In early January, it was revealed that nearly every computer chip made in the past 20 years contains fundamental security flaws called Spectre and Meltdown. Both bugs use a side-channel analysis attack, where malicious code can let attackers see information stored in a computer’s central processing unit (CPU).
This is a big deal! Virtually everyone is impacted by these security vulnerabilities. And to make matters worse, if you have been the victim of a Meltdown or Spectre attack, you probably wouldn’t be able to detect it.
Cybercriminals could steal sensitive data such as passwords, personal photos, emails, instant messages, banking information and business-critical documents. The bugs have been found in processors designed by Intel, AMD and ARM, and affect everything from smartphones, PCs, tablets and TVs to cloud computing. It’s still unknown if Meltdown and Spectre have been abused in the wild.
So how did this happen? In the early 1990s, in an effort to improve computer processing speed, computer chip engineers started using a process called “speculative execution,” where computers try to guess what users will likely do next.
“It’s something like a salesperson who sees a man pick out a pair of slacks in a store and so grabs a belt and a jacket that match because they might be what he looks for next,” USA TODAY explains. Chipmakers prioritized speed and performance, but at the expense of security.
“In the computer, it could be that you go to the banking section of your password management program. The speculative execution function then pulls all your banking passwords into the protected memory portion of the CPU because it’s making a good guess you’ll ask for that next. Meltdown allows full access to the protected memory space, so it’s potentially more dangerous,” USA TODAY writes.
Researcher Daniel Gruss of Graz University of Technology said Meltdown is “probably one of the worst CPU bugs ever found.” Intel has been the most heavily affected, and has issued updates for most of the CPUs that have been introduced in the past five years. Intel CEO Brian Krzanich recently wrote an open letter pledging to be more transparent about CPU, security, and performance.
While patches are available, WIRED reports that many of these fixes are slowing down servers and causing other problems: “Millions of Windows PCs and servers around the world, even those that are just a few of years old, could get noticeably more sluggish — as much as 20 percent slower in some cases. Intel also published benchmark and user data… which similarly shows deeper losses for older generations of silicon.”
Meltdown and Spectre were independently discovered and reported by Google’s Project Zero team and several researchers from different countries and universities. The two major bugs were found among the researchers concurrently.