Chip Flaws Leave Connected Systems Vulnerable
Two computer chip flaws could leave a number of connected systems, including those of credit unions, exposed to security risks. DHS warned that only chip replacement completely fixes the problems.
A team of researchers at Google's Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security firms including Cyberus and Rambus, recently released details of the flaws, which they call Meltdown and Spectre.
The Department of Homeland Security issued guidance on the software flaws last week, remarking that while software patches could improve performance, the only real fix was to replace the flawed chips.
The flaws exist in processors designed to perform "speculative execution," where they calculate functions needed and swiftly access various areas of memory. The system should protect and isolate that data. But researchers revealed that, in some cases, the security flaw allows exposure of the information while processors queue up the data.
While both Meltdown and Spectre are newly discovered, they are long-standing security flaws in computer processor chips. “The problem is that when the engineers designed these chips, there were no IoT types of devices, no ‘smart’ phones or even widespread internet connectivity,” Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, said.
“Each credit union, and all other types of financial businesses, and all computer users in general, need to ensure that they download the most recent computing device operating systems (OS) patches and apply them as soon as possible,” Herold recommended. Then, they need to set up their computing devices to automatically download OS security patches as soon as the manufacturer makes them available.
Herold described the vulnerabilities:
• Meltdown: This flaw exists within Intel and Apple processors. It exploits a long-existing privilege escalation flaw within the processors that allows kernel memory access from the environment within which users run their applications and other types of programs. “This generally means that any confidential data that a computer is protecting (even in the kernel) is available to any user able to execute any type of code on the system.” That includes those who have paths to the devices from a local network, wireless network, the internet, peer-to-peer (P2P) access, etc.
• Spectre: This vulnerability exists within Intel, Apple, ARM, and AMD processors (AMD claims a “near zero” possibility). “This can be exploited by malicious actors (cybercrooks, hackers, etc.) by having the processors execute instructions they should not have been able to if the flaw did not exist.” It can also give them access to sensitive and confidential information (e.g., IDs/passwords, credit card numbers, SSNs, etc.) in the memory space for applications running on those devices.
The chips’ designers did not consider an Internet of Things world where devices were always connected to a network; “it was not even imagined that someone outside of a facility, such as within a credit union or bank building, could get into such devices directly,” Herold explained. The engineers saw, and assumed, that networks had firewalls and required authentication to even get onto a network with the endpoints (PCs, laptops, networked printers/copiers/fax machines, smart watches, wearables, and all other types of IoT devices). “The processors that are generally the computing power of these devices were not built with strong security controls in mind.”
“It was only recently, when security researchers decided to look at the current security issues related to these comparatively long-ago-designed processors, that these existing security vulnerabilities were discovered,” Herold noted.
Herold listed a few important points about the current processor chips' significant security flaws:
- They impact basically all types of computing devices: desktop computers, laptops, tablets, smartphones, recent models of copy machines (last 10-15 years), printers, fax machines, IoT devices, etc.
- Patches exist for both types of vulnerabilities; some already released, others coming soon.
Herold warned that cybercrooks and hackers will surely set up phishing ploys and distribute bots to get access to all these areas where such valuable data is located. “And certainly CUs will be a favorite target because of the value of the data they possess within all their computing devices.”