The New Year began with the announcement of a new kind of cyber vulnerability, this one perhaps more stealthy and insidious in providing an opportunity for hackers to get your information than the run-of-the mill ransomware and phishing attacks of the past. This vulnerability stems from hardware bugs - dubbed Spectre and Meltdown- that impact the most widely used microprocessors in the world and exist in almost everybody’s computers. The challenge in fixing these vulnerabilities is that they exist in the physical hardware of our computers, and we are left to rely on software patches and solutions to address those hardware vulnerabilities. It is enough to send us all back to pencil and paper. Notably, these vulnerabilities were discovered months ago and a group of private companies and academics have been collaborating on a solution to address this widespread problem. While there has been no reported breach of personal data as a result of these vulnerabilities, less than 24 hours after Intel announced the existence of the issue, a class action lawsuit was filed against Intel in the United States District Court for the Northern District of California. Spectre and Meltdown illustrate, from a technical standpoint, the challenges of securing our information technology and, from a legal standpoint, highlights the much-debated foundational issues of standing and harm that exist in many cybersecurity matters.
The Technical Challenges
Past data exposures and spills can nearly always be traced back to one of two causes: a software defect or a human error. For example, the Target data breach resulted from a software defect that allowed devices to siphon off client data from point of sale devices. Far more frequently, data breaches trace back to human error, when, for example, a person clicks on a link in a phishing email that downloads a keystroke logger (captures and send every character you type to a hacker located somewhere across the internet). Perhaps equally as frequently, an email comes from email address that looks at first glance like it originated from a friend or colleague but actually came from a hacker. The recipient trusts the sender and shares key information that can be used to breach a software system. Would you quickly notice the difference between firstname.lastname@example.org and email@example.com?
Meltdown and Spectre are different. So what are these hardware bugs and how do they work? Most of the time one software application is prohibited from reading data used by another software application, but because of the hardware vulnerability in microprocessors that power everything from cloud computing centers to smart phones, a software application may be processed by that hardware in a way that enables one software application to read and copy data stored in memory for use by another software application. Software applications that access passwords and personal data, and even private client and business documents stored in memory represent especially attractive targets for those that are able to exploit Meltdown and Spectre. This access can lead to a data breach when one application accesses passwords and another application reads and shares those passwords. This can occur within large cloud computing centers and across all types of computing devices. Once data has been copied, the data can be sent or stored anywhere the software application can access.
Meltdown was independently discovered and reported by three different teams and the bug was reported to Intel and other hardware manufactures before being made public. Those teams included Google Project Zero, Cyberous Technology, and Graz University of Technology. Similarly, Spectre was discovered by two people and the resulting paper coauthored by a host of individuals. In this particular case, collaboration and sharing not only detected the bug but moved to assist in developing a fix before an announcement provided an opportunity for wider exploitation of computing systems through this vulnerability.
Researchers in both commercial and academic labs, as well as some of the biggest private companies in the world, collaborated on detecting this vulnerability and working together to solve the potential data exposures that could result. Patches have been made available to protect Linux, MacOS, and Windows against Meltdown by, in effect, overriding hardware functions. Unfortunately, these patches have the potential to slow down performance of those computing systems. Spectre is proving to be more difficult to protect against, hardware changes will be required to close the vulnerability. While the implications of these new hardware vulnerabilities is disheartening, the collaboration and response between Google, Intel, and researchers in both private and public labs acknowledges the need for and willingness to engage in a collective effort in addressing daunting cybersecurity challenges.
The Legal Challenges
While teams of people have spent months searching for solutions to mitigate the Spectre and Meltdown vulnerabilities, it took less than 24 hours to file a class action lawsuit relating to those issues. While the flaws in the hardware are serious, there has been no reported exploitation of those flaws. The lawsuit alleges, in part, that because the patches and solutions to the hardware vulnerabilities slow down the performance of individuals’ computers and devices, they are getting a product that is less than that for which they bargained. Like other cases relating to cybersecurity incidents, this case illuminates the issue of establishing standing where no exploits have been reported and no personal data has been compromised. As courts work through this issue, trying to make sense out of Spokeo, they will hopefully add more clarity on what it takes to bring a lawsuit in a world where cybersecurity vulnerabilities are inevitable.
The Spectre and Meltdown class action also hits on the issue of informational harm raised by the FTC late last year. As the FTC focuses its enforcement actions to those matters resulting in informational harm to consumers, would the slowing down of computers and devices as a result of a company’s effort to mitigate the harm that could potentially befall consumers from a hardware vulnerability rise to that level?
In the meantime, right now is the time to install the critical fixes on software systems ranging from web services to handheld devices. While some confusion exists about the processers currently used in handheld devices (AMD specifically), it is important to make sure your IT staff is on top of what processor and operating systems are currently in use and install the latest patches as soon as possible. These latest threats to our information systems also further illustrate the benefits of data minimization (only collecting minimum amounts of data necessary for intended purposes) so that less data is put at risk to begin with.
It seems that all sides of our technical triangle are vulnerable: software, human, and now hardware. Pencil and paper sound more secure, but don’t forget a copy of General Robert E. Lee’s battle plans fell into Union hands before the Battle of Antietam.