Experts spot CPU security hole
Australian cybersecurity researchers have reported on serious bugs at the heart of millions of modern PCs.
Dr Yuval Yarom, of the University of Adelaide's School of Computer Science and CSIRO's Data61, is part of an international team that has reported security vulnerabilities in Intel processors made over the last two decades. The flaws could affect desktop computers, mobile phones and cloud servers (Spectre, unlike Meltdown, is not specific to Intel and also affects processors from other vendors, including AMD and ARM).
The team has published two reports online on what they describe as "bugs" in modern computers: hardware flaws that can potentially leak passwords and other sensitive data. The two vulnerabilities are known as Meltdown and Spectre.
“This is a significant discovery because both Meltdown and Spectre exploit critical vulnerabilities in modern processors, which are the main part of our computers,” says Dr Yarom, who is co-author of both reports.
“These bugs in the hardware can enable hackers using malicious programs to steal sensitive data which is currently processed on the computer. Such programs can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
“They do this because the processor leaves behind traces of the information that it's processing, and these traces could lead a hacker to discover important information,” he says.
Such information might include passwords stored in a password manager or browser, personal photos, emails, instant messages, and other sensitive documents, Dr Yarom says.
“We have found the Meltdown and Spectre bugs in processors used for personal computers, mobile devices, and in the cloud. This raises a number of concerns about the security of each of these devices worldwide,” he says.
Dr Yarom says there are now patches against Meltdown for computers with Windows, OS X and Linux operating systems, and technology companies are issuing or working on updates to fix the problem. However, such fixes do not currently exist for Spectre, he says.
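A practitioner reading the paragraph above will want to know whether a given Linux host has actually received those mitigations. Recent Linux kernels (4.15 and later) report their status per vulnerability under /sys/devices/system/cpu/vulnerabilities, one file per issue, each containing a line such as "Not affected", "Vulnerable" or "Mitigation: PTI". The script below is an added example, not code from the article or from the research team: it reads those files when they exist and otherwise falls back to a constructed sample so it runs offline. The sample values are illustrative and not captured from any real host.

```python
"""Report Meltdown/Spectre mitigation status from the Linux sysfs interface."""
import os

# Directory exported by Linux 4.15+; absent on older kernels and non-Linux systems.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample contents (assumption: not taken from a real machine),
# used so the example runs offline and on hosts without the sysfs directory.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def classify(value):
    """Map one sysfs file's text to a coarse state.

    The kernel's strings always start with one of "Not affected",
    "Mitigation:" or "Vulnerable"; anything else is reported as unknown
    rather than silently treated as safe.
    """
    text = value.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(vuln_dir=VULN_DIR):
    """Return {name: raw_text} for every file in the vulnerabilities directory.

    Returns an empty dict if the directory is missing, so callers can
    distinguish "kernel does not report" from "kernel reports nothing".
    """
    results = {}
    try:
        names = os.listdir(vuln_dir)
    except OSError:
        return results
    for name in sorted(names):
        with open(os.path.join(vuln_dir, name)) as fh:
            results[name] = fh.read()
    return results


def assess(raw):
    """Return {name: (state, detail)} for the raw sysfs contents."""
    return {name: (classify(text), text.strip()) for name, text in raw.items()}


def unmitigated(assessment):
    """Names of issues the kernel reports as still vulnerable, sorted."""
    return sorted(name for name, (state, _) in assessment.items()
                  if state == "vulnerable")


def needs_attention(assessment):
    """Issues that are vulnerable or that the parser could not classify."""
    return sorted(name for name, (state, _) in assessment.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    raw = read_sysfs()
    source = "sysfs"
    if not raw:
        raw, source = SAMPLE, "constructed sample"
    report = assess(raw)
    print(f"source: {source}")
    for name, (state, detail) in report.items():
        print(f"{name:<12} {state:<13} {detail}")
    print("needs attention:", ", ".join(needs_attention(report)) or "none")
```

The classifier deliberately reports unrecognised strings as "unknown" instead of assuming they are safe; a new kernel wording should surface as something to look at, not disappear. On a real host the output reflects only what the running kernel knows: firmware microcode and hypervisor-level changes still have to be verified separately.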
“Ultimately, I think our discovery will help to change the way processors are designed, to help prevent such cybersecurity concerns,” he says.
These discoveries were made by a number of institutions and individuals, including Google Project Zero, the University of Adelaide and CSIRO's Data61 in Australia, Graz University of Technology in Austria, Cyberus Technology GmbH in Germany, University of Pennsylvania, University of Maryland and Rambus in the USA.