In January 2018, researchers announced a series of major security vulnerabilities, named Spectre and Meltdown, in the microprocessors (central processing unit-CPU), made by Intel, AMD and ARM that are used in all computer systems since the past 15-20 years. Using these vulnerabilities, anyone can steal user data from such systems or devices. While some security experts advise throwing away such microprocessors and buying a new one, there is no guarantee that a new microprocessor will be foolproof. In fact, in the ever changing concepts and practices of security, everything and anything can possibly be hacked.
Many people believe that a microprocessor of chip cannot be hacked or manipulated. An example is the electronic voting machine (EVM). Many security experts have been pointing out that such machines can be manipulated. However, the government and election authorities continue with their stand that ‘all is well’ and that EVMs cannot be manipulated in any way or by any means.
Any device that uses a software code or program to carry out stipulated tasks can be made to perform other permit-able tasks as well. For example, if you have a toy car that is programmed to move in forward direction only, by changing the code in the microprocessor, it can be made to move in reverse, or in any other, direction. The vulnerability of Spectre and Meltdown is nothing but a set of specific instructions that can be re-arranged to perform different tasks. All microprocessors come with their own set of instructions that help them to improve performance or carry out pre-designed tasks. An unprivileged, local attacker could exploit these vulnerabilities by executing arbitrary code and performing side-channel attacks on a targeted system. Successful exploitation of these vulnerabilities could allow the attacker to gain access to sensitive information, including accessing virtual memory and CPU cache contents.
While these flaws were known and have been circulating among all major information technology (IT) companies, the exposé by the researchers has made everyone scrambling for answers. According to noted security expert, Bruce Schneier, microprocessor designers have been building insecure hardware for 20 years, but what is surprising is that it took 20 years to discover it. ‘In their rush to make computers faster, they were not thinking about security. They did not have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors,’ he says.
Since all major chip-users like PC-makers and mobile manufacturers have the capability and capacity in terms of money and manpower, they will definitely provide the required patches for the chips. However, we need to worry more about other devices, like webcams, digital recorders and routers used mainly in homes. The reason is that these devices are designed and produced with much less engineering expertise for keeping the costs and margins at a lower level. So, these manufacturers may not have any security team that can provide the patch for the chips used in these devices. In addition, there is hardly any mechanism available to push security patches in such devices.
The vulnerabilities in chips or CPUs are not normal. So, you cannot say ‘I have updated firmware or patched my system or device and I will not face any issue or attack’. Patching a system or updating firmware can only make sure that you are protected from the current threat. But the danger will not go away so easily. Vulnerabilities of Spectre and Meltdown will continue to remain there for hackers to exploit.
Spectre and Meltdown only affect confidentiality of data. However, new (discovered) vulnerabilities can allow attackers to delete or manipulate data across chips. Some of it may make chips that are controlling our cars or home security devices or webcam or medical devices very dangerous for users. Unfortunately, several trends from IT industry are converging in a way that would make patching security vulnerabilities or updating firmware harder to implement.
So what is the solution? You need to contact the CPU vendor and check if they have made any patches for the vulnerabilities. If it is available, then download and apply it as soon as you can.
