Spectre and Meltdown: BYOD (burn your own device)


Well, not quite burn them, but ‘throw them away and buy a new one’ is about the extent of the advice we’ve had so far. If you hadn’t heard, last week, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15 to 20 years, now affectionately dubbed Spectre and Meltdown.

These vulnerabilities work by abusing the ways processors optimise performance: rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.

The vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren’t security teams on call to write patches, and there often aren’t mechanisms to push patches onto the devices. This has become apparent in recent years with home routers, digital video recorders, and webcams.

The fundamentals of these software vulnerabilities are also a major issue: a patch can’t simply fix the problem, because the vulnerabilities are deep-rooted in how a microprocessor actually operates.

Because of this, Spectre and Meltdown are catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they have shown researchers where to look, more is coming – and what they’ll find will be worse than either Spectre or Meltdown.

There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

But don’t panic too much: for the average Joe, this is just another attack, and the same common-sense rules apply. Watch for phishing attacks, don’t click on weird e-mail attachments, don’t visit dodgy websites, patch your systems immediately, and generally be careful on the Internet.

Dr Richard Ford, chief scientist at Forcepoint, comments, “The events of the last few days only underscore how vulnerable our critical data is to attackers. While these vulnerabilities are worrisome, these exploits are just two of the raft of threats we have to deal with each and every day.”

“If you’re a security professional, trying to chase every single new threat is like trying to chase your own tail. We urge defenders to keep a careful eye on the overall threat environment yet increase their focus on who and what has access to the data that is most sensitive. This user- and data-centric approach to security has never been more important.”