In the last few months of 2017, security companies made their own forecasts about incoming cyberthreats and the measures that needed to be taken to ensure a better and cybersafer 2018, often advocating the use of protective software tools made by that vendor. Lo and behold! 2018 started with a scenario hardly anyone could have foreseen. Two serious design vulnerabilities in CPUs were exposed that make it possible, although not always that easy, to steal sensitive, private information such as passwords, photos, perhaps even cryptography certificates.
Lots has been written about these vulnerabilities already: if you are new to the subject we suggest that you read Aryeh Goretsky’s article “Meltdown and Spectre CPU Vulnerabilities: What You Need to Know.”
Now, there is a much larger underlying issue. Yes, software bugs happen, hardware bugs happen. The first are usually fixed by patching the software; in most cases the latter are fixed by updating the firmware. However, that is not possible with these two vulnerabilities as they are caused by a design flaw in the hardware architecture, only fixable by replacing the actual hardware.
Luckily, with cooperation between the suppliers of modern operating systems and the hardware vendors responsible for the affected CPUs, the Operating Systems can be patched, and complemented if necessary with additional firmware updates for the hardware. Additional defensive layers preventing malicious code from exploiting the holes – or at least making it much harder – are an “easy” way to make your desktop, laptop, tablet and smartphone devices (more) secure. Sometimes this happens at the penalty of a slowdown in device performance, but there’s more to security than obscurity and sometimes you just have to suck it up and live with the performance penalty. To be secure, the only other option is either to replace the faulty hardware (in this case, there is no replacement yet) or to disconnect the device from the network, never to connect it again (nowadays not desirable or practical).
And that is exactly where the problems begin. CPUs made by AMD, ARM, Intel, and probably others, are affected by these vulnerabilities: specifically, ARM CPUs are used in a lot of IoT devices, and those are devices that everybody has, but they forget they have them once they are operating, and this leaves a giant gap for cybercriminals to exploit. According to ARM, they are already “securing” a Trillion (1,000,000,000,000) devices. Granted, not all ARM CPUs are affected, but if even 0.1% of them are, it still means a Billion (1,000,000,000) affected devices.
To read the original article: