Apple is updating its systems against newly revealed Spectre and Meltdown vulnerabilities, but it’s not enough to update personal devices – what about
Apple is updating its systems against newly revealed Spectre and Meltdown vulnerabilities, but it’s not enough to update personal devices – what about older PCs and the millions of servers that may also be vulnerable to the bug?
The bigger picture
The Spectre and Meltdown bugs are causing lots of distress. Meltdown impacts Intel processors, while Spectre appears to threaten chips from AMD and ARM as well. A good explanation of these vulnerabilities is here.
My over-simplified understanding follows:
- Meltdown affects Intel processors (like those in Macs). It makes it possible to overcome fundamental kernel security protection in such a way as to interfere with, send or see application data.
- The Spectre bug exist deep inside Intel, ARM (which iOS devices are based on) and AMD processor architecture, attackers can exploit it to access critical and highly protected information, passwords, encrypted communications and more.
As I understand it, attacks based on these flaws can’t take place across the Internet.
“It is important to note that this method is dependent on malware running locally which means it’s imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads,” ARM said.
In other words, in order to use Meltdown or Spectre to undermine security on a Mac, iPhone or thermostat, the attacker needs to be physically with the target system.
Big tech got informed of the flaws a few weeks ago.
Apple has already upgraded Mac security against the flaws and is thought to be preparing another upgrade for its systems. Intel’s CEO courted controversy by selling Intel shares after the company was made aware of the problem last year.
9to5Mac speculates that iPhones 4 – 5 and first, second and third generation iPads may be susceptible, but it’s important to stress that we don’t actually have all the details we need in order to figure out the magnitude of the problem, and its impact on the Mac.
We have been told the flaws may impact devices as far back as those released in 1995.
What we don’t know is for how long the existence of the flaws has been known. Discovery in the public interest doesn’t necessarily mean these flaws weren’t already known elsewhere.
The danger of these flaws is that they provide a nice route to undermine security – and while that’s bad for our personal devices (which do include some older iPhones), it’s really bad for any old and hardly-ever-updated PCs connected to the network.
What do they know?
While most end users can probably expect to receive software patches to proof their systems against the flaw (eventually), the vulnerability also impacts servers. What are those servers doing?
They might be:
- Running the Internet
- Storing birth, medical and other personal records
- Storing corporate databases, enterprise archives and other essential sales and marketing systems.
- Handling financial transactions
- Threat intelligence
In comparison with the widely discussed Heartbleed and Shellshock attacks, Spectre/Meltdown reflect decades of a deep vulnerability being in existence.
What makes this really concerning is that most reports claim that these flaws have existed for a long time. This means that if any malicious entity was previously aware of these vulnerabilities they will have been able to access a huge quantity of data, without oversight, regulation, protection, permission or control. No one knows if these flaws have been exploited in this way.
The other problem is lack of protection for older systems. Those Windows XP systems are still firmly entrenched across enterprise IT. News that Macs, PCs, iPhones and other solutions are vulnerable to these exploits is far from reassuring.
Sure, we’ll handle the minor inconvenience of a software upgrade – but what about those older devices? How quickly will SME’s who happen to hold confidential client data update their systems? Will manufacturers even update veteran systems that are still widely used despite being declared end-of-life? What control does anyone who has entrusted their data to a third-party have that the data controller will act swiftly and intelligently to quickly patch their systems? What about those iCloud servers? What’s the status of AWS servers?
Must do better
While it makes utter sense to remain resolutely secure when using any computing system, flaws like these are extremely dangerous. It really isn’t my intention to be alarmist, but these new security flaws raise questions that matter a huge amount today but will matter even more tomorrow.
Apple, Google, Facebook, IBM and all the other big tech companies like to spend lots of their time talking about digital transformation, the melding of technology within every aspect of human experience.
The vision they have reaches far beyond the “tech on the cheap” small-minded vision of the UK government, and is much more in tune with more all-encompassing national strategies.
As everything is digitized, the responsibility to ensure data is kept safely and securely can only increase. This means the big tech firms who mutter these big digital transformation promises must be held to account for any failure to ensure effective protection.
The Spectre research paper tells us that these flaws exist in part because the tech industry is focused on performance, which means the many elements (from OS to processor, drivers, components and more) that make a computer system, “have evolved compounding layers of complex optimizations that introduce security risks.”
“As the costs of insecurity rise, these design choices need to be revisited, and in many cases alternate implementations optimized for security will be required.”
Otherwise we’re likely to find ourselves living through an episode of Black Mirror. Perhaps, we already are.
Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic’s Kool Aid Corner community and get involved with the conversation as we pursue the spirit of the New Model Apple?
Got a story? Please drop me a line via Twitter and let me know. I’d like it if you chose to follow me there so I can let you know about new articles I publish and reports I find.