The Meltdown and Spectre Vulnerability - Act Now!
Given you are browsing Steemit, it would be fair to assume you have a decent understanding of computer bugs and the dangers they cause. In the modern technological environment we live in, bugs leak our passwords and steal our sensitive data. To combat this, we deploy countermeasures such as virus scanners, firewalls, and software best-practice, which aim to keep us safe in this hyper-connected world.
Unfortunately, Meltdown and Spectre are not your bog-standard software bug or virus - Meltdown and Spectre are hardware bugs. They exploit critical vulnerabilities in modern processors, including all Intel, AMD and ARM computer chips. This means you are almost certainly affected.
Meltdown and Spectre allows programs to steal data from your machine that is currently being processed or used by another application - including your Steemit password. While under normal circumstances programs are not permitted to read data from other programs, exploiting Meltdown and Spectre allows a malicious program to circumvent this limitation. The result is a potent attack vector that can pull your passwords stored in a password manager or browser, or any other files being accessed, including your cryptocurrency wallet keys.
What is Meltdown?
The Meltdown bug enables an attack vector that circumvents the fundamental isolation between your Operating System (OS) and any program running on your machine. As a result, ANY program running on your machine can use the bug to access the memory of the OS.
This means that until your operating system is patched, it is impossible to work with ANY sensitive information without risking it being leaked to a third party. To highlight the severity of the situation, Bitcoin Core contributor Jonas Schnelli said:
"a browser plugin or even a website may access your private keys"
Don't take this lightly.
Meltdown was discovered and reported independently by 3 teams of researchers. These were from Google Project Zero, Cyberus Technology and Graz University of Technology. You can read the academic article detailing Meltdown here.
What is Spectre?
Spectre is a lot like Meltdown, but breaks the barriers between individual programs as opposed to between a program and the OS. It is far harder to mitigate than Meltdown, as it actually benefits from the increased attack surface generated by safety checks meant to maintain this barrier. Further, there is no known way to patch this as of yet, with the only solution appearing to be new hardware.
Spectre was discovered and reported independently by 2 people. These were Jann Horn from Google Project Zero and Paul Kocher. You can read the academic article detailing Spectre here.
What Should You Do?
For general computer users, the best that you can do right now is patch your OS. Patches have been released already against Meltdown for Linux, Windows and OS X in the form of KAISER, which is a kernel modification to not have the kernel mapped in the user space. Unfortunately, the KAISER patch brings with it an estimated 30% degradation in processor speeds. Furthermore, Spectre is much harder to mitigate, and work on potentially patching this is ongoing. This may prove impossible, which could lead to an insane world-wide CPU recall that we do not have the manufacturing capability to handle.
For crypto users - this is a good time to invest in a hardware wallet. The two most commonly used cryptocurrency hardware wallets, Trezor and Ledger, have both stated explicitly that their products are not vulnerable to either Meltdown or Spectre. Pavol Rusnak, CTO of Satoshi Labs, the manufacturer of Trezor said:
" @TREZOR is not vulnerable to recent Meltdown and Spectre hardware attacks, because it has processor not affected by these. Also our firmware is always signed, so the device never runs untrusted code. Using a hardware wallet is now more important than ever.”
To revisit the scale of this attack vector, I will close with a comment by Nicole Perlroth - NYT Cybersecurity Analyst:
“Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon or Google or Microsoft cloud server and steals data from other customers renting space on that same cloud server.”
Act now.
Content Credit:
Meltdown & Spectre, Techcrunch
I bought a new laptop ~12 months ago and new desktop ~6 months ago - are these systems likely to be vulnerable or too new?
The security hole exists in all CPUs from the last 2 decades, so your machines will both be affected.
For now, the KAISER patch will address Meltdown, at the cost of a 30% performance drop. It looks like the Spectre vulnerability is not going to able to be 100% patched, and will require revisions to the actual hardware. No such revised hardware exists yet.
So if my copies of Windows are already up to date - I'm already patched with KAISER and experiencing the performance drop?
Correct - depending on what patch you are running (the public releases do not have the patches yet for most hardware). There is still testing ongoing (primarily by Linux core devs), but it looks like 30% is the performance degradation cap. Some CPU tasks take a smaller hit.
A permanent fix (circumventing KAISER) will have to be integrated into the next generation of hardware.
There are some great NYT security analysts covering the story, that you may be interested in following on Twitter.
@dutch I really appreciate you help spreading awareness. There's lot of confusion and panic around this issue which isn't really necessary atm.
I'm not saying you do but there's a lot of FUD about this as well.
So far there are no known exploits and it would require quite some skills to actually use it. Let alone from a website's javascript. Theoretically it might be technically possible but would require a huge effort to actually steal a password that way. Javascript is an interpreted language and without control over the interpreter etc I think it's practically impossible. I do expect malware to surface but this isn't the casual OS hole.
Second the 30% is a maximum under certain circumstances of test on *nix (don't recall which one) and I'm not sure if it was with firmware update or not. If I recall correctly it mentioned between 5 and max 30%. Kaisar is also *nix only and not Windows. You can off course expect memory intensive applications to get hit, but not every application is memory intensive and certainly not all the time.
Spectre's impact can be lowered by firmware changes which Intel already released. Spectre is also present on ARM so and thus smartphones and tablets (depending on the chip) are affected. So if you want to be on the safe side of everything you'll need to update your firmware as well. Good luck average PC user...
Techspot actually released an update on their test with Meltdown update and Spectre firmware patch and it seems the impact is not as bad for normal PC usage.
Yeah, browsers (plugins/scripts) are always a big security problem (maybe the big?) . In my opinion as users the first thing to do it's to limit the use of plugins and use a solid and updated browser: as you said, scripts are interpreted, and browser manufactors are able to fix/limit the interpreter (for example firefox now have somehow patched the issue hiding the leak by disabling timers and the SharedArrayBuffer ).
Well this is definitely a cause for worry. To think that there bugs that are too difficult to detect and patch. Fortunately it was discovered or people will still be ignorant of the issue. Also this makes you wonder if there are more advanced bugs that we still didn't detect yet. Thanks for sharing this information with us. Have a nice day.
Given that this vulnerability has existed for some 2 decades now, I bet it has been used already by the NSA or similar. Like you say, good someone outed it.
@dutch
This is a great article detailing what the bugs can do. However, I'm not too sure I understand how a user's computer can be infected. Could you please clarify me on this?
The user's computer is not so much infected, as there is a hole in the hardware's security. This hole has always been there, but was only recently discovered by several research teams. A malicious entity could exploit that hole to steal your data.
How can someone's computer get infected? Maybe a malicious software we download off the internet or does the machine need to be compromised physically by the hacker?
Well, that's the thing - all machines are compromised physically. All it takes now is some software to use the hole. It could come from something as simple as a web page.
Oh Ok. I understand now. Thank you very much for taking your time to clarify me :)
@dutch amazing post
technology is everything.
how do you think about the price of sbd and steem in early 2018 this?
What does that has to do with anything of this article?
As said in the article, "TREZOR is not vulnerable to recent Meltdown and Spectre hardware attacks". And blockchains are not vulnerable too. So cripto ecology it's better and more solid than Intel and AMD hardware! So the price of cripto (and sbd and steem) must rise! :)
So we lived and survived both bugs for 20 years and now it is a problem? Only new hardware is solution, hmmmmm... I don’t know...it looks like hardware companies like it! Buy, buy, buy... in other words companies are saying to criminals “we will show you where to hit, it will be profitable for both parties”
When no one knew the hole (20 years! lol - it seems unbelievable, but in security issues it's possible), everyone was quite safe. But not 100% safe, still probably >99.9% safe.
But today that the exploit is on public domain, everyone know it and can try to figure out how to exploit, this can excalate quick.
PS: by the way, when an exploit is possible, it's better not to ignore, but speak to all the community and try the best to fix it. :)
It was several teams of researchers (from institutes that are not affiliated with the manufacturers) that exposed the bugs though.
hi
Follow the follow-up
thanks your post! have a nice day