Usually when you hear about large-scale security problems, it’s because somebody has worked out an obscure exploit of some incredibly complicated code, leading to the need for software patches, or because of an entirely human error where access was pilfered via purely social means. Hardware flaws that affect computer security aren’t unheard of, but they’re (thankfully) pretty rare.
Or, at least, they were. It’s been revealed that there’s a major bug affecting processors supplied by Intel, and also possibly AMD and even the ARM processor architecture that runs most smartphones and tablets. While the full extent of the issue isn’t entirely public, because companies are rushing to release updates to mitigate its severity, the worst affected has to be Intel, simply because of the chip giant’s massive presence in this space. Chances are pretty darned good that if you’re reading this on a computer, it’s got an Intel processor inside. Even Apple got on the Intel train many years ago, and to give some perspective, the issue relates to processors up to 20 years old. If you’re running a computer more than 20 years old, you’re probably safe, but you’re also probably painfully slow compared to what a modern computer can do.
Dubbed collectively Spectre and Meltdown, the issue relates to the way that modern CPUs perform what is called “speculative execution”. That’s pretty much what it sounds like; the CPU performs a task that it estimates may be needed before it’s actually asked for, because that way if you do require that task, it’s already done and performance can be boosted remarkably for just a little potential overhead. Speculative execution has been part of computing for a long time now, and a Meltdown attack essentially targets the areas of the CPU that store that speculative information, potentially allowing malicious parties access to it.
To put that in more concrete terms, imagine you’re using a password manager (which, if you’ve been reading this column long enough, you should know I encourage you in no uncertain terms to do) on your computer, and your actions lead the CPU to think that you might need a password soon for some task. It speculatively fetches that information, stores it for a very brief time and then moves on, whether or not you needed the password. While it’s storing it, the Meltdown bug could (in theory) make it accessible via the exploit.
You’ll notice I’m couching my terms here, and the good news is that while the existence of the exploit is public, the specifics are not, and as such there’s no clear evidence that any systems, personal or major, have been attacked in this way just yet.
The Spectre bug (which may also affect AMD’s processors and the ARM architecture that runs most phones and tablets) works in a broadly similar way, although both Apple and Google say that most updated phones and tablets should at least be partially hardened against attacks. Apple says that while there’s potential for exploits, carrying one out would be “very difficult” for hackers. That’s not quite the same thing as impossible, but if you’re updated, you should be fine.
The same advice is true on the PC/Mac end of the scale, although at the time of writing major software updates were still pending for Windows 10 and macOS to cover consumer and business systems. As always, patch early and patch often to keep yourself safe, but also be ready for something of a performance hit.
That’s to do with our old friend speculative execution again. In order to fix the issue, the CPU’s ability to preconfigure scenarios before execution has to be dialled back, and that means a potential system performance hit.
Now, quite how significant this will be is a little tricky to gauge right now. Some early reports suggested the hit could be as bad as 30%, while Intel’s own releases suggest a more moderate hit for most systems, possibly as low as 5% or less. Bear in mind that it’s not just your own PC that may see a slowdown, with many of the world’s largest servers that provide web services also potentially liable for slowdown issues. Having said that, some providers, like Amazon, have indicated that pre-existing patching and security are already present on most of their services, so the impact there may be lessened somewhat.
So what should you do? In short, make sure everything’s updated, from any hardware updates that your computer manufacturer supplies, through to software updates and even browser updates, because when (not if) attacks do come, they’re likely to be delivered over the web. Make sure you’re running anti-virus software with up-to-date security as well, because while again that’s a cat and mouse game, keeping your system safe in 2018 is going to be, well, rather important.