Tiny Chips, Big Security Flaws
The central processing unit (CPU) is essentially the “brains” of any computer. Whenever you run a program, type a command, or click a link, you’re sending instructions to the CPU. Project Zero, a team of security analysts assembled by Google in 2014, has revealed its discovery of two major security flaws in the design of CPUs and microprocessors found in the majority of computers, smartphones, and tablets released over the last 20 years.
The researchers dubbed the first hardware bug Spectre. It gives attackers a way to trick otherwise error-free programs into sharing information by breaking the isolation between various applications.
The researchers say Spectre affects almost every computing system (desktops, laptops, cloud servers, and smartphones) and has been verified on CPUs manufactured by Intel, AMD, and ARM.
The other bug, which the researchers named Meltdown, cracks the divide between user applications and an operating system (OS). By exploiting Meltdown, a hacker can use one program to access the memory of another program or a device’s OS. Meltdown affects desktop, laptop, and cloud computers. So far, Project Zero researchers have only verified it on Intel CPUs.
The Project Zero team first discovered these security flaws in June 2017, and the plan was for the tech community to disclose them to the public on January 9, 2018.
The purpose behind the secrecy was to give companies time to address the issues before news about them spread, but rumors and early reports pushed the reveal up to January 3, 2018.
According to the Project Zero team’s report, Spectre and Meltdown give hackers a way to steal a device’s entire memory contents. That means they have access to a user’s photo library, emails, instant messages, passwords, and more. To avoid the chaos that such breaches could cause, tech companies are rushing to address the vulnerabilities.
Right now, the best-known fix for the Meltdown bug is KAISER, a software patch devised by researchers at the Graz University of Technology in Austria to address a different issue. However, the patch might come with a catch: It reportedly causes systems to run up to 30 percent slower.
Spectre is proving to be even more formidable, and the only fix may be redesigning the processors. “As it is not easy to fix, it will haunt us for quite some time,” the researchers wrote in their report.
As the Internet of Things (IoT) continues to grow, hackers have a growing number of avenues by which to access our personal information, meaning securing that information will only become more and more vital.
So far, the Project Zero team says it hasn’t found conclusive proof that anyone has used Spectre or Meltdown to access vulnerable systems. But now that information about these flaws is widely known, that could change.
Linux, Android, Apple’s macOS, and Microsoft’s Windows 10 have already pushed fixes to address these new security issues. So the best course of action is to ensure all of your devices are using the most up-to-date version of their operating system.
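On Linux, an update can be confirmed rather than assumed: kernels from 4.15 onward report per-flaw status under /sys/devices/system/cpu/vulnerabilities, where "Mitigation: PTI" is the kernel's page-table isolation, the work that grew out of KAISER. The script below is an added example, not part of the original article; the function names are its own, and the sample directory it falls back to is constructed.

```python
import tempfile
from pathlib import Path

# Linux kernels 4.15+ report per-vulnerability status here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map a kernel status line to ok / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(base=SYSFS_DIR):
    """Return {name: (verdict, raw status)} for each file in CHECKS."""
    results = {}
    for name in CHECKS:
        path = Path(base) / name
        try:
            raw = path.read_text().strip()
        except OSError:
            # File absent: kernel predates the interface, or not Linux.
            results[name] = ("unknown", "status file missing")
            continue
        results[name] = (classify(raw), raw)
    return results


def constructed_sample():
    """Audit a constructed directory imitating a partly patched host."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "meltdown").write_text("Mitigation: PTI\n")
        Path(tmp, "spectre_v1").write_text("Vulnerable\n")
        # spectre_v2 deliberately left out to exercise the missing-file path
        return audit(tmp)


if __name__ == "__main__":
    live = SYSFS_DIR.is_dir()
    report = audit() if live else constructed_sample()
    for name, (verdict, raw) in report.items():
        print(f"{name:12} {verdict:10} {raw}")
```

A verdict of "unknown" because the status file is missing usually means the kernel is older than the reporting interface, which is itself a sign the system needs updating.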