Meltdown and Spectre - Every computer/phone at risk

[ISamson]

Australian Cyber Security Centre:
https://www.acsc.gov.au/news/update-on-processor-vulnerabilities-spectre-meltdown.html

 

[Tom.G]

See also this thread. It has a link to a clever fix devised by Google.
https://www.physicsforums.com/threads/google-fix-for-meltdown-specter-small-impact-good-fix.936778/

 

[anorlunda]

Bruce Schneier is a prominent computer security expert. Here are some excerpts from his blog post on this topic. But I recommend that you read the whole thing (1083 words)

"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable...Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There...aren't mechanisms to push patches onto the devices.
...
The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong.
...
The final reason is...These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.
...
It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it.
...
Spectre and Meltdown ...only affect the confidentiality of data.
...
For the average user, this is just another attack method amongst many...It's a much bigger problem for cloud vendors...

Of particular significance is where he said, "...only affect the confidentiality of data." That means that these attacks can't crash computers or cause them to stop working. That is a critical point.

 

[enorbet]

While these newly found hardware level vulnerabilities are indeed serious it is also important to keep perspective on how they affect us or can affect us, first as individuals and secondly "in the wild" using the services of others. One fact remains that has always been true and that is the first line of security is restricted access. The greatest compromise of security is physical access. If someone can sit at your keyboard it's nearly impossible to be secure against a determined and knowledgeable attack. The only slightly reduced risk is if the person at the keys can be induced to enable an attack by usually nefarious means like getting that person to allow or even introduce malicious code by clickbait or thumbdrive.

Remote access is substantially easier to secure, or at least potentially so on your personal PC, but much more vulnerable on some of our embedded devices and, of course in the cloud where restricted access is often anathema to doing business. This is partly why credit card farmers don't and haven't ever targeted individual PCs but rather that of banks. Why go after one account when one can harvest many thousands with only a little more work?

That last bit should be a clue as to where the greatest vulnerabilities lie and why we shouldn't be freaking out just because one more, or three more, vulnerabilities have been discovered. Granted that Intel's inclusion of the now expanded functions of the ME, which has access to drives and wifi even when owners view their PCs as essentially powered "Off" and Win10's ability, by individual user's granted access, to read even encrypted disks and farm data which can be and is sent via insecure wifi, have seriously "upped the ante", still it is the Cloud and Internet Enterprise that has millions, even billions, at stake and are the somewhat "low hanging fruit". Individually, limited physical access, a properly configured 2-way firewall and a predilection to avoid clickbait renders even these new vulnerabilities to minimal risk. Don't over react. We can afford to wait and see at least for now.

 

[nikkkom]

While these newly found hardware level vulnerabilities are indeed serious it is also important to keep perspective on how they affect us or can affect us, first as individuals and secondly "in the wild" using the services of others. One fact remains that has always been true and that is the first line of security is restricted access. The greatest compromise of security is physical access. If someone can sit at your keyboard it's nearly impossible to be secure against a determined and knowledgeable attack. The only slightly reduced risk is if the person at the keys can be induced to enable an attack by usually nefarious means like getting that person to allow or even introduce malicious code by clickbait or thumbdrive.

Remote access is substantially easier to secure...

Well, the problem is, javascript or flash code running in your browser is in this terminology a _local_ attack.

Remote attack is someone out there on the net sending some packets at you, or looking at your packets flying past him.

 

[enorbet]

Well, the problem is, javascript or flash code running in your browser is in this terminology a _local_ attack.

Remote attack is someone out there on the net sending some packets at you, or looking at your packets flying past him.

Yes that can be defined as a local attack since it requires one either activating the code or allowing that code to activate by default. The former is usually in the form of some clickbait but also includes opening pages, including email, of unknown sources. It is, after all, possible to embed code in things like jpeg files. The latter is only common among those who do not use addons like NoScript or setup Java and Flash to always ask before running. This is also one of many good reasons to always use bi-directional firewalls since so much of malware requires some "phone home" action. This, so far, isn't the case with Meltdown and Spectre, unless it is delivered as an attachment, whether open, disguised, or hidden, with a self-propagating element included. This will likely occur since being able to view otherwise hidden and privileged data is useless unless some means to view or exploit it are included.

What constitutes secure behavior is still much the same as always and hopefully common knowledge to everyone here on Physics Forums. If not, such information is easily found and implemented.

 

[nikkkom]

The latter is only common among those who do not use addons like NoScript or setup Java and Flash to always ask before running.

That's probably "only" 99.99% of all browser users.

 

[enorbet]

That's probably "only" 99.99% of all browser users.

While that may be regrettably so, anyone who knows anything about PC security considers such practice for anyone concerned about Meltdown and Spectre to be akin to worrying about their lack of motion sensor triggered lighting while leaving on vacation with their front and back doors not only unlocked but wide open. ;)