The disclosure of serious security vulnerabilities in countless computer processing chips found inside everything from laptops to smart phones to cloud servers set the cyber security world ablaze last week and could change the way major manufacturers design their chips from here on out.
In short, security researchers say the vulnerabilities, dubbed Spectre and Meltdown, take advantage of a clever trick used by modern central processing units (CPUs) where the processing chip will continually “guess” the data it’s most likely to need to complete some operations and pre-load that information. The idea is that if the guess is correct, the data will be more quickly accessible, and if it’s wrong, the data is thrown out — no harm, no foul.
But researchers said they found out that the little trick could be exploited by a hacker to expose system data that was never supposed to be read — potentially “sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications,” according to Google’s security team. (For more technical information on how Spectre and Meltdown work, the difference between the two and the responses from the various corporations involved, click here.)
The researchers who disclosed the vulnerabilities and the United Kingdom’s National Cyber Security Centre reportedly said they’re unaware of any hackers taking advantage of the exploits, but noted the attacks would be very difficult to spot if they had happened.
This all sounds bad since the vulnerability is widespread and deep in the architecture of modern computing. But what does it mean for you?
Well, that depends on who you are and, in some cases, who your enemies are.
Are you … an average home computer user?
Let’s start with some good news. While it’s likely that your home computer or smartphone is affected by one or both of the vulnerabilities, there’s also a good chance it has been patched or a security update is available to help with Meltdown. Spectre, researchers said, is harder to fix but is also harder to exploit.
“If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don’t have to worry,” cyber security researcher Robert Graham wrote on his website, Errata Security. “If you aren’t up to date, then there’s a lot of other nasties out there you should probably also be worrying about. I mention this because while this bug is big in the news, it’s probably not news the average consumer needs to concern themselves with.”
The security patches are expected to slow data processing performance, but Graham said that for average home computer use, including high-end gaming, users will most likely not notice a significant difference in speed.
It’s important to note that for a hacker to take advantage of the newly disclosed vulnerabilities on your laptop or phone, he or she would already have to have compromised your system through another weakness — which means you were already open to a lot of the other “nasties” that Graham was referring to.
The best defense, as always, is good cyber security hygiene [PDF]. Jake Williams, a former Defense Department official involved in cyber operations, told RealClearLife that in particular view of these newly disclosed vulnerabilities, users should not enter any sensitive information into a website while their browser has other windows open, as one of the vulnerabilities can take advantage of a less-secure website to peek over at the more secure ones.
Williams suggested isolating sensitive sessions further by using a private browsing window, like Incognito Mode in Chrome. He also suggested making sure you’ve got the latest security updates A.S.A.P. because while there’s no public “weaponization” of the exploits yet, one could appear within days.
Are you … a large corporation?
“This is where you see the game change,” said Williams, whose cybersecurity firm Rendition InfoSec had been advising corporate clients on their response.
A large corporation could be affected by the vulnerabilities for three significant reasons: You could have information worth stealing, you potentially use cloud services and, if you process a lot of data, the slowdown that comes with the patches could be a big deal.
The danger to cloud service customers is particularly insidious, the researchers said, because depending on the cloud’s infrastructure, multiple customers could be vulnerable to having their data stolen if one of them has infected the host. As The New York Times pointed out, a hacker could simply rent some shared server space as the springboard for an attack.
“[T]he isolation between guests can simply be circumvented with Meltdown, fully exposing the data of all other guests on the same host,” the technical paper on Meltdown [PDF] says, referring to cloud providers. Amazon, Google and Microsoft reportedly said that they had patched or were patching their cloud service systems.
In addition to the exploitation danger, the corporation also has to consider the slow-down speeds likely to come with the security patches. Intel said the impact would be “workload dependent,” meaning the bigger the operation, the bigger the slowdown — perhaps up to 30 percent, according to Times. Williams said this could be a bigger deal than it sounds because some companies’ operations won’t be able to tolerate even a 10 percent slow down.
Are you … a government agency with top secret information to hide?
In a rare public appearance in 2016, Robert Joyce, then the head of the National Security Agency’s elite hacking unit, gave a public speech to generally describe how the team goes about its work. Key to virtually every network infiltration, he said, was the “toe-hold.”
That meant a small crack in the system — usually a compromised user account with very limited access — from which an attacker would try to “move laterally” through the system, fighting for greater and greater access all the way, exploring mazes of permissions and backtracking from dead ends. But Williams said the newly disclosed vulnerabilities turn that toe-hold into an open field.
Once the attacker is just a little way inside, “it goes from clawing for every inch to taking candy from a baby,” Williams said.
There have been rumblings of the vulnerabilities online since the summer among researchers and developers, and Williams said he would be amazed if nation-state hackers weren’t already aware and exploiting them before the formal, public disclosure this week.
That doesn’t mean that any government systems are necessarily any more vulnerable today than they were yesterday, Williams said, but if a sophisticated hacker had a toe-hold in a system but was having trouble moving around in it freely, that job may have gotten much easier.
It also means that it just became a lot harder for government network defenders to discover and root out the bad guys.
“I think that there are a lot of those systems that have lots of people that [could become] toe-holds in very specific areas, the assumption is that they can’t break out of those,” Williams said of government networks. “They’ve basically been put in a box… with the fundamental assumption that they can’t break out, and that if they could, it would be so loud and noisy that somebody would notice. And these [vulnerabilities] violate that assumption.”
Coincidentally, in November the CIA announced its foray into commercial cloud services with a partnership with Amazon. The cyber giant would build a “Secret Region” of its cloud for classified use by the spy agency and others in government with proper high-level clearance.
The CIA and Amazon declined to comment to Real Clear Life on whether the “Secret Region” is believed to be affected by Meltdown or Spectre, but Thursday Amazon said more generally, “All but a small single-digit percentage of instances across the Amazon EC2 [Elastic Compute Cloud] fleet are already protected. The remaining ones will be completed in the next several hours.”
This article was featured in the InsideHook newsletter. Sign up now.