You might have heard that the sky has fallen and the security apocalypse has happened because of two new attacks named Meltdown and Spectre. If you work in IT or any other area of large-scale computer infrastructure, you probably feel like it has, too, and are already looking forward to your 2018 vacation days.
Media outlets first heard rumors of this mother-of-all-exploits in late 2017, and recent reports were wildly speculative, finally forcing companies like Microsoft, Amazon, and Google (whose Project Zero team discovered the whole thing) to respond with details. Those details make for an interesting read if you’re into this sort of thing.
But for everyone else, no matter what phone or computer you use, a lot of what you’re reading or hearing might sound like it’s in a different language. That’s because it is, and unless you’re fluent in cyber-geek-security-techno-speak you might have to run it through a translator of some sort.
Good news! You found that translator, and here’s what you need to know about Meltdown and Spectre, and what you need to do about it.
Meltdown and Spectre are two different things, but since they were revealed at the same time and both deal with microprocessor architecture at the hardware level, they are being talked about together. The phone you’re using right now is almost certainly affected by the Spectre exploit, but nobody has found a way to use it — yet.
The processor inside your phone determines how vulnerable it is to these types of exploits, but it’s safer to assume that they all affect you if you’re unsure. And since they aren’t exploiting a bug and instead are using a process that’s supposed to happen, there’s no easy fix without a software update.
Look at the phone in your hands; it’s vulnerable to some of these attacks.
Computers (this includes phones and other tiny computers, too) rely on what’s called memory isolation for security between applications. Not the memory that is used to store data over the long term, but the memory used by hardware and software while everything is working in real time. Processes store data separately from other processes, so no other process knows where or when it gets written or read.
The apps and services running on your phone all want the processor to do some work and are constantly giving it a list of things they need computed. The processor doesn’t do these tasks in the order they are received, because that would leave some parts of the CPU idle while they wait for step one to finish before step two can start. Instead, the processor can move ahead to step three or step four and do them ahead of time. This is called out-of-order execution and all modern CPUs work this way.
Meltdown and Spectre aren’t exploiting a bug — they attack the way a processor computes data.
Because a CPU is faster than any software could be, it also does a bit of guessing. Speculative execution is when the CPU performs a calculation it wasn’t yet asked to do based on previous calculations it was asked to perform. Part of optimizing software for better CPU performance is following a few rules and instructions. This means most of the time there is a normal workflow that will be followed and a CPU can skip ahead to have data ready when software asks for it. And because they are so fast, if the data wasn’t needed after all, it gets tossed aside. This is still faster than waiting for the request to perform a calculation.
This speculative execution is what allows both Meltdown and Spectre to access data they would otherwise not be able to get at, though they do it in different ways.
Intel processors, Apple’s newer A series processors, and other ARM SoCs using the new A75 core (for now that’s just the Qualcomm Snapdragon 845) are vulnerable to the Meltdown exploit.
Meltdown leverages what’s called a “privilege escalation flaw” that gives an application access to kernel memory. This means any code that can get access to this area of memory — where the communication between the kernel and the CPU happens — essentially has access to everything it needs to execute any code on the system. When you can run any code, you have access to all data.
Spectre affects almost every modern processor, including the one on your phone.
Spectre doesn’t need to find a way to execute code on your computer because it can “trick” the processor into executing instructions for it and then granting access to the data from other applications. This means an exploit could see what other apps are doing and read the data they have stored. The way a CPU processes instructions out of order in branches is where Spectre attacks.
Both Meltdown and Spectre are able to expose data that should be sandboxed. They do this at the hardware level, so your operating system doesn’t make you immune — Apple, Google, Microsoft, and all sorts of open-source Unix and Linux operating systems are equally affected.
Because of a technique known as dynamic scheduling, which allows data to be read as it’s being computed instead of needing to be stored first, there is plenty of sensitive information in RAM for an attack to read. If you’re interested in this sort of thing, the whitepapers published by the Graz University of Technology are fascinating reads. But you don’t need to read or understand them to protect yourself.
Yes. At least, you were. Basically, everyone was affected until companies started patching their software against these attacks.
The software that needs updating is in the operating system, so that means you need a patch from Apple, Google, or Microsoft. (If you use a computer that runs Linux and aren’t into infosec, you’ve got the patch already, too. Use your software updater to install it or ask a friend who is into infosec to walk you through updating your kernel.) The awesome news is that Apple, Google, and Microsoft have patches either already deployed or on their way in the immediate future for supported versions.
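On Linux, one way to confirm the kernel patch is actually active is to read the status files the kernel publishes under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of the original article; the function names and the sample directory are constructed for illustration, and a kernel too old to provide these files is reported as `unknown`.

```shell
#!/bin/sh
# Added example: summarize Meltdown/Spectre status as reported by the Linux kernel.
# Patched kernels expose one text file per issue in this sysfs directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;   # empty or unrecognized
    esac
}

# check_cpu_vulns [DIR] -> prints "name<TAB>state<TAB>kernel text" per issue.
# Returns 0 only if every issue is mitigated or not applicable.
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            text=$(cat "$dir/$name")
        else
            text=""          # file missing: kernel predates the reporting interface
        fi
        state=$(classify_status "$text")
        [ "$state" = ok ] || rc=1
        printf '%s\t%s\t%s\n' "$name" "$state" "${text:-no report from kernel}"
    done
    return $rc
}

# make_sample_dir -> prints the path of a temp dir holding CONSTRUCTED sample
# status files (not real output from any machine), for trying the check offline.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}
```

Call `check_cpu_vulns` with no argument to read the live system, or pass it the directory printed by `make_sample_dir` to see the output format without touching real hardware state.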
Qualcomm Technologies, Inc. is aware of the security research on industry-wide processor vulnerabilities that have been reported. Providing technologies that support robust security and privacy is a priority for Qualcomm, and as such, we have been working with Arm and others to assess impact and develop mitigations for our customers. We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available.
In plain English, this means that unless you’re still using a very old phone, tablet, or computer, you should consider yourself vulnerable without an update to the operating system. Here’s what we know so far on that front:
For Android specifics, the Nexus 5X, Nexus 6P, Pixel, Pixel XL, Pixel 2, and Pixel 2 XL have been patched and you should see an update soon if you haven’t already received it. You can also manually update these devices if you like. The Android Open Source Project (the code used to build the OS for every Android phone) has also been patched and third-party distributions like LineageOS can be updated.
Samsung, LG, Motorola, and other Android vendors (companies who make phones and tablets and TVs) will patch their products with the January 2018 update. Some, like the Note 8 or Galaxy S8, will see that before others, but Google has made the patch available for all devices. We expect to see more news from all partners to let us know what to expect and when.
If you have a product that’s vulnerable, it’s easy to get caught up in the hype, but you shouldn’t. Neither Spectre nor Meltdown “just happens”; both depend on you installing malware of some sort that leverages them. Following a few safe practices will keep you immune to either exploit on any computer hardware.
The good news is that the way these side channel exploits are patched is not going to bring the huge slowdowns that were hyped before any updates were released. That’s just how the web works, and if you read about how your phone or computer was going to be 30% slower after any fix was applied, it was because sensationalism sells. Users who are running updated software (and have been during testing) just aren’t seeing it.
The patch doesn’t have the performance impact some claimed it would bring, and that’s a great thing.
This all came about because these attacks measure precise time intervals and the initial patches change or disable the precision of some timing sources through software. Less precise means slower when you’re computing and the impact was exaggerated to be a lot bigger than it is. Even the slight performance decreases that are a result of the patches are being mitigated by other companies and we see NVIDIA updating the way their GPUs crunch numbers or Mozilla working on the way they calculate data to make it even faster. Your phone won’t be any slower on the January 2018 patch and neither will your computer unless it’s very old, at least not in any noticeable way.
Stop worrying about it and instead make sure to do everything you can to keep your data safe.
Security scares always have some sort of real impact. Nobody has seen any instances of Meltdown or Spectre being used in the wild, and because most devices that we use every day are updated or will be very soon, reports will probably stay this way. But this doesn’t mean they should be ignored.
Take security threats like this seriously but don’t fall for all the hype; be informed!
These side channel exploits had the potential to be that big, serious game-changing event people worry about when it comes to cybersecurity. Any exploit that affects hardware is serious, and when it attacks something done on purpose instead of a bug it becomes even more serious. Thankfully, researchers and developers were able to catch, contain, and patch Meltdown and Spectre before any widespread use happened.
What’s really important here is that you get the right information so you know what to do every time you hear about a new cyberthreat that wants all of your digital stuff. There’s usually a rational way to mitigate any serious effects once you dig past all the headlines.