Vulnerabilities in modern computers leak passwords and sensitive data
Spectre and Meltdown are the names of theoretical attack techniques which exploit weaknesses in many modern microprocessor chips. The attacks seem to be extremely limited in scope – able only to allow an unauthorised programme to read data from parts of the computer memory that it ought not to have access to. However, almost all modern computer chips (Intel, AMD, ARM, and more) are vulnerable to one or more of the attacks, which puts many millions of devices at risk.
Software-based fixes have to be applied across all layers of affected devices (patches to operating systems, firmware and application software) and come with a side effect: a quantifiable reduction in performance. The actual impact will vary by chip, OS, and application. Hardware fixes may be some time in coming and, of course, will involve replacing hardware. The scale of the problem, and the possible economic impact of the current patches and the prospect of hardware replacement, may lead to understandable anxiety.
The attacks are, from a certain perspective, cool and appealingly complicated. They abuse chip performance techniques called “branch prediction” and “speculative execution,” which speed up computations by doing some calculations on data in advance of knowing whether they will be required by the software. It’s kind of like the computational equivalent of a Blue Peter project, “Here’s one I did earlier.”
The problem is that data worked on in this way can be peeked at, and worse, an attacker can trick a chip into speculatively touching data that should stay in a secure context, allowing a well-built exploit programme to examine memory for sensitive data of interest – passwords, encryption keys, perhaps, or payment card details. This behaviour is not currently logged in the normal places and so leaves few digital traces. Both Meltdown and Spectre come under a category of exploits called side channel attacks, which undermine the confidentiality of data.
The good news is that these theoretical attacks are going to be difficult to exploit even if they are hard to fix. The return for attackers aiming at end-user devices is going to be poor compared to using existing malware. The impacts on performance and leaking data beyond secure boundaries in the chip are going to be felt most keenly in some cloud providers, and those running certain types of virtual machines in data centres.
There do not seem to be any exploits in the wild yet, although that might only be a matter of weeks (experience suggests an average of around 30 days between the announcement of a vulnerability and the appearance of an exploit, and these are quite complicated attack methods).
What should businesses do now?
- Don’t panic.
- Make sure you apply appropriate patches as per your patch policy and note devices where patches are not yet available.
- Do you record chip type as part of your inventory? This is a good reason to start.
- Review and test devices. How might unauthorised software appear on your device? If exploit code appears in the wild, anti-malware protections may need updating.
- If you have virtual servers shared with others, focus efforts on these, perhaps involving conversations with your hosting/cloud provider.
- Post-patch performance should be examined against pre-patch measures of performance to determine the impact and whether there need to be changes as a consequence.
- Hardware replacement or migration of data onto platforms that do not suffer this vulnerability is only likely to be required in cases of really sensitive data handling; for most organizations, normal hardware replacement schedules will remove the issues over time.
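The second, third and fourth points above (patch tracking, recording chip type in the inventory, and reviewing devices) can be combined into one per-host check. The script below is an added example, not code from the original post: it reads the CPU identity from `/proc/cpuinfo` and the kernel's own Spectre/Meltdown mitigation status from `/sys/devices/system/cpu/vulnerabilities/` (a real Linux interface, present from kernel 4.15 onwards), and produces an inventory record that flags issues still reported as vulnerable or of unknown state. The `SAMPLE_CPUINFO` and `SAMPLE_STATUSES` values are constructed so the script runs on a machine without those files; they do not describe any real host.

```python
"""Inventory helper: record CPU identity and the kernel-reported Spectre/Meltdown
mitigation state for a host. Added illustration, not code from the original post."""
import json
from pathlib import Path
from typing import Dict

# Linux (kernel 4.15 and later) exposes one status file per issue in this directory,
# e.g. meltdown, spectre_v1, spectre_v2. Each holds a short free-text status line.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample inputs, used only when the host lacks the real interfaces.
# The values are illustrative and do not come from any real machine.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Example CPU (constructed sample)\n"
    "microcode\t: 0x1\n"
)
SAMPLE_STATUSES = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def parse_cpuinfo(text: str) -> Dict[str, str]:
    """Pull the inventory-relevant fields from the first processor block of /proc/cpuinfo."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        # Keep the first occurrence only; later processor blocks repeat the same values.
        if key in ("vendor_id", "model name", "microcode") and key not in fields:
            fields[key] = value
    return fields


def classify_status(text: str) -> str:
    """Map the kernel's free-text status line to a coarse state for the inventory."""
    status = text.strip()
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"   # empty or unrecognised text is treated as needing a look


def read_vulnerabilities(vuln_dir: Path = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Return {issue_name: raw status text}; empty if the kernel does not expose the directory."""
    statuses: Dict[str, str] = {}
    if vuln_dir.is_dir():
        for path in sorted(vuln_dir.iterdir()):
            try:
                statuses[path.name] = path.read_text()
            except OSError:
                continue   # e.g. permission denied: omit rather than guess a state
    return statuses


def build_record(cpuinfo_text: str, statuses: Dict[str, str]) -> dict:
    """Combine chip identity and mitigation state into one inventory record."""
    cpu = parse_cpuinfo(cpuinfo_text)
    states = {name: classify_status(raw) for name, raw in statuses.items()}
    return {
        "vendor": cpu.get("vendor_id", "unknown"),
        "model": cpu.get("model name", "unknown"),
        "microcode": cpu.get("microcode", "unknown"),
        # False means the kernel is too old to report, which is itself worth recording.
        "status_available": bool(statuses),
        "states": states,
        "needs_attention": sorted(n for n, s in states.items() if s in ("vulnerable", "unknown")),
    }


if __name__ == "__main__":
    try:
        cpuinfo = Path("/proc/cpuinfo").read_text()
    except OSError:
        cpuinfo = SAMPLE_CPUINFO
    statuses = read_vulnerabilities() or SAMPLE_STATUSES
    print(json.dumps(build_record(cpuinfo, statuses), indent=2))
```

Run it on each host (or ship the JSON to whatever holds the inventory) before and after patching: an entry in `needs_attention` after the patch cycle means either the patch did not apply or no fix exists yet for that chip and kernel, which is exactly the "note devices where patches are not yet available" case above. A record with `status_available` false is a host whose kernel predates the reporting interface and should be reviewed by hand.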