Meltdown and Spectre gave us another reminder of crypto vulnerabilities

17:14 12/01/2018

The Meltdown and Spectre news at the beginning of 2018 looms over the cryptocurrency world like a big dark cloud. It has been reported that a flaw in the design of Intel’s processor chips leaves systems susceptible to hackers. In an article about the bug, The Register reports that the vulnerability lets unauthorized programs discern the “layout or contents of protected kernel memory areas.” Programmers at companies like Microsoft and Google have been busy creating patches for the two exploits: Meltdown and Spectre.

Breaking down “Meltdown” and “Spectre”

Computer bugs and viruses often make the headlines, but this time the flaw is in the design of the Intel processor itself. Immediate steps were taken to correct the flaw so that users’ data remains protected within the operating system (Windows, Linux). The Meltdown and Spectre exploits can be used to access the area where the device stores and protects passwords. The exploits were brought to light by Google.

The revelation of the bug shook the world, as any device that has an Intel chip and connects to the internet can be a target for hackers.

According to Google, the hackers can “read sensitive information in [a] system’s memory, such as passwords, encryption keys, or sensitive information open in applications”.

Meltdown breaks the isolation between a user application and the operating system, while Spectre breaks the isolation between two user applications. The Meltdown attack enables a program to access the device's memory, including the secrets of other programs and of the operating system. The Spectre attack, on the other hand, tricks an error-free program into leaking its secrets.

The Impact of Meltdown and Spectre on Security

Devices built with Intel chips manufactured from 1995 (except Intel Itanium and Intel Atom before 2013) to approximately 2011 have a high chance of being affected by the two exploits. Whenever a running program needs to do something such as open a network connection or write to a file, it temporarily hands control of the processor over to the kernel. To speed up the transition from user to kernel and back to the user, the kernel is present in the virtual memory address space of every process. The kernel’s memory is not visible to user processes and programs. The kernel memory houses login keys, passwords, cached files and so on. If a system is hacked through this flaw, the hacker will in the worst case be able to read all the passwords and login keys. This means that they will be able to access all of the user's accounts and collect critical data and account details. The hacker will thus be able to move money out of a person’s bank account simply by supplying the login details. Businesses and institutions using devices manufactured within the period stated above are at risk. Vital project details and company secrets may be leaked.

The Cure of Meltdown and Spectre

One of the solutions is to randomize the position of the kernel’s code in the device's memory so that the exploits cannot find its internal gadgets. The hackers would then need to fully compromise the system. Security programmers have already released the first wave of patches for Windows 10, MacOS, Android and Linux. These fixes were speculated to slow down the system. As roughly 90% of devices have Intel chips, one can understand that it will be a large-scale backlog. Intel, however, has released a statement saying that the solution will not slow down computers as much as speculated.

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Intel recommends that users regularly check for device updates and install them immediately so that hackers do not find any opportunity to breach security.
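One way to confirm that the kernel-side patches mentioned above are actually active on a Linux host, as an added example that is not part of the original article: it reads the status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities. The function names `classify_status` and `check_host` and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation state on a Linux host.
# Patched kernels expose one status file per issue in this directory, each
# holding a line such as "Not affected", "Mitigation: PTI" or "Vulnerable".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo OK ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_host [DIR] -> prints one line per issue and returns
#   0 if every issue is mitigated or does not apply to this CPU,
#   1 if any issue is reported vulnerable or its status is unreadable,
#   2 if the status directory is missing (kernel likely predates the fixes).
check_host() {
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no status directory: kernel predates the fixes?"; return 2; }
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            status=$(head -n 1 "$dir/$name")
            verdict=$(classify_status "$status")
        else
            status="(no status file)"
            verdict=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# Check the live host only when invoked as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then check_host; fi
```

A non-zero exit status makes the script usable from a fleet-wide compliance job: hosts returning 1 or 2 are the ones still waiting for the update.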

How Meltdown and Spectre Affect the Cryptocurrency Market

The Meltdown and Spectre news came out on 3rd January 2018, and on the very next day cryptocurrency exchanges had to take numerous wallets offline. It is a reminder and a warning that however loud the claims that cryptocurrency and blockchain technology are safe, that safety may be merely superficial. Cryptocurrency account holders are therefore right to fear the consequences of such an attack. Most cryptocurrency exchanges rely completely on cloud storage. Cloud computing providers usually keep data from different clients on the same server. Theoretically speaking, an attacker can access all the accounts if the server is hacked. After the news, many exchanges, such as CEX.io, Kucoin and Einstein Exchange, had to take their wallets offline. While some of the crypto exchanges are on the way to implementing the patch, others simply refer to maintenance. The plus side is that cryptocurrency miners are most likely to remain unaffected.

“An attacker who has knowledge of a sufficiently powerful vulnerability can theoretically force your CPU to reveal secret data such as private keys used to control your Bitcoin,” said Bryan Bishop, Bitcoin Core developer.

Cryptocurrencies and blockchain technology are always portrayed as secure protocols. But users need to store their private keys properly, preferably on a device that does not have access to the internet. Bryan Bishop further says that to become a victim of this attack, all the user has to do is click on a link by mistake. The link opens a website that displays bad ads carrying malware code that is likely to steal your data.

Besides miners and cryptocurrency traders, the threat is also serious for cryptocurrency exchanges. If a hacker targets a crypto-based business or exchange, they will get access to millions of account holders in one go. The exchanges depend on cloud hosting services, and these, in turn, are susceptible to these attacks. Hopefully, the patches will tide things over until a better solution is reached that completely eliminates the risk.
