Spectre and Meltdown: Will we be haunted by vulnerabilities in modern devices for decades to come?
2018 began with the alarming news that nearly every computer chip manufactured in the last 20 years contains basic security flaws. These flaws have been collectively named Spectre and Meltdown, and were discovered by security analysts at Google.
In contrast to malware and viruses, which affect the software, these vulnerabilities are inbuilt into the hardware. The scale of the risk is unprecedented, as the flaws are not unique to one type of chipmaker or device. Instead, billions of devices, from desktop PCs to tablets and smartphones, are vulnerable.
What’s the threat?
If exploited, these vulnerabilities could allow hackers access to information that was previously considered to be entirely protected. While programs are not usually permitted to read data from other programs, a malicious program could exploit the Meltdown and Spectre vulnerabilities to get hold of data stored in the memory of other running programs. This could include sensitive information, such as log-in details and credit card information.
These flaws are complex and hard to exploit. Currently, there is no evidence to suggest the vulnerabilities are being exploited by hackers, however now these flaws are publicly known, it is only a matter of time before they are.
What can we do?
Meltdown is the easier vulnerability to patch, and so far, Microsoft, Apple, Android, and Linux have released patches to address this issue. Some users, particularly those using older devices, have noticed a performance reduction in terms of processing speeds. For those using more modern devices, the reduction is less noticeable. In spite of the possibility of slightly reduced performance, it is crucial to ensure you have installed the latest patch and are running the latest software, or else you and your data will remain vulnerable.
Spectre is more difficult to address because it cannot be fixed at the operating system level. The ideal situation would be that we all replace our CPUs with new versions that aren’t flawed. Unfortunately, with more than a billion CPUs in the world, this is not a feasible solution. Instead, manufacturers of motherboards and PCs are most likely going to need to issue firmware and BIOS updates. This is going to take some time to do and will take even longer to roll out, because it requires individual fixes, from individual companies, for individual devices. If this doesn’t happen, we can only be fully free of the Spectre vulnerability when we cease using all affected hardware. This could take decades.
If exploited, Spectre and Meltdown could be one of the biggest digital security threats we have ever seen. This is an issue businesses and organisations will need to follow very closely as it continues to develop. If your company stores or processes sensitive information, it is essential that you keep up to date with the latest updates. These vulnerabilities will almost certainly continue to be problematic months – and even years – from now.
If you’re concerned about whether your organisation could be affected by these vulnerabilities, contact us on 0844 586 0040 or email [email protected], and we’ll be happy to advise you.