Daniel Gruss didn't sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel, something we discussed in "Why The Implications Of The Intel "Bug" Are Staggering." And as Reuters describes in fascinating detail, the 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University had just breached the inner sanctum of his computer's CPU and stolen secrets from it.

Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's 'kernel' memory, which is meant to be inaccessible to users, was only theoretically possible.

"When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.
Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.

"We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found".

The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995.

Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices and ARM Holdings, a unit of Japan's Softbank.

Both would enable a hacker to access secret passwords or photos from desktops, laptops, cloud servers or smartphones. It's not known whether criminals have been able to carry out such attacks as neither Meltdown nor Spectre leave any traces in log files.

Intel says it has started providing software and firmware updates to mitigate the security issues. ARM has also said it was working with AMD and Intel on security fixes.

Finding a Fix

The discovery was originally reported by online tech journal The Register. As a result of that report, research on the defect was published a week earlier than the manufacturers had planned, before some had time to work out a complete fix.

The Graz team had already been working on a tool to defend against attempts to steal secrets from kernel memory.

In a paper presented last June they called it KAISER, or Kernel Address Isolation to have Side-channels Effectively Removed.

As the name suggests, KAISER seeks to defend the kernel memory from a so-called side-channel attack that exploits a design feature of modern processors that increases their speed.

This involves processors executing tasks "out-of-order", and not in the sequence received. If the CPU makes the right speculative call, time is saved. Get it wrong and the out-of-order task is cancelled and no time is lost.

Researcher Anders Fogh wrote in a subsequent blog  that it might be possible to abuse so-called speculative execution in order to read kernel memory. He was not able to do so in practice, however.

Responsible Disclosure

Only after the December self-hacking episode did the significance of Graz team's earlier work become clear. It turned out that the KAISER tool presented an effective defense against Meltdown. The team quickly got in touch with Intel and learned that other researchers - inspired in part by Fogh's blog - had made similar discoveries.

They were working under so-called responsible disclosure, where researchers inform affected companies of their findings to give them time to prepare 'patches' to repair flaws they have exposed.

The key players were independent researcher Paul Kocher and the team at a company called Cyberus Technology, said Gruss, while Jann Horn at Google Project Zero came to similar conclusions independently.

"We merged our efforts in mid-December with the team around Paul Kocher and the people from Cyberus Technology to work on two solid publications on Meltdown and Spectre," said Gruss.

Gruss had not even been aware of the work Horn was doing.

"Jann Horn developed all of this independently - that's incredibly impressive," he said. "We developed very similar attacks, but we were a team of 10 researchers."

The wider team said patches for Meltdown, based on KAISER, had been readied for Microsoft and Apple operating systems, as well as for the Linux open-source system.

There is as yet no fix for Spectre, which tricks programmes into leaking their secrets but is viewed as a harder exploit for a hacker to carry out.

Asked which of the two flaws posed the greater challenge, Gruss said: "The immediate problem is Meltdown. After that it is going to be Spectre. Spectre is more difficult to exploit but also to mitigate. So in the long run I'd bet on Spectre."

IH8OBAMA FoggyWorld Jan 5, 2018 1:22 PM

Most of those CPUs are hard wired on the motherboard.  Is everyone supposed to throw away their MB or laptop and go buy a new one when the CPUs have been redesigned to fix this vulnerability?

Sounds like a scam or built in flaw to boost computer/chip sales to me.  Trash your old computer and buy a new one or you are vulnerable!  LOL

Fireman SamAdams Jan 5, 2018 1:24 PM

Anything that comes out of that subsidized sewer, apartheid, occupied Palestine...the answer is obvious.

 

Boycott the monstrosity and all its subsidized filth!

Barcodes 500, 729 & 871 mark the filth of "Israel"

Barcodes 7219 & 7922 mark the filth from the rest of occupied, apartheid Palestine.

Son of Loki Brazen Heist Jan 5, 2018 1:08 PM

Intel CEO sold stock before chip security flaw was disclosed

 

CEO Brian Krzanich sold about $39 million in stocks and options in late November, before the security vulnerability was publicly known.

The company didn't respond to inquiries about the timing of Krzanich's divestments, but a spokeswoman told MarketWatch it was unrelated to the security flaws.

https://www.msn.com/en-us/money/companies/intel-ceo-sold-stock-before-c…

 

What a coincidence!

Joe Davola Son of Loki Jan 5, 2018 1:22 PM

Well, Intel knew at that time because it sounds as if Horn/Google had informed the cpu vendors some 6 months ago.  Google normally gives 90 days after discovering a vulnerability for the responsible party to provide a fix before going public with the information.  Seems they waited more than 90 in this case.

gdpetti Brazen Heist Jan 5, 2018 1:09 PM

Yeah, others have mentioned this for a long time... since the 90s that I know of, which fits with their role as state sponsored corporations.... same in the MSM, the sciences, religions, education.. etc... all 'state sponsored'... same with our regime change specialists... aka 'terrorists', contractors, mercenaries... all state sponsored.

This is just yet another example of the 'outing' of the OWO.

GeezerGeek zanza Jan 5, 2018 1:33 PM

My understanding that the side-channel attack is very sensitive to timing. I read that patches will increase certain timings from 4 nanoseconds to 20, and that has lead to worries that the processors will slow down. Apparently the timings come into play gazillions of times per second. I wonder if older, slower CPUs would have had this exposure.

Time to get out my old PC AT and relearn DOS.

GeezerGeek ParkAveFlasher Jan 5, 2018 1:39 PM

Just don't have anything important ever get into the memory of your computer. If all you do is watch videos and play games you should be fine.

Considering the bad things .gov and others do with computers, I may have been early when I long ago stated to friends that computer usage should have been limited to gaming. As for smart phones, anyone who uses them with an expectation of privacy is not too smart.

And by the way, I heard that there is a flaw with lots of smart cards (those things many carry in their wallets that get inserted into card readers) that can expose your data to bad guys. That is yet another reason to stick to cash, since no one ever lost data using cash. (I'll ignore the downsides of mugging and civil asset forfeiture for now.)

konputa Jan 5, 2018 1:06 PM

All in the name of stealing trade secrets, intelligence and private info that can be used to compromise an individual. This is a feature, not a bug.

Vote up!
Impoverished P… Jan 5, 2018 1:06 PM

The NSA will of course use this as a 'plausible deniability' measure, they will have all your data now and no one will be accountable. Hedge accordingly.

Bondosaurus Rex Jan 5, 2018 1:08 PM

Sooooooooo a "flaw" was in the chip that allowed a person to explore the chip. And this was all an "accident". Don't piss in my pocket and tell me its raining.

mtkd Jan 5, 2018 1:08 PM

Spectre is a class of attack (reading memory you don't have auth to) which is particularly dangerous/useful against cryptocurrency wallets in browser clients and cryptocurrency exchanges running on shared virtual machines in the cloud.

Even if the current known 3 variants of Spectre get fixed in next couple of weeks - the consensus right now is there are many more, similar, attacks to come - until new hardware becomes available with a permanent fix.

With BTC/ETH prices where they are now - there is only one way that ends.

OverTheHedge Number 9 Jan 5, 2018 1:34 PM

If it's digital, it's available to all and sundry. Air gapped stand alone pcs in security bunkers with armed guards aren't completely secure - a VPN is just a handy data collection service that you have subscribe to, to voluntarily offer up your internet traffic (even the ones who claim they don't keep logs). 

If you need privacy, don't use a computer. If you use a computer, assume at least half a dozen people are watching your every move.

Oh, and don't take rude pix of yourself/significant other on your telephone. Just don't. It only encourages Alt-RightGirl (who seems to have been thrown out, finally).

biker_trash Jan 5, 2018 1:20 PM

Looks like a limited hangout since National security is at risk if every Intel CPU can be hacked world wide. It reads like an advertisement for black hats IMO. One would think .gov would not want this to be made public until a fix is in place. Very curious indeed.

IDESofMARCH Jan 5, 2018 1:32 PM

All Chip Backdoors are left open for NSA Hackers. All hackers can take all info they want. If NSA can enter so can anyone else.  AND the tech & chip stocks keep going up cause everyone will still buy,buy.buy, smartphones, laptops, smart watches, home monitoring, autos. Who cares anymore current tech is the BIG BROTHER that's watching you. 