Meltdown and Spectre

In today’s digital age, convenience and security don’t always go hand in hand. In most cases there will be a trade-off that we might be forced to choose. As the title suggests, Meltdown and Spectre are two security vulnerabilities that have been recently unveiled by security experts. What If I told you that the device you are using to read this article is probably affected? Sounds bad right? But unfortunately that is the harsh reality. You see, unlike other security vulnerabilities that is being discovered, these two in particular, are making their presence felt worldwide.

For the past few days, this has been talk of the town and rightly so, since this is not anything to laugh at or think it is some kind of fake rumors. The threat is real. Let’s see what they are about.

What are these?

The terms “Meltdown” and “Spectre” as mentioned above, refer to a security vulnerability. These security flaws can be exploited by hackers. That can lead to some devastating results. Generally, these kind of flaw needs to be patched up by the companies related to the products that have been affected.

Why are they serious?

New threats in the digital space are continuously being discovered. New types of viruses are being deployed by hackers. These kind of threats are mostly mitigated by updating the anti-virus or taking some other countermeasures. But Meltdown and Spectre pose a serious risk because the flaw that are responsible for these are found in the single most important component of a system. The CPU. These security threats are present due to design flaw in the CPU architecture. Let’s discuss in detail about these two.

Meltdown

The Meltdown is an exploit that affects Intel CPU’s. That means already majority of the system in the world are affected. Another point to be noted is that this exploit affects all Intel CPU’s (Except Atom and Itanium before 2013) that dates back to almost 1995. So that means, Intel CPU’s manufactured for the past two decades have this issue. Also, Intel is the leading CPU manufacturer in PC space, so the exploit is more widespread.

This flaw leverages Intel’s Speculative Execution Implementation. The basic idea is that some very important information like banking details and other personal information are stored in the kernel memory (Also known as Core memory) of a system. Information stored here should not be accessed by an application on any circumstances. But the exploit allows a hacker to run a application that can read and dump this information in memory. This should never be allowed as part of security enforced at hardware level. According to researchers, Meltdown “basically melts security boundaries which are normally enforced by the hardware”. Since the flaw at the hardware level, the impact is widespread.

Updated news also suggest that ARM chips are also affected by this exploit.

Spectre

This is another vulnerability that was found. Though the actual intended action is same (leak information from kernel memory), it does differ in some ways. You see, this vulnerability can actually allow a hacker to trick a error free application to leak its secret, thereby risking that information to be stolen by hacker. Simply put, an application that has access to information in system memory that is only intended for its purpose, can effectively leak out information from the same memory thinking that it was a valid request.

As put by researchers, “Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre”.

This particular one is dangerous since unlike meltdown, spectre affects almost all CPU’s. That means Intel, AMD, ARM based chips (Used in smartphones and tablets) are all affected, automatically making it a widespread issue.

What is the fix?

Meltdown

For this one, patches needs to be sent from the appropriate companies. The security patches needs to be applied in Firmware level(CPU level), OS level (For Microsoft and other OS) and finally at browser level(Chrome, Firefox, etc.). The patches are relatively effective at mitigating the risk from this exploit. Various companies are rushing out with patches.

Spectre

This one is tricky. For exploiting this vulnerability, the hacker needs direct access of the system. So remote attacks won’t work. Though the exploiting is difficult, the fixing of this is also equally difficult which makes this one particularly dangerous. There is even a chance that in order to fix this exploit, the only way is to significantly redesign the CPU. That means all our current systems are vulnerable.

Price to pay

The security patches come with a price to pay. In this case, it is in terms of system performance. It is suggested that, performance can dip by almost 30% in some scenarios. Older hardware may struggle even more due to this.

A recent report shows that after updating the iPhone 6 with the patch sent by Apple, the performance has fallen down by almost 40%. Now that’s a significant hit in performance.

Even worse affected are the huge web servers maintained by companies like Amazon, Google and others. The sheer volume of data stored makes it even worse. The small dip in I/O performance of all these systems add up.

Best bet for now

The only thing we can do right now is to hope that these companies promptly send these security updates and wait for them to take effect.

We can also follow some steps from our side. Namely,

• Don’t open suspicious links in random websites.
• Download apps only from their respective app stores (Eg. Play store, App store for iOS) and don’t download from third party websites unless they are trusted.
• Keep all your systems updated with latest security patches
• Follow safe computing methods

So this was an article that I thought would enlighten people about these latest threats in the computing world. So follow safe computing practices. See you all in the next article. Until then, this is Aswin from TechieDrone signing off.

❤️ Sharing is caring ❤️