Your computer, your phone, your tablet, your TV server: if it has a computer chip and can be accessed, it is vulnerable to Spectre and Meltdown. These are the names of data security vulnerabilities found in the physical hardware that is used in nearly all computers and handheld devices dating back over 20 years. Companies of all levels have been scrambling to patch their systems and servers in the past couple of weeks, because nearly every computer system in your network or connected to the cloud is susceptible, even the Nintendo Switch and Apple TV devices.
Spectre and Meltdown are, in total, three different variations of a flaw that can exploit the way processor chips handle data, including passwords, encryption keys, photos, and other sensitive information, allowing a potential hacker to guess where the information is kept on the chip and then steal it.
While there are no reports yet of attacks using this vector, the vulnerability is now public and it is reportedly difficult to detect an intrusion, as traditional logs would not catch this activity.
What do I need to do?
To put it simply: patch!
Make sure to update your operating system, internet browsers, programs, and all other software regularly, as patches are being actively rolled out to add protections. Check for firmware updates as well. If you make use of cloud services and virtual environments, check with your service providers to see if their servers and infrastructure are being updated. Keep your antivirus updated and active.
Some of the emergency patches may cause unexpected crashes and errors because of conflicts in different software (such as some antivirus programs), which your IT team will need to mitigate. This is why it is advised to keep backups of all of your data.
In some cases, you will need to investigate whether you need to disable or activate a feature on your software, browser, or for the systems in your organization. For example, Google Chrome suggests turning on “Strict Site Isolation” for its browser.
The vulnerability itself cannot actually be “patched” as it exists on a hardware level, but software vendors of operating systems, applications, and malware detectors alike have been creating their own patches to mitigate the existing problem. Eventually, replacing old hardware may become necessary, once CPU manufacturers are able to redesign their products to no longer have this physical vulnerability.
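One way to confirm that operating system patches actually took effect on a Linux machine, shown here as an added example that is not part of the original article. It assumes a kernel that reports mitigation state under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 or later); the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report for the three original
# Spectre/Meltdown variants. Assumes the Linux sysfs interface below exists.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints ok, mitigated, vulnerable or unknown.
# Typical kernel strings: "Not affected", "Mitigation: PTI", "Vulnerable".
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_dir [DIR] -> prints "name<TAB>class<TAB>raw status" per variant and
# returns 1 if any variant is vulnerable, unknown or has no report at all.
check_dir() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            raw=$(head -n 1 "$f")
            class=$(classify_status "$raw")
        else
            # A missing file usually means the kernel predates the interface,
            # which itself indicates the OS patches have not been applied.
            raw="(no kernel report)"
            class=unknown
        fi
        printf '%s\t%s\t%s\n' "$name" "$class" "$raw"
        [ "$class" = ok ] || [ "$class" = mitigated ] || rc=1
    done
    return $rc
}

# Run against the live system only when asked: sh script.sh --check [DIR]
if [ "${1:-}" = "--check" ]; then
    check_dir "${2:-}"
    exit $?
fi
```

A non-zero exit status makes the script usable in fleet-wide patch compliance checks; firmware and browser updates still need to be verified separately.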
How do Spectre and Meltdown work?
Both vulnerabilities exploit processors’ Speculative Execution and caching features, which are used by the chips to increase speed and system performance.
Speculative execution allows the chip to predict the logical path for a program that is running, thus speeding performance by jumping ahead before the program itself has fully run, or by computing frequently-used functions in advance while the system is idle. The CPU Cache, meanwhile, is used to expedite memory access, storing information on the processor itself rather than in the RAM (memory card) to circumvent the time it would take to communicate with that other chip. While there are protections in place to prevent an outside process from receiving that sensitive data until after there is confirmation of access permission, they do not prevent the program from figuring out where on the chip that secure information is being stored.
Spectre, whose name came from Speculative Execution, is an attack method used on nearly any modern processor, and it is able to trick other programs into accessing that stored memory. It has been verified on Intel, AMD, and ARM processors.
Meltdown is a vulnerability that is currently specific to Intel and some ARM processors, abusing the way the chip checks permissions to release the secure information.
Both styles rely on a side-channel attack to gain the information once it is cached and located. Other variations and methods may be discovered in time, which is why regular patching will be increasingly important.
What is being done?
The vulnerability has existed for well over a decade, unknown and allegedly unused, until it was found first by a cybersecurity researcher at Google last summer. This is what makes it a zero-day threat: while the flaw existed before, it was not known about and is now fully public. Developers are racing against hackers to provide a defense.
When they were first discovered in the summer of 2017, the vulnerabilities were kept tightly secret among some larger companies as they attempted to research the flaw and work out what fixes they could implement before needing to release the information to the public, where potential hackers would learn of it. Their public release earlier this month was the first that most companies and service providers heard of the vulnerability, and thus many application developers, service providers, and companies of all sizes are scrambling to add their own patches. Many of these companies have banded together in spite of business competition to share patch information and coordinate with the original researchers to understand the vulnerability and develop ways to mitigate it.
This is an ongoing effort because the underlying problem is in how the processor chips physically function. The software patches and fixes exist to eliminate methods or to create further barriers against potential hackers exploiting this existing flaw. On a hardware level, manufacturing companies such as Intel have been working to redesign their processors for the future.
Will the fixes impact my system performance?
Since the flaw lies in how processors expedite processes, a lingering concern is whether any fixes or patches will noticeably impact the system performance. Most sources suggest that the standard user will not notice any change in processing speed.
“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” Intel reported.
Some solutions impact performance more than others, with upwards of a 30% decrease in processing speed reported in a few cases. These factors vary from system to system and program to program; for example, Google Chrome’s Strict Site Isolation feature will increase its memory use by 10-20%, thus further taxing your system.
Information Security is an ever-evolving world, and this vulnerability was found by teams dedicated to finding the flaws before they were abused. It is not the first, nor will it be the last in this continuous battle of information security. This case has, however, highlighted the need for service providers and businesses to coordinate and communicate quickly to protect their systems and their users around the globe.
If you have a small to medium business and want to be sure that your systems are covered and as up to date as possible against threats such as this, Tiro Security offers a Virtual CISO on an hourly or project basis. Our vCISOs can assess your risks and help you implement a cost-effective full security program. We would be happy to hear from you and discuss what solutions best fit your needs.