Meltdown and Spectre are wake-up calls for the tech industry
But it could be worse.
It's not hyperbole to say that Meltdown and Spectre CPU vulnerabilities are a disaster. They affect pretty much every processor used over the past two decades and practically every device. In the right hands, they could reveal things like passwords and other secure information. While many companies have rushed to patch against Meltdown, which specifically affects Intel chips and lets hackers access the memory of apps being used by an operating system, Spectre is more stubborn. It won't be fully resolved until chip makers move to new architectures -- a process that could take years.
While these are some of the most critical exploits the computing world has seen, their existence has made it clear that, in extreme cases like this, technology companies have to work together. That's not exactly news to the collaboration-focused security research community, which initially discovered the vulnerabilities and alerted affected companies. But now, even major competitors are being forced to tackle this issue together to avoid a potential computing apocalypse.
"The chip companies and the OS vendors are doing a pretty good job of handling this," Jack Gold, president of the strategic consulting firm J. Gold Associates, told Engadget. "The fact that Intel, AMD and ARM were all working in unison on this, which they never really do, bodes well for the industry as everyone tries to mitigate this potential threat."
Both exploits rely on the use of "speculative execution" in modern chip architecture, which is one way manufacturers speed up performance. The technique lets processors perform some potential work ahead of time, giving them the leg up in case that's something you need them to do. They could be used to access memory locations, which we previously thought were protected, and get any potentially secure information that they hold.
Notably, though, they don't let hackers access information on storage devices like hard drives. And, as Gold notes in a report, it might also be tough for them to access the on-memory data in the first place, since "it requires understanding the relationship between data locations which are highly variable and actual data content, and requires a good amount of processing/decoding." Basically, while these exploits are potentially serious, it's currently tough for someone to use them easily.
By next week, Intel says it'll have patched 90 percent of its affected CPUs released within the past five years. ARM has released patches for several of its chips affected by Spectre, and AMD says there is "near zero risk" to its products at the moment. Microsoft, Google, Apple and the Linux community have also released patches to protect against Meltdown. There could be a potential performance hit for Intel users, but the company says it will be "highly workload dependent" and not noticeable to typical users. Researchers, meanwhile, speculate the patches could reduce CPU speeds by up to 20 to 30 percent, something that could severely cut into your rendering time or game performance.
Paul Kocher, an independent researcher who worked with the teams at Google Project Zero and Rambus, which initially found the exploits, told the New York Times that Spectre is an example of how the technology industry is emphasizing speed over security. But Gold rejects that assertion:
"It was an issue of designing an architecture into the chips that no one foresaw could be exploited effectively," he said. "Both the chip and OS took pains to try and make the kernel memory protected and secure, but in this case, others found a way around that. The fact that there are no known cases of this exploit in the wild means that for many years, this was assumed to be a secure implementation. Don't forget that Intel and others have been using this same basic architecture for decades, and it's just now coming to light that there may be a problem. It means that this is a pretty hard, esoteric vulnerability to discover."
As long as you update your personal devices, you likely won't have to worry about these exploits much. The situation is tougher for cloud computing providers like Google, Amazon and Microsoft, since a hacker could conceivably use Meltdown to access information from other clients on a shared server. Google says it's already deployed two techniques against the exploit on its servers, and so far it's seen a "negligible" performance impact. Microsoft has patched its Azure servers, though some users in Western Europe are now reporting issues with their virtual machines. And Amazon Web Services was also quick to secure its systems, but some of its customers are also reporting slowdowns.
True to its name, Spectre will haunt the technology world for years. Cloud providers, in particular, will have to remain vigilant against potential attacks. At this point, almost every consumer service relies on the cloud in some form -- it's simply too expensive and inconvenient to manage your own server hardware. Instead of rushing to deliver the fastest chips possible, the next race for Intel, AMD and ARM is to come up with new architecture that will bust Spectre for good.
