It wasn’t quite how tech companies wanted to ring in the new year: Computer security researchers revealed massive security flaws that potentially affect the vast majority of personal computers and smartphones ever built.
Two security flaws, dubbed Meltdown and Spectre by researchers, theoretically allow processor exploits to steal passwords and other sensitive user data from almost any device made in the past 20 years, according to the New York Times.
Security researchers, including Jann Horn at Google and academics at Graz University of Technology, discovered the flaws. They had already disclosed the flaws last year to the big tech companies like Microsoft and Apple, and had planned to reveal them publicly.
Instead, leaks of the revelations forced tech companies’ hands, and they scrambled to push out updates. In their haste, they introduced errors that caused some computers to shut down unexpectedly, and now are left waiting for real protection.
Near the end of January, Microsoft finally pulled back updates fixing the exploits because of these problems. This came about a week after the processor maker Intel, which developed the update patches, recommended the reversal.
Intel was also informed of the potential exploits before the leaks, and it may be worth noting that the company’s CEO, Brian Krzanich, sold $24 million in company stock and options in late November, according to Business Insider.
There is no evidence yet that hackers have taken advantage of the security flaws. But once flaws are made public, your devices become ready targets, and it’s only a matter of time before hackers find ways to access sensitive data like your passwords, online bank accounts, and email — if you’ve left your devices unprotected.
Exploits are unfortunately common these days, as security researchers engage in an arms race with hackers and even nations to build walls around our increasingly connected world of devices.
Meltdown and Spectre are beyond the norm, however, because they allow exploits at the hardware level, the silicon in your machine. That makes fixing the problem much more challenging, as the exploits allow access to the most basic part of your computer.
How do Meltdown and Spectre work?
Processors are one of the building blocks of digital devices. They allow your device to “think,” by performing a staggering number of tiny calculations per second.
Modern devices work in “parallel,” allowing processors to perform different calculations for different applications at the same time. They can also store small bits of information. They can even perform “speculative executions,” guessing the most likely actions you might perform so they can be processed faster.
This processor complexity is exactly what can be exploited, allowing access to the “kernel,” the highest-level control system of your computer.
The vulnerabilities allow an attacker to compromise the privileged memory of a processor by exploiting the way processes run in parallel. They also allow an attacker to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information.
Meltdown seems to affect only Intel processors, but the company has a near monopoly on processors for personal computers and servers. Spectre, however, is a more general flaw and may affect even more devices, though experts say the flaw is more difficult to exploit.
According to the security researchers who discovered the exploits, the data at risk “might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”
The increasing connectivity of consumer products — say, a smart fridge or juicer — makes these exploits especially dangerous.
According to the Times, hackers could simply rent space on an unpatched cloud service and easily access customer data:
That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.
The biggest cloud service companies, like Google and Amazon, say they’ve fixed their systems issues. But cloud services are an increasing part of many online and offline businesses, which may not act so quickly.
How do I protect myself?
Fixes are in the works for Meltdown, and some have already rolled out, only to cause more problems. Intel is releasing firmware updates this month for processors made in the last five years.
All of those updates simply require checking you have updated to the latest version of your device operating system. However, if you have experienced shutdown or other problems with your computer, you might need to manually download a rollback of the update. This will leave your device vulnerable, however.
Fixes for Spectre may require hardware changes, which could take years to roll out as people buy new devices. Intel has announced the next generation of its processor chips will protect against Spectre.
While you wait for fixes, the best thing you can do is to enable two-factor authentication, which uses login codes from your phone or email. Enable this on as many sensitive accounts as possible, create long passwords, and don’t reuse them. Also consider a password manager, which can create passwords for you (but make sure the manager itself is secure).
This is just sound advice in general. Whether or not these specific flaws are taken advantage of by hackers, future ones certainly will be.
And software fixes for Meltdown may not be perfect: Patches for Meltdown could slow down computers in some cases. Andres Freund, a software developer, told the New York Times he had confirmed significant slowdown in testing on Linux machines. But some other experts say that that big declines will most likely only apply to servers and cloud services.
Intel has released “best-case” scenarios for the Windows and processor updates, showing up to a 7 percent decline for some tasks, and often much less. But the company said Windows users using an older version of the operating system, instead of Windows 10, could see a bigger performance gap.
The bottom line: Don’t put off updating your devices because of fears of slowing them down. But if you are still using Windows 7 or 8, now is finally the time to switch to Windows 10.
Do I really have to care about this?
You are probably resigned by now to the malicious code panic cycle: A flaw is discovered or exploited, the sensitive personal data of millions is/is not compromised, and we all push a few buttons to get the fix — and pray hackers ignore our helplessness.
While the threat of these newly discovered flaws is still hypothetical, little technical knowhow may be needed to exploit Meltdown, in particular. All it could take is an annoying banner ad to compromise your device.
So to be clear: You absolutely need to push those buttons, despite the mess hasty updates created. Unfortunately, the, ahem, specter of hardware-level security flaws may not be lifted anytime soon.
