Most of the computing devices in use today have two security vulnerabilities in their chips. Learn how this situation evolved, why you should be concerned, and what you can do to protect your business’s devices.
“I need it now” is a common mindset, especially when it comes to computing devices. People want apps to respond immediately, web pages to load quickly, and messages to be delivered instantly.
To meet this need for speed, manufacturers have been designing computer chips that use advanced technologies to optimize chip performance. However, it appears that this high performance has come at a high cost to security. In January 2018, researchers revealed that they found two security vulnerabilities in most of the chips being used in computing devices today.
The vulnerabilities — dubbed Meltdown and Spectre— are not trivial. Hackers could exploit them to steal data from apps installed on a device. Even worse, they could access more sensitive data such as encryption keys and passwords.
To date, there has not been any documented cases of hackers exploiting Meltdown or Spectre. However, the serious nature of the threats and the chips’ widespread use has prompted an alert by the U.S. Computer Emergency Readiness Team (US-CERT), a division within the U.S. Department of Homeland Security. Perhaps more telling is that, despite there being no known attacks, chipmakers have been working with each other and with other companies such as Microsoft and Apple to fix the security holes.
There is a long list of Intel, AMD, and ARM chips that have been confirmed to have the Meltdown and Spectre vulnerabilities. This means that most types of computing devices are susceptible, such as smartphones, tablets, desktop computers, and servers. Similarly, most operating systems are affected, including:
All the affected chips have one thing in common — they use a technology known as speculative execution. To optimize the speed of computer processes, the affected chips speculate what data the computing device will need to perform the next task. During this process, data — including sensitive information such as passwords — is temporarily made available outside of the central processing unit (CPU). Hackers could potentially access the exposed data by exploiting the Meltdown and Spectre vulnerabilities.
While speculative execution is at the heart of both vulnerabilities, Meltdown and Spectre are found in different areas of the chip. Meltdown exists in the chip’s software. If exploited, hackers could access higher-privileged parts of a device’s memory. Spectre exists in the chip’s architecture. Hackers could take advantage of this weakness to steal data from the memory of any app running on the device. Researchers found that they could exploit both Meltdown and Spectre by running a malicious JavaScript file in devices’ web browsers.
The best way to protect your business’s devices from Meltdown- and Spectre-based attacks is updating them. Chipmakers and other affected manufacturers (e.g., Microsoft, Apple) were notified about these vulnerabilities in mid-2017 to give them time to create the necessary patches before information about the weaknesses was officially released. As a result, many patches are already available.
You will need to make sure that the hardware and software of each device is updated. This includes firmware, operating system, and web browser patches, some of which might need to be manually installed. If you have Windows computers that are running third-party antivirus programs, those apps might need to be updated before any of the other patches can be applied.
There are two important points to keep in mind regarding these updates:
Another way you can help protect your business is to provide employee training. To exploit the Meltdown and Spectre vulnerabilities, malicious code needs to be installed on a device. Cybercriminals often use phishing emails for this purpose. Thus, it is important to let employees know about the dangers of clicking links and opening attachments in emails.
Even if you had this discussion with your staff already, it would be a good time for a refresher. In the meeting, you can warn them about the possibility of getting phishing emails urging them to install a Meltdown and Spectre patch on their computers. If they fall for this ruse, they will likely be installing malware.
There is a good chance that every computing device in your business has the Meltdown and Spectre vulnerabilities designed into their chips. Since exploitation of these weakness could lead to highly sensitive data being stolen, it is important to update your devices. We can help you determine the updates needed based on the devices’ chip types and take care of any patches that need to be manually installed.