The Meltdown and Spectre Bug

January 24, 2018

By: Lewis Brisbois' Data Privacy & Cybersecurity Team

2018 kicked off with security researchers finding two serious security flaws in chips used in personal computers and mobile devices. The two flaws or bugs, named “Meltdown” (computers) and “Spectre” (mobile devices), make data stored in individual devices vulnerable to attack by allowing hackers to access and steal passwords, encryption keys, or other sensitive information from the device’s memory[1].

The Meltdown bug allows malicious programs to bypass security measures that would normally restrict access to a device’s memory, which can give hackers access to data or even access to the core functions of a device[2]. The Meltdown bug affects most Intel processors developed over the past 20 years[3]. The Spectre bug, on the other hand, allows malicious programs to steal data from the memory of other applications running on a machine[4]. The Spectre bug is a far more wide-ranging and troublesome flaw, as it not only impacts Intel chips, but also the AMD and ARM processors commonly used in mobile devices such as cellular phones[5].

A hacker may be able to exploit either Meltdown or Spectre by inserting code through a user’s web browser, among other methods[6]. If an attacker did get access to a user’s computer, they would get only small amounts of data from the processor. However, that data could eventually be pieced together to reveal passwords or encryption keys[7]. That means the incentive to use Meltdown or Spectre will most likely be for individuals prepared to plan and carry out a more complex cyber attack[8]. In other words, businesses are more likely to be the targets of one of these sophisticated and targeted attacks.

There do not appear to be any signs that attackers have used either bug to steal data yet[9]. But still, Microsoft, Google, Apple, and other tech companies have already begun providing software updates to address the Meltdown and Spectre bugs[10]. Unfortunately, these are software updates to patch a hardware problem, and the software fix has been shown to impact a device’s performance, slowing down some devices as much as 30 percent[11]. But these updates alone will not be enough to protect businesses from these or similar cyber attacks.

If your business has not performed a security posture assessment or if your business has not developed an incident response plan, the Lewis Brisbois’ Data Privacy & Cybersecurity Team can provide assistance. Our hotline is available 24/7: call 844.312.3961 or email breachresponse@lewisbrisbois.com.

Citations

[1] Sam Schechner & Stu Woo, Tech Giants Race to Address Chip Flaws With a Potentially Vast Impact, The Wall Street Journal (January 4, 2018), https://www.wsj.com/articles/tech-giants-race-to-address-widespread-chip-flaws-1515070427.

[2] Id.

[3] Andy Greenberg, A Critical Intel Flaw Breaks Basic Security For Most Computers, Wired (January 3, 2018), https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/?mbid=BottomRelatedStories.

[4] Id.

[5] Id.

[6] Chris Baraniuk & Mark Ward, Meltdown and Spectre: How Chip Hacks Work, BBC News (January 4, 2018), http://www.bbc.com/news/technology-42564461.

[7] Id.

[8] Id.

[9] Supra, note 1.

[10] Id.

[11] Supra, note 3.