The discovery of Meltdown and Spectre chip vulnerabilities is the hot topic these days. These vulnerabilities were discovered earlier this week by a team of security researchers at Google. These vulnerabilities do not only target a narrow variety of devices but almost every modern computer in existence. The threat is increased in those that are based on Intel, AMD, and ARM processors.
The U.S.-government sponsored Computer Emergency Response Team (CERT) running out of Carnegie Mellon stated Wednesday that the true, long-term solution was simply to replace the vulnerable computer chips entirely. “The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware.” However, it changed its statement later saying, “Operating system and some application updates mitigate these attacks.” The body still left a warning that it might not work in all cases. “Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.”
There is a debate going on whether all the devices need to be recalled or would a software patch provide a permanent fix to the problem. The vendors are quiet on the issue and have made no statement related to a recall. There is no doubt that an overall replacement of the chip is a permanent solution but it is not a cheap one and some say that an overall hardware replacement would be taking things too far.
Perhaps the more concerning issue is one of the Spectre chips. This tricks applications into giving up pieces of their memory. This vulnerability is harder to exploit and it also makes it more difficult to fix with software patches. As software patches are being rolled out for the meltdown, there are still no fixes for the Spectre.
The team wrote in their paper, “While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs.” One of the authors of the paper, Daniel Gruss told Forbes, “We believe that Spectre might haunt us for a longer while since it is difficult to generically mitigate it.”
Matthew Hickey, director of cybersecurity company Hacker House said, “CPU bugs have never resulted in a recall before as they get patched with microcode… This is a good case for arguing that we should have better protections as consumers for our technology. We would recall cars if they weren’t safe, why not faulty hardware?” However, there has been a CPU recall once before. This happened back in 1994 when a bug was discovered in the Intel Pentium processor.
CPUs are the only devices affected by these vulnerabilities. They affect all iPhone and Mac users as well. Apple said in a blog post on Thursday, “All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.” They advise the users to only download applications from trusted sources and they claim that the Apple watch is unaffected by it.
“This is, without doubt, the most disturbing issue to hit the industry for decades,” says Ross Brewer, vice president at security firm LogRhythm. “This really is the big one, and everyone—consumers and businesses alike—must pay attention. Not only is the attack surface the biggest we’ve seen, with so many devices at risk globally, the exposure window is also huge as it is reliant on people voluntarily patching their systems, which obviously has a significant lag,”
Brewer went on to add, “Fear aside, attention must turn to the ‘what now,’ As this vulnerability opens the door to theft of credentials, logins, and other private information, any unusual network activity needs to be detected, investigated and remediated as soon as it occurs.”
Ryan Kalember, senior vice president at security firm Proofpoint also shared his thoughts on the topic, “Like most organizations, chip manufacturers have long prioritized speed over security—and that has led to a tremendous amount of sensitive data placed at risk of unauthorized access via Meltdown and Spectre. While the vast majority of computing devices are impacted by these flaws, the sky is not falling. Both vulnerabilities require an attacker to be able to run their code on the device they are attacking…If there is some good news, it’s fortunate that these vulnerabilities were discovered and disclosed by respected researchers as opposed to being exploited in a large scale, potentially-damaging global attack.”
One thing we can be certain about is that the timely discovery of these discoveries and the rolling out of software patches will save many users from falling victim to opportunist hackers. We can also be sure that all the chips produced in the future will take these vulnerabilities into account and will move towards safer chips.