NEWS

This cyber threat will exploit almost all PCs, smartphones, and tablets

Silicon Valley is abuzz about "Meltdown" and "Spectre" — new ways for hackers to attack Intel, AMD, and ARM processors that were first discovered by Google last year and publicly disclosed Jan. 3.


Meltdown and Spectre, which take advantage of the same basic security vulnerability in those chips, could hypothetically be used by malicious actors to "read sensitive information in the system's memory such as passwords, encryption keys, or sensitive information open in applications," as Google puts it in a blog post.

The first thing you need to know: Pretty much every PC, laptop, tablet, and smartphone is affected by the security flaw, regardless of which company made the device or which operating system it runs. The vulnerability isn't easy to exploit — it requires a specific set of circumstances, including having malware already running on the device — but it's not just theoretical.

And the problem could affect much more than just personal devices. The flaw could be exploited on servers and in data centers and massive cloud-computing platforms such as Amazon Web Services, Microsoft Azure, or Google Cloud. In fact, given the right conditions, Meltdown or Spectre could be used by customers of those cloud services to actually steal data from one another.

Though fixes are already being rolled out for the vulnerability, they often will come with a price. Some devices, especially older PCs, could be slowed markedly by them.

Here's what Meltdown and Spectre are. And, just as important, here's what they're not.

Am I in immediate danger from this?

There's some good news: Intel and Google say they've never seen any attacks like Meltdown or Spectre actually being used in the wild. And companies including Intel, Amazon, Google, Apple, and Microsoft are rushing to issue fixes, with the first wave already out.

The most immediate consequence of all of this will come from those fixes. Some devices will see a performance dip of as much as 30% after the fixes are installed, according to some reports. Intel, however, disputed that figure, saying the amount by which computers will be slowed will depend on how they're being used.

The Meltdown attack primarily affects Intel processors, though ARM has said that its chips are vulnerable as well. You can guard against it with software updates, according to Google. Those are already starting to become available for Linux and Windows 10.

Brian Krzanich, Intel's Chief Executive Officer. (Photo from Wikimedia Commons)

Spectre, by contrast, appears to be much more dangerous. Google says it has been able to successfully execute Spectre attacks on processors from Intel, ARM, and AMD. And, according to the search giant, there's no single, simple fix.

It's harder to pull off a Spectre-based attack, which is why nobody is completely panicking. But the attack takes advantages of an integral part of how processors work, meaning it will take a new generation of hardware to stamp it out for good.

In fact, that's how Spectre got its name.

"As it is not easy to fix, it will haunt us for quite some time," the official Meltdown/Spectre FAQ says.

What are Meltdown and Spectre, anyway?

Despite how they've been discussed so far in the press, Meltdown and Spectre aren't really "bugs." Instead, they represent methods discovered by Google's Project Zero cybersecurity lab to take advantage of the normal ways that Intel, ARM, and AMD processors work.

To use a Star Wars analogy, Google inspected the Death Star plans and found an exploitable weakness in a small thermal exhaust port. In the same way two precisely placed proton torpedoes could blow up the Death Star, so, too, can Meltdown and Spectre take advantage of a very specific design quirk and get around (or "melt down," hence the name) processors' normal security precautions.

Let's just hope your processor doesn't end up looking like this. (Image from Star Wars)

In this case, the design feature in question is something called speculative execution, a processing technique that most Intel chips have used since 1995 and that is also common in ARM and AMD processors. With speculative execution, processors essentially guess what you're going to do next. If they guess right, then they're already ahead of the curve, and you have a snappier computing experience. If they guess wrong, they dump the data and start over.

What Project Zero found were two key ways to trick even secure, well-designed apps into leaking data from those returned processes. The exploits take advantage of a flaw in how the data is dumped that could allow them — with the right malware installed — to read data that should be secret.

This vulnerability is potentially particularly dangerous in cloud-computing systems, where users essentially rent time from massive supercomputing clusters. The servers in those clusters may be shared among multiple users, meaning customers running unpatched and unprepared systems could fall prey to data thieves sharing their processors.

What can I do about it?

To guard against the security flaw and the exploits, the first and best thing you can do is make sure you're up-to-date with your security patches. The major operating systems have already started issuing patches that will guard against the Meltdown and Spectre attacks. In fact, fixes have already begun to hit Linux, Android, Apple's MacOS, and Microsoft's Windows 10. So whether you have an Android phone or you're a developer using Linux in the cloud, it's time to update your operating system.

Microsoft told Business Insider it's working on rolling out mitigations for its Azure cloud platform. Google Cloud is urging customers to update their operating systems, too.

It's a good idea to stay current with your Windows updates. (Screenshot from Matt Weinberger)

It's just as important to make sure you stay up to date. While Spectre may not have an easy fix, Google says there are ways to guard against related exploits. Expect Microsoft, Apple, and Google to issue a series of updates to their operating systems as new Spectre-related attacks are discovered.

Additionally, because Meltdown and Spectre require malicious code to already be running on your system, let this be a reminder to practice good online safety behaviors. Don't download any software from a source you don't trust. And don't click on any links or files claiming you won $10 million in a contest you never entered.

Why could the fixes also slow down my device?

The Meltdown and Spectre attacks take advantage of how the "kernels," or cores, of operating systems interact with processors. Theoretically, the two are supposed to be separated to some degree to prevent exactly this kind of attack. Google's report, however, proves the existing precautions aren't enough.

Operating system developers are said to be adopting a new level of virtual isolation, basically making requests between the processor and the kernel take the long way around.

The problem is that enforcing this kind of separation requires at least a little extra processing power, which would no longer be available to the rest of the system.

Related: Why it's a big deal that Cyber Command is now a combatant command

As The New York Times notes, researchers are concerned that the fixes could slow down computers by as much as 20% to 30%. Microsoft is reported to believe that PCs with Intel processors older than the 2-year-old Skylake models could see significant slowdowns.

Intel disputes that the performance hits will be as dramatic as The Times suggests.

Some of the slowdowns, should they come to pass, could be mitigated by future software updates. Because the vulnerability was just made public, it's possible that workarounds and new techniques for circumventing the performance hit will come to light as more developers work on solving the problem.

What happens next?

Publicly, Intel is confident the Meltdown and Spectre bugs won't have a material impact on its stock price or market share, given that they're relatively hard to execute and have never been used (that we know of). AMD shares are soaring on word that the easier-to-pull-off Meltdown attack isn't known to work on its processors.

But as Google is so eager to remind us, Spectre looms large. Speculative execution has been a cornerstone of processor design for more than two decades. It will require a huge rethinking from the processor industry to guard against this kind of attack in the future. The threat of Spectre means the next generation of processors — from all the major chip designers — will be a lot different than they are today.

Google is urging customers of its Google Cloud supercomputing service, hosted from data centers like this, to update their operating systems. (Image via Google)

Even so, the threat of Spectre is likely to linger far into the future. Consumers are replacing their PCs less frequently, which means older PCs that are at risk of the Spectre attack could be used for years to come.

As for mobile, there has been a persistent problem with updating Android devices to the latest version of the operating system, so there are likely to be lots of unpatched smartphones and tablets in use for as far as the eye can see. Would-be Spectre attackers are therefore likely to have their choice of targets.

It's not the end of the world. But it just may be the end of an era for Intel, AMD, ARM, and the way processors are built.

History

9 times the world stepped back from the brink of nuclear war

The atomic bombings of Hiroshima and Nagasaki in August of 1945 marked the end of the World War II, and the beginning of the age of nuclear weapons.

During the Cold War, the policy of mutually assured destruction between the US and the Soviet Union — appropriately referred to as "MAD" — meant that if one nation used nuclear weapons on another, then an equal response would have been doled out as soon as possible.

Keep reading... Show less
Articles

How R. Lee Ermey's Hollywood break is an inspiration to us all

While there have been many outstanding actors and celebrities who have raised their right hand, there has never been a veteran who could finger point his way to the top of Hollywood stardom quite like the late great Gunnery Sergeant R. Lee Ermey.

Keep reading... Show less

Kim Jong Un never leaves home without his own toilet

The leaders of North Korea and South Korea are scheduled to meet face-to-face for the first time on April 27, 2018, in the border village of Panmunjom in the demilitarized zone.

It will be the first leadership summit between the countries in more than a decade. It's a first for a North Korean leader to agree to visit South Korea since the Korean War in the 1950s. And the South Korean government, led by President Moon Jae-in, has pledged to create an environment conducive to diplomacy.

Keep reading... Show less
Entertainment

Here's how much Captain America would make in back-pay

The U.S. Army has always loved its fictional, star-spangled avenger and brother-in-arms, Captain America. Since he served in the Army, he received the benefits of being a Soldier. Logically, this would entitle him to back pay for the 66 years he spent frozen in ice.

Keep reading... Show less
Military Life

5 reasons 'mandatory service' is a terrible idea

You'll meet people, both on social media and in real life, who argue that a solution to a widespread lack of discipline is to start drafting citizens right out of high school to serve in the military in some capacity. Whether you think there really is a discipline problem today or not, the truth remains the same — a draft outside of a wartime is unnecessary and extremely toxic.

Keep reading... Show less

Why Japan is bothered by the Korean Unification Flag

Ahead of the historic meeting between the leaders of North and South Korea on April 27, 2018, political emblems depicting unity have been rolled out across South Korea.

One of these is an outline of the full Korean Peninsula, like on the Korean unification flag seen prominently at the Olympics. Inside Peace House, where Kim Jong Un and Moon Jae-In will meet, chairs have been engraved with the same outline and a miniature version of the flag will be placed on a dessert later in the day.

But not everyone views the symbols favorably.

Keep reading... Show less
GEAR & TECH

This Meteor kills enemy aircraft from beyond visual range

When you think of a meteor, your mind likely points to the object that wiped out the dinosaurs some 65 million years ago. Well, if we're being technical, that was actually a meteorite, but the details aren't important. The fact is, that giant, extinction-bringing boulder came from seemingly nowhere and took out the dinosaurs — who had no idea what hit them.

The British have developed a new, beyond-visual-range, radar-guided, air-to-air missile, appropriately named Meteor. It, too, is a bolt that comes from out of the blue to wipe something out of existence. It may be much smaller than the meteor that wiped out the dinosaurs, but for the aircraft it targets, well, it's just as final.

Keep reading... Show less

How the Chernobyl Disaster happened 32 years ago

Ukraine is marking the 32nd anniversary of the Chernobyl nuclear disaster on April 26, 2018, with a memorial service and a series of events in remembrance of the world's worst-ever civilian nuclear accident.

In neighboring Belarus, an opposition-organized event will also be held to commemorate the disaster.

Keep reading... Show less