Silicon Valley is abuzz about ‘Meltdown’ and ‘Spectre’ – new ways for hackers to attack Intel, AMD, and ARM processors that were first discovered by Google last year, and publicly disclosed Wednesday.
Meltdown and Spectre, which take advantage of the same basic security vulnerability in those chips, could hypothetically be used by malicious actors to “read sensitive information in [a] system’s memory, such as passwords, encryption keys, or sensitive information open in applications,” as Google puts it in an official FAQ.
The first thing you need to know: Pretty much every PC, laptop, tablet, and smartphone is affected by the security flaw, regardless of which company made the device or what operating system it runs.
The vulnerability isn’t easy to exploit – it requires a specific set of circumstances, including having malware already running on the device – but it’s not just theoretical.
And the problem could affect much more than just personal devices. The flaw potentially could be exploited on servers and in data centres and massive cloud computing platforms such as Amazon Web Services, Microsoft Azure, or Google Cloud.
In fact, given the right conditions, Meltdown or Spectre could be used by customers of those cloud services to actually steal data from one another.
Although fixes are already being rolled out for the vulnerability, they often will come with a price. Some devices, especially older PCs, could be slowed markedly by them.
Here’s what Meltdown and Spectre are. And, just as importantly, here’s what they’re not.
Am I in immediate danger from this?
There’s some good news: Intel and Google say that they have never seen any attacks like Meltdown or Spectre actually being used in the wild. And companies including Intel, Amazon, Google, Apple, and Microsoft are rushing to issue fixes, with the first wave already out.
The most immediate consequence of all of this will come from those fixes. Some devices will see a performance dip of as much as 30 percent after the fixes are installed, according to some reports. Intel, however, disputed that figure, saying the amount by which computers will be slowed will depend on how they’re being used.
The Meltdown attack only seems to work on Intel processors. You can guard against it with software updates, according to Google. Those are already starting to become available for Linux and Windows 10.
Spectre, by contrast, appears to be much more dangerous. Google says it’s been able to successfully execute Spectre attacks on processors from Intel, ARM, and AMD. And, according to the search giant, there’s no single, simple fix.
It’s harder to pull off a Spectre-based attack, which is why nobody’s completely panicking. But the attack takes advantage of an integral part of how processors work, meaning it will take a new generation of hardware to stamp it out for good.
In fact, that’s how Spectre got its name.
“As it is not easy to fix, it will haunt us for quite some time,” says the official Meltdown/Spectre FAQ.
What are Meltdown and Spectre, anyway?
Despite how they have been discussed so far in the press, Meltdown and Spectre aren’t really “bugs”. Instead, they represent methods discovered by Google’s Project Zero cybersecurity lab to take advantage of the normal ways that Intel, ARM, and AMD processors work.
To use a Star Wars analogy, Google inspected the Death Star plans and found an exploitable weakness in a small thermal exhaust port.
In the same way that two precisely-placed proton torpedoes could blow up the Death Star, so too can Meltdown and Spectre take advantage of a very specific design quirk and get around (or “melt down”, hence the name) processors’ normal security precautions.
In this case, the design feature in question is something called speculative execution, which is a processing technique most Intel chips have used since 1995, and one that’s common in ARM and AMD processors, too.
With speculative execution, processors essentially guess what you’re going to do next. If they guess right, then they’re already ahead of the curve, and you have a snappier computing experience. If they guess wrong, they dump the data and start over.
What Project Zero found were two key ways to trick even secure, well-designed apps into leaking data from those discarded guesses. The exploits take advantage of a flaw in how the data is dumped that could allow an attacker – with the right malware installed – to read data that should be secret.
This vulnerability is potentially particularly dangerous in cloud computing systems, where users essentially rent time from massive supercomputing clusters. The servers in those clusters may be shared among multiple users, meaning customers running unpatched and unprepared systems could fall prey to data thieves sharing their processors.
What can I do about it?
To guard against the security flaw and the exploits, the first and best thing you can do is make sure you’re up to date with your security patches. The major operating systems have already started issuing patches that will guard against the Meltdown and Spectre attacks.
In fact, fixes have already begun to hit Linux, Android, Apple’s MacOS, and Microsoft’s Windows 10. So whether you have an Android phone, or you’re a developer using Linux in the cloud, it’s time to update your operating system.
Meanwhile, Microsoft told Business Insider it’s working on rolling out mitigations for its Azure cloud platform. Google Cloud is urging customers to update their operating systems, too.
It’s just as important to make sure you stay up-to-date. While Spectre may not have an easy fix, Google says that there are ways to guard against related exploits. Expect Microsoft, Apple, and Google to issue a series of updates to their operating systems as new Spectre-related attacks are discovered.
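On a Linux machine, you can check whether the updates actually took effect. The following is an added example, not part of the original article: a shell script that reads the status files patched Linux kernels publish under /sys/devices/system/cpu/vulnerabilities (an interface the article does not mention; the kernel lists Spectre as two entries, spectre_v1 and spectre_v2).

```shell
#!/bin/sh
# Added example: report the kernel's own view of Meltdown/Spectre mitigations.
# Patched Linux kernels expose one status file per issue in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints not_affected, mitigated, vulnerable or unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> prints "name: verdict (raw text)" for each issue and
# returns 0 only when none of them is vulnerable or unknown.
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ -r "$file" ]; then
            raw=$(head -n 1 "$file")
            verdict=$(classify_status "$raw")
        else
            # No status file: the kernel predates this reporting interface,
            # so the patch level cannot be confirmed from here.
            raw="no status file"
            verdict=unknown
        fi
        echo "$name: $verdict ($raw)"
        case "$verdict" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Check the live system; the "||" keeps a non-zero result from aborting callers.
check_cpu_vulns || echo "Unmitigated or unreported issue found: install pending operating system updates."
```

Run it again after each round of updates, since the reported status changes as new mitigations land.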
Additionally, because Meltdown and Spectre require malicious code to already be running on your system, let this be a reminder to practice good online safety behaviours.
Don’t download any software from a source you don’t explicitly trust. And don’t click on any links or files claiming you won $US10 million in a contest you never entered.
Why could the fixes also slow down my device?
The Meltdown and Spectre attacks take advantage of how the “kernels”, or cores, of operating systems interact with processors. Theoretically, the two are supposed to be separated to some degree to prevent exactly this kind of attack. However, Google’s report proves the current precautions aren’t enough.
Operating system developers are said to be adopting a new level of virtual isolation, basically making requests between the processor and the kernel take the long way around.
The problem is that enforcing this kind of separation requires at least a little extra processing power, which would no longer be available to the rest of the system.
As The New York Times notes, researchers are concerned that the fixes could slow down computers by as much as 20 percent to 30 percent. Microsoft is reported to believe that PCs with Intel processors older than the two-year-old “Skylake” models could see significant slowdowns.
Intel disputes that the performance hits will be as dramatic as The Times suggests.
Some of the slowdowns, should they come to pass, could be mitigated by future software updates. Because the vulnerability was just made public, it’s possible that workarounds and new techniques for circumventing the performance hit will come to light as more developers work on solving the problem.
What happens next?
Publicly, Intel is confident the Meltdown and Spectre bugs won’t have a material impact on its stock price or market share, given that they’re relatively hard to execute and have never been used (that we know of).
Meanwhile, AMD shares are soaring on word that the easier-to-pull-off Meltdown attack isn’t known to work on its processors.
However, as Google is so eager to remind us, Spectre looms large. Speculative execution has been a cornerstone of processor design for more than two decades. It will require a huge rethinking from the entire processor industry to guard against this kind of attack in the future.
The threat of Spectre means the next generation of processors – from all the major chip designers – is going to be a lot different from today’s.
Even so, the threat of Spectre is likely to linger with us far into the future. Consumers are replacing their PCs less frequently, which means older PCs that are at risk of the Spectre attack could be in use for years to come.
Meanwhile, there’s been a persistent problem with updating Android devices to the latest version of the operating system, so there are likely to be lots of unpatched smartphones and tablets in use for as far as the eye can see. So would-be Spectre attackers are likely going to have their choice of targets.
It’s not the end of the world. But it might just be the end of an era for Intel, AMD, ARM, and the way processors are built.