Meltdown and Spectre – play down or panic?
Users have long since accepted that software errors can be exploited for digital attacks. In fact, these have become so frequent that only highly critical incidents make the news. Hardware is mostly a different story and not often considered as a security threat. But now the Meltdown and Spectre security flaws can only be described as disastrous. Andreas Stiller from heise IT security news describes the two vulnerabilities with which data from protected internal memory areas can be read by many processors as a catastrophic security incident. Under certain circumstances, the CPU security flaws allow passwords or other confidential information to be read and forwarded to an attacker via a network connection. More than a dozen possible attacks have already been outlined publicly. It can be assumed that stakeholders who are interested in clandestine exploits may also have a few more ideas on the subject which are not in the public domain.
The worst aspect of a vulnerability that affects CPUs is that there is nothing a user can do about it. Defective software can be uninstalled or not used and users can always disconnect from the Internet or switch off Wi-Fi. There is no safety net for a flawed processor. The only thing that helps is to pull the plug and pray that Intel, AMD and ARM will solve the problem very soon. The situation is far from reassuring. At least at the moment it looks as if the communication between security researchers who discovered the exploit and the processor and operating system manufacturers has worked, even if Intel did not contribute much to clarification in its initial statement.Well-known manufacturers and developers have been working feverishly for a few weeks now and the first patches, have already been delivered for Windows and Android. Difficulties with some system configurations have already been reported which is probably to be expected but it still doesn’t help the situation. The next few weeks will show to what extent the patches will also affect system performance. The feature in which the vulnerabilities have been discovered has a significant influence on processor performance in certain applications. Patches which have been released so far only address the Meltdown vulnerability, Spectre potentially requires an update to the processor microcode. As of yet, it is too early for absolute clarity on the situation. However, there is a good summary of the vulnerabilities and manufacturers’ recommendations here.
There are two options which normal users can now take. The first is to panic and drop all security measures because they don’t matter any more – which might be tempting. Users are absolutely powerless to respond to such vulnerabilities which render all precautionary measures taken absolutely useless. Spectre and Meltdown also demonstrate further that even for professionally developed technology there is no such concept as absolute security, regardless of whether the processor is in a PC, mobile device or embedded in a car.The second response of keeping calm and carrying on is probably more sensible. Even in the case of embedded engine controls, preventative measures can be taken to control the risk. For Spectre and Meltdown, the sheer mass of affected users, makes targeted attacks unlikely and the reasonably fast reaction of the manufacturers also helps. Nevertheless, a bad feeling remains, especially considering the rapid development of Internet of Things (IoT) devices. Similar processors are included in every fingernail-sized RFID chip and it is almost a certainty that manufacturers will not develop patches for these devices so quickly and comprehensively, without even thinking about whether patches will be distributed across all devices. Perhaps it is time to suggest that not every device needs to be connected to the internet just because we can.