What do you know about the two major computer chip flaws, Meltdown and Spectre? Well, NCN has news for you… If you store any personal information on a computer, smartphone or web service your data is at risk of two massive security exploits.
Spectre and Meltdown: An Overview
In our consumerist pursuit of needing everything at the touch of a button, where waiting for something to load really isn’t a viable option, many computer processor manufacturers such as intel designed and implemented a solution known as ‘speculative execution’. This feature enables a computer to make necessary calculations before the user needs them. But what is the problem with that? Well the solution is somewhat flawed and now has the potential to be exploited, revealing sensitive data. Adding to matters, and only making them appear worse, these computer chips with this installed feature have been around since 1995.
Cutting Through The Noise
So, what makes these security exploits especially sinister aside from their James Bondian’ derived names? Well, both affect a device at hardware level – the processors inside your device. To be clear, these flaws do not exist because of a bug in software computer design, but rather, as a result of a feature that has been installed in devices for the last 22 years.
Consumers expect their devices to get faster and faster year-on-year. In order to satisfy this insatiable need for speed, chip manufacturers created speculative execution to predict what a user will want to do next. That allows the chip to perform all the necessary calculations before it’s actually needed. Processors are capable of billions of calculations per second, but by lining up the next task ahead of time, it should ensure that the user sees no delay.
The problem with predictions, is that they’re not always right. That’s the key focus of spectre and meltdown. These two bugs take advantage of the calculations that have been made but simply thrown away because they’re not needed.
Putting It Into Context
A scenario would be much like this… Imagine if your favourite coffee shop prepared three coffees before you even stepped foot in the door. That means you’re simply able to enter the shop, pick up the coffee, and leave again. That eliminated the unnecessary hassle of having to queue, right? Well, essentially that’s speculative execution.
The problem with that, is the coffee shop has prepared three coffees, yet you only want one. Those unused pre-made orders get thrown away. All those ‘orders’ they’re simply sitting there in the trash and aren’t protected, so anyone can come and filter through everything that’s been thrown away.
The Nitty Gritty
Meltdown and Spectre take advantage of this unprotected trash. The two bugs use malicious code to trick the device into speculatively loading information in most cases it wouldn’t usually have access to. While they wouldn’t immediately be able to see that information, as soon as your device sees that you don’t need it, it’ll simply throw it in the trash. It’s here where the malware can gain brief snippets of data, which could be anything from your name, address, or even credit card information. Basically anything that you’ve chosen to store on your device.
Since this is a usual function of your device’s processor, neither you or an anti-virus system will detect that a hacker is snooping in the background, be that on a computer, smartphone, tablet or even in the cloud.
Spectre allows a malicious programme or code to trick other applications, using a shared processor, into sharing sensitive information that would otherwise be kept secure and separate from the programmes.
Meltdown works slightly differently, however. Instead of tricking one application into revealing sensitive information to another, it exploits the relationship between the applications and the computer’s memory.
Ultimately though, the results are the same – compromised data.
Is There A Magic Solution?
Whilst software companies are rolling out patches to guard against these industry-breaking security exploits, the protection does come at a cost and wait for it… In some cases, these patches can make a device operate slower, arguably defeating the whole object of speculative execution in the first place. Speaking of Spectre in particular, some software patches may be able to mitigate attacks, but what really is required is new hardware to completely fix the problem. With no quick fix, devices could remain vulnerable to Spectre attacks for decades to come – so software patches really are the only solution for the now.
In summary, it was our voracious need for speed that got us here and with that need always comes a price. That, on this occasion, is security.