Barely 48 hours into 2018, and what could be one of the biggest cyber security stories of the last ten years is already looking like it could put many of the high-profile security hacks and threats of 2017 in the shade. In this article for Cyber Security Jobs, I want to take a look at the two security vulnerabilities that have come to be known as Spectre and Meltdown: what they are, what’s affected and what’s being done to mitigate the problem.
In early 2017 a new class of critical security vulnerabilities in modern processors was discovered by Google Project Zero (as well as by several other individuals from different research institutions).
Spectre and Meltdown both work by exploiting the way subsystems within a processor interact, manipulating those interactions so that protected information is revealed indirectly. Reading information through inference like this is known as a ‘side-channel’ attack: the data is extracted through a channel outside the processor’s normal information-handling paths.
These vulnerabilities are inherent to the architecture of modern processors and the techniques they use, which have evolved over the years to improve performance. Such techniques include pipelining, branch prediction and speculative execution. Spectre works specifically by exploiting branch prediction, effectively tricking applications into giving up secure information. Meltdown doesn’t rely on finding victim code but instead sets up speculative execution in a user process that is able to access protected memory.
For a much more technically in depth explanation of how Spectre and Meltdown work, this article from Rupert Goodwins at ZDNet explains all.
Let’s not beat around the bush: Spectre and Meltdown represent a major security vulnerability that may well have existed for decades. Pretty much every laptop, PC, tablet and smartphone processor is affected by Spectre, while Meltdown affects all Intel chips made since 1995, with the exception of Itanium and Atom chips made prior to 2013. Cloud services such as Amazon Web Services and Google Cloud Platform are also vulnerable.
The security flaws are a backdoor into critical system memory, which can hold anything from passwords to encryption keys, opening you up to major security breaches. Extracting this information using Spectre or Meltdown is slow (bytes per second), but very sensitive information is stored at this level and very little of it (a password, for example) is potentially needed to compromise a machine or network.
What is perhaps so worrying about these security vulnerabilities, which sit at the heart of how so many of our computers function, is that they’ve been there for decades. Due to their nature it’s also very hard to detect whether someone has been the victim of a Spectre or Meltdown attack. In fact the UK’s National Cyber Security Centre has said there is no evidence that either has ever been used to actually steal data.
Of course, it’s highly likely that this will now change, as the information behind these security vulnerabilities is now available to would-be hackers, who will quickly look to create tools to exploit both Spectre and Meltdown.
The advice for all users, regardless of device manufacturer, is to update all security settings and install any new fixes. As recently as Monday 8th Jan, Intel CEO Brian Krzanich said that the issues relating to Intel-powered devices were well on their way to being fixed, with 90% of chips released in the last five years to be fixed by Saturday (Jan 13th) and fixes for older chips expected in the coming weeks.
Microsoft and the Linux distributions were amongst the first OS vendors to release updates, and Chromebooks updated to OS63 are already protected. Many Android phones are expected to get updates soon as third-party manufacturers scramble to push them out to their users.
There has been a lot of talk about speed issues resulting from the new patches. Whilst the security fixes for Spectre are unlikely to have much of an effect on performance, it could be another story when it comes to Meltdown. This is because the fix requires separating kernel memory from application memory, so that Meltdown can no longer exploit the fact that the two are mapped together. Estimates range as high as a 30% reduction in speed on certain tasks, with applications that do a lot of file writing the most seriously affected and things like gaming and web browsing least affected.
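Since the advice above is to install the fixes, a defender also wants to confirm on each host that they actually took effect. The following is an added example, not from the original article, that reads the per-issue status files Linux kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities (the path and file names are real; the sample directory the code builds is constructed for illustration).

```python
import os
import tempfile

# Added example, not from the original article. Linux 4.15+ exposes one
# file per issue under this directory; each holds a line such as
# "Not affected", "Vulnerable" or "Mitigation: PTI" (PTI being the
# kernel/user page-table separation the Meltdown fix relies on).
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(line):
    """Map a one-line sysfs status to a coarse verdict."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(directory=SYSFS_DIR, issues=ISSUES):
    """Return {issue: (verdict, raw_text)}. A missing file means the kernel
    predates the reporting interface, so it is recorded as 'unreported'."""
    report = {}
    for issue in issues:
        try:
            with open(os.path.join(directory, issue)) as fh:
                raw = fh.read().strip()
        except OSError:
            report[issue] = ("unreported", "")
            continue
        report[issue] = (classify(raw), raw)
    return report

def needs_attention(report):
    """Issues to act on: still vulnerable, or not reported by the kernel."""
    return sorted(i for i, (v, _) in report.items()
                  if v in ("vulnerable", "unreported"))

def demo_dir():
    """Constructed sample of a partially patched host (not real data)."""
    d = tempfile.mkdtemp()
    for name, content in (("meltdown", "Mitigation: PTI\n"),
                          ("spectre_v1", "Vulnerable\n")):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(content)
    return d
```

Call read_status() with no arguments on a Linux host to check the real sysfs directory; demo_dir() exists only so the logic can be exercised on any machine.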
A recent development was Microsoft’s decision on 9th January to halt Spectre and Meltdown updates to all machines running AMD processors. This followed repeated complaints from users who were unable to boot their computers. The software giant is now preventing all AMD machines from receiving the latest security update until it can resolve the issue in conjunction with AMD. Microsoft is blaming AMD’s documentation for the problems.
Perhaps one of the most thought-provoking things to come out of the chaos and confusion surrounding Spectre and Meltdown, from a cybersecurity industry point of view, has been how four independent groups of security researchers managed to find flaws that had been dormant in these processors for over 20 years within months of each other. When Daniel Gruss of Graz University of Technology in Austria and his two colleagues discovered Meltdown and reported it to Intel, they were surprised to hear that Intel was already working on a fix and that they were in fact the fourth group to report this class of vulnerability, alongside what would come to be known as Spectre.
This also raises the question of how many people may have found this vulnerability already and, if so, why it wasn’t made public. It’s no conspiracy theory to posit that security agencies like GCHQ and the NSA, after discovering security vulnerabilities, will likely keep them secret in order to exploit them for the purposes of espionage. Of course, this raises the possibility of other actors discovering them independently, in what’s known in the industry as ‘bug collision’.
The question that arises from the potential bug collision of Spectre and Meltdown is this: if simultaneous discovery of bugs and security flaws by separate groups is fairly commonplace (whether coincidence or not), then is it not incumbent on security agencies like the NSA or GCHQ to report the flaws sooner rather than later, in order to get them fixed and reduce the risk that other security agencies or malevolent actors will discover and exploit them?
This is a complex question with national security, political and ethical ramifications, but you can find more detail in this excellent Wired article about it.