NEWS

This cyber threat will exploit almost all PCs, smartphones, and tablets

Silicon Valley is abuzz about "Meltdown" and "Spectre" — new ways for hackers to attack Intel, AMD, and ARM processors that were first discovered by Google last year and publicly disclosed Jan. 3.


Meltdown and Spectre, which take advantage of the same basic security vulnerability in those chips, could hypothetically be used by malicious actors to "read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications," as Google puts it in a blog post.

The first thing you need to know: Pretty much every PC, laptop, tablet, and smartphone is affected by the security flaw, regardless of which company made the device or which operating system it runs. The vulnerability isn't easy to exploit — it requires a specific set of circumstances, including having malware already running on the device — but it's not just theoretical.

And the problem could affect much more than just personal devices. The flaw could be exploited on servers and in data centers and massive cloud-computing platforms such as Amazon Web Services, Microsoft Azure, or Google Cloud. In fact, given the right conditions, Meltdown or Spectre could be used by customers of those cloud services to actually steal data from one another.

Though fixes are already being rolled out for the vulnerability, they often will come with a price. Some devices, especially older PCs, could be slowed markedly by them.

Here's what Meltdown and Spectre are. And, just as important, here's what they're not.

Am I in immediate danger from this?

There's some good news: Intel and Google say they've never seen any attacks like Meltdown or Spectre actually being used in the wild. And companies including Intel, Amazon, Google, Apple, and Microsoft are rushing to issue fixes, with the first wave already out.

The most immediate consequence of all of this will come from those fixes. Some devices will see a performance dip of as much as 30% after the fixes are installed, according to some reports. Intel, however, disputed that figure, saying the amount by which computers will be slowed will depend on how they're being used.

The Meltdown attack primarily affects Intel processors, though ARM has said that its chips are vulnerable as well. You can guard against it with software updates, according to Google. Those are already starting to become available for Linux and Windows 10.

Brian Krzanich, Intel's Chief Executive Officer. (Photo from Wikimedia Commons)

Spectre, by contrast, appears to be much more dangerous. Google says it has been able to successfully execute Spectre attacks on processors from Intel, ARM, and AMD. And, according to the search giant, there's no single, simple fix.

It's harder to pull off a Spectre-based attack, which is why nobody is completely panicking. But the attack takes advantages of an integral part of how processors work, meaning it will take a new generation of hardware to stamp it out for good.

In fact, that's how Spectre got its name.

"As it is not easy to fix, it will haunt us for quite some time," the official Meltdown/Spectre FAQ says.

What are Meltdown and Spectre, anyway?

Despite how they've been discussed so far in the press, Meltdown and Spectre aren't really "bugs." Instead, they represent methods discovered by Google's Project Zero cybersecurity lab to take advantage of the normal ways that Intel, ARM, and AMD processors work.

To use a Star Wars analogy, Google inspected the Death Star plans and found an exploitable weakness in a small thermal exhaust port. In the same way two precisely placed proton torpedoes could blow up the Death Star, so, too, can Meltdown and Spectre take advantage of a very specific design quirk and get around (or "melt down," hence the name) processors' normal security precautions.

Let's just hope your processor doesn't end up looking like this. (Image from Star Wars)

In this case, the design feature in question is something called speculative execution, a processing technique that most Intel chips have used since 1995 and that is also common in ARM and AMD processors. With speculative execution, processors essentially guess what you're going to do next. If they guess right, then they're already ahead of the curve, and you have a snappier computing experience. If they guess wrong, they dump the data and start over.

What Project Zero found were two key ways to trick even secure, well-designed apps into leaking data from those returned processes. The exploits take advantage of a flaw in how the data is dumped that could allow them — with the right malware installed — to read data that should be secret.

This vulnerability is potentially particularly dangerous in cloud-computing systems, where users essentially rent time from massive supercomputing clusters. The servers in those clusters may be shared among multiple users, meaning customers running unpatched and unprepared systems could fall prey to data thieves sharing their processors.

What can I do about it?

To guard against the security flaw and the exploits, the first and best thing you can do is make sure you're up-to-date with your security patches. The major operating systems have already started issuing patches that will guard against the Meltdown and Spectre attacks. In fact, fixes have already begun to hit Linux, Android, Apple's MacOS, and Microsoft's Windows 10. So whether you have an Android phone or you're a developer using Linux in the cloud, it's time to update your operating system.

Microsoft told Business Insider it's working on rolling out mitigations for its Azure cloud platform. Google Cloud is urging customers to update their operating systems, too.

It's a good idea to stay current with your Windows updates. (Screenshot from Matt Weinberger)

It's just as important to make sure you stay up to date. While Spectre may not have an easy fix, Google says there are ways to guard against related exploits. Expect Microsoft, Apple, and Google to issue a series of updates to their operating systems as new Spectre-related attacks are discovered.

Additionally, because Meltdown and Spectre require malicious code to already be running on your system, let this be a reminder to practice good online safety behaviors. Don't download any software from a source you don't trust. And don't click on any links or files claiming you won $10 million in a contest you never entered.

Why could the fixes also slow down my device?

The Meltdown and Spectre attacks take advantage of how the "kernels," or cores, of operating systems interact with processors. Theoretically, the two are supposed to be separated to some degree to prevent exactly this kind of attack. Google's report, however, proves the existing precautions aren't enough.

Operating system developers are said to be adopting a new level of virtual isolation, basically making requests between the processor and the kernel take the long way around.

The problem is that enforcing this kind of separation requires at least a little extra processing power, which would no longer be available to the rest of the system.

Related: Why it's a big deal that Cyber Command is now a combatant command

As The New York Times notes, researchers are concerned that the fixes could slow down computers by as much as 20% to 30%. Microsoft is reported to believe that PCs with Intel processors older than the 2-year-old Skylake models could see significant slowdowns.

Intel disputes that the performance hits will be as dramatic as The Times suggests.

Some of the slowdowns, should they come to pass, could be mitigated by future software updates. Because the vulnerability was just made public, it's possible that workarounds and new techniques for circumventing the performance hit will come to light as more developers work on solving the problem.

What happens next?

Publicly, Intel is confident the Meltdown and Spectre bugs won't have a material impact on its stock price or market share, given that they're relatively hard to execute and have never been used (that we know of). AMD shares are soaring on word that the easier-to-pull-off Meltdown attack isn't known to work on its processors.

But as Google is so eager to remind us, Spectre looms large. Speculative execution has been a cornerstone of processor design for more than two decades. It will require a huge rethinking from the processor industry to guard against this kind of attack in the future. The threat of Spectre means the next generation of processors — from all the major chip designers — will be a lot different than they are today.

Google is urging customers of its Google Cloud supercomputing service, hosted from data centers like this, to update their operating systems. (Image via Google)

Even so, the threat of Spectre is likely to linger far into the future. Consumers are replacing their PCs less frequently, which means older PCs that are at risk of the Spectre attack could be used for years to come.

As for mobile, there has been a persistent problem with updating Android devices to the latest version of the operating system, so there are likely to be lots of unpatched smartphones and tablets in use for as far as the eye can see. Would-be Spectre attackers are therefore likely to have their choice of targets.

It's not the end of the world. But it just may be the end of an era for Intel, AMD, ARM, and the way processors are built.

History

Check out these amazing uncovered photos of the great Ernie Pyle

On April 18th, 1945, war correspondent Ernie Pyle was killed by enemy fire on Iejima* during the Battle of Okinawa. At the time of his death, Pyle, a Pulitzer Prize winning journalist, was well-known for his intimate and personal storytelling that highlighted the experiences of the "average" soldier. Pyle was able to tell the stories of enlisted men because he embedded himself in their day-to-day lives; he didn't just observe their work, he lived, traveled, ate, and shared foxholes with them.

In remembrance of Ernie Pyle, the Unwritten Record presents photographs and motion pictures that highlight his work as a roving war correspondent during WWII.

Keep reading... Show less
Articles

How R. Lee Ermey's Hollywood break is an inspiration to us all

While there have been many outstanding actors and celebrities who have raised their right hand, there has never been a veteran who could finger point his way to the top of Hollywood stardom quite like the late great Gunnery Sergeant R. Lee Ermey.

Keep reading... Show less
Entertainment

6 things you didn't know about 'Top Gun' (probably)

In 1986, Paramount Pictures released Top Gun, a story about a hotshot naval aviator, nicknamed "Maverick," who had some extreme daddy issues. When the film landed on the big screen, it was an instant blockbuster, pulling in millions of dollars worldwide.

Filled with adrenaline-packed scenes, Top Gun inspired audience members of all ages to get out there and try to be the next hotshot pilot. After more than 30 years, moviegoers who have memorized all the film's catchphrases probably think they know everything there is to know about this action-packed classic.

Keep reading... Show less
Humor

8 reasons why peacetime training is just advanced LARPing

Live-action roleplaying is popular among nerds the world over. But what they don't realize is that the military hosts their own LARPing events to prepare for war.

While training for real-life combat, it's important that the military runs simulations that get as close to the real thing as possible. But, when you start to really break it down, it becomes clear that the government is spending tons of money on opportunities for advanced LARPing — as they should be.

Keep reading... Show less
History

The sweeping legacy of First Lady Barbara Bush

Former First Lady Barbara Bush, wife of 41st President George H. W. Bush, passed away in Houston, Texas, on April 17, 2018. The mother of 6 and grandmother of 17 was 92.

Only two women in American history have both served as First Lady and raised a son who would become president. The first was Abigail Adams, First Lady to President John Adams and the mother of John Quincy Adams. The second was Mrs. Bush, whose son George W. Bush would serve two terms as Commander in Chief beginning just 8 years after his father left office.

Keep reading... Show less
Entertainment

7 reasons Jack Burton was the warfighter I always wanted to be

Before joining the service, I thought everyone in the military was somehow fighting and killing bad guys. I looked to movies and television to try to put myself into the mindset of who I wanted to be if I had to fight a real battle.

Clearly, I no idea what I was getting into. That's where the similarities between Jack Burton and myself end.

Keep reading... Show less

6 exercises that you should be doing on chest day

Gym-goers the world over have proclaimed that Mondays are International Chest Days. This is because the chest is considered one of the most important parts of the male physique. Why? It's simple. Having a well-trained chest tends to draw wandering eyes while you're at the beach, and who doesn't want that positive attention?

Keep reading... Show less

Win $10 million in DARPA's low earth orbit launch challenge

On April 19, 2018, DARPA announced the DARPA Launch Challenge, designed to promote rapid access to space within days, not years. Our nation's space architecture is currently built around a limited number of exquisite systems with development times of up to 10 years. With the launch challenge, DARPA plans to accelerate capabilities and further incentivize industry to deliver launch solutions that are both flexible and responsive.

"Current launch systems and payload development were created in an era when each space launch was a national event," said Todd Master, the DARPA Launch Challenge program manager for DARPA's Tactical Technology Office. "We want to demonstrate the ability to launch payloads to orbit on extremely short notice, with no prior knowledge of the payload, destination orbit, or launch site. The launch environment of tomorrow will more closely resemble that of airline operations—with frequent launches from a myriad of locations worldwide."

Keep reading... Show less