This week, two disastrous new processor vulnerabilities spilled out into the open — and the tech world is still coming to terms with the damage. The vulnerabilities, dubbed Meltdown and Spectre, affect nearly every processor made in the last 20 years. Meltdown is the immediate threat, with proof-of-concept exploits already available, but Spectre is much deeper and harder to patch, potentially leading to generations of more subtle exploits in the years to come. The result has left nearly every major technology company scrambling to protect themselves and their customers.
The focus so far has been on personal devices, with a flood of patches already available this morning, but many experts think the most severe damage is likely to come when the exploits are turned on cloud services. “These vulnerabilities will allow one tenant to peer into the data of another co-hosted tenant,” says Mounir Hahad, the head of threat research at Juniper Networks. “This is the reason many organizations steer clear of hosted services when it comes to processing sensitive information.”
The Spectre attack is much more powerful in the cloud
Both Meltdown and Spectre deal with data leaking from one part of the computer to another, which makes them particularly dangerous when a single device is shared between users. With lots of commands running in parallel, the attacks found a way to extract data from the processor cache through a complex timing attack, sidestepping the usual privileges. Executed right, that could let a low-level process like a web plugin get access to passwords or other sensitive data held in a more secure part of your computer.
On a personal computer, that attack would be most useful for privilege escalation: a hacker running low-level malware could use a Spectre bug to own your whole computer. But there are already lots of ways to take over a computer once you’ve got a foothold, and it’s not clear how much a new processor attack would change things.
But privilege escalation is much scarier in the cloud, where the same server could be working for dozens of people at once. Platforms like Amazon Web Services and Google Cloud let online companies spread a single program across thousands of servers in data centers across the world, sharing hardware the same way you’d share an airplane or a subway car. Collective hardware isn’t a security problem because even when different users are on the same server, they’re in different software instances, with no way to jump from one instance to another. Spectre could change that, letting attackers steal data from anyone sharing the same chip. If a hacker wanted to perform that kind of attack, all they’d have to do is start their own instance and run the program.
Cloud services are also a lucrative target for anyone hoping to cash in on Spectre. Lots of midsize businesses run their entire infrastructure on AWS or Google Cloud, often trusting the platform with sensitive and potentially lucrative information. Bitcoin exchanges, chat apps, even government agencies all keep passwords and other sensitive data on cloud servers. If you’re running a modern web service, there’s simply no other choice. If someone did set a new exploit running on a cloud instance, there’s no telling what kind of data might shake out.
Researchers will be finding new variants and exploits for years
So far, cloud platforms are taking the threat seriously, and doing everything they can to contain it. Amazon Web Services, Google Cloud, and Microsoft Azure all immediately deployed patches against the Meltdown attack, and there’s no indication that the available exploits could work against any of those platforms. Where there have been lingering vulnerabilities, it’s because companies are waiting on patches from third parties, like the Windows-based instances of Amazon EC2. The major platforms have handled the immediate response well, and there’s no reason to think we’re headed toward a cloud catastrophe in the days immediately to come.
(Reached by The Verge, a Google representative said the company’s cloud services had been protected against both Meltdown and Spectre, although they declined to elaborate on the Spectre protections. Amazon did not respond to a request for comment.)
What’s more worrying is what happens in the next few years. Deeply rooted vulnerabilities like Spectre can be hard to stamp out. Researchers will be finding new variants and exploits for years — much like we saw with Stagefright — and not all of the new tricks will be as well-publicized as Spectre and Meltdown were. It’s easy to imagine an undiscovered Spectre exploit falling into criminal hands six months from now — and when it does, platforms like AWS and Google Cloud will be extremely tempting targets.
It’s particularly daunting because those platforms undergird almost all of what we think of as the internet. They run nearly every program on your phone, stream your songs and shows. It’s hard to think of a piece of information on the internet that doesn’t pass through those servers at some point, even just for caching. In a material sense, they are the internet. And while they’re staffed by some of the best security teams in the world, the attack surface is almost unlimited. Dealing with the fallout from Spectre will be one of the hardest security problems the system has ever faced — and it’s a problem that won’t go away anytime soon.