Virtually every computer and smartphone in the world appears at risk of being hacked, after researchers found vulnerabilities in three major brands of microprocessor.
The hacks, known as Meltdown and Spectre, can allow access to the kernel memory of your computer or smartphone, where items like your saved passwords are stored.
The vulnerabilities are so far believed to affect microprocessors designed by Intel, AMD, and ARM, which are used in the vast majority of computers and smartphones.
Intel-based microprocessors are used widely by companies including Apple, Lenovo, HP, Samsung, Sony, and Dell computers.
Meanwhile, ARM-based microprocessors are used in Apple’s iPhone, Google smartphones, and Samsung products too, among others.
And AMD-based processors are mostly used in gaming devices, including Microsoft’s XBox and the Sony PlayStation.
Major players are collaborating on finding a solution. In the meantime, the best you can do is finally install those updates you’ve been putting off – and keep updating as more come out.
The vulnerabilities were discovered by an international team including researchers at Graz University of Technology in Austria.
In a release on Thursday, researchers from the university described one of the hacks, Meltdown, as a simple code with “devastating consequences.”
“Meltdown is a very simple exploit – only four lines of code are needed to gain access,” explained Moritz Lipp, Michael Schwarz and Daniel Gruss.
“Spectre is significantly more labour-intensive, and consequently more difficult to protect against. It uses the code itself to trick the system into giving up its secrets.”
Exploiting the need for speed
Researchers explained that the hacks take advantage of the way modern microprocessors operate differently in order to speed up computing.
“Modern processors perform calculations in parallel rather than sequentially,” reads the release.
“In parallel to lengthy tasks, the processor attempts to predict the next steps that will be required and prepare for them.”
During that process, say the researchers, no check is made as to whether the program accessing data has permission to do so.
“If a predicted step is not required, or if permissions are not present, the processor discards the preparations it has made,” they said.
“This preparation phase can be exploited to read data from the kernel – for example passwords saved in commonly used browsers.”
The researchers have developed their own patch to protect users against the Meltdown hack, which they say may affect the operating speed of devices.
As well, they say, developers from the major IT companies have adapted and further developed their patch, and are delivering these with their latest security updates.
Intel is providing security updates
In its latest response to the findings, Intel indicated it had already known about the vulnerabilities and had been working to find a solution.
“Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available,” read the response.
The company is working closely with many other tech companies, including AMD and ARM, to develop “an industry-wide” solution, said the release.
“Intel has begun providing software and firmware updates to mitigate these exploits,” it said.
“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”
Intel advises users to check with their operating system vendor or manufacturer and apply any available updates as soon as they are available.
“Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers,” read the company’s response.
‘Total protection remains elusive’
Meanwhile, in their own release, AMD emphasized that the Meltdown and Spectre hacks have not been seen outside of the research environment.
However, the company had immediately engaged “across the ecosystem” to address the research team’s findings about the vulnerabilities.
“As the security landscape continues to evolve, a collaborative effort of information sharing in the industry represents the strongest defence,” read the statement.
“Total protection from all possible attacks remains an elusive goal and this latest example shows how effective industry collaboration can be.”
AMD advises customers to stay safe online – do not click on unrecognized links, use strong passwords, use secure networks, and accept all software updates.
Google engineers also working to protect users
In a blogpost, Google said its own Project Zero team had also discovered the vulnerabilities and its engineers had been working to protect Google Cloud customers.
“We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web,” read the blogpost.
“All G Suite applications have already been updated to prevent all known attack vectors.”
More in depth information on how the vulnerabilities affect Google users can be found here.
Apple and ARM had yet to respond to news of the vulnerabilities at the time of writing.