Intel

Tag: Intel

Spectre and Meltdown: “The cure may be worse than the disease”

There are two new serious security vulnerabilities out in the wild that affect everyone reading this article. You can read the background on Spectre (affects almost all semiconductors made by Intel, AMD, and others) and Meltdown (Intel, Qualcomm, and one type of ARM chip) but the big question for industrial users is how it will impact operations.

The short answer is: No one knows for sure. In theory, Meltdown allows “deep access” to kernel operations, which could affect everything from gateways to cloud servers. Spectre could afflict “all modern processors capable of keeping many instructions in flight” including smartphones. So far, no attacks have been observed in the wild, but we all know how that story goes. It’s only a matter of time before the baddies exploit the vulnerabilities.

In the meantime, industrial vendors have started to issue advisories and patches, especially for Meltdown (Spectre requires a complete redesign of the chip’s architecture, and fixes are apparently limited). Security Week has a rundown of statements and advisories from Rockwell, Siemens, Schneider Electric, ABB, and BD. Other patches and advisories include:

One of the biggest concerns about the fixes is the performance hit, widely reported to be 30% based on benchmarks. Industrial security expert and PPR regular Joe Weiss summed up the problem for industrial users:       

“We have a lot of older systems and a lot of these older systems are very resource constrained. When you’re talking about possibly a 30 percent hit on performance, that can actually shut down many of our older legacy control systems. The cure could be much worse than the disease.”    

Endpoint: Meltdown and Spectre are serious security vulnerabilities whose impact will be felt for many years to come. Reduced performance can take some older systems offline, a prospect that may force some users to upgrade their own systems. Infrastructure vendors know this, and will surely play up the FUD element to boost sales and maintenance contracts.

MELTDOWN-SPECTRE: THE MESS CONTINUES

The fallout from the Meltdown and Spectre CPU bugs rolls on. There’s a lot of reading on this topic, but here are some of the bullets you need to know:

  • According to one experienced tester, the Meltdown patches “introduce the largest kernel performance regressions I’ve ever seen.”
  • The early patches might be causing more harm than good … and it’s not just the performance hit. As noted by Security Week, “Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently.” Major software vendors including Microsoft stopped the patches due to instability.
  • Attacks can be exploited by JavaScript in a Web browser … and proof-of-concepts are already floating around in the wild, according to ZDNet.
  • Intel is coming out with a new set of patches that supposedly avoid the reboots and other problems noted earlier. But considering Intel’s history of attempting to spin its way out of this PR mess and releasing half-baked fixes, I would take the news with a grain of salt.
  • Long-term, the entire world has a big security problem on its hand that won’t be fixed until silicon platforms are rearchitected AND older systems are patched or replaced. This could take years.

If you’re trying to play catch-up with these flaws, the best to start is on this page created by security researchers, which includes links to advisories and patches put out by major vendors.