With the new year just beginning, the computer security industry is already facing two massive threats. Both are critical design flaws in a micro-processing chip design — the “brain” of an electronic device — which allow attackers to access information that is being processed on the computer.
The first one, dubbed “Meltdown,” is a design flaw specific to Intel chips. Meltdown, while isolated to Intel chips, is the easier of the two design flaws to exploit, and can therefore be used by any attacker wanting to cause some trouble.
With Meltdown, all a hacker has to do is rent space on a service like the cloud, just like business computers do, and then steal passwords and other sensitive information.
A patch is already being worked on to fix this issue — dubbed “KAISER” — but it is estimated to slow performance speeds on devices up to 30 percent. Benchmark tests suggest that most computer users will only see a minimal impact on performance speeds, though.
The second design flaw, “Spectre,” exists as a flaw in the basic approach to processing chip design. Since a chip acts as a PC’s, laptop’s, mobile device’s or cloud server’s “brain,” in recent years designers have been focusing on improving the speed of these devices.
Basically, the question of speed versus security led chip designers to improve the performance speed of electronic devices and Cloud servers, but allowed for sloppy designs from a security standpoint.
Spectre, while harder to exploit (due to more sophisticated code needed), affects most electronic devices now on market. If a device was built in the last decade, it is likely subject to being exploited.
So, what’s the big deal?
While technology companies like Google have already updated to defend against Meltdown, other companies are currently rushing to implement patches and updates.
Spectre, on the other hand, is not so simple to fix. It is unlikely that companies will recall the affected chips, due to the manufacturing and economic impacts such a recall would have. The most-likely solution is for customers to do their own risk assessments, and for patches and updates to be implemented from operating system vendors and hardware vendors.
This also means that customers need to wait for new, secure chips to hit the market, and as of now it is unclear when that will be.
As college students, these security risks are a frightening facet of living in the information and technology age.
Many assignments are either saved onto a laptop or other mobile device, or saved onto Canvas and the cloud.
With these design flaws and security issues, any of these places can be attacked and have their data stolen.
Additionally, attackers are able to gain access to passwords and other secure information.
SPU CIS helpdesk Chief Information Officer Micah Schaafsma has sent the following general statement regarding these issues:
“[Meltdown and Spectre] are hardware bugs that allow programs to steal data that is currently being processed on a computer. This could include passwords, encryption keys, emails, or other sensitive information. These flaws affect nearly all computing devices made since 1997.”
Schaafsma also states that “Patches for most common devices and software are already available,” and reminds students that although these vulnerabilities are bad, the most important thing you can do to protect yourself from these bugs is to have your device automatically install security updates.
The implications of these attacks reach beyond the college institution, though.
Power grids, government servers and computers, online banking accounts and currency are subject to exploitation and theft. Schaafsma believes that individuals are less likely to be exploited, while attackers are more likely to target “companies or critical infrastructure systems.”
While the desire for faster performance speeds in a fast-paced society is understandable, opening up our economy, our security, our careers and our education to a figurative and literal “factory data reset” is not.
Chip designers must now update their designs in order to make it safer, even if that means slowing down the processing speed.
Considering the extent to which these designs can be exploited, it should be evident that Meltdown and Spectre are not the end of the world.
Economies have not crashed. Businesses have not been wiped out overnight. Governments have not shut down.
In short, there is still hope that designers will learn from these mistakes and that we can move past these flaws with minimal issues.
Perhaps all this can be a learning experience, albeit a scary one, in the lesson of “safety first” and both speed and security can be increasingly valued in this age of technology.