Shortly after the new year, The Guardian publicly revealed two major new vulnerabilities, dubbed Meltdown and Spectre, that could affect our digital devices. These exploits, each independently discovered by multiple groups of researchers, could allow a hacker to retrieve data from your computer that may be linked to sensitive information, such as bank accounts.
What makes these particular exploits difficult to stop is that the processing techniques they take advantage of have been used in most computer processors made in the last three decades – from the most powerful supercomputers right down to your smartphone.
In this blog post, we’ll cover how these attacks work and what’s being done to stop them. Unfortunately, especially in the case of Spectre, we could be dealing with this for a while because fixing it properly may require entirely new computer processor designs. In the meantime, we’ll give you some practical advice for protecting yourself.
A Little Bit About Computer Design
In order to understand how these attacks came about, you’ll need to understand a little bit about how a computer works. Don’t worry – you won’t need a computer science degree.
The Need for Speed
As computer users, one of the things we expect now more than ever is speed. If our web browser or a Word document takes more than a few seconds to load, we start drumming our fingers on the desk.
For years, it was a given that the technology in our hands was going to get smaller and faster. Unfortunately, at some point we stopped being able to make computers much faster than 3 gigahertz (GHz).
If you remember back to your high school physics class, hertz is a unit of frequency. In this case, a 3 GHz processor completes 3 billion calculations per second. That sounds like a ton of speed, and it is. But we’re doing more and more with our computers – streaming Netflix while writing papers for school or putting the finishing touches on a video to upload to YouTube.
One way to get around this is to include multiple cores, which is essentially like having multiple processors. These processors also have multiple threads, which allows them to do different things while operating in parallel.
Processor manufacturers also decided to take advantage of a shortcut to gain an extra jump on what they thought the user was going to do next. This process is called speculative execution, and that’s what we’ll go over next.
There’s a maximum to the amount of speed we can get out of our computers at this point. However, one thing computers are good at that humans aren’t is doing many operations at once. This is called parallel processing. At some point, system designers realized they could take advantage of this ability to process in parallel to squeeze more speed out without making processors more powerful.
In order to understand how this works, let’s take ourselves out of the realm of computers for a moment. Let’s say that every day for lunch, I have a choice between pizza, a nutrition bar, and a peanut butter and jelly sandwich. Most days, I like speed and avoiding the mess, so I go with a nutrition bar. After a while, my roommate might simply decide to get the nutrition bar out of the cupboard and have it ready. If I want pizza one day, though, we would have to reverse course and start over.
The computer, on the other hand, can do multiple things at once. Let’s say the nutrition bar is Word and the pizza is Photoshop. If it knows I typically load Word, it might start making assumptions and load some of the program files into cached (frequently used) memory so that Word starts faster. If I end up starting Photoshop, the data for starting Word is thrown away. Moreover – and this is key – the user or anyone else who might be interested doesn’t see the data for Word unless it’s actually loaded.
This process is known as speculative execution, and as we noted earlier, it’s been around for quite a while. So what’s the problem?
Meltdown and Spectre Break Down the Walls
Ordinarily, the user doesn’t see the results of any operations until they actually tell the computer to execute a particular command. Any guessing done by the computer as to what you’re going to do next is contained in the cache and/or a low-level operating system function called the kernel that the user never has to worry about.
The details around this are a bit technical to get into here, but this may be the best written explanation I’ve seen for anyone who wants to go deeper.
Basically, attackers exploiting Meltdown are able to look inside your cache and take a look at processes you didn’t load before they’re deleted. This flaw affects all Intel and some ARM processors (ARM chips are typically found in your phones and tablets).
Spectre works by making your computer guess wrong about what you want to do next, which gives an attacker a peek at your data. And this one is trouble because it takes advantage of flaws in designs used in nearly every computer processing chip, meaning it impacts Windows, Mac and Linux users as well as smartphone users on iOS and Android. It affects Intel, AMD and ARM computer chips. If you’re reading this on anything but a Raspberry Pi or an Apple Watch, it’s safe to assume you’re affected.
What You Can Do About It
As we briefly alluded to above, the data taken in these attacks could be anything from innocuous items like recipes and game files to extremely sensitive data like usernames and passwords.
Although neither of these attacks is known to have been exploited for nefarious purposes yet (and since the attacks don’t leave traces, we might never know), it’s important to protect yourself. So what can you do? Unfortunately, this is where things get a little hairier than they already are.
The industry has known about this for a while, but the rollout of updates and protection around this hasn’t been smooth at all. Let’s break this down a bit.
Your Protection Status
Both operating system developers and the manufacturers of our computers and phones try to make updating as automatic and painless as possible. To that end, it’s helpful to check and see if you’re already protected before taking any further action.
There’s an application called InSpectre from security researcher Steve Gibson that acts as a very small utility to determine if your computer is protected against Spectre and Meltdown.
While this only runs on Windows at the moment, it can be run on a Mac or Linux machine if you also use a compatibility program called WINE. The program won’t necessarily give you accurate details regarding Meltdown mitigations on Mac or Linux because those fixes are specific to the operating system, but it should help you with Spectre.
The program also lets you decide whether to turn protections on and off. We’ll talk in a minute about why you might decide to do that on a permanent or temporary basis.
Microsoft worked with Intel to push a fix to Meltdown that would block user programs from getting access to deeper levels of the operating system before the user needed it.
Unfortunately, one class of program that normally wants deep access to lower levels of the operating system is an antivirus. At one point, users were installing the update and having their computers restart to blue screens of death.
Reputable antivirus manufacturers have pretty much all updated at this point. However, because of the issues with the initial push, Microsoft is requiring a registry key showing that your antivirus program is compatible. Not all of them have actually set a registry key, though, so follow the guidance of your antivirus provider.
If you want to make sure you get the updates, Windows 7 users have the option of uninstalling their current antivirus and installing the free Microsoft Security Essentials.
If you have Windows 8 or 10, you don’t need to install anything because it comes with a built-in security solution called Defender.
On the Mac side, just make sure you check for updates. As long as you run them, you should be OK. On Linux, make sure you install the updates appropriate for your distribution (Ubuntu, Debian, etc.).
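On Linux, the kernel itself reports whether these fixes are active. The shell script below is an added example, not part of the original post: it reads the status files under /sys/devices/system/cpu/vulnerabilities (present on kernel 4.15 and later) and flags anything not mitigated. The function names and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: print the Linux kernel's own report on Meltdown/Spectre.
# Real systems expose one status file per issue under this sysfs directory.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE -> not-affected | protected | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "protected" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_dir DIR -> one line per issue; returns 1 if any is vulnerable/unknown
check_dir() {
    dir=$1
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(cat "$dir/$name")
            verdict=$(classify_status "$status")
        else
            status="(no status file; kernel too old to report)"
            verdict="unknown"
        fi
        printf '%-11s %-13s %s\n' "$name" "$verdict" "$status"
        case "$verdict" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# make_sample_dir -> temp dir holding CONSTRUCTED sample status lines,
# so the script can be tried on a machine without the sysfs directory.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

if [ -d "$VULN_DIR" ]; then
    check_dir "$VULN_DIR" || echo "Install pending OS and firmware updates."
else
    echo "No kernel report here; showing constructed sample data instead:"
    check_dir "$(make_sample_dir)" || echo "Install pending OS and firmware updates."
fi
```

A line marked "unknown" means the kernel is not reporting on that issue at all, which usually means the operating system updates have not been installed yet.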
One thing to note is that because the potential attacks take advantage of shortcuts meant to speed the system up, any updates to fix or at least protect against Meltdown and Spectre will slow down your system. Whether you’ll notice or not depends on what you’re doing. If you spend your day writing blog posts in Word, you won’t notice as much as someone who’s doing a ton of video editing with a program that relies on more back-and-forth communication with the operating system.
In the case of Spectre, this can’t be fixed at the operating system level and requires a firmware or BIOS update. The firmware or BIOS sits underneath the operating system and handles the basic functions of the computer, like powering on and handling input and output.
The issue here is that the update Intel has been giving computer manufacturers to incorporate into their system code is causing unexpected system reboots. Because of this, computer manufacturers and Microsoft have rolled back Spectre updates they were pushing out until further testing can be done.
Buggy processes notwithstanding, both operating system developers and hardware manufacturers are working to fix these problems as quickly as possible. In any case, always make sure to run your operating system updates on your computers and phones.
Your computer manufacturer will also likely be pushing out updates for the actual chipsets as well. Go to your manufacturer’s website periodically. You can usually find a utility that will detect exactly what system you’re running and whether there are any updates available. You may also be able to sign up for email notifications of anything that’s new.
Good Security Practices
Among the things someone could potentially get in this hack are your usernames and passwords. Once they get those, they can do anything you can do with access to that particular account. The problem is compounded if you use the same password in multiple places.
These work very similarly. You basically make up one strong password that you can remember. After that, for every site you visit, you can create a strong, completely random password so that all of the passwords you have for sites are different. Both password managers cost a couple of dollars a month for website and mobile access. This way, if one site gets hacked, you just change that one password, and you don’t even have to remember what password you used for the hacked site or what the new one is because it’s in your vault.
You should also turn on two-factor authentication for all accounts that support it. The way this works is that after you sign in with your username and password, you get a push notification or code on your phone. You have to respond to the notification or enter the code in order to sign in. It’s an extra step, but it definitely makes unauthorized access harder.
Finally, just keep an eye on your credit card statements. If you see any weird charges, that could be your first signal of identity theft and unauthorized access to your accounts. Dispute the charges and get a new card immediately.
This is only the latest potential breach point to come to light, but hopefully these tips have helped you take action to protect yourself. Stay safe out there!