Meltdown and Specter security failure: how it affects cryptocurrencies

 

A hardware failure affects “all” computers in the world. Dubbed as Meltdown and Specter, the bug affects Intel, AMD, ARM processors, including mobile phones and tablets. Errors in modern computers filter passwords and confidential data.

Meltdown and Specter take advantage of critical vulnerabilities in modern processors. These hardware errors allow programs to steal data that is currently processed on the computer. While programs usually do not have permission to read data from other programs, a malicious program can exploit Meltdown and Specter to obtain secrets stored in the memory of other running programs. This can include your passwords stored in a password or browser administrator, your personal photos, emails, instant messages and even business-critical documents, so the private keys of your cryptocurrency in use on affected computers could be compromised.

Meltdown and Specter work on personal computers, mobile devices and in the cloud. Depending on the infrastructure of the cloud provider, it may be possible to steal data from other clients.

Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against MeltdownWhite Paper by Meltdown. 

Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches. White Paper by Spectre.

How it affects the ecosystem of cryptocurrencies

As we have indicated before, if a device is attacked by these techniques, it is exposed to the filtering of passwords and confidential data, so that:

* Do not trust your PC, laptop or smartphone.
* Do not believe that applications (and private keys) are protected
* Use a hardware wallet

Pavol Rusnak, CTO of the manufacturer SatoshiLabs of TREZOR, tweeted on January 4 to confirm that his devices are not affected by Meltdown and Specter, and noted:

“Using a (hardware) wallet is now more important than ever.”

https://twitter.com/pavolrusnak/status/948863100194836480

 

¿Solución?

The CERT (Computer Emergency Response Team) is a response center for security incidents in information technology created in 1988 in response to the Morris worm incident. While Microsoft, Amazon, and Google claim that their computers are protected, the CERT ensures that the best solution is to change the affected CPU, a practically incalculable expense.

“To eliminate the vulnerability completely, it will be necessary to replace the affected CPU.”

In its most modern chips, Intel has chosen to “solve” this problem by isolating the core page table (PTI), which is responsible for separating core memory from user processes.

The patch for Meltdown has a counterpart since it causes the system to slow down between 5 and 30 percent (depending on the task and the model of the processor). If this is the only solution, it could be a problem for those companies that base their business on a great power of processing, in our case, those that mining with CPU algorithms like Monero, would reduce their calculation speed.

Anyway, CERT recommends that users apply these patches, updating operating systems and browsers to stop Specter and Meltdown. This vulnerability is so widespread that it could affect most of the planet’s computers.

At the moment we only know that there is no perfect solution.

Below, we show 2 videos of how Meltdown acts:

Official communications by manufacturers and companies until the date of publication of this article:

Intel  Security Advisory    /     Newsroom
ARM  Security Update
AMD  Security Information
Microsoft  Security Guidance    /     Information regarding anti-virus software    /     Azure Blog
Amazon  Security Bulletin
Google  Project Zero Blog    /     Need to know
Mozilla  Security Blog
Red Hat  Vulnerability Response
Debian  Security Tracker
Ubuntu  Knowledge Base
SUSE  Vulnerability Response
LLVM  Spectre (Variant #2) Patch
CERT  Vulnerability Note
MITRE  CVE-2017-5715   /    CVE-2017-5753    /     CVE-2017-5754
VMWare  Security Advisory
Citrix  Security Bulletin
Jose Felip

Jose Felip

The difficult thing is not to learn, the difficult thing is to know how to teach. Editor and coordinator of the free book "La era de las BLOCK punto COM" CEO of bitcoiner.today