Last week Las Vegas hosted the International Consumer Electronics Show. Although a technology conference focused on the biggest and brightest tech for consumers, security took center stage this year.
Namely, manufacturers attempted to answer some questions about the Meltdown and Spectre vulnerabilities. Though the vulnerabilities were discovered mid- last year, the processor weakness that affects over 90% of current CPUs only hit mainstream attention a few days ago.
So what are Meltdown and Spectre, and how do these not so new vulnerabilities affect security?
Meltdown and Spectre
Meltdown and Spectre are two vulnerabilities that rely on the same function within a processor: speculative execution. Speculative execution came about in the 1990’s as manufacturers pushed to create faster processors.
Speculative execution is what it sounds like. The processor, attempting faster speeds, accesses data it thinks will be required or requested next. The processor performs preliminary tasks, making the data readily available if speculated correctly.
Think of doing research for a report your boss will likely request in a few days.
Meltdown and Spectre access data via low security programs that should not have access. Spectre utilizes a web browser to access another program, tricking your cache into releasing passwords and private information. Meltdown accesses the data center on the processor directly.
Not only are these vulnerabilities on private computers, but they are weaknesses in any device that utilizes processors such as mobile phones. Also nearly every data center and cloud service in the world are vulnerable due to speculative execution. Pretty much any Intel chip manufactured in the last 20 years, as well as Arm and AMD chips, are at risk.
Security fixes in the works
While manufacturers have known about the vulnerability for about half a year, fixes are not readily available. Mostly because the vulnerabilities attack the processing chip directly.
Intel had rolled out a fix for the vulnerabilities, only to contact certain clients informing them to hold off on the patch. According to Intel, the patch was causing higher system reboots. Apple and Microsoft have both stated they are working on patches as well, and Spectre requires anti-virus companies to adapt to the patches.
Essentially, both vulnerabilities are requiring an all-hands-on-deck type of activity. Unfortunately, it doesn’t appear the companies are working together, nor do they understand how to fix this issue.
The largest issue with any patch that has been created is reduced processing speed in the CPU. Although Microsoft has stated those with Windows 10 should see very little impact, only 27% of CPUs currently operate on Windows 10. Older CPUs can see a drastic processing speed change, with some patches estimating up to 30% variance.
After all, repair needs to occur at hardware level and interferes with the exact process designed to speed up the chip.
Some have gone even as far as to say true correction of this vulnerability requires a hardware change, and a patch will not correct the issue. However, Google, Amazon, and Apple have announced their servers are now secure and no customer data was at risk.
Most manufacturers plan to have corrections rolled out to the consumer by the end of January.
What this means, really
Though consumers have only recently learned of the vulnerabilities, the discovery and consequent repair of Meltdown and Spectre have security firms evaluating standard operating procedures. The vulnerabilities went twenty years before discovery. However, in the space of 6 months, several different and unconnected research teams found the vulnerability.
While many are focusing on the discovery timing and what that means for cybersecurity, security firms are taking a lesson. Namely, following the paths of other companies is not the best approach to security. Rather, security requires testing and prodding areas where most don’t think to look.
Processors were considered ground zero of protection, meaning nothing should be able to reach them. Until someone took a closer look at speculative execution and exactly what the machine was doing. While the data exposed on most CPUs is information that can be found via malware and phishing schemes, the length of time these vulnerabilities existed is astounding.
It has hardware and software manufacturers, as well as security firms, taking notice and adjusting perceptions of security.