The beginning of the year has been dominated by two security vulnerabilities, known as Meltdown and Spectre. Both, in their own way, allow any local user to access a system’s memory and misuse the contents for malicious purposes. Let’s see why this is bad and why it may become worse in the future…
In technical terms, Meltdown breaks down the boundary that prevents user applications from accessing privileged system memory space. This vulnerability has been confirmed to exist in all Intel processors produced since 1995, except for Intel Itanium and Intel Atom before 2013. This includes computers by popular vendors such as Apple, Microsoft, Dell, HP and Lenovo. Spectre is similar, but allows an attacker to use the CPU’s cache as a side channel to read arbitrary memory from a running process. Unlike Meltdown, Spectre is known to affect Intel, AMD and ARM processors. This includes computers, tablets and smartphones made by Apple, Microsoft, Dell, HP, Google and Lenovo, among others. Spectre is much more difficult to exploit successfully than Meltdown, as its attack surface is limited to user-space processes, such as web browsers and desktop applications.
Technicalities aside, abusing Spectre or Meltdown allows an attacker to download the contents of your device’s memory and dissect it offline to extract your passwords, private SSH keys or certificates, or any other juicy information. Fortunately, memory does not come with a big sign saying “Password here!”, so any extraction process would be slow, cumbersome and far from straightforward. Hence, while proofs of concept do exist, no systematic exploitation of either Spectre or Meltdown has yet been reported.
So far, so good, no? Not quite. First of all, and most problematic so far, the fixes depend heavily on your computer’s hardware, i.e. the chipset. While the most recent and popular chipsets will receive fixes in a timely manner, other hardware might not: think of your computer’s BIOS, or your Internet-of-Things device (see our Bulletin article “IoTs: The treasure trove of CERN”). So we may end up with many embedded devices that will never receive a fix for Spectre or Meltdown. Secondly, there are fears that applying the current fixes will inevitably slow down any computer: depending on what your computer is used for, reported performance drops range from a few per cent to 30%. But there is no need to panic (yet), as newer fixes might correct that, too. Thirdly, Intel and probably others have allegedly known about these vulnerabilities for a while. This may mean that people with malicious intent were already exploiting these vulnerabilities long before they became public knowledge. However, so far no reports have confirmed whether or not this has actually happened. And, taken together, all of this may be just the beginning. As with past scares of this nature, the focus of security research and the way in which the vulnerabilities are exploited will change! Think of the POODLE SSLv3 vulnerability found in the aftermath of the Heartbleed OpenSSL vulnerability: Spectre and Meltdown are probably just the first known vulnerabilities linked to exploiting hardware weaknesses. The next generations of Spectre and Meltdown may be more intrusive and easier to exploit, and may not quickly become public knowledge. A feast for security agencies and criminals, a pain for those of us responsible for defending our IT systems…
So, this is just the beginning. Be prepared for more to come. Raise the bar! Make sure that all your systems are automatically updated when your hardware or operating system provider issues new fixes. Use the standard (automatic) update mechanisms of Windows, Linux, Mac, Android or iOS devices. And keep an eye on your embedded devices. Try to keep them up-to-date, too. Or, if you can’t, don’t connect them to the Internet or allow just anyone to access them.
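One way to verify that the fixes have actually taken effect on a Linux machine, added here as an example and not part of the original article: kernels from 4.15 onwards report their own mitigation status in small text files under /sys/devices/system/cpu/vulnerabilities (one file per issue, e.g. meltdown, spectre_v1, spectre_v2), and the script below summarises them. The function and file names are mine, and the sample directory it builds is constructed so the script can be exercised without a real vulnerable host.

```shell
#!/bin/sh
# Summarise the kernel's view of Spectre/Meltdown mitigations.
# Each sysfs file reads "Not affected", "Vulnerable..." or "Mitigation: ...".
# Usage: check_cpu_vulns [DIR]   (DIR defaults to the real sysfs path)
# Exit status: 0 = nothing reads Vulnerable, 1 = at least one does, 2 = no such directory.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no $dir: not Linux, or kernel older than 4.15" >&2; return 2; }
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        state=$(cat "$f")
        case "$state" in
            Vulnerable*)    echo "VULNERABLE  $name: $state"; status=1 ;;
            Mitigation*)    echo "mitigated   $name: $state" ;;
            "Not affected") echo "n/a         $name: $state" ;;
            *)              echo "unknown     $name: $state" ;;
        esac
    done
    return $status
}

# Constructed sample (hypothetical machine, not real output): Meltdown and Spectre v1
# are mitigated, Spectre v2 is still open. Prints the directory it created.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
check_cpu_vulns "$sample" || echo "sample host: still exposed (exit status $?)"
rm -rf "$sample"
check_cpu_vulns || :   # the machine this runs on, when it is Linux 4.15 or newer
```

A host on which every file reads "Mitigation: ..." or "Not affected" exits 0; anything else is a reason to chase the missing firmware or kernel update.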
You can find more details on CERN’s strategy regarding Spectre and Meltdown here.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.