We’ve witnessed firsthand the overconfidence of security professionals. Even with the growing number of compromises and data breaches, security professionals assume they cannot be victims. When we’ve asked the question, “What if there’s something we don’t fully understand?” we’ve often been laughed at and responded with, “Security is covered.”
Unfortunately for consumers, Meltdown and Spectre prove our point – they have been weaknesses for many years and security professionals did not know about these. In the time that people trusted their data to professionals, these compromises have existed. In other words, what people didn’t know actually potentially caused harm. No one is absolutely sure if either of these were ever discovered by someone seeking to compromise systems. While we’ve seen compelling evidence on either side that this has or has not been used, we believe the main point is that no security professional knows everything. This must be assumed in any design.
Meltdown and Spectre involve speculative execution and shared memory. In a brief summary, processors have been able to speculate about which information it may need before requested. This information is stored in the CPU cached memory. Hackers can then compromise shared memory or get the device to load private information. These issues occurred because of hardware-near functionality and the execution methods involved. The worst news of all of this? These have been allowed for years, as chips produced my manufacturers were vulnerable to these. This means that users and companies have been using machines that have been compromised for years.
Spectre allows for a broad range of attacks, while Meltdown’s attack range is limited, but still potent.
These compromises affect more than just computer devices from systems running Windows to Linux to Apple. These also affect mobile devices and cloud infrastructure. AMD and Intel have both stated that they are working to correct these vulnerabilities in future development. For current equipment, security patches are being released and everyone has been advised to install the latest updates.
To state this is one of the most dangerous compromises in tech history is an understatement. Not only have these existed for years without anyone catching them (and we’re not sure if advanced hackers did), consumers and businesses have been implementing solutions while a compromise lurked in all of their systems. This also raises concerns about the open source community as well – people assume that other people are investigating problems, but do they have any evidence of this? These compromises show the danger of the security community’s diffusion of responsibility in regards to open source tools – “everyone else is looking at the problem.”
About five years ago, several of our team issued warnings about security and development. One of our concerns at the time cautioned developers on design and complexity. Developers build without understanding entire systems and they add complexity without considerations of systemic weakness. At the time, these went largely ignored. Meltdown and Spectre both show that ignorance carries significant costs. In addition, a lack of reflection about design prior to implementation may result in major costs later.