In the last
few months of 2017, security companies made their own forecasts about incoming
cyberthreats and the measures that needed to be taken to ensure a better and
cybersafer 2018, often advocating the use of protective software tools made by
that vendor. Lo and behold! 2018 started with a scenario hardly anyone
could have foreseen. Two serious design vulnerabilities in CPUs were exposed
that make it possible, although not always that easy, to steal sensitive,
private information such as passwords, photos, perhaps even cryptography
certificates.
Lots has been
written about these vulnerabilities already: if you are new to the subject we
suggest that you read Aryeh Goretsky’s article “Meltdown and Spectre CPU Vulnerabilities: What You Need to Know.”
Now, there is
a much larger underlying issue. Yes, software bugs happen, hardware bugs
happen. The first are usually fixed by patching the software; in most cases the
latter are fixed by updating the firmware. However, that is not possible with
these two vulnerabilities as they are caused by a design flaw in the hardware
architecture, only fixable by replacing the actual hardware.
Luckily, with
cooperation between the suppliers of modern operating systems and the hardware
vendors responsible for the affected CPUs, the Operating Systems can be
patched, and complemented if necessary with additional firmware updates for the
hardware. Additional defensive layers preventing malicious code from exploiting
the holes – or at least making it much harder – are an “easy” way to make your
desktop, laptop, tablet and smartphone devices (more) secure. Sometimes this
happens at the penalty of a slowdown in device performance, but there’s more to
security than obscurity and sometimes you just have to suck it up and live with
the performance penalty. To be secure, the only other option is either to
replace the faulty hardware (in this case, there is no replacement yet)
or to disconnect the device from the network, never to connect it again
(nowadays not desirable or practical).
And that is
exactly where the problems begin. CPUs made by AMD, ARM, Intel, and probably
others, are affected by these vulnerabilities: specifically, ARM CPUs are used
in a lot of IoT devices, and those are devices that everybody has, but they
forget they have them once they are operating, and this leaves a giant gap for
cybercriminals to exploit. According to ARM, they are already “securing” a Trillion
(1,000,000,000,000) devices. Granted, not all ARM CPUs are affected, but if
even 0.1% of them are, it still means a Billion (1,000,000,000) affected
devices.
IoT of issues
Now I can
hear already someone say “What kind of sensitive data can be stolen from my
Wi-Fi-controlled light? Or my refrigerator? Or from my digital photo frame? Or
from my Smart TV?” The answer is simple: lots. Think about your Wi-Fi password
(which would make it possible for anyone to get onto your local network), your
photos (luckily you only put the decent photos on the digital photo
frame in your living room, right? Or did you configure it to connect
automatically to Instagram or DropBox to fetch your newly-taken pictures?),
your credentials to Netflix? Your… Eh… There is a lot of information people
nowadays store on IoT devices.
Ok, to be
fair, to get access to these IoT devices, your attackers need to have
compromised the network already to get into them? Or they have to compromise
the supply chain, or compromise apps or widgets that can run on the device, or…
as you can see, there are many ways to get access to these devices.
It is not
feasible, in fact not even possible, to replace all CPUs in all devices. It
would be too costly, besides the success rate for unsoldering and resoldering
pin-throughs in multi-layer boards will never be 100%. In the real world,
people will keep their existing devices until those devices reach the end of
their lifecycles. So for years to come, people will have households with
vulnerable devices.
Do you know
how many IoT devices you have on your local network? Probably not. Several
products, including from ESET, exist that will identify all the network-aware devices
in your network. If you use any of these you may be surprised you
discover some devices you have never realized are there in your household at
all.
As mentioned,
it would be too costly to replace all the faulty CPUs, especially in the
cheaper IoT devices. On those, even updating the firmware or (patching) the
operating system may not be possible. As a warning, when you are buying a new
IoT device, it makes sense to check which CPU it is running on, and if that CPU
is affected by these vulnerabilities. It is expected that some devices may
suddenly be offered cheaply by the manufacturer, hoping to rid their inventory
of old(er) faulty CPUs while manufacturing new devices with updated CPUs, when
these become available. So: caveat emptor. A bargain may turn out to be
a nightmare once you connect it to your network.
The
bottom-line: IoT or “smart” devices are here to stay, affected or not, so be
sensible with the information you store within them.