Meltdown and Spectre: Chip hacks and their risk to your cyber-security
In early January it was revealed that there were vulnerabilities in a design technique used in chips from Intel, Arm and others, present in most CPUs created since 1995. These vulnerabilities have been named Meltdown and Spectre, and CNET revealed that Arm Holdings CEO Simon Segars has warned: "there are probably other things out there like it that have been deemed safe for years".
How do they work?
The NCSC page dedicated to these attacks defines Meltdown and Spectre as 'two related, side-channel attacks against modern CPU microprocessors that can result in unprivileged code reading data it should not be able to.' These threats take advantage of the fact that processors execute instructions speculatively to speed up operations. Spectre makes programs perform unnecessary operations to leak confidential data, and Meltdown observes information at the core part of a computer's operating system as it moves data between different sorts of memory on the chip and elsewhere on the device.
How can a hacker access this data?
To access your sensitive data, a hacker would have to put code onto your machine. This would allow them to gain fragments of data which they could piece together to determine passwords and encryption keys for example. The fragmented results of this attack make it more complex for the hacker and therefore less useful, this is proved by the fact that there have (as yet) been no known attacks in the wild that have taken advantage of these vulnerabilities.
How can you protect your devices?
Lots of manufacturers have released patches and updates to protect against these vulnerabilities; an up to date list can be found on Forbes so you can check if you are running the latest update on your device. You may notice that amongst this list there are few updates relating to Spectre, this is because there is no concrete fix for this vulnerability. Spectre is much harder to exploit because its weakness lies in a process that is fundamental to most devices. The only sure way to eliminate risk is to buy a new microprocessor, but as this attack has left millions of machines affected all over the world, this is not the most realistic option. There are some updates as detailed on the Forbes list to reduce the risk, but work is still being done to discover how to eliminate it completely.
If you are at all concerned about this threat's impact on your devices, please get in touch and we can give you some practical ways to help. Also, keep an eye on the news as updates and being released every day and research is being done to prevent Spectre completely.