Chips in computers and telephones appear to have been vulnerable for some time. Clever hackers can steal information via the controller of the semiconductors. Passwords or personal photos and videos – nothing is safe any longer. A feverish search for a practicable solution is ongoing.
Reports on the vulnerability of chips were published this week, although the problem has already been simmering on the web for over six months. There are, in fact, two vulnerabilities. Meltdown, as the data security community is calling the phenomenon, affects only chips from Intel. Spectre is a bug that is more complicated to exploit, but has a wider impact: not only Intel, but also AMD and ARM chips are vulnerable.
“The greatest and most acute threat at the moment comes from Meltdown,” says Bert Hubert, developer of software for websites (PowerDNS) and well-known in data security circles. “I have never experienced anything like this. Linux programmers are working day and night to find a solution. This is so huge and wide-ranging, unbelievable." Meltdown is more dangerous because it creates a simple back door to data on a computer. Or, as Hubert says: “Meltdown gives you a hatch through which you can get into a computer. Spectre is more a sort of crack, and even if you do get your hand through, you are still feeling around in the dark. With Meltdown, on the other hand, the light is on."
According to Hubert, there are a number of reasons why there suddenly appears to be such a big leak in chips. “Until 10 years ago, ‘timing attacks’ in which the speed of memories is used to leak something were still regarded as ‘too academic’. Too difficult to really employ. We now know better. Furthermore, Intel always had a very good reputation, so that no-one really worried about its products. And finally, society has given far more attention to the vulnerability of IT systems since the revelations about the NSA by Edward Snowden. So of course you discover more.”
How does Meltdown work?
In a blog, Hubert explains in simple terms how a possible attack on Intel chips would look. The attack uses the ‘cache’, the temporary memory of a central processing unit (CPU) that operates at super-high speed. In order to enable the CPU to work as fast as possible, it can (if supplied by Intel) look into the future. In so doing, it can also take a quick look at parts of the memory that really should not be accessible. If a line of program code requests, for example, a check of a hidden piece of memory, then the CPU checks very briefly via the cache whether that piece of memory is genuine. That mechanism makes computers faster, but can therefore also be used to make officially inaccessible information accessible. “The code required to exploit this weakness is complicated, but once it has been written, it can be used by anyone. That has now happened. In a test, Google has already achieved a Baud rate of 2000 bytes per second. You have then stolen a password from someone’s computer in no time.”
As soon as Meltdown had become public, chip maker Intel went onto the defensive. According to the company, the vulnerability was described in the manual, for example, and the solution to the problem was already available. This last statement is true, at least technically: browsers ensure that JavaScript can no longer execute large programs, and it’s precisely these that are necessary to break into a computer via a website using Meltdown. And practically all the operating systems (Windows, Linux, OS X, etc.) have updates ready to counter the effects of Meltdown.
But the updates have a problem: they modify the way in which a processor requests and processes information. That can lead to computers and servers becoming slower, with enormous consequences. Hubert: “Imagine you have a server that keeps a website in the air and is running at 90 percent capacity. If it suddenly runs 20 percent slower, it can no longer handle the requests from all the website visitors and the whole website crashes. That can happen for a wide range of situations following the update patch.”
How did Meltdown arise?
The bug in Intel chips has existed since 1995, at least according to IT website The Register. “At that time, very few people saw it as a bug. The only thing you could do with it was to hack a computer. Cool, but not very dangerous,” says Hubert. No-one could imagine at that time that the sharing of a computer would become commonplace. Networks, the cloud, the visiting of websites – all phenomena with which others have access to (a portion of) the personal computers. “Added to this was the fact that JavaScript, originally an amusing add-on for websites, gained increasing functionality over time. Nowadays even complete programs can run on JavaScript. And then the attacking of vulnerable chips suddenly becomes easier.” In short: a series of developments now appears to be reaching an apotheosis that suddenly makes a huge proportion of computers, smartphones and tablets on earth vulnerable. And by the way, Meltdown has been known for over six months when a researcher published a blog reporting that he had almost succeeded in getting inside a system via the hardware. Since that moment, the parties involved have been working on a solution, with Google as the major driving force behind the work.
Intel denies, by the way, that computers will become much slower in normal use. Whether the chip maker is a reliable source in this case is more than questionable, as Intel is of course primarily interested in saving its own skin. “At the moment, Intel is still producing chips that are vulnerable to Meltdown. They don’t want to recall all of them. Furthermore, they will have to modify the whole design of their chips in order to find a definitive solution to this problem. And even then there are already millions of computers in circulation that are vulnerable.”
Using #Meltdown to steal passwords in real time#intelbug#kaiser#kpti /cc@mlqxyz@lavados@StefanMangard@yuvalyaromhttps://t.co/gX4CxfL1Axpic.twitter.com/JbEvQSQraP
— Michael Schwarz (@misc0110) 4 January 2018
Furthermore, Hubert believes that the updates for operating systems and browsers are no more than cosmetic. “Now that people know there is a vulnerability in the hardware, literally at the heart of the computer, there will be a host of attempts to overcome the protection offered by the software updates. Meltdown and Spectre make a completely new form of hacking possible.”
In the meantime, the brave men and women responsible for maintenance of the Linux software continue to beaver away. According to Hubert’s latest information, there is now to be a patch that resolves the vulnerability temporarily without computers becoming much slower. “But if you ask us again in an hour’s time, the situation could be totally different. That’s how fast things are changing at the moment.”
If you found this article interesting, subscribe for free to our weekly newsletter!
Image: Flickr, LungStruck
Nieuwsbrief
Vond je dit een interessant artikel, abonneer je dan gratis op onze wekelijkse nieuwsbrief.