What Are the Implications of Meltdown and Spectre for IoT?
While experts seem to agree that Spectre and Meltdown don't pose much of a threat to personal computers, what about industrial-grade IoT?
Less than a week into 2018, security researchers on the Project Zero team at Google announced the discovery of the security vulnerabilities Spectre and Meltdown. Several international research teams discovered the flaws over the last six months, but it took a while for the news to go public. I spoke to Jason McNew, founder and CEO of Stronghold Cybersecurity, and Kayne McGladrey, IEEE member and director of information security services at Integral Partners, to find out more.
A Brief Rundown of Meltdown and Spectre
The Meltdown bug is a hardware bug (in the form of a design flaw) that affects Intel processors going back several generations. It could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory, which is normally highly protected. This means an attacker could gain access to kernel-space memory, potentially exposing passwords, encryption keys, and similar secrets. In a virtualized environment, it is possible to cross the boundary from one virtual machine's guest OS into another virtual machine’s address space, making data leakage in cloud environments even more problematic.
According to McNew:
"The bottom line is that if Intel processors (including cloud-based) run any of your operating systems or applications, you are potentially affected."
Like the Meltdown bug, the Spectre bug is a hardware bug in the form of a CPU design flaw. Unlike the Meltdown bug, which only affects Intel processors, the Spectre bug impacts Intel, AMD, and some ARM processors (ARM is used in many smartphones and other mobile devices). These three are by far the most common CPUs on the planet, running literally billions of devices. In a Spectre attack, the CPU is tricked into executing instructions that it normally would not, leaking data from the victim's memory address space.
As of 2018, almost every computer system is affected by Spectre, including desktops, laptops, and mobile devices. Specifically, Spectre has been shown to work on Intel, AMD, ARM-based, and IBM processors. It's anticipated to be a more serious long-term problem.
The Good and Bad News
McNew commented that "Notably, the Meltdown attack is a theoretical attack that was discovered by security researchers, who notified vendors and CERT so that the flaw could be addressed. As of this writing, there is no evidence that the bad guys have used a Meltdown attack against anyone, or even have tools to do so."
However, the bad news is that since it is a hardware flaw, the Meltdown bug cannot really be fixed, but only mitigated, by software.
"Imagine that something made a small hole in your roof, letting light through – and you just replaced the roofing felt and the shingles over the hole. Your roof probably won’t leak, but the hole is still there. Also, like the KRACK bug, if state-backed security services were aware of the Meltdown bug (very possible), it is highly likely they would sit on it instead of informing the public," explained McNew.
"A Spectre attack can only be executed in a lab by a gaggle of PhDs. Trying to pull this attack off would be like trying to stack Jenga blocks to a height of 25 feet on a crooked table as a drinking game. Possible, but very difficult. Even if an attacker could execute this attack, it is highly unlikely they would get anything of value out of it."
Whilst several procedures to help protect home computers and related devices from the "Meltdown" and "Spectre" security vulnerabilities have been published, Spectre patches have been reported to significantly slow down performance, especially on older computers. Last week, Intel CEO Brian Krzanich issued a statement detailing that:
"By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers."
AMD has provided PC manufacturers with a fix for the first Spectre version, which Microsoft has begun rolling out, and will provide its customers and partners with a patch for Ryzen and EPYC processors this week.
So, What Does it All Mean for IoT?
While the installed patch might not affect the average consumer, I was interested to know if it will affect processing speed in industrial/utility/smart city settings where latency can have logistical or safety consequences.
"The big tech companies are all saying that the performance hit will be “negligible,” but some researchers have been claiming a 30% (or more) hit on performance, which is astounding. It is entirely possible that patching Meltdown and Spectre on older legacy and fragile systems will have a negative impact. How this will affect, for example, the FAA or an MRI machine remains to be seen."
Kayne McGladrey explained that there could be consequences for edge computing:
"The performance implications of the patches for these vulnerabilities are less likely to be visible in the individual endpoint sensors in IoT, industrial control systems, and smart cities. It is far more likely to begin to be noticeable at the edge of the network where some initial data processing is done.
"The challenge will be the performance degradation once patches are applied to the cloud-based servers that power these industrial control systems, smart cities, and IoT devices. It is quite likely that there's going to be a cost penalty associated with both private cloud and public cloud infrastructure that provides the back-end processing for these systems."
There have been reports from Rockwell Automation, Intel, and Microsoft that patches on industrial equipment are proving problematic. ICS-CERT has issued an alert to raise awareness among critical infrastructure asset owners and operators, and reported that BB, Becton, Dickinson, and Company, Rockwell Automation, and Siemens support products that use affected CPUs and have issued customer notifications with recommendations for users.
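Asset owners acting on such notifications first need to know which Linux-based gateways and edge devices already run with the software mitigations. The sketch below is an added example, not code from the article or the people quoted in it: it classifies the status strings that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities. The device names and sample inventory are constructed, and `classify`, `read_status` and `audit` are hypothetical helper names.

```python
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ENTRIES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one sysfs status line to a coarse state."""
    if status is None:
        return "unknown"  # file absent: kernel does not expose the interface
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_status(base=SYSFS_DIR):
    """Read the local device's status files; a missing file maps to None."""
    out = {}
    for name in ENTRIES:
        try:
            out[name] = (Path(base) / name).read_text().strip()
        except OSError:
            out[name] = None
    return out

def audit(fleet):
    """Return {device: [entries that are vulnerable or unknown]}."""
    findings = {}
    for device, statuses in fleet.items():
        bad = [e for e in ENTRIES
               if classify(statuses.get(e)) in ("vulnerable", "unknown")]
        if bad:
            findings[device] = bad
    return findings

# Constructed sample inventory (hypothetical devices), one read_status() each.
SAMPLE_FLEET = {
    "edge-gw-01": {"meltdown": "Mitigation: PTI",
                   "spectre_v1": "Mitigation: __user pointer sanitization",
                   "spectre_v2": "Mitigation: Full generic retpoline"},
    "plc-hmi-07": dict.fromkeys(ENTRIES, "Vulnerable"),  # unpatched kernel
    "sensor-arm-22": {},  # kernel without the sysfs interface
}

if __name__ == "__main__":
    for dev, bad in audit(SAMPLE_FLEET).items():
        print(f"{dev}: needs review -> {', '.join(bad)}")
```

Devices reported as unknown deserve the same follow-up as vulnerable ones, since a missing status file usually means the kernel predates the mitigation work.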
What Impact Will These Discoveries Have on the Future of Testing and Development?
McNew suggests that there will be design changes to both the physical CPUs themselves and the instruction sets that run on them:
"The design lifecycle for CPUs is quite long, so now the manufacturers are sitting upon months or years of flawed work and designs that need to be dealt with. Are they still going to bring these flawed pipeline products to market? We don’t know. Modern CPUs are extremely complex, so Meltdown is not a huge surprise, and it is very possible that future flaws just like it (or worse) will be found."
McGladrey sees causal factors that have contributed to these vulnerabilities, particularly in the current quick-to-market ecosystem:
"Patching is a reactive strategy, and there are a couple of challenges that have led us to the current situation. One of those challenges is that the market has rewarded companies that develop and produce products rapidly, and the market has shown a willingness to accept post-release patching as an acceptable trade-off. As a result, developers and architects are rewarded by their employers for producing code and architecture very quickly with less thought given to cybersecurity.
"The other significant challenge is that the cybersecurity community is generally homogenous. We have a diversity problem when just 11% of women work in cybersecurity. This lack of diversity in backgrounds and life experiences has influenced the analytic methodologies that are used to evaluate potential security issues with products. This lack of diversity of thought has led to the unfortunate set of expectations that breaches are inevitable, and this situation will continue until the cybersecurity industry does a better job of including diverse voices and opinions in the global conversation about security."