security

Meltdown and Spectre: An introduction

You might have recently heard about two security breaches affecting many Intel-based computers, named Meltdown and Spectre. But, what are they and why are they so critical?

A short story…

It was in the 90’s and computers processors manufacturers were fiercely competing in a cat-and-mouse game to bring the best processor to the market. One day, an engineer from one of these companies came up with an idea to his superiors that would make their processors up to 30% faster than their competitors. This idea (now known as out-of-order execution and speculative execution) consisted of executing certain instructions in a non-sequential way and therefore reducing the processor’s waiting time between instructions. The company decided to massively implement this idea in all their new processors, making a real difference towards their competitiveness.

Happy years went by until one day,  in June 2017, some researchers in Google’s Project Zero, Cyberus Technology, University of Graz and others, found out that an application, without having express permission, could get information from another application or even from the main operating system. And they achieved that by exploiting that same idea used by that company when making their processors faster. The company then faced a really serious problem: they either had to leave an insecure processor or obtained a slower one. And the problem gets bigger because three of the “top 5” are the manufacturers affected by this problem.

Later, in January 2018, this discovery was made public, revealing the names of Meltdown and Spectre and letting people know that almost all the processors manufactured since 1995 are vulnerable.

What does all of this mean?

When people think about processors, the first thing that comes to their minds is a personal computer, but processors are everywhere. There are processors in your mobile device (phone, tablet, etc.), in your car, in airplanes and also in the management systems of the nuclear power stations in your country; and all of them could be affected.

The magnitude of the problem is so big that we do not even know how big it really is. Most manufacturers are still testing their processors to know which ones are affected, and just a bunch of them have publicly listed them.

Processor manufacturers for consumer products, such as Intel, AMD, Apple, Qualcomm, etc. have made statements about these vulnerabilities in their products. But sometimes it is difficult to know if your device includes one of the vulnerable processors or even who is the manufacturer of that processor (who knows what processor is inside your Internet provider’s router at home?)

Other companies whose products are based on ARM architecture or use their own ones, such as IBM, NXP or Marvell, are known to have vulnerable products too, and their focus is on industrial, aeronautics and other non-consumer sectors.

And what about the “new” IoT world?  Well, the devices affected by Meltdown and Spectre should be less in this case, mostly because many of these devices have “low power” processors inside. But this does not mean that there are not affected products (there are many IoT Gateway devices using Intel Atom processors that are vulnerable).

Should I go to my panic room and wait for the WWIII?

This is not the first vulnerability that affects billions of processors and will not be the last one. For example, last November (2017) Intel had a big problem with their IME (Intel Management Engine) which resulted in a potential takeover of the computer (extract data, disable devices, etc) even without switching on the computer.

Additionally, there are only two detected ways to exploit this vulnerability: one is by executing a very specific malware, and the other one is by using a browser to navigate web pages with a specific JavaScript code. In both cases, user intervention is needed, so if you have your antivirus/antimalware updated and do not browse unknown or dangerous web pages, you should be safe. The same is applicable to the non-consumer sector: apply the patches, be careful with phishing (the easiest way to make you open a webpage with a malicious Javascript code) and follow the usual security rules.

Vulnerabilities that affect billions of devices are not common, but we have suffered them earlier and will do so in the future; the only way to face them is to try to minimize the damages, and all the sectors involved must do their part. Manufacturers and operating system vendors are publishing the patches; users and IT teams should be applying them, and all individuals and companies involved should take security seriously and be alert to identify the real threats that could be found in the wild.

………………………………

Article written by Luis Cuervo, Security Manager at Barbara IoT.