Northeastern's Andrea Matwyshyn and Notre Dame's Mike Chapple discuss the Spectre and Meltdown chip flaws.

In the fall of 2016, two Israeli researchers doing work in cryptography and computer security — longtime pals Daniel Genkin and Yuval Yarom — met fellow cryptographer Mike Hamburg at a conference in Santa Barbara, Calif. During conversations about the work they were doing, they got the idea that the particular way computer chips were designed might be exploited by hackers. “It was just an idea floating around,” Genkin said. “None of us knew of the implications back in 2016.”

It wasn’t until the following year’s cryptography conference — held this time in Taiwan — that things began to gel. Genkin, who is a post-doctoral fellow at the University of Pennsylvania and University of Maryland, Yarom and Hamburg met Paul Kocher, a well-respected cryptographer. It was then that the enormity of the chip vulnerability hit them. “Oh, this is really bad,” Genkin said. “This is a big problem. This is an industry-wide problem.”

In December 2017, Kocher notified Intel of their findings. The chipmaker told them that other groups had independently found the same vulnerabilities as well — notably Jann Horn of Google Project Zero and six others. Genkin’s group and Horn separately found a security hole called Spectre, while Horn and two other teams found the Meltdown flaw. On January 3, Intel disclosed the flaws publicly, following a story in The Register.

What makes Spectre and Meltdown stand out is the sheer scale of their impact. They affect not only Intel but major chipmakers AMD and ARM, which powers Apple products, household devices and others. (Apple disclosed that all of its Mac and iOS products are affected, except for the Apple Watch.) “The interesting part of this is that it’s so pervasive and affects almost every device that everyone uses,” said Dan Alig, chief information officer of Wharton Computing and Information Technology.

“It might sound a little esoteric at first, but it’s actually a very significant threat.”–Mike Chapple

Spectre and Meltdown can be exploited in the chips of billions of devices — substantially all computers, smartphones, tablets and other products using computer chips, from internet-enabled cars to even multifunction copiers found in offices worldwide. The flaws also are found in the servers of data centers and cloud services such as those offered by Amazon and Microsoft. Hackers could exploit them to steal passwords and other sensitive information. What’s more is that “Meltdown and Spectre leave very little traces behind them,” Genkin said.

The chip or central processing unit (CPU) “is at the heart of every computer and basically every electronic device. It’s what carries out the instructions that we give it and it runs our software,” said Mike Chapple, academic director of the master of science in business analytics program at the University of Notre Dame, on the Knowledge at Wharton show on SiriusXM channel 111. (Listen to the full podcast using the player at the top of this page.)

How Meltdown and Spectre Work

The root of the problem can be traced back to half a century ago in a technique called speculative execution, said Jonathan M. Smith, professor of computer and information science at the University of Pennsylvania, who has served as a consultant on security and technology for Intel. Speculative execution was designed into chips because it boosts the processing speed of computers. That makes computers multitask more efficiently and better able to run complicated software programs.

“In speculative execution of software, computer hardware pursues multiple possible paths from a decision point with an unknown outcome, guessing that one will be correct, providing the illusion of ‘look ahead,’” he said. “Once the decision is known, the paths from wrong guesses and their consequences should disappear and a correct calculation results. However, if the wrong paths have ‘side effects’ that a hacker can control by putting malicious code in the non-taken paths and influencing predictions made by the hardware to run their code, data can be stolen.”

The bottom line is that these flaws “exploit some weaknesses that have been discovered that are buried deep inside these CPUs,” Chapple said. “They allow one program to access the memory being used by another. It might sound a little esoteric at first, but it’s actually a very significant threat.”

Smith pointed out that when faster chips were being designed using speculative execution, security was not topmost of mind because nobody thought hackers would enter this way. “I’m almost certain that people didn’t realize the consequences of this speculative execution for security and I think now they’ve got it,” Smith said. Think about using your credit card at gas station pumps. These payment methods came about to make it more convenient for drivers. But thieves learned to insert card-skimmers to steal credit card numbers — something creators of the system likely didn’t foresee.

As a result of the discovery of Meltdown and Spectre, the industry will now have to prioritize security as well as functionality and efficiency. “There’s a security ecosystem emerging where you really have to design with adversaries in mind,” Smith said, adding that he believes Spectre is the “nastier” vulnerability of the two. “This is pretty serious. But the fact is, the computer companies are taking it seriously. It’s not just Intel [but also] everybody that uses speculative execution — and everybody uses it because it’s such a win for performance.”

Industry Solution

Companies are scrambling to send out software patches to protect against the flaws: Intel, AMD, ARM, Google, Microsoft, Apple, Oracle, Amazon and others. While the vulnerabilities are in the physical hardware — the chip — the way to fix the situation short of replacing the chip itself is to beef up the protections around it. Google, Apple and Microsoft don’t make any chips but they do make the web browsers that people use to surf the internet. They are rolling out fixes to make their browsers more resilient to Spectre and Meltdown.

“There’s a security ecosystem emerging where you really have to design with adversaries in mind.”–Jonathan Smith

Intel, AMD and ARM are issuing patches for the firmware — software they developed that sits between the hardware and operating system (Mac OS, Windows, iOS) to make the computer do things like turn on before the operating system takes over. The hope is that by putting strong fences around the flawed chips, they would slow down or even thwart Meltdown and Spectre attacks.

Should consumers be worried? Experts say average users should download the required patches and run the most updated operating system — and they should be good to go. “It’s yet another attack,” Genkin said. “It’s no more dangerous than phishing,” where hackers entice users to open emails with viruses by disguising the communication as coming from a trusted source.

Genkin said the greater danger is in the cloud, where companies store their data in shared servers. “If they are running on the same hardware where you and I can rent time on, and now if I can read the secret data of someone else, it’s very unpleasant to that someone else.”

Business Impact

Some patches have turned out to be problematic, causing computers not to boot up among other complications, according to tech news website Ars Technica. There’s also concern that the patches are slowing down performance — reportedly by up to 30% — although Genkin and Smith believe the drag varies. “If you use applications that have more privilege, you’re going to see more performance loss,” Smith said. “But for, say, engineering applications where you’re designing auto bodies for aerodynamics, it’s not going to be a problem.”

However, even a slowdown of 10% to 20% is significant and will translate to higher costs for businesses as they will have to replace their equipment sooner than expected, Alig said. “The biggest cost to businesses is just going to be the lifecycle of all the hardware that we previously assumed we can use for two [to] six years or more. It is now going to end its lifecycle sooner because it’s not going to be as powerful,” he said.

“The biggest cost to businesses is just going to be the lifecycle of all the hardware that we previously assumed we can use for two [to] six years or more.”–Dan Alig

“As consumers, we all see this when we have an older iPhone that seems [to run] slower and slower as software starts doing more and more,” Alig continued. If that happens to a work computer, “we think about needing a new laptop or desktop when it gets so slow that you’re starting to notice that you can’t do your work.” There could be other costs, too, he said, but they remain to be seen.

Most CIOs and other tech officers typically are focused on keeping enterprise IT secure, Alig said. But “the biggest threat to most of our businesses does not come through the big systems that we run but through our users and their ability to keep themselves secure, and work with us to keep them secure,” he said. “We just need to make sure that everyone is paying attention — we help them understand that for systems that they’re using personally that are going to be interacting with our systems or elsewhere, [it’s necessary] to make sure they’re patched.”

Even so, nothing is ever truly foolproof. Not only was there a constant arms race among chipmakers to improve performance, but computers have become so complex that it is difficult to foresee every vulnerability. “There are so many lines of code, so many transistors, so many vectors of potential threats that even with lots of resources, there’s no way for an entity to be aware of all of them,” Alig said. “It’s hard to know what we don’t know.”