“Meltdown” and “Spectre” : the clock is ticking for chip flaw fixes to start working


 

Eric De Grasse
Chief Technology Officer

The Project Counsel Group

17 January 2018 (Detroit, Michigan) – We are taking a short break this morning at the North American International Auto Show (NAIAS) to finish our review of the Consumer Electronics Show 2018 (CES), which ended in Las Vegas last week. And, yes, NAIAS and CES had some overlap this year. Both events had some riveting presentations on the “obvious ability to weaponise self-driving cars” and “the amazing amount of data being collected by cars”. More to come on both points tomorrow in our CES wrap-up report.

But as I was reviewing my notes I also realized I had not caught up on the ticking clock …

… for fixing those chip flaws that blasted the news wires at the beginning of the year. I gave a short overview at the beginning of the year (click here) and herein is a short update from sources I scanned:

Cures for Meltdown and Spectre chip flaws aren’t working, and the hacks are incoming:

  • The Register has a detailed report on software patches that cause some industrial hardware to become unstable.
  • And Intel has warned that even its fixes have issues, causing some chips to reboot.
  • Meanwhile, there has been a flurry of reports from security researchers (for just one click here) who have already shown they can weaponize the chip vulnerabilities. Crooks won’t be far behind with their own attacks.
  • More to come? “There are probably other things out there like [Meltdown] that have been deemed safe for years”, says Simon Segars, CEO of chip firm ARM.

In any case, the number of wobbles shows just how shoddy a lot of the software is in this area. It was either going around OS protection mechanics or had some ultra-optimistic (not to say delusional) ideas on how long it would take for a particular syscall. And as I have said in numerous posts, you should not connect things to the internet because you can. Using the internet as a mode of transferring information should only be used securely – and given most systems lack security it should not be done.

And let’s face it: the problem is there isn’t a parallel test system very often on which you can deploy patches. If your kit costs tens of thousands of dollars/euros/yen (if not much much more) and it is in use 24/7, asking “can you buy us a complete parallel system to test” is something you are going to have a wee bit of trouble getting past finance. So …

 
Our boss will be at the mega-annual cyber security event in Lille, France next week … there will be several detailed presentations on Meltdown and Spectre … and he’ll have a further report.