Major tech firms are rushing to patch critical bugs, dubbed ‘Spectre’ and ‘Meltdown’, found in their processors before they can be exploited.
Researchers from Google’s Project Zero team have revealed serious issues in a vast array of chips across multiple manufacturers. The flaws date back as far as 1995.
There are three known variants of the issue so far. Spectre, which covers two of them, was discovered in chips made by Intel, AMD and ARM, while Meltdown affects Intel products and a recent ARM processor.
“As soon as we learned of this new class of attack, our security and product development teams mobilized to defend Google’s systems and our users’ data. We have updated our systems and affected products to protect against this new type of attack,” Google announced. “We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web.”
Read more: Satori malware code made public by hackers
Preventing Meltdown
As we lead ever more connected lives we are becoming more at risk of malicious attacks against our devices. Even hotels in the Austrian Alps have had their electronic doors hacked.
Many manufacturers have been blasé when it comes to IoT security but there is an urgent need to develop security alongside the new devices being introduced. We can be sure that cyber-criminals will be probing for new vulnerabilities and ‘grey hat’ hackers such as the creator of Brickerbot have proven the very real security risks faced by the Internet of Things.
Meltdown and Spectre allow the techniques used by processors to speed up their operation to be abused to obtain information about areas of memory not normally visible to an attacker, including encryption keys, passwords and other sensitive data.
A technical explanation of the vulnerabilities can be found in Project Zero’s report. Most devices, from smartphones and PCs, to servers and IoT devices are at risk from unprivileged code reading data it should not be able to access.
The Google researchers have offered possible solutions to the processor vendors, though the vendors themselves are ultimately best-placed to tackle the issues, given their exclusive knowledge of their own chip architectures.
Read more: Three plead guilty in US to developing Mirai botnet
Vendors scramble to patch the holes
AMD has issued a statement since the vulnerabilities emerged, emphasising the company’s commitment to information security but offered some assurances: “The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.” The company adds that “the described threat has not been seen in the public domain.”
Nonetheless, the company is planning to make software and operating system updates available that will resolve the issue with negligible performance impact.
ARM’s processors are used in countless smartphones and IoT devices and the Softbank-owned company has promised “all future Arm Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches” and, given that the exploits are dependant upon malware running locally, emphasises the need for users to practice good security hygiene.
With Intel also planning to realise security patches over the next few days, the flaws should soon be shored up. However, uncomfortable reports are emerging, claiming that Intel CEO Brian Krzanich was told of the flaws in June last year, subsequently selling a large portion of his stake in the company, while the issues were not yet public knowledge.
Regardless of whether the stock sale was related, Intel, AMD and ARM will all be eager to see Meltdown and Spectre put to bed so that they can turn their focus back to their product roadmaps for 2018 and beyond.
Read more: Andromeda IoT botnet dismantled by international cyber taskforce