Two newly discovered critical security vulnerabilities are very likely affecting your laptop and phone, security researchers revealed on Wednesday. The good news is that patches are coming to protect your devices. The bad news is that because the vulnerabilities are in the hardware architecture of the chips that power them, patched devices may run slower.
The flaws’ exploits, dubbed Meltdown and Spectre, are similar but have important differences. Meltdown breaks down the barriers between software and the operating system; Spectre breaks down barriers between software programs. Meltdown lets malicious software access the memory of other software, and the operating system; Spectre “tricks” an otherwise-safe program into leaking sensitive data. Windows, Mac, Linux, iOS, and Android are all affected by the bugs.
But both exploits attack the computer’s in-use memory, and gets it to share information that it normally wouldn’t. Malicious software could then access that data, which could include passwords, documents, banking details, and even other users in a cloud-computing environment.
The exploits’ processes are “like going to a library with a restricted collection of books you can’t access without permission. You ask the librarian for a restricted book, plus another random book on the same subject. The librarian gets both books, but then refuses to give you either book when she sees your card doesn’t have the proper permissions to access the restricted collection,” explains Joe FitzPatrick, trainer and researcher at Hardware Security Resources and a former Intel security engineer. “So you ask for every other book in the library, one by one, until the librarian gives you the second book they’re holding. You now know the subject of the restricted book, and you can repeat this to learn the full subject matter of the restricted collection.”
Meltdown and Spectre also affect slightly different kinds of devices. Meltdown affects almost every Intel processor made since 1995 (except for pre-2013 Intel Itanium and Intel Atom.) It’s not clear yet whether Meltdown affects ARM or AMD processors. The researchers behind Spectre say it works on Intel, AMD, and ARM chips—basically all major computer chips in use today. And one of the few remedies available is for the affected software and hardware makers to release security patches.
Besides prompting a deluge of updates, Meltdown and Spectre aren’t expected to have an immediate impact on consumers. But for chip designers, they might represent a rude wake-up call that speed and energy efficiency aren’t everything.
The U.S. Computer Emergency Readiness Team recommends only two solutions: apply security patches, and replace the impacted hardware. Software updates—some of which have already been released, and some of which will be pushed to users in the coming weeks—will also mitigate their impact on consumers.
Professional organizations, especially those that rely on virtual machines and cloud-computing services such as those provided by Amazon Web Services, will have to be more cautious about how they proceed.
“This is the start of a new bug class. We’re all going to be wrestling with this for the next year.”—Dan Kaminsky, security researcher
While the flaws could affect computer systems for years or even decades, there’s no need to replace your devices with an abacus and typewriter, says Moritz Lipp, one of the security researchers who discovered and documented the vulnerabilities that Meltdown and Spectre exploit.
“Don’t panic too much,” he says. “It’s still unknown if this has been exploited in the wild. And Amazon has already patched [its] servers.”
Lipp also says predictions that Meltdown and Spectre patches might slow computer performance as much as 30 percent are overblown.
“When we tested our implementation, a proof-of-concept code that still had some bugs, on a modern CPU, the performance hit was on average under 1 percent,” Lipp says. “For cloud providers, it depends on what hardware they use. Benchmarks will tell.”
Originally, researchers had coordinated with hardware and software vendors to announce Meltdown and Spectre this coming Tuesday, January 9. However, news of the exploits began to leak at the end of last month, and Google and other stakeholders in the research decided to publish the news early.
Three teams of researchers working independently of one another discovered and documented the vulnerability that Meltdown exploits. Those teams were Daniel Gruss, Moritz Lipp, Stefan Mangard, and Michael Schwarz at Graz University of Technology in Austria; Google employee Jann Horn of Project Zero; and Werner Haas and Thomas Prescher of German security company Cyberus Technology. Some experts speculate that if three teams can independently find such an atypical vulnerability, less ethical hackers or governments could already be exploiting it.
Spectre was more of a collaborative effort. Lipp and Horn worked with leading cryptographer Paul Kocher and assistant Daniel Genkin of the University of Pennsylvania and University of Maryland; Mike Hamburg of technology licensing company Rambus; and Yuval Yarom of the University of Adelaide and Australian robotics company Data61.
What you need to do
Google advises Nexus and Pixel phone owners to install the January 2018 security update, which contains the relevant security patches. Other Android devices, including high-end models from Samsung, HTC, and LG, have yet to receive security patches.
“This is going to be another dent in the armor that hardware is harder to hack,” says FitzPatrick, adding that older Android and Internet of Things devices may never receive security updates for Meltdown and Spectre. “This should change how chip manufacturers go after performance improvements.”
The research that led to Meltdown and Spectre, says security researcher Dan Kaminsky, known for finding a critical flaw with the Domain Name System, is going to drive new security research into computer processors.
“This is the first [hardware] bug that I know of where there’s no easy fix. It’s clear we’ve been asking more of these chip designs than they were ever intended to give,” he says. “This is the start of a new bug class. We’re all going to be wrestling with this for the next year.”