Most of the computing devices in use today have two security vulnerabilities in their chips. Learn how this situation evolved, why you should be concerned, and what you can do to protect your business’s devices.
“I need it now” is a common mindset, especially when it comes to computing devices. People want apps to respond immediately, web pages to load quickly, and messages to be delivered instantly.
To meet this need for speed, manufacturers have been designing computer chips that use advanced technologies to optimize chip performance. However, it appears that this high performance has come at a high cost to security. In January 2018, researchers revealed that they found two security vulnerabilities in most of the chips being used in computing devices today.
The vulnerabilities — dubbed Meltdown and Spectre— are not trivial. Hackers could exploit them to steal data from apps installed on a device. Even worse, they could access more sensitive data such as encryption keys and passwords.
To date, there have not been any documented cases of hackers exploiting Meltdown or Spectre. However, the serious nature of the threats and the chips’ widespread use has prompted an alert by the U.S. Computer Emergency Readiness Team (US-CERT), a division within the U.S. Department of Homeland Security. Perhaps more telling is that, despite there being no known attacks, chipmakers have been working with each other and with other companies such as Microsoft and Apple to fix the security holes.
Affected Chips, Devices, and Operating Systems
There is a long list of Intel, AMD, and ARM chips that have been confirmed to have the Meltdown and Spectre vulnerabilities. This means that most types of computing devices are susceptible, such as smartphones, tablets, desktop computers, and servers. Similarly, most operating systems are affected, including:
All the affected chips have one thing in common — they use a technology known as speculative execution. To optimize the speed of computer processes, the affected chips speculate what data the computing device will need to perform the next task. During this process, data — including sensitive information such as passwords — is temporarily made available outside of the central processing unit (CPU). Hackers could potentially access the exposed data by exploiting the Meltdown and Spectre vulnerabilities.
How to Protect Your Business’s Devices
The best way to protect your business’s devices from Meltdown- and Spectre-based attacks is updating them. Chipmakers and other affected manufacturers (e.g., Microsoft, Apple) were notified about these vulnerabilities in mid-2017 to give them time to create the necessary patches before information about the weaknesses was officially released. As a result, many patches are already available.
You will need to make sure that the hardware and software of each device is updated. This includes firmware, operating system, and web browser patches, some of which might need to be manually installed. If you have Windows computers that are running third-party antivirus programs, those apps might need to be updated before any of the other patches can be applied.
There are two important points to keep in mind regarding these updates:
- The patches will likely do a good job at mitigating the Meltdown threat because it is a software-based weakness. However, some analysts are not as confident that the Spectre patches will work well because that vulnerability exists in the chip’s architecture. They fear that a chip redesign might necessary to eliminate the problem. Only time will tell if the Spectre patches will work.
- The updates will likely slow down your devices’ processing speed. The extent of the slowdown will depend on many factors, such as a device’s operating system, the size of the workloads being run, and the chip’s model and age. In general, devices with higher workloads, older chips, and older operating systems will see greater hits in performance.
Another way you can help protect your business is to provide employee training. To exploit the Meltdown and Spectre vulnerabilities, the malicious code needs to be installed on a device. Cybercriminals often use phishing emails for this purpose. Thus, it is important to let employees know about the dangers of clicking links and opening attachments in emails.
Even if you had this discussion with your staff already, it would be a good time for a refresher. In the meeting, you can warn them about the possibility of getting phishing emails urging them to install a Meltdown and Spectre patch on their computers. If they fall for this ruse, they will likely be installing malware.
The Stakes Are High
There is a good chance that every computing device in your business has the Meltdown and Spectre vulnerabilities designed into their chips. Since exploitation of this weakness could lead to highly sensitive data being stolen, it is important to update your devices. We can help you determine the updates needed based on the devices’ chip types and take care of any patches that need to be manually installed.