Last year was horrific for cybersecurity issues, with highlights (or lowlights) such as WannaCry, Petya/NotPetya and Shadow Brokers.
We are not a week into 2018, and we could have one of the costliest cybersecurity of the years already.
Tech firms, primarily Intel, have announced a vulnerability in their chips named Spectre and Meltdown.
Meltdown affects Intel processors and works by breaking through the barrier that prevents applications from accessing arbitrary locations in kernel memory. Segregating and protecting memory spaces prevents applications from accidentally interfering with one another’s data, or malicious software from being able to see and modify it at will. Meltdown makes this fundamental process fundamentally unreliable.
Spectre affects chips from all three leading companies, Intel, AMD and ARM. This broadens its reach to include mobile phones, embedded devices, and pretty much anything with a chip in it.
It is believed that neither of these exploits has currently been used maliciously, and cybersecurity experts have know about them for months, but most signed NDAs to limit the damage. The problem is that it fundamentally affects everyone, with chips dated back to 2011 being found vulnerable, and possibly all the way back to 1995.
Because Meltdown and Spectre are flaws in the architecture level, it doesn’t matter whether a computer or device is running Windows, OS X, Android, or something else — all software platforms are equally vulnerable.
Unfortunately, these vulnerabilities can’t actually be directly fixed, as they are essentially hard-wired into the chips themselves. In the case of Meltdown, there has to be a sort of software layer around the kernel within the chip, known as “kernel page table isolation.” The issue with this, is adding more layers of code slows things down, and it is believed specific processes could be slowed by 5% – 30%.
At the moment there is no known fix for Spectre yet, however it is harder to carry out than Meltdown, so there is that.
Unfortunately, the long-term impact of this vulnerabilities is quite severe for OS and Chips makers; there are going to have to be changes to how chips work and the underlying code within your chosen OS.
The actual vulnerabilities themselves shouldn’t be a massive concern for home users as the vulnerabilities haven’t been exploited yet. It is believed that the attacks would need to be carried out locally in most cases, with remote attacks being hard to do. The main impact for the general public is the performance impact on all of their electronics that have a modern processor, which includes PCs, Laptops, Phones, TVs, all the way through to baby monitors.