By now you’ve probably heard about Meltdown and Spectre, the latest vulnerabilities to hit the IT industry. Within the first few days of the new year, a team of experts revealed a set of key vulnerabilities that had been discovered in three major CPU chips. Vulnerabilities that could, if exploited, be used to gain access to private information stored in computers and in wider data networks. Naturally, people panicked. So here is everything you need to know about the Meltdown and Spectre vulnerabilities, and how to combat them.
What Are Hardware Vulnerabilities
The most common vulnerabilities we see in the IT world are software and application based, this could be anything from a loophole that was missed while coding to a weak point that can be pressured and broken. Software vulnerabilities are common, and in general they are patched before they are capitalised on, which is why so many applications require frequent updates.
Hardware vulnerabilities however, are an exploitable weakness in a system that is based in the hardware. In this case, that means things like CPU’s and other chips, allowing the hardware implementation to be vulnerable to a side-channel attack. A side-channel attack is where the attack targets the physical implementation of a computer system, as opposed to a weakness in the code or algorithm.
What’s In A Name?
One of the reasons that this vulnerability is slightly confusing people is because it’s not just one vulnerability. It’s two different vulnerabilities found by two different teams, that just happened to have been exposed at the same time, with each vulnerability affecting the CPU of a machine, but with different effects. That’s why they have been given two different names, which give hints about how they behave:
- Meltdown – In a normal setting, there are security boundaries throughout your computer, enforced by the hardware, that prevent things from going wrong. Fundamentally these provide isolation between user applications and the core operating system (kernel). Essentially, Meltdown can break the compatibility between the operating system and user applications – providing the opportunity for an attacker to access the contents of memory, consequently revealing the secrets of other user programs and the operating system. The vulnerability figuratively ‘melts’ the barriers out of existence. Meltdown can affect laptops, desktops and any internet server with an Intel chip inside.
- Spectre – Like Meltdown, Spectre interferes with the security boundaries created between different applications. This could allow attackers to trick error-free programmes that follow best practices into leaking all of their data. In fact, the safety checks of those best practices within the software actually increase the attack surface, making applications more susceptible, not less. As well as affecting laptops, desktops and servers, Spectre can also affect smartphones, tablets and any computer powered by Intel, ARM or AMD.
So What Does This Mean?
Well, the good news is that the UK National Cyber Security Centre (NCSC) has confirmed that there is no current evidence to suggest that the vulnerability is being exploited in the wild. But now that it’s been made public, it is likely that exploits will be developed imminently. Luckily, many companies have responded swiftly to these vulnerabilities. Microsoft, Apple and Linux have all issued security patches, and Google has also issued an extensive statement advising users of the steps they can take to protect themselves, which you can read here.
But like any vulnerability, it could leave you with weaknesses you don’t even know about yet. At Bridewell, we offer a wide range of consulting services to businesses all across the country who are concerned about their cyber defences.