“Spectre” still haunting security experts: Flaw that allows hackers access to passwords and email can’t be fixed

Software troubleshooting would not be enough to repair the gaping holes in cybersecurity attributed to the recently discovered Spectre security flaw. Experts warn about the need for a total redesign of the next generation of computers and computer chips to protect them from hackers.

Spectre made it possible for malicious programs and hackers to steal data, emails, and passwords from computers. It appeared in computer chips built by AMD, ARM, and Intel.

Most of the computers in the world rely on chips from the three manufacturers – so do almost all smartphones. A lot of electronic devices are at risk of being tampered with.

Upon learning about Spectre’s existence and effects, tech firms rushed to develop fixes for the problem. Responses include Google adding a new feature to its Chrome browser. The upgrade kept each web page in isolation, thereby reducing the chance that a malicious program could steal valuable data from a page.

As they worked to plug the holes, tech firms discovered that Spectre also slowed an affected device by up to 30 percent of its total processing power.

Hackers can use the Spectre flaw to read the memory of a computer or smartphone

No one has come up with an approach that addressed most or all of the issues associated with Spectre. Likewise, the tech firms have not yet announced a fix for the root cause of the security flaw.

“The entire field of computing missed this,” warned security researcher Ben L. Titzer.

The current generation of computer chips increases processing speed through speculative execution. The feature lets the chip make predictions about the calculations it may need to perform in the future.

If the computer chip makes a wrong guess, it gets rid of the incorrect prediction. But if it guesses correctly, the chip saves some time.

Tech firms remain unsure about the full extent of the Spectre security flaw. They also have a hard time figuring out if earlier software fixes were working as intended.

It might not be possible to patch some of the Spectre-class security issues. As of the time of this writing, Google security researchers have determined that there is no solution for Speculative Store Bypass, a flaw similar to Spectre.

Some experts suspected that software fixes and patches might never be able to resolve the security issue in computer chips. The only way to eliminate the threat of Spectre and other flaws was to come up with drastically different computers that use different code and hardware.

Researchers are finding serious security flaws long after the fact

Spectre was one of the security flaws reported by Google’s Project Zero in January 2019. The other one was called Meltdown.

Meltdown only affected Intel-manufactured computer chips. It served as a connection between the physical memory of the computer and software applications.

Hackers usually cannot access a computer’s hardware through software. But Meltdown served as a bridge over that barrier, allowing a hacker to read the device’s memory.

Project Zero came across Meltdown in June 2018. Security researchers realized that they could get their hands on the encryption keys, passwords, and sensitive data in supposedly secure applications.

By the time Google researchers revealed the existence of the Meltdown security flaw, Intel was already working on a patch. The computer chip manufacturer promised that the ongoing fix would not cause any noticeable drop in the performance of most computers.

In comparison, Spectre gave hackers the ability to convince applications to surrender secret information. It also affected AMD and ARM computer chips as well as Intel units.
