There’s a dangerous, fundamental flaw built into pretty much every computer on the planet — a flaw that could allow attackers to access even the most secure information on your computer. That flaw has existed for more than two decades. And we’re just finding out about it now.
These vulnerabilities are actually two separate exploits, one called Meltdown and the other called Spectre. They’re both major headaches that take advantage of computing concepts so basic it’s going to require processors to be redesigned, and you’re likely going to hear a lot more about them over the next few weeks — and possibly over the next few years. Here’s what you need to know.
Am I affected by this?
Almost assuredly yes. The chips affected are used in just about every device out there, from laptops to phones to tablets to your TV set. The flaw dates back to, at least, nearly every Intel chip made since 1995, as well as many AMD and ARM chips. Between all that, I’d be willing to to bet my next paycheck you’ve got something in your house, pocket, or office that’s affected.
So what are these vulnerabilities?
Both exploits are aimed at the “kernel,” an essentially invisible part of your device’s operating system that is perhaps the most vital software component on your computer (or phone or tablet). It’s the go-between for all of your applications and basic parts of your computer: the processor, the memory, and the device itself (think your keyboard and touchpad on a laptop, or the power button on your phone).
The kernel does a lot of stuff that we won’t get into here, but one of the most basic and primary functions is keeping the data in one program from being read by another. You don’t necessarily want Spotify to have access to your email client — and when you do want to use your email client to send a Spotify song to a friend, it’s the kernel that takes over and passes that information along.
Both the Meltdown and Spectre exploits can be used by malicious users to get at sensitive data stored in the memory of other running programs — everything from passwords and credit card information to emails and photographs. And unlike traditional malware which operates like an application, kernel exploits can’t be seen by antivirus software or in system logs. We know that these vulnerabilities exist, but so far there’s no way to know if anyone has actually used them. It’s legitimately scary stuff.
So, wait, how do these exploits work?
One of the foundations of modern processing is something called “speculative execution.” This means that a computer will do some work before it’s needed, on the chance that you’ll need it in the near future. If you do end up needing that work, it’s already done and prevents a delay. If not, oh well — the benefit of having the work preloaded outweighs the times when it’s not needed, especially because modern processors are smart enough to learn over time what you’re likely to do, and keep a cache of all those possible outcomes in their memory.
Imagine buying a coffee at the corner store. You’re pretty sure it’s gonna cost a $1.25 so you fish out a single dollar bill and a quarter while your order is being rung up so the clerk doesn’t have to make change, therefore speeding the whole process up. If it turns out the price of coffee has changed, or there’s some sales tax you forgot to factor in, you pull out some more dollar bills or a different set of coins — no harm, no foul.
Now imagine you’re Parvati, the Hindu goddess with many arms and many hands, but still shopping at the corner store. (Even Hindu goddesses of fertility need to shop somewhere). You’re also extremely busy and constantly running late, so you try to speed things up whenever possible. When you enter the store, you could hold a dollar and a quarter in one hand, a single dollar in another, exactly 89 cents in another hand, two singles in another hand, and so on, and then also have your credit card out in case the place for some reason doesn’t accept cash.
When it’s your turn to pay, you’ve got all these different bundles of bills and coins and your credit card clutched in your many different fists. If you weren’t in such a hurry, you could present just the one hand with the correct amount of money to the clerk. But you’ve gotta hurry, so you thrust everything forward. The clerk takes the correct amount of money from you. But if the clerk is a bad actor in all of this, they could also easily jot down your credit card number while taking that $1.25 from you. You leave with a coffee, and the clerk has your credit card number.
Overall, your life is much much better because you have a ton of hands that allow you to do many things much faster. But now you live in a world where someone can, if they so choose, take a peek at everything you’re carrying around — and the only way to stop that from happening is to slow down.
So Meltdown and Spectre allow people to see my credit card information?
Yep! Or really anything you enter into your computer’s memory — which is to say, anything you do on your computer. Passwords, credit card numbers, Social Security numbers, you name it. Neither Meltdown nor Spectre allow a bad actor to change anything on your computer; someone can’t infect your computer with malware or install a keylogger. But they can glean enough information that they could later use to install malware on your computer, or just grab personal information that you’d probably rather not have out in the wild.
Meltdown is a very scary name.
It really is! It’s called that because it basically melts down the built-in security between programs on your computer, and it affects essentially every Intel chip made since 1995 (which means about 90 percent of all devices). Here’s someone using the Meltdown exploit in real-time to grab a password:
But while Meltdown is the more aggressive threat, patches have been released for Windows, Mac, and Linux machines already, as well as patches for Firefox and Internet Explorer, and more are on the way. Make sure to update your machine, and you should be protected.
That said, the patch is going to hurt — estimates are that it will slow down computers from 5 to 30 percent. Whether this will actually affect you depends on what you use your computer (or smartphone or tablet or any other processing device) to do.
Things like cloud computing will get hit heavily, while something like rendering a video file not so much. Researchers are still figuring out what exactly will get hit, but there’s little doubt that fixing Meltdown will cause some sort of slowdown for anyone affected.
So is Spectre not as big a deal?
Spectre isn’t nearly as aggressive as Meltdown. If Meltdown allows you to crack open someone’s diary and read it at will, Spectre is more akin to something that lets you flip open a random page in someone’s diary and read one word at a time, and then flip to another random page and read one more word. It’s not at all impossible to still get some very sensitive information, but it takes longer and requires more persistence.
But Spectre will ultimately end up being the bigger issue. While Meltdown can be patched via a software update and only affected Intel chips and possibly ARM chips, Spectre affects Intel, AMD, and ARM chips, and can’t be completely fixed via a software patch. You can patch against known exploits for Spectre, but those can only be done on a case-by-case basis. This means the only way to completely fix the problem is a hardware update — that is to say, replacing the processor itself. For consumers who tend to cycle through devices somewhat regularly this is a hassle but will go away over time, but large, slow-moving organizations (which tend to be the big juicy targets for hacks like this) take a lot longer to cycle through their hardware. The effects of Spectre could be felt for decades.
So basically every computer in the world is broken for the foreseeable future?
To quote Reverend Lovejoy: Short answer, “yes” with an “if.” Long answer, “no” with a “but.”
We’re likely looking at a world where there are pre- and post-Spectre processors. The lead time for new processors is measured in years, so there aren’t going to be quick fixes. There will be continuous software patches as new Spectre vulnerabilities are found in the meantime.
But the root of the problem for both Meltdown and Spectre is one of unforeseen consequences. Guessing what your computer is going to need to do next is a tremendously clever and relatively cheap way to speed up processors, and once it was discovered, Intel pushed aggressively to see how far they could go with it. (This is why Meltdown has hit Intel so hard.)
Designing processors and computers is an extremely difficult and extremely expensive proposition, and the market incentive for manufacturers is always going to be speed, not security. Even after Spectre disappears from the landscape, it’s a near certainty that some other vulnerability will show up on the scene.
Who first discovered these exploits?
Google’s Project Zero, led by Jann Horn, has done the most thorough documentation of both Meltdown and Spectre, but researchers including Daniel Gruss, Moritz Lipp, Yuval Yarom, Paul Kocher, Daniel Genkin, Michael Schwarz, Mike Hamburg, Stefan Mangard, Thomas Prescher, and Werner Haas all worked on the problem.
If this has been an issue since 1995, why is it only coming out now?
Really good question! Short answer: This is a crazy and complex problem, and it’s really only because companies like Google and academic researchers have the time and resources to specifically search for bugs like this that we even know about Meltdown and Spectre. Usually exploits are discovered when someone catches a piece of malware out in the wild and studies it under a microscope — but there hasn’t been a case of Meltdown or Spectre being used in the wild that we know of, and even if it has been, it’s unlikely we’d even know about it. There’s also the fact that that there’s very little financial incentive for anyone to figure this out — this is going to cost a lot of people a lot of money.
So what can I do?
As an average user, just follow the same basic best practices you should have been doing for years now. Update your OS when you’re asked to and don’t download weird stuff.
Meltdown and especially Spectre are going to be a tremendous pain in the ass for people who work in specific technical industries and fields — everyone at Intel is in for a crappy 2018. The rest of us just have to wait for everything else to sort itself out.
What if I want to know more?
The best place to start is one of the places that first documented the vulnerability: Google’s Project Zero. For a more down-to-earth explanation, SpectreAttack.com is a good digest of the information out there.