Chips in computers and telephones appear to have been vulnerable for some time. Clever hackers can steal information via the controller of the semiconductors. Passwords or personal photos and videos – nothing is safe any longer. A feverish search for a practicable solution is ongoing.
Reports on the vulnerability of chips were published this week, although the problem has already been simmering on the web for over six months. There are, in fact, two vulnerabilities. Meltdown, as the data security community is calling the phenomenon, affects only chips from Intel. Spectre is a bug that is more complicated to exploit, but has a wider impact: not only Intel, but also AMD and ARM chips are vulnerable.
“The greatest and most acute threat at the moment comes from Meltdown,” says Bert Hubert, developer of software for websites (PowerDNS) and well-known in data security circles. “I have never experienced anything like this. Linux programmers are working day and night to find a solution. This is so huge and wide-ranging, unbelievable." Meltdown is more dangerous because it creates a simple back door to data on a computer. Or, as Hubert says: “Meltdown gives you a hatch through which you can get into a computer. Spectre is more a sort of crack, and even if you do get your hand through, you are still feeling around in the dark. With Meltdown, on the other hand, the light is on."
According to Hubert, there are a number of reasons why there suddenly appears to be such a big leak in chips. “Until 10 years ago, ‘timing attacks’ in which the speed of memories is used to leak something were still regarded as ‘too academic’. Too difficult to really employ. We now know better. Furthermore, Intel always had a very good reputation, so that no-one really worried about its products. And finally, society has given far more attention to the vulnerability of IT systems since the revelations about the NSA by Edward Snowden. So of course you discover more.”
How does Meltdown work?
In a blog, Hubert explains in simple terms how a possible attack on Intel chips would look. The attack uses the ‘cache’, the temporary memory of a central processing unit (CPU) that operates at super-high speed. In order to enable the CPU to work as fast as possible, it can (if supplied by Intel) look into the future. In so doing, it can also take a quick look at parts of the memory that really should not be accessible. If a line of program code requests, for example, a check of a hidden piece of memory, then the CPU checks very briefly via the cache whether that piece of memory is genuine. That mechanism makes computers faster, but can therefore also be used to make officially inaccessible information accessible. “The code required to exploit this weakness is complicated, but once it has been written, it can be used by anyone. That has now happened. In a test, Google has already achieved a Baud rate of 2000 bytes per second. You have then stolen a password from someone’s computer in no time.”
But the updates have a problem: they modify the way in which a processor requests and processes information. That can lead to computers and servers becoming slower, with enormous consequences. Hubert: “Imagine you have a server that keeps a website in the air and is running at 90 percent capacity. If it suddenly runs 20 percent slower, it can no longer handle the requests from all the website visitors and the whole website crashes. That can happen for a wide range of situations following the update patch.”
How did Meltdown arise?
Intel denies, by the way, that computers will become much slower in normal use. Whether the chip maker is a reliable source in this case is more than questionable, as Intel is of course primarily interested in saving its own skin. “At the moment, Intel is still producing chips that are vulnerable to Meltdown. They don’t want to recall all of them. Furthermore, they will have to modify the whole design of their chips in order to find a definitive solution to this problem. And even then there are already millions of computers in circulation that are vulnerable.”
— Michael Schwarz (@misc0110) 4 January 2018
Furthermore, Hubert believes that the updates for operating systems and browsers are no more than cosmetic. “Now that people know there is a vulnerability in the hardware, literally at the heart of the computer, there will be a host of attempts to overcome the protection offered by the software updates. Meltdown and Spectre make a completely new form of hacking possible.”
In the meantime, the brave men and women responsible for maintenance of the Linux software continue to beaver away. According to Hubert’s latest information, there is now to be a patch that resolves the vulnerability temporarily without computers becoming much slower. “But if you ask us again in an hour’s time, the situation could be totally different. That’s how fast things are changing at the moment.”
If you found this article interesting, subscribe for free to our weekly newsletter!
Image: Flickr, LungStruck
Vond je dit een interessant artikel, abonneer je dan gratis op onze wekelijkse nieuwsbrief.