Daniel Gruss didn't sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel, something we discussed in "Why The Implications Of The Intel 'Bug' Are Staggering." And as Reuters describes in fascinating detail, the 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University had just breached the inner sanctum of his computer's CPU and stolen secrets from it.
Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's 'kernel' memory, which is meant to be inaccessible to users, was only theoretically possible.
"When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.
Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.
"We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.
Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found".
The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995.
Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices and ARM Holdings, a unit of Japan's Softbank.
Both would enable a hacker to access secret passwords or photos from desktops, laptops, cloud servers or smartphones. It's not known whether criminals have been able to carry out such attacks, as neither Meltdown nor Spectre leaves any traces in log files.
Intel says it has started providing software and firmware updates to mitigate the security issues. ARM has also said it was working with AMD and Intel on security fixes.
Finding a Fix
The discovery was originally reported by online tech journal The Register. As a result of that report, research on the defect was published a week earlier than the manufacturers had planned, before some had time to work out a complete fix.
The Graz team had already been working on a tool to defend against attempts to steal secrets from kernel memory.
In a paper presented last June they called it KAISER, or Kernel Address Isolation to have Side-channels Effectively Removed.
As the name suggests, KAISER seeks to defend the kernel memory from a so-called side-channel attack that exploits a design feature of modern processors that increases their speed.
This involves processors executing tasks "out-of-order", and not in the sequence received. If the CPU makes the right speculative call, time is saved. Get it wrong and the out-of-order task is cancelled and no time is lost.
Researcher Anders Fogh wrote in a subsequent blog that it might be possible to abuse so-called speculative execution in order to read kernel memory. He was not able to do so in practice, however.
Responsible Disclosure
Only after the December self-hacking episode did the significance of the Graz team's earlier work become clear. It turned out that the KAISER tool presented an effective defense against Meltdown. The team quickly got in touch with Intel and learned that other researchers - inspired in part by Fogh's blog - had made similar discoveries.
They were working under so-called responsible disclosure, where researchers inform affected companies of their findings to give them time to prepare 'patches' to repair flaws they have exposed.
The key players were independent researcher Paul Kocher and the team at a company called Cyberus Technology, said Gruss, while Jann Horn at Google Project Zero came to similar conclusions independently.
"We merged our efforts in mid-December with the team around Paul Kocher and the people from Cyberus Technology to work on two solid publications on Meltdown and Spectre," said Gruss.
Gruss had not even been aware of the work Horn was doing.
"Jann Horn developed all of this independently - that's incredibly impressive," he said. "We developed very similar attacks, but we were a team of 10 researchers."
The wider team said patches for Meltdown, based on KAISER, had been readied for Microsoft and Apple operating systems, as well as for the Linux open-source system.
There is as yet no fix for Spectre, which tricks programmes into leaking their secrets but is viewed as a harder exploit for a hacker to carry out.
Asked which of the two flaws posed the greater challenge, Gruss said: "The immediate problem is Meltdown. After that it is going to be Spectre. Spectre is more difficult to exploit but also to mitigate. So in the long run I'd bet on Spectre."
If this is known publicly today, imagine how long ago intel agencies have kept the secret.
I assume the down votes are coming from those who are just now beginning to wake up and see the world for what it really is? I took that trip years ago.
In reply to If this is being done… by Brazen Heist
What's really troubling is the thousands and thousands of these chips in US government sensitive items. Wonder if the Awan brothers knew about this one?
In reply to Some of us have known for… by SamAdams
Most of those CPUs are hard wired on the motherboard. Is everyone supposed to throw away their MB or laptop and go buy a new one when the CPUs have been redesigned to fix this vulnerability?
Sounds like a scam or built in flaw to boost computer/chip sales to me. Trash your old computer and buy a new one or you are vulnerable! LOL
In reply to What's really troubling is… by FoggyWorld
Enjoy those secure CRYPTOS!
In reply to Most of those CPUs are hard… by IH8OBAMA
"Installing new Chrome with Meltdown fix makes it even easier for spy agencies to get in your computer."
Headline in 2 weeks from now.
In reply to Enjoy those secure CRYPTOS! by Pinto Currency
No, this has been known for years. That's why some of us try to use AMD when possible.
In reply to Most of those CPUs are hard… by IH8OBAMA
Meanwhile the replacement chips are getting the real backdoor installed for the spooks.
In reply to Most of those CPUs are hard… by IH8OBAMA
CIA, NSA, et al are pissed that their handiwork was discovered. 20 years down the drain
In reply to Especially those sneaky Jooz! by Megaton Jim
Spectre-
You see, if you have this chip, this mark on your hand or forehead you will be able to buy and sell. If not, you get to shop at the no longer in existence retail outlets. The fix. It is all about your safety and security. How else can you be verified that you are really you and have the right to access your data?
In reply to CIA, NSA, et al are pissed… by Gert_B_Frobe
Intel CEO sold stock before chip security flaw was disclosed
CEO Brian Krzanich sold about $39 million in stocks and options in late November, before the security vulnerability was publicly known.
The company didn't respond to inquiries about the timing of Krzanich's divestments, but a spokeswoman told MarketWatch it was unrelated to the security flaws.
https://www.msn.com/en-us/money/companies/intel-ceo-sold-stock-before-c…
What a coincidence!
In reply to If this is being done… by Brazen Heist
"it was unrelated to the security flaws"
Yeah, and Mooshell is really a woman.
In reply to Intel CEO sold stock before… by Son of Loki
Well, Intel knew at that time because it sounds as if Horn/Google had informed the cpu vendors some 6 months ago. Google normally gives 90 days after discovering a vulnerability for the responsible party to provide a fix before going public with the information. Seems they waited more than 90 in this case.
In reply to Intel CEO sold stock before… by Son of Loki
"but a spokeswoman told MarketWatch it was unrelated to the security flaws."
Right. And my name's Benedict XVI...
In reply to Intel CEO sold stock before… by Son of Loki
Yeah, others have mentioned this for a long time... since the 90s that I know of, which fits with their role as state sponsored corporations.... same in the MSM, the sciences, religions, education.. etc... all 'state sponsored'... same with our regime change specialists... aka 'terrorists', contractors, mercenaries... all state sponsored.
This is just yet another example of the 'outing' of the OWO.
In reply to If this is being done… by Brazen Heist
I'll do you one better, Brazen. What if this was not only known, BUT BUILT INTO THE SYSTEMS AT INCEPTION?
Leaves no trace, how nice.
But hey, we got faster computers.
In reply to If this is being done… by Brazen Heist
It's possible.
In reply to I'll do you one better,… by BandGap
Intel agencies probably had it designed into the chip to begin with.
dingdingding, Jim Stone has been talking about this for years and warning about the Intel Core vPro chip
In reply to Intel agencies probably had… by zanza
My understanding is that the side-channel attack is very sensitive to timing. I read that patches will increase certain timings from 4 nanoseconds to 20, and that has led to worries that the processors will slow down. Apparently the timings come into play gazillions of times per second. I wonder if older, slower CPUs would have had this exposure.
Time to get out my old PC AT and relearn DOS.
In reply to Intel agencies probably had… by zanza
Right back to pen and paper for me.
Just don't have anything important ever get into the memory of your computer. If all you do is watch videos and play games you should be fine.
Considering the bad things .gov and others do with computers, I may have been early when I long ago stated to friends that computer usage should have been limited to gaming. As for smart phones, anyone who uses them with an expectation of privacy is not too smart.
And by the way, I heard that there is a flaw with lots of smart cards (those things many carry in their wallets that get inserted into card readers) that can expose your data to bad guys. That is yet another reason to stick to cash, since no one ever lost data using cash. (I'll ignore the downsides of mugging and civil asset forfeiture for now.)
In reply to Right back to pen and paper… by ParkAveFlasher
All in the name of stealing trade secrets, intelligence and private info that can be used to compromise an individual. This is a feature, not a bug.
Entropy rules
The NSA will of course use this as a 'plausible deniability' measure, they will have all your data now and no one will be accountable. Hedge accordingly.
Trust is a fool's opiate.
Sooooooooo a "flaw" was in the chip that allowed a person to explore the chip. And this was all an "accident". Don't piss in my pocket and tell me it's raining.
Fletcher: There's another old saying, Senator: Don't piss down my back and tell me it's raining.
why does everyone get this wrong?
In reply to Sooooooooo a "flaw" was in… by Bondosaurus Rex
Why do you give a shit?
In reply to Fletcher: There's another… by Number 9
Spectre is a class of attack (reading memory you don't have auth to) which is particularly dangerous/useful against cryptocurrency wallets in browser clients and cryptocurrency exchanges running on shared virtual machines in the cloud.
Even if the current known 3 variants of Spectre get fixed in next couple of weeks - the consensus right now is there are many more, similar, attacks to come - until new hardware becomes available with a permanent fix.
With BTC/ETH prices where they are now - there is only one way that ends.
Hey they have to fund those black budgets somehow. They're running out of new opiate addict customers in the US, after all.
In reply to Spectre is a class of attack… by mtkd
hardware wallets are even more important now, and are not affected by these "features"
In reply to Spectre is a class of attack… by mtkd
My wallet!!
It's not a flaw folks. It was done with intent.
people fucking doing my back door entry, fuck stay out of my chips!!!!!!
use a vpn and don't let anyone in your house around your comps.. problem solved..
If it's digital, it's available to all and sundry. Air gapped stand alone pcs in security bunkers with armed guards aren't completely secure - a VPN is just a handy data collection service that you have to subscribe to, to voluntarily offer up your internet traffic (even the ones who claim they don't keep logs).
If you need privacy, don't use a computer. If you use a computer, assume at least half a dozen people are watching your every move.
Oh, and don't take rude pix of yourself/significant other on your telephone. Just don't. It only encourages Alt-RightGirl (who seems to have been thrown out, finally).
In reply to use a vpn and dont let… by Number 9
I'm sure Sears and Toys R Us have neglected their networks. How do we exploit their Intel chips?
Gee, this sounds like the Deep State might have access to almost everyone's CryptoKeys.
How do you think Israel controls congress .........
https://www.youtube.com/watch?v=K66IWmiVSII&t=2s
Looks like a limited hangout since National security is at risk if every Intel CPU can be hacked world wide. It reads like an advertisement for black hats IMO. One would think .gov would not want this to be made public until a fix is in place. Very curious indeed.
Well, there does all those ANON coinz like ADA etc haha
All Chip Backdoors are left open for NSA Hackers. All hackers can take all info they want. If NSA can enter so can anyone else. AND the tech & chip stocks keep going up cause everyone will still buy, buy, buy, smartphones, laptops, smart watches, home monitoring, autos. Who cares anymore current tech is the BIG BROTHER that's watching you.