You might have recently heard about two security breaches affecting many Intel-based computers, named Meltdown and Spectre. But, what are they and why are they so critical?
A little story…
It was the 90’s and computers processors manufacturers were fiercely competing in a cat-and-mouse game to bring the best processor to the market. One day, an engineer from one of these companies came with an idea to his superiors that would make their processors up to a 30% faster than their competitors. This idea (now known as out-of-order execution and speculative execution) consisted of executing certain instructions in a non-sequential way and therefore reducing the processor’s waiting time between instructions. The company decided to implement massively this idea in all their new processors, making a real difference towards their competition.
Happy years went by until one day, in June 2017, some researchers in Google’s Project Zero, Cyberus Technology, University of Graz and others, found out that an application, without having express permission, could get information from another application or even from the main operating system. And they achieved that by exploiting that same idea used by that company when making their processors faster. The company faced then a really serious problem: either they leave an insecure processor or they get a slower one. And the problem gets bigger since three of the “top 5” is the manufacturers affected by this problem.
Later, in January 2018 this discovery was made public, receiving the names of Meltdown and Spectre and letting people know that almost all processors manufactured since 1995 are vulnerable.
What does all of this mean?
When people think about processors, the first thing that comes to their minds is the personal computer, but processors are all around. There are processors in your mobile device (phone, tablet, etc.), in your car, in airplanes and also in the management systems of the nuclear power stations in your country; and all of them could be affected.
The magnitude of the problem is so big that we don’t even know how big it is. Most manufacturers are still testing their processors to know which ones are affected, and just a bunch of them have publicly listed them.
Processor manufacturers for consumer products, such as Intel, AMD, Apple, Qualcomm, etc. have made statements about these vulnerabilities in their products. But sometimes it’s difficult to know if your device includes one of the vulnerable processors or even what is the manufacturer of that processor (who knows what processor is inside your Internet provider’s router at home?)
Other companies whose products are based on ARM architecture or use their own ones, such as IBM, NXP or Marvell, are known to have vulnerable products too, and their focus is on industrial, aeronautics and other non-consumer sectors.
And what about the “new” IoT world? Well, the devices affected by Meltdown and Spectre should be less in this case, mostly because many of these devices have “low power” processors inside. But this doesn’t mean that there are not affected products (there are many IoT Gateway devices using Intel Atom processors that are vulnerable).
Should I go to my panic room and wait for the WWIII?
This is not the first vulnerability that affects billions of processors and will not be the last one. For example, last November (2017) Intel had a big problem with their IME (Intel Management Engine) which resulted in a potential takeover of the computer (extract data, disable devices, etc) even without switching on the computer.
Vulnerabilities that affects billions of devices are not common, but we have suffered them earlier and will in the future; the only way to face them is to try to minimize the damages, and all the sectors involved must do their part. Manufacturers and operating system vendors are publishing the patches; users and IT teams should be applying them, and all individuals and companies involved should take security seriously and be alert to identify the real threats that could be found in the wild.