You may have heard something about these two security flaws, Spectre and Meltdown and you know they have to do with your computer’s processor. But explaining Spectre and Meltdown is simple, and patches are already out for most platforms. Here’s everything you need top know about Spectre and Meltdown, extremely dangerous security threats that hit nearly every single computing device. You’ll also learn how they work, how you can easily protect yourself from these hacks, and what’s going to happen in the future.
What is Meltdown?
There are a few metaphors I’ve read about this, and I’ve been in software development long enough to know what these are doing. Here’s a variation of one of my favorites for explaining Meltdown:
Let’s say you’re trying to get a person’s safety security box number from a bank. This particular bank has a security guard. You go up to them, ask for a security box using your name, and, if your credentials don’t match, they don’t tell you the number. However, next to the security guard is a helpful bank teller. This teller has a fantastic memory, and they’re really good at their job. When a person comes in asking for a box number, they already have it written down on a slip of paper behind their desk. Then, once the guard confirms your identity, they give you the slip of paper with the number.
So what do you, the hacker, do? You go in with a friend, who walks up to the efficient teller. You walk up to the security guard and request Joe Schmoe’s security box. The teller already has poor Joe’s number written down. The guard kicks you out, but not before your friend had a chance to peek over the teller’s desk and see what they wrote down on the slip of paper.
Explaining #Meltdown to non-technical spouse.
“You know how we finish each other’s…”
“No, sentences. But you guessed ‘sandwiches’ and it was in your mind for an instant. And it was a password. And someone stole it while it was there, fleeting.”
“Oh, that IS bad.”
— Scott Hanselman (@shanselman) January 5, 2018
This tweet explains predictive computing security flaws like Meltdown and Spectre very well. I’ve included two tweet threads going into more detail below.
This particular metaphor falls apart because, well, the box is still locked. But let’s say the only thing you needed to get in to the box was the number. That number is like your password. Modern processors predict what your next actions might be and will do it ahead of time, so the result is there when you request it. These predictions have access to parts of the memory that you do not. Often, these results are simply thrown out if they’re not needed. Other times they greatly improve the performance of your computer by serving up results at the same time you request them. However, once it has created these predictions, it stores them in an area of memory that applications can access, using data from memory that applications cannot accss. That’s when the meltdown attack strikes, getting that decrypted information before it’s thrown away. Meltdown was named because it “melts down” the walls between the application and the memory, which should be inaccessible and secure.
What is Spectre?
Let’s continue with a security box metaphor. Though it’s imperfect, it does give a decent visual. Say there’s a bank with security deposit boxes in separate vaults. You need ID to get into the bank, but once you’re in, they trust you. You can walk up to a teller, ask for your deposit box, and, they’ll go fetch it for you. They don’t check your ID. If you don’t a security check they toss the box aside, you can’t leave with it. But, for a brief moment, you can sneak a peek at the other person’s information.
I'm going to try explaining the Spectre attack with an analogy: Imagine a bank with safe deposit boxes. Every client has an ID card, and can request the contents of various boxes, which they can then take out of the vault.
— Clay Shirky (@cshirky) January 5, 2018
This Twitter thread (in full below) explains Spectre with a metaphor in just 10 tweets.
In this scenario, a hacker accesses the private memory of another application, such as your password. Like a ghost, a malicious application can slip in, undetected, and request that information. It won’t get it, but, if you’re observing the holding place where the processor is temporarily storing the information, you can gain access to it. Spectre tricks your machine into giving a malicious program the memory contents of another program.
How are they Different?
Both Spectre and Meltdown work by exploiting predictive computing, used in all modern processors. Meltdown is an easier attack, but, realistically, it’s still not an easy one to carry out. Meltdown only applies to Intel and high-end mobile processors, including Apple’s. Spectre, on the other hand, is much more difficult to perform. Specter also works on all processors, from the one in your computer to the one in your smartphone. Between the two, every single machine that isn’t patched is vulnerable to at least one of these attacks. Hackers will use these methods as part of their toolkit, but not the first tool they’ll reach for. What’s the difference between the two? Meltdown spies on predictive information from anywhere in memory. Spectre spy’s on predictive information from running applications. Both are incredibly dangerous, though, for those with Intel processors (like those in every Mac since 2005 and most PCs), or an iOS device, Meltdown is the biggest concern.
How Can I Protect Myself?
Simply put, update your computer, your iPhone, your Android device, and anything else. Most vendors, Apple, Google, Microsoft, Amazon, and others, already have patches out. You may have updated already (Apple’s were out late last year), so don’t panic if there are no updates for your machine or device yet. If you have an Android phone older than a year, you might have to wait a while for Google’s update to come—if it comes through the pipeline at all—so upgrading your phone may be the best option. The same goes for iOS users who are on iOS devices older than 4-5 years. If you’re on the latest version of macOS, iOS, Android, and Windows, you’re safe. If your device is too old for an update, you might be in trouble.
Here’s the thing with the patches though, for all current processors, the patch will slow your computer/device down. This is inevitable, as predictions will be walled off, slowing the system down. You can expect a 5% to 30% drop in performance, but it’s necessary. These hacks allow a hacker to access all the data on your computer, even encrypted information as it’s decrypted through transit through your machine. These are flaws in the very processor design itself, and the only way to protect users is to add additional firmware-based security between your software and the hardware. Most users won’t actually notice a difference at all, as all vendors have emphasized, but others will notice a large slowdown of some applications that relied on predictive computing.
Will this Always be a Problem?
Short answer: no. Longer answer: it will be a problem until you buy a new computer, or at least a new processor. Those of you who have built computers before might want to consider a new processor your next upgrade. Not only for the security, but also for the 5%-30% boost in improvement you can see just by allowing predictive computing back to your machine without software blockades.
What I think gets lost in a lot of Spectre coverage is that it's just one of many flaws and if an attacker wants to read stuff on your computer there's probably an easier way of doing it.
— Selena Larson (@selenalarson) January 5, 2018
It’s true, but you should still update to protect yourself.
Meltdown and Spectre are fascinating, as they turn something vital for modern processor performance against us. Predictive computing like this will only grow, and we’ll have to be sure that we’re more careful in the future. On a larger scale, artificial intelligence will be able to (and already is) predict what users will want and have things, such as search results, pre-loaded in the cache, so it has finished loading a website before you finish your search phrase. We need tools like these, and we need rapid access to results, but security must always be considered first.
- Devin Coldewey, TechCrunch: “Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?“
- MeltdownAttack.com: Meltdown and Spectre
- Paul Miller, The Verge: “Explaining Meltdown with parallel worlds, libraries, and a bank heist.“
- Jack Morse, Mashable: “Here’s what you need to know about Spectre and Meltdown.”
As promised, here are two full tweet threads explaining Spectre and Meltdown, respectively. Enjoy!