Spectre and Meltdown explained

30 January 2018

What does it mean?

In January details emerged of a new security risk. Known as Meltdown and Spectre, the two vulnerabilities, if exploited, would enable hackers to steal data from processors used in computers, mobile devices and cloud computing.

Unlike most vulnerabilities, Meltdown and Spectre are related to hardware (and not software). More specifically, they affect some of the best-selling microchips of the past two decades, including those from Intel, Qualcomm and some manufactured by AMD and Arm.

Essentially, the two vulnerabilities target the computer’s operating system and could give hackers access to data held by the processor’s own memory as part of its working routine. Meltdown ‘melts’ security barriers to give access to the system memory while Spectre (named after speculative execution) forces programs to perform unnecessary operations and release otherwise confidential data.

Potentially, hackers could develop malicious code to exploit the vulnerabilities and steal data. However, according to the UK’s National Cyber Security Centre (NCSC) there is no evidence of any malicious exploitation and patches are being produced for the major platforms.

The existence of the vulnerabilities was revealed by white hat hackers, cyber security researchers who have since been working with affected chip manufacturers on remedies. Yet the vulnerabilities are complex, affecting the fundamental workings of processors, and are not easy to fix.

The likes of Intel alone cannot fix the problem, so chip manufacturers, software developers and device manufacturers (including HP, Microsoft, Apple, Google and Amazon) will have to work together on solutions. As a result, patches are being released by multiple parties, creating some confusion about how to resolve the problem.

Patches released in mid-January are not a panacea, and the problem is expected to be around for some time. Spectre, in particular, is hard to fix and it may be impossible to defend against it entirely in the long term.

There have been concerns about the performance impact of the Spectre and Meltdown patches – in some cases performance has been cut by 30%. The Meltdown and Spectre vulnerabilities exist because chipmakers may sometimes put performance above security. As a result, the fixes (which are software workarounds) may slow down some operations.

Online gaming company Epic Games, for example, reported performance issues with its cloud services after it installed patches for Meltdown. Other companies have reported reboot problems with older processors after applying the updates.

Unusually for a vulnerability, especially one that has not been exploited, Meltdown and Spectre are expected to lead to lawsuits. Intel, for example, already faces a number of class-action lawsuits in the US that cite the vulnerabilities.

Why does it matter?

To date, much of the focus of hackers and cyber security defence has been on software vulnerabilities – for example, hackers using malware to exploit flaws in software and apps. But attention is now turning to the potential to exploit flaws in hardware.

In 2015, researchers uncovered Rowhammer, a bug that enables remote access to a computer’s physical memory chips. More recently a team of researchers used the concept to escalate privileges on laptops – as yet, no solution has been found for this threat.

Researchers, and potentially hackers, could also reverse engineer hardware to discover flaws, while theoretically bugs could be deliberately designed or introduced into a device during manufacturing.

Hardware hacking and cyber security are still in their infancy. But the issue is likely to grow in importance in coming years, with the Internet of Things and growing numbers of embedded devices in all walks of life, from critical infrastructure through to cars and consumer goods.


For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com