The Spectre/Meltdown crisis
SECURITY ISSUES HAVE PLAGUED COMPUTING DEVICES IN THE PAST, BUT NOT ON THIS SCALE. TECHLIFE UNRAVELS THE SPECTRE AND MELTDOWN SECURITY THREATS AND WHAT YOU NEED TO KNOW.
Everyone knows security issues in computing are as much a way of life as the sun coming up in the morning. Nevertheless, the advent of automatically-installed operating system (OS) updates has rendered many of these security flaws mostly harmless. However, the recent discovery of new ‘catastrophic’ security threats has unleashed corporate panic regarding the security of everything from phones to laptops and PCs, even cloud computing. So this month, we’re delving into the new Meltdown and Spectre threats to understand what they are, how they affect you, why you shouldn’t panic just yet and, importantly, what you can — and can’t — do to fix them.
WHAT ARE SPECTRE AND MELTDOWN?
These are three variants of a new security exploit recently found in many computer processor chips. It’s ‘three’ because Spectre is actually two threats (often labelled ‘Variant 1’ and ‘Variant 2’) discovered independently by Google’s Project Zero and a group of collaborating universities and organisations, including the University of Adelaide and CSIRO-offshoot Data61. Meltdown is the third threat, known as ‘Variant 3’, and was discovered independently by researchers at Project Zero, Germany’s Cyberus Technology and Austria’s Graz University of Technology.
To explain what causes these threats, we need to go back briefly to 1995 and look at how computer chips were designed to speed up the processing of computer code. Back then, a computer chip commonly executed computer code a single step or ‘instruction’ at a time, like following a recipe. However, a technique called ‘speculative execution’, capable of speeding up code in a roundabout way, was developed.
Not familiar with computer coding? No worries, here’s an analogy — imagine you’re driving down the road in your autonomous car to your local shopping centre (go with me for a bit on this). To get there, you have to turn off or ‘branch’ from the current road to reach the centre’s location, but there are multiple turn-offs that could take you there. Each turn-off requires the car to process a different set of instructions and, to save time (and speed up instruction processing), the car tries to predict which turn-off you’ll choose and processes the instructions for that turn-off ahead of time. 95% of the time, the car predicts correctly, but if you decide on another route instead, the work done to process the instructions for the wrong turn-off has to be tossed and the instructions for your chosen path processed instead. In computer coding, this process is called ‘speculative execution’. It aims to predict and execute code branches ahead of time to speed up overall code processing. Intel began using this technique in chips back in 1995, but by a quirk of fate, it was only relatively recently that separate research groups independently discovered a number of methods for using speculative execution to leak data, such as passwords.
In normal operation, speculative execution runs known code; however, in certain situations, affected processors can be tricked into providing a hole, or ‘side channel’, through which hackers could tap into data. Of the two major vulnerabilities, Meltdown is said to be the more likely to be used in an attack but, on the upside, is also easier to fix.
Meltdown taps speculative execution to read the small but high-speed memory inside a processor called ‘cache memory’. However, chipmaker Intel says Meltdown can be initially patched with just an operating system update to stop this cache memory leak and will be fixed in future generations of Intel chips.
Spectre Variant 1, known as ‘Bounds Check Bypass’, can be fixed the same way — through an operating system software patch. However, Spectre Variant 2 is the problem child because it can’t be fixed by an OS patch alone. It’s officially known as ‘Branch Target Injection’ and, according to the researchers who discovered it, Spectre enables one program to trick another into looking up specific memory locations for data and potentially giving up secrets, like your passwords and security keys. In practice, Spectre is harder to exploit, but it’s also more difficult to fix.
What’s scary is that speculative execution has been used in many processors since 1995, yet detecting Spectre and Meltdown attacks is difficult as they don’t leave known footprints.
THE FALLOUT
Since news of the issues broke in January, there’s been plenty of corporate finger-pointing. As of late February, there were over 30 lawsuits filed against Intel, plus actions against rival chipmaker AMD and Apple. If nothing else, these chip flaws will cast a legal shadow across the computing world for some time.
WHICH DEVICES ARE AFFECTED?
At least for PCs and laptops, software issues are easy to patch. However, what’s unprecedented about these vulnerabilities is the scale of the hardware affected. Starting with Meltdown, except for its high-end Itanium processors and the early Atom chips found in netbooks, almost all Intel chips made since 1995 are potentially vulnerable. Some ARM-based phone chips are also reported to be susceptible to Meltdown.
Spectre, on the other hand, affects almost every desktop, laptop, tablet and smartphone — it’s even said to affect cloud computing. The scale of this is potentially enormous.
WHICH PHONES ARE AFFECTED?
Looking at mobile devices, chips found in phones, tablets and other gear based on many of ARM’s popular ‘Cortex-A’ series of ‘System on a Chip’ (SoC) processors are affected. These include, at last count, Cortex-A8, Cortex-A9, Cortex-A12, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75 series. In simple terms, it covers many devices going right back to 2010, including the original Samsung Galaxy S phone. What makes this more complex is that you may not know which Cortex-A series tech your devices use — ARM doesn’t make chips, it designs them and licenses the tech to other manufacturers, such as Apple and Qualcomm, to turn into chips. If you have an Android device, the simplest way to find out which CPU technology your device uses is to install the ‘CPU-Z’ app from Google Play (tinyurl.com/n4npl4k) and read the answer from the app’s ‘SOC’ page.
However, there is some good news — if your mobile device runs the very popular Cortex-A53 CPU design only, you’re in the clear. Devices with this CPU design, which include, among others, the Motorola Moto G5 series and the popular Raspberry Pi 3 computer, are not affected by Meltdown or Spectre because they don’t use speculative execution.
PCS AND LAPTOPS AFFECTED
Unfortunately, the scale of this threat means that rather than attempt to list all of the desktop PCs and laptops potentially affected, it’s just easier for you to assume you’ve got a problem and should take steps to rectify it. If you’ve bought a big-brand computer, go to the manufacturer’s website and start trawling for their Spectre/Meltdown information. Better still, head to meltdownattack.com, the site developed by the Graz University of Technology, scroll to the bottom of the page and you’ll find a list of major PC and laptop manufacturers, along with news and updates.
WHAT YOU CAN DO
The first step is to not panic — at the time of writing no confirmed attack using either vulnerability was reported, although, as the Graz researchers have said, they can’t know for sure because of the way the exploits work. Many tech brands will also happily inform you that exploiting Spectre is difficult to do. Nevertheless, things can also change quickly, so it’s not something to be complacent about, either. Here’s what we suggest you do.
Start by keeping an eye out for OS security updates for your device and install them as they become available. You’ll also need to ensure your anti-virus software is up to date, and be on the lookout for any software updates for your favourite applications, particularly your web browser, as it can be used in an attack.
Microsoft has OS updates for Windows 10, Windows 8.1 and Windows 7 available now, but if you’re still using Windows Vista or XP, be warned — Microsoft will not be issuing fixes for these older operating systems, citing system instability and application compatibility issues that would result from the changes required.
However, operating system and application updates will only fix Meltdown and Spectre Variant 1 — the more complex issue will be updating the hardware microcode, or ‘firmware’, for Variant 2 and this is already proving a tricky task. Chip giant Intel released emergency fixes for its latest chips in the first week of January, but then pulled them two weeks later after learning users were experiencing unexpected rebooting and system performance degradation. Since then, Intel has been releasing new microcode updates in batches, fixing more recent chips first. So far, the Intel chip families codenamed Skylake (Core iX-6000), Kaby Lake (Core iX-7000) and the brand-new Coffee Lake (Core iX-8000) received firmware updates in mid-February, with older Broadwell (Core iX-5000) and Haswell (Core iX-4000) chips getting theirs at the beginning of March. New updates for even older Ivy Bridge (Core iX-3000) and Sandy Bridge (Core iX-2000) chips were still in beta at time of writing, but possibly have been released by the time you read this. If you’re still rocking an Intel-based system older than Sandy Bridge, we probably wouldn’t hold out much hope of an update.
By contrast, AMD says its chips are not vulnerable to Meltdown. That said, it does appear AMD CPUs are affected by Spectre and, like Intel chips, will require both software and firmware patches to fix.
Given the initial firmware missteps, we suggest a ‘watch and wait’ approach — watch for any firmware updates for your system and, only if you feel confident, wait a day or two just to see if any major issues develop with them first. If not, then install them. If you can’t wait, or new specific attack threats are revealed in the meantime, you might want to install the updates regardless. Installing these updates comes at a cost — Microsoft says if you’re running Windows 10 on a Skylake/Core iX-6000 series or newer Intel chip, you should barely notice the dip in system performance. On pre-Skylake systems, though, the performance decreases will likely be more noticeable. What’s more, the speed reductions are said to be workload-dependent — some apps won’t change, others will cop a more significant dent. Not what we’d call an ‘ideal solution’.
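If you run Linux, you can check whether these patches have taken effect: the kernel reports its status for each of the three flaws in small text files under /sys/devices/system/cpu/vulnerabilities. The Python sketch below is an added example, not part of the original article; it assumes a Linux system, and the status strings written by `sample_dir()` are constructed so it also runs elsewhere.

```python
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> the name the article uses for the flaw
FLAWS = {
    "meltdown": "Meltdown (Variant 3)",
    "spectre_v1": "Spectre Variant 1 (Bounds Check Bypass)",
    "spectre_v2": "Spectre Variant 2 (Branch Target Injection)",
}

def classify(status):
    """Map a kernel status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    for prefix, verdict in (("Mitigation:", "mitigated"), ("Vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return verdict
    return "unknown"

def read_status(base=SYSFS_DIR):
    """Return {flaw: (verdict, raw text)}; a missing status file counts as unknown."""
    report = {}
    for fname, label in FLAWS.items():
        try:
            raw = (Path(base) / fname).read_text().strip()
            report[label] = (classify(raw), raw)
        except OSError:
            report[label] = ("unknown", "no status file")
    return report

def needs_attention(report):
    """Flaws the kernel reports as vulnerable, or does not report at all."""
    return sorted(f for f, (v, _) in report.items() if v in ("vulnerable", "unknown"))

def sample_dir():
    """Constructed sysfs-like directory: OS patched, Variant 2 still unfixed."""
    d = Path(tempfile.mkdtemp())
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v1").write_text("Mitigation: __user pointer sanitization\n")
    (d / "spectre_v2").write_text("Vulnerable\n")
    return d

if __name__ == "__main__":
    report = read_status(SYSFS_DIR if SYSFS_DIR.is_dir() else sample_dir())
    for flaw, (verdict, raw) in report.items():
        print(f"{flaw:44} {verdict:12} {raw}")
    print("Needs attention:", needs_attention(report) or "nothing")
```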
UPDATES FOR MOBILE DEVICES
If you own an Apple iPhone or iPad, your device is very likely affected by both Meltdown and Spectre. In response, Apple has released software fixes, but you need iOS 11.2 to overcome Meltdown threats and iOS 11.2.2 for Spectre. Devices not able to update to these releases appear to be out of luck. Still, the updates cover everything since and including 2013’s iPhone 5S, iPad Mini 2 and iPad Air.
The situation for Android-powered devices, however, is more complex. Google released fixes to cover Meltdown and Spectre in its January 2018 security patch, but as Android users will know, Google can release security updates, but it’s up to device makers to push out ‘over-the-air’, or OTA, updates to users to fix those issues. Summarising the reports we’ve seen so far, we think that if a device does not already have an official firmware upgrade path to at least Android 7.0/Nougat, it’s unlikely it’ll receive an Android Meltdown or Spectre security update from the device manufacturer. If that’s your boat, the very least you should do is update your web browser to the latest Google Chrome 64, which Google says has been patched to reduce the effects of Spectre and Meltdown. However, that still leaves the rest of the device — in that situation, we’d refrain from doing any mobile banking or other personal data-heavy activities on that device. Nevertheless, fire up your Android device, open Settings, select ‘About phone’ and tap ‘System Updates’. If you’re offered any, install them.
BE INTERNET-SMART
Despite all of this, the good news is — no offence — you are still likely the biggest worry from a security viewpoint. Spectre and Meltdown can’t attack out of thin air. At the very least, they require you to either install dodgy apps or visit dodgy websites for malicious software code to find its way onto your device. So unless you know the origins of the website or software, stick to Google Play or Apple’s App Store for your apps and steer clear of dodgy websites.
WATCH THIS SPACE
Unfortunately, there’s no happy ending to this story. Some reports suggest it could take months before complete fixes are available, let alone delivered to your device. Security vulnerabilities on this scale are unprecedented and coordinating resolutions between multiple hardware and software vendors could become a drawn-out affair. While it’s important to remember that no known attacks have been launched using Spectre and Meltdown at time of writing, the situation could evolve rapidly. That’s why you’ll need to keep an eye on this unfolding drama over 2018.