Andrew Lohn is an engineer at the nonprofit, nonpartisan RAND Corporation.
The security community is still reeling from the discoveries of the Meltdown and Spectre computer vulnerabilities and now it seems that a rash of new hardware vulnerabilities called MasterKey, RyzenFall, Fallout, and Chimera have been found in the past few months too.
Unlike most previous threats, all these vulnerabilities attack a computer’s hardware, rather than its software. This second release of attacks may be early indications that Meltdown and Spectre have opened a new front in the war between hackers and defenders in the realm of computer chips.
While experts are working to make and distribute patches for these bugs, the question remains: what does this mean for cyber security as a whole? The answer to that question starts with understanding a bit about how hackers work.
Hackers are a social and trendy bunch. A couple of years ago, hacking onboard computers on cars was common, so a bunch of vulnerabilities were found and patched and now cars have become somewhat harder to commandeer. Then drone hacking was all the rage and drone manufacturers too have implemented patches and become somewhat more secure.
That is how cyber defenses work. Some smart researcher finds a new hole. If they’re nice (most are nice), they tell the manufacturers about it so they can fix the bugs. With Meltdown and Spectre, the researchers were nice and informed the manufacturers months beforehand. The MasterKey, RyzenFall, Fallout, and Chimera researchers were not so nice and only gave them a day. If the researchers are really not nice and decide instead to use their exploit, then some unlucky person or organization is probably going to have a very bad day.
That moment of discovery is the starting gun for an intense race between the defense community and the hacker community. Some hacker genius somewhere already knows how to use the bug and other hacker geniuses start working overtime to write their own code that exploits it.
Once a few of them figure it out, one of them will write a simpler version for people who don’t understand the details so that hackers who aren’t geniuses can use it too. Soon after that, it gets included in the common hacking databases. From that point on, anyone can literally point and click their way into your computer.
Although not much can be done for the folks who already had their bad day, the defense community, as a whole, almost always wins that race. As soon as their fastest programmer finds a fix, it can be quickly distributed throughout the world, making the new hacking toys only useful against the stragglers who fell behind the herd. And these days, it’s gotten pretty hard to fall behind. The patching process has become invisibly smooth and most regular computer users never even know that there was a race on.
With hardware vulnerabilities, things could be different. You can’t change hardware by sending an invisible string of 1’s and 0’s through the air. For Meltdown and Spectre, workarounds where changing the software can help block the hardware problem are still being figured out and distributed. These workarounds showed up quickly at first but the process has been anything but smooth and proof-of-concept code for exploiting these vulnerabilities has been seen online for over a month. As for the more recent vulnerabilities, it’s not clear yet what workarounds exist and there might not always be a workaround that creates software solutions to hardware problems.
Though stark, this situation is not entirely unprecedented. Some operating systems are no longer supported by their vendors, which means that any new hole will go un-patched. The most famous example is Windows XP. Most people know by now that using Windows XP is not safe, but don’t fully understand how unsafe it is.
Today, any computer savvy high schooler can watch a YouTube video and learn in just a couple hours how to point and click their way to control of someone else’s computer on the internet so long as it is running Windows XP. Even with Windows XP though, when a truly nasty bug comes out, Microsoft can choose to go back and patch it like they did last year for the WannaCry ransomware. With a nasty hardware vulnerability that may not even be an option.
So what can be done? Hopefully, the hacking community will not become enthralled with searching for hardware vulnerabilities. They might not. It is hard and requires rare expertise that is not as easy to come by as software hacking. If we are not so lucky, then defending the herd by responding quickly to the first attack may no longer be a viable approach, but herd immunity comes in many forms.
Perhaps it will be from increased diversity of chip designs or perhaps approaches to slow the spread of information from hacker genius to amateur. Perhaps it will be from improved perimeter defenses, although hardware at the perimeter may be just as vulnerable as the rest.
Time and again, the adaptability of the world’s smartest engineers have overcome the most dire threats to computing and the internet. The safe money is on them to win the day again, but with hardware vulnerabilities it may require a whole new approach for defending the herd.