(Image courtesy of Thinkstock).
(Image courtesy of Thinkstock).
(Image courtesy of Thinkstock).
(Image courtesy of Thinkstock).
(Image courtesy of Thinkstock).

Meltdown and Spectre Casualty List Does Not Include Microcontrollers

Jan. 5, 2018
Meltdown and Spectre Casualty List Does Not Include Microcontrollers

When Intel revealed that almost all its computer chips were exposed to exploits that could allow hackers to swipe their memory contents, the company denied that it alone was afflicted. The Meltdown vulnerability is specific to Intel, but the company said that it would work with rivals AMD and ARM to resolve a fault that also affects them, called Spectre.

ARM is the company behind an architecture that has been shipped in more than four billion chips installed in everything from smartphones to factories, and which is inside chips vulnerable to the Spectre flaw. The company recently revealed that the exploit does not affect its microcontrollers, but it could pose a threat to higher performance chips.

The firm stressed that the exploits would not work against Cortex-M designs, which are used in microcontrollers for the Internet of Things and which have been shipped in tens of millions of devices. On Wednesday, the company published a chart of vulnerable devices, which include several Cortex-R and Cortex-A products used in smartphones and other chips sold by Nvidia and Samsung.

“All future Arm Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches,” the company said in a statement. ARM said that the patches needed to protect devices would be based on the processor’s operating system, which companies like Google and Microsoft have started to fix. Apple said that it had released "mitigations" for its devices, which are all affected.

The flaws can be exploited in a side-channel attack, which take advantage of quirks in the computer processor’s circuits rather than software vulnerabilities. Spectre, like Meltdown, tricks applications into granting access to locations in memory, giving it a secret passage around the digital ramparts built into major operating systems like Linux and Windows.

The problem stems from a technology called speculative execution, which allows chips to guess what should be the next task and start working on it, speeding up software. If the chip guesses wrong, then it throws out the result. The exploit takes advantage of the fact that the hardware is cheating, allowing it to access data that would normally be sealed off securely, like passwords.

Intel has highlighted its quick response to the exploits, which it learned about last year but only acknowledged on Wednesday after the existence of the Meltdown flaw began to leak through news websites. There is no evidence that hackers have taken advantage of the flaws, but the blast radius of the vulnerabilities has shaken the entire technology industry.

Spectre is harder to exploit than Meltdown, but it is also harder to prevent and could require chips to be redesigned. But the prognosis also appears to have improved. The United States Computer Emergency Readiness Team, part of the Department of Homeland Security, recently removed a note that advised companies to replace all hardware vulnerable to the exploits. 

Voice your opinion!

To join the conversation, and become an exclusive member of Supply Chain Connect, create an account today!