Just when you thought it was impossible to use a connected device without getting hacked, 2018 arrives with the discovery of an entirely new class of network vulnerability built into the processors of virtually every computing device in active consumer and business use.
Two distinct hardware flaws — dubbed “Meltdown” and “Spectre” — were recently disclosed by white hat researchers. They did this responsibly. The hackers first notified the culpable parties, notably Intel and Microsoft, thereby giving the tech giants time to prepare and test patches, and make the workarounds ready for wide distribution. So far, there have been no publicly disclosed attacks leveraging either Meltdown or Spectre.
That’s the extent of the good news. The full scope of the bad news, at the moment, is unknowable. While the threat at this point is theoretical, it would be foolish to downplay the notion that motivated threat actors have very likely begun to probe for ways to take advantage.
EVER-EXPANDING ATTACKABLE SURFACE
Cloud-based data centers that use Intel chips, according to Reuters, have begun looking into the possibility of building new infrastructure with chips supplied by rivals to avoid the vulnerabilities, while others appear to be pushing for Intel to offer big discounts.
Who can blame them? No one knew anything about Meltdown and Spectre when the ball dropped in a frigid Times Square to usher in 2018. Now the race is on to protect systems before threat actors figure out how to exploit them. It’s vital for organizations to address this in a timely manner.
Much like Heartbleed and Shellshock — the open-source software flaws disclosed in 2014 — Meltdown and Spectre represent a heretofore overlooked class of systemic vulnerabilities. This time the vulnerability is baked into the hardware. As corporate networks were being thrown together in the first decade of this century, technology vendors unknowingly distributed these flaws far and wide. At the time, the potential security implications were unthinkable.
“The problem was created because chip manufacturers found clever ways to improve chip performance, while inadvertently leaving backdoors to the inner sanctum — where processing takes place on the chips,” Satya Gupta told me. He’s the founder and chief technology officer of Virsec Systems, a supplier of application security systems.
Consider that Meltdown and Spectre are present, not just in data centers, but also on just about every type of computing device in consumer and business use, including billions of smartphones. At least theoretically, it provides malicious hackers with yet another access point to burrow deep into corporate networks and wreak havoc. Meltdown and Spectre expand an already vast attackable surface.
While patches are available, patching often is costly and disruptive. Comprehensive mitigation of something as complex as Meltdown and Spectre is likely to take years, and may never be fully accounted for. Right on cue, things are getting off to a lugubrious start. Microsoft this week acknowledged that the patches available for Windows servers could significantly impact server performance. How do you think that will fly with corporations competing in a data-driven marketplace?
“Even though chip performance has grown exponentially over the past 20 years, it’s never acceptable to force customers to take significant steps backwards in performance,” observes Gupta.
Meanwhile, cybercriminals have to be exploring these new paths. In the cyber underground, there is no lack of motivation to innovate. Exploiting fresh vulnerabilities that lead to root access of devices and systems is the holy grail of hackers with malicious intent. If organizations don’t make mitigation of this exposure a high priority, a run of opportunistic attacks likely will follow.
Meltdown and Spectre are sure to energize the best and brightest threat actors, be they profit-minded criminals or cyberwarfare operatives. The rising trepidation of Intel’s cloud solution customers may be well founded. It’s easy to imagine elite hackers developing and testing chip-level attacks to crack into cloud computing data centers where the most sensitive information is often stored by clients and consumers alike.
This should be a wake-up call for the many organizations that have yet to embrace well-established vulnerability patching best practices and assertively address this new exposure. But it probably won’t be.
After all, Meltdown and Spectre have not yet been exploited in the wild, at least as far as we know. Sadly, a high-profile organization probably needs to be compromised before the solution to these chip vulnerabilities becomes as urgent a matter as it already should be.
Adam Levin is chairman and founder of CyberScout. This article originally appeared on his AdamLevin.com, a top 100 infosec blog.