Computer Chip Design Flaw Reveals Major Security Issues for Billions of Users

Design flaws “Spectre” and “Meltdown” affect billions of computers.

If you have purchased a computer in the past fifteen (15) years, chances are it is affected by two major design flaws that could seriously impact the internal security of your computer system, down to its core.

Modern-day computers engage in ‘speculative execution,’ a function that allows a computer chip to guess what information the computer needs to perform its next function. This allows a computer’s processes to run faster and more efficiently. As the chip guesses, however, that sensitive information is easier to access at that particular moment in time.

The design flaw lets an attacker exploit that function and essentially view the inside of the computer’s most sacred system, or brain, known as its ‘kernel memory’. This is memory dedicated to the most essential core components of an operating system and how it interacts with the computer’s hardware.

“It’s like giving an attacker x-ray vision into a safe and they can see what’s inside” —Bryce Boland, FireEye Cybersecurity Expert

Spectre and Meltdown Trickle Down to Billions of Devices

One of the flaws, dubbed ‘Spectre,’ allows attackers to convince or trick the processor into starting the ‘speculative execution’ process. This in turn allows the attacker(s) to read coded and confidential data the computer chip makes available while, at the same time, attempting to guess what function the computer will carry out next. Specifically, this affects almost all desktops, laptops, smartphones, and cloud servers. Reports have already confirmed that Spectre affects Intel, AMD, and ARM processors. The flaw was discovered independently by Google’s Project Zero and independent researcher Paul Kocher.

The other flaw, ‘Meltdown,’ allows attackers to access the coded and confidential information through a computer’s operating system (OS): Microsoft Windows, Apple Sierra, and Linux. This also affects devices connected to cloud servers. Meltdown was independently discovered by three groups: researchers from the Technical University of Graz in Austria, German security firm Cerberus Security, and Project Zero.

What Are Experts Saying?

Rumors indicating that Spectre and Meltdown are limited strictly to Intel processors have been proven to be unfounded. In actuality, the issue is so widespread because the chips used in manufacturing Microsoft, Apple, Amazon, and Google devices all share a similar design structure. Reports are indicating that almost every device manufactured in the past fifteen years is vulnerable.

  • The Software Engineering Institute, a U.S.-government funded body that researches cyber-security problems, responded to the issue, stating that fully resolving these vulnerabilities requires replacing the affected and/or vulnerable hardware entirely. This can be expensive and difficult. For more information from the SEI, read their latest statement here.
  • U.S. Computer Emergency Readiness Team has recommended that users read the statements and advice offered online by software vendors like Microsoft, Apple, Google, and Mozilla.
  • U.K.'s National Cyber Security Center even advised agencies and organizations to install patches and updates as soon as they become available.

What Is Currently Being Done to Resolve?

So, what are vendors like Microsoft, Apple, Google, and Amazon doing?

Windows Users

On Wednesday, Microsoft announced it released a security update in hopes of mitigating the two bugs. For those users running on Windows 10, the update should automatically download and install. However, it may be smart to still go into your PC’s settings.

To make sure your system is protected, go to Settings > Update & security to check and see if the security fix is waiting in your update queue. If not, click on Update history or View installed update history to see if it was already installed. Depending on when you last updated Windows 10, the hotfix might have one of a variety of different names, but you're looking for Security Update for Windows (KB4056892) if you have the Fall Creators Update already installed. 

Android Users — On January 5th, Google will release a new security update which will attempt to mitigate the flaw on its Android-based smartphones. This is only the beginning of the future updates Android will release. On Google-branded devices like the Nexus and/or Pixel, the phone should automatically download the update and the user need only install. Still, it can’t hurt to go into your settings and check for updates.

Mac Users

Apple released a statement Thursday informing consumers that it has already rolled out updates as early as December 6th for these flaws. These updates are available for iMacs, MacBooks, and Mac Mini, as well as the latest software, Mac OS High Sierra 10.13.2. For assistance in downloading the update, tap the Apple menu button in the upper-left hand corner of your screen and select About this Mac to see if you've got the latest version. If not, you may want to open the App Store application, click on the Update tab and update your operating system. 

  • iPhone Users — For those consumers with an iPhone or iPad, Apple has suggested they install the latest iOS version 11.2 on their device. While this software update already has some fixes and mitigations, it plans on releasing future updates containing more protections as the software is tightened. To check whether you are running iOS 11.2, go to Settings > General > About and look for Version to verify you're on 11.2 or later. If not, you can probably go to Settings > General > Software Update to download the latest version. 

Google Chrome Users—Google announced Thursday that on January 23 it will make a new version of Google Chrome available, which will include fixes to help protect the device from attacks. For those users who will be awake at night haunted by the potential attack on their device(s), Google has released a “beta” feature called ‘Site Isolation’, which allows the user to ‘opt in’ and, in a sense, allow their device to update.

To turn on Site Isolation on Windows, Mac, Linux, Chrome OS or Android:

  • Type or copy-paste chrome://flags/#enable-site-per-process into the URL field at the top of your Chrome web browser, then hit the Enter key.
  • Look for Strict Site Isolation, then tap or click the box labeled Enable.
  • If your work is saved, hit Relaunch Now. Otherwise, save your work, then quit and relaunch Chrome.

For Chrome on iOS (iPhone, iPad), Google says Apple will deliver any necessary fixes in its upcoming update.

Smart Devices/Home Assistants

  • Apple TV—Apple has announced it has already released fixes into its current update for Apple TV users. To be sure your Apple TV has received the most recent update with the latest fix, go to Settings > System > Software Updates and pick Update Software.
  • Apple Watch—Apple indicated the Apple Watch is NOT affected by Spectre or Meltdown.
  • Google Home—Google has announced that its consumer products, specifically its automated home assistant, have NOT been affected by the bugs.

Cyber-security expert Bryce Boland told CBS Wednesday that this isn’t a simple fix: it’s going to take multiple patches, multiple updates, and the potential replacement of computer hardware. This can be a very expensive process. Today’s market, in which computer systems have been designed to be faster and more efficient, has also brought to light this design vulnerability, which wasn’t as easily exploitable with older systems and processors.

With technology, there is always a dark side and a light side. A yin and a yang.

____________________________________________________________________________________________

Andrew Rossow is a Tech Contributor for The Huff Post and a practicing Internet Attorney Cyberspace in Dayton, Ohio. Rossow is also an Advisory Panelist with The CyberSmile Foundation and a Legislation Committee Member with Ohio Attorney General Mike DeWine’s “CyberOhio Initiative.”

To stay updated on Rossow’s publications, please follow his #CYBERBYTE on Twitter at @RossowEsq and his official FB page at @drossowlaw.

This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site.