun, Thaís Moreira Hamasaki and Henrique Kawakami.
Power analysis is a class of side-channel attacks, where power consumption data is used to infer sensitive information and extract secrets from a system. Traditionally, such attacks required physical access to the target, as well as specialized devices to measure the power consumption with enough precision. The PLATYPUS attack has shown that on-chip power meter capabilities exposed through a software interface might form a new class of power side-channel attacks. This paper presents a software-based power side-channel attack on Apple Silicon M1/M2 platforms, exploiting the System Management Controller (SMC) and its power-related keys, which expose the on-chip power meters through a software interface to user space software. We observed data-dependent power consumption reporting from such keys and analyzed the correlations between the power consumption and the processed data. Our work also demonstrates how an unprivileged user mode application successfully recovers bytes of an AES encryption key from a cryptographic service supported by a kernel mode driver in macOS. Furthermore, we discuss the impact of software-based power side-channels in the industry, possible countermeasures, and the overall implications of software interfaces for modern on-chip power management systems.
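The abstract's core claim is that a power-reporting interface is a side channel when its readings correlate with the data being processed, and that countermeasures have to break that correlation. The following Python snippet is an added example, not code from the paper or from Apple: it uses a constructed, synthetic leakage model (reported power proportional to the Hamming weight of a processed byte plus Gaussian noise) rather than real SMC telemetry, and shows how a defender can measure the data dependence of a telemetry source with a Pearson correlation test and then check whether a candidate mitigation (coarse quantization plus random jitter applied at the reporting interface) actually drives that correlation down. The parameters `alpha`, `noise_sd`, `resolution` and `jitter_sd` are assumptions chosen for illustration.

```python
import random

# Constructed leakage model (assumption for this example): the on-chip meter
# reports baseline + alpha * HammingWeight(processed byte) + Gaussian noise.
# This stands in for real SMC readings, which are not reproduced here.

def hamming_weight(b: int) -> int:
    """Number of set bits in a byte; the classic data-dependent leakage proxy."""
    return bin(b & 0xFF).count("1")


def simulate_raw_reading(byte: int, rng: random.Random,
                         baseline: float = 5000.0, alpha: float = 12.0,
                         noise_sd: float = 20.0) -> float:
    """Synthetic 'fine-grained' power reading in arbitrary units (assumed model)."""
    return baseline + alpha * hamming_weight(byte) + rng.gauss(0.0, noise_sd)


def mitigated_reading(raw: float, rng: random.Random,
                      resolution: float = 500.0, jitter_sd: float = 200.0) -> float:
    """Candidate countermeasure applied at the reporting interface:
    add random jitter, then coarsely quantize before handing the value to
    user space. Both steps are assumptions illustrating a mitigation class,
    not a description of any vendor's implementation."""
    return resolution * round((raw + rng.gauss(0.0, jitter_sd)) / resolution)


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def leakage_correlation(samples: int = 2000, mitigate: bool = False,
                        seed: int = 1) -> float:
    """Defender-side leakage test: process random bytes, collect the readings
    the interface would return, and correlate them with the Hamming weight
    of the processed data. A value near 0 means the interface is not
    reporting anything data-dependent at this resolution."""
    rng = random.Random(seed)
    data = [rng.randrange(256) for _ in range(samples)]
    weights = [hamming_weight(d) for d in data]
    readings = []
    for d in data:
        r = simulate_raw_reading(d, rng)
        if mitigate:
            r = mitigated_reading(r, rng)
        readings.append(r)
    return pearson(weights, readings)


if __name__ == "__main__":
    print(f"raw interface       r = {leakage_correlation():.3f}")
    print(f"jitter + quantized  r = {leakage_correlation(mitigate=True):.3f}")
```

Running it with the defaults shows a strong correlation for the fine-grained interface (the synthetic signal is 12 units per bit against 20 units of noise, so r lands around 0.6) and a correlation near zero once jitter and coarse quantization are applied. The same test harness can be pointed at a real telemetry source by replacing `simulate_raw_reading` with actual interface reads; the threshold a team accepts depends on how many samples an unprivileged process can collect, which is why rate limiting is usually paired with quantization.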