The Downfall of Computers: The Sad Tale of “Spectre” & “Meltdown” And What it Means for Computer Security
Those of you that follow me on Medium know that I preach a common-sense and logical approach to Cyber and Information Security that avoids promoting fear, shock or hyperbole. That’s because beating the “The World Is Falling Apart!” drum doesn’t actually help people respond responsibly. Today is no different, but I’m being honest when I tell you that the impact of what I have to share today is far-reaching and not only impacts your personal computing, but also the future of computer chip production and, therefore, all of computing itself. There are already tools and software patches you can use to help minimize the exploits and defend yourself, so you’re certainly not helpless.
So grab a cup of chamomile, take a deep breathe and let’s dig in…
What Happened This Time?
During the Summer of 2017, researchers from around the world discovered a design flaw in the computer chips that serve as the brains for our computers and mobile devices. That design flaw — seen in Intel, AMD and ARM licensed chips — allows for two security vulnerabilities to be run, called “Meltdown” and “Spectre”. Both sound ominous and for good reason: the flaws “could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks” according to the NY Times. So, uh, yeh: that’s not good.
Who and What Caused the Problem?
These exploits are based on chip engineering flaws, not on software flaws. Apple, Google, Abode, Microsoft, and other software companies didn’t write poor software or bad Operating Systems to cause these problems to occur. Rather, the chip manufacturers — Intel, AMD and ARM — designed and then engineered computer chips with flaws built into them. Once discovered, those flaws allow the Meltdown and Spectre exploits to be run. Worse, these chips have been sold with consumer computers, servers and mobile devices since 1995. so the impact is, potentially, both personal and global in scope.
Why Did This Happen?
Unless you happen to be a computer chip designer, the details of this flaw — outlined here by an engineer at Google — look like a foreign language and might make your eyes glaze over like a donut:
In lay terms, these two flaws exist because, historically, computer chips have been engineered to function as fast as possible, not as safe as possible. The reason for that is — I’m sorry to say — you and me, friends. For generations of computers, we consumers have demanded the fastest possible chips to help run the fastest possible computers. As a result, 100% safety sometimes took a backseat to speed and… here we are.
How Do the Exploits Work?
Despite being specific to Intel chips, the Meltdown exploit is considered the more aggressive of the two threats. It works by “melting down” the security that’s supposed to exist between every software application on your computer and the OS which runs that computer. The Meltdown exploit breaks the mechanism which keeps any application on your computer from having access to other data which are supposed to exist in protected system memory, such as passwords, security keys, credit card info, text of any kind, and other personal information. It is now understood that any and all of that supposedly protected information is now considered at risk. Here is what running the exploit looks like in real time for those of you who are visual learners. Please note: NONE of the data you see in plain text on the right side of the screen should ever be viewable.
Spectre — an exploit which runs on chips made by Intel, AMD and ARM — works a bit differently. Whereas Meltdown works between an application and the operating system, Spectre instead works between multiple applications. Every application running on your computer has some amount of protected memory stored as it runs. If, for example, you’re running both Dashlane and Adobe Photoshop, then it’s been assumed that each of those applications has its own protected chunk of memory being held securely. Now, it’s known that Spectre breaks this supposed barrier between applications, making it possible to grab application data being held in protected memory. If one of those applications manages, say, all of your usernames and passwords, then you can understand how threatening this security exploit can be. Nothing, not even having best-in-class or state-of-the-art software applications, will help. All applications are just as easily exploited because this problem isn’t software-based, it’s hardware-based. Flawed computer chips means flawed memory protection and flawed memory protection means flawed security risks to users like you and me.
Who is at Risk?
Therefore, it’s best to assume that you might be impacted and take the precautions/actions which I recommend later in this article.
How Bad is This, Really?
Billions of computers and devices are impacted. That’s billions with a “b”. The flawed computer chips in question have been around since 1995 and can be found on our most common devices: desktops, laptops, cloud servers, smart TVs, streaming boxes like tv, smartphones, smartwatches and tablets. So the problem exists on a scope and scale that’s near unprecedented.
Paul Kocher is a pretty smart fella: he moderates security panels at international conferences, is the chief scientist at Cryptography Research, and happens to be one of the researchers who discovered the Spectre exploit. According to him, Spectre is “going to live with us for decades.” Here’s the most damning he said in that same NY Times story:
“We’ve really screwed up. There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”
— Paul Kocher, Security Researcher who co-discovered the Spectre exploit.
What Can be Done?
First, the good news. Because the flaws were discovered last summer, researchers have been working for months behind the scenes to develop patches before announcing the exploits to the public this week, which is standard operating procedure. That means two reasonably good things: it’s highly unlikely that anyone knew about these flaws until this week and software patches to address the Meltdown exploit are now available:
- Apple: released fixes for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS didn’t require and fixing, they claim.
- Microsoft: released Meltdown patches for their Surface hardware lineup including, the Surface Pro, Book, Studio, and Laptop devices. They’ve posted additional information about patching Windows OS for end-users and servers.
- Ubuntu: aware of the problem and hope to release updates on January 9th.
- RedHat: clicking on the “Resolve” tab at this link will take you to all available patches.
- Other: An on-going and up-to-date list of additional vendors who are patching their software against Meltdown can be found at the bottom of this page.
If you own a device in question (and you do), make a backup of each device and then run these updates. For my guide on how to securely update your iOS device, click here. Yes, I’m serious: take the time to first backup each of your devices.
Now the bad news: the software patches that can be applied to fix the Meltdown flaw might slow your computer down, possibly by as much as 30% by some estimates. My take? The 30% estimates seem awfully high, but — even if true — I’d rather be slower by 30% but know that I’m safer. One counterpoint is Apple: they claim that that they are seeing “no measurable reduction” on the Meltdown patch and only about a 2.5% reduction with the Spectre fixes they hope to implement on the macOS and iOS updates to Safari.
Two or Multiple-Factor Authentication
I’ve written about multi-factor authentication before and it’s worth recommending yet again. In today’s world of hacks and exploits, having only usernames and passwords to gain entry to your online life isn’t nearly enough. Given that Meltdown and Spectre can easily expose those details, you’ll rest easier knowing that there’s another validation check in place before a malicious hacker can gain access to your digital kingdom.
For example, if my Facebook account credentials were stolen, I’d be mystified but not threatened: it would be near impossible for hackers to log into my account because it is also protected by a six-digit challenge code that changes every 30 seconds. I can easily look up those codes on my cell phone; a malicious hacker cannot. They’d need physical access to my phone within 30 seconds, something that’s not likely to happen.
Please: implement two-factor authentication immediately on all of your most precious accounts including, but not limited to: email accounts, social media accounts, internet hosting accounts, password managers, banking websites, and shared cloud storage solutions like AWS, Dropbox, Box and others.
- Visit the Two-Factor-Auth website to learn which of your online accounts offer this free and invaluable service.
- Read my piece on multi-factor authentication to learn the easiest and best ways best to implement this tech for yourself. #Authy
In September of 2017, I wrote about enabling a credit freeze on your personal accounts after the Equifax hack. It’s worth revisiting this tip again. If we assume that the Meltdown and Spectre exploits can expose our personal financial information — Social Security Number, address, bank account numbers, credit card account numbers, investment account numbers and more — to malicious hackers, what can we do to further protect ourselves?
It’s a question worth asking because anyone with our Social Security Number and legal name can attempt to access our credit information, if our accounts are not “frozen”. Implementing a credit freeze is, essentially, adding two-factor authentication to our financial accounts. If our credit files are frozen, even someone who has our name and Social Security number probably can’t obtain credit in our name. Yes, malicious hackers and those with unique access might still be able to cause us harm, but freezing our credit helps prevent many kinds of identity theft.
I encourage you to learn more about this inexpensive and worthwhile tool to help protect your financial identity.
Own the Entire Server(s)
This might sound a bit far-fetched, but is worth considering if you run a business of any size. Let’s assume that you’re smart and you’ve patched all of your physical and virtual servers to protect against the Meltdown exploit. Good for you, that’s great! Unfortunately, it doesn’t protect you against the Spectre exploit which allows for open applications on the same computer to raid protected memory. Cloud providers like AWS, Azure and Google sell server space to individuals and businesses that need a scalable solution. Well, rather than renting just enough space, pay the money required to ensure that the entire server(s) in question are dedicated to only you. This requires a shift in focus: rather than buying cloud space based on your software or network needs, buy it instead based on your security needs. If your company owns the entire server, then a malicious hacker can’t also rent space on that same device and leverage Spectre to try and grab your company’s proprietary data.
Do I sound crazy? Or crafty like a fox?
I look forward to hearing your thoughts and, until then…
… surf safe.