Security

Spectre attack variant can be remotely mounted to extract sensitive data

What we know so far about Spectre attacks is that it relies upon execution of malicious code. The code is executed on computers having speculative-execution design flaws in processor chip; once a device is compromised, it becomes possible to obtain sensitive data such as passwords, PINs, and keys. Such data is usually stored in the memory of software installed on the device.

According to security researchers, there is a way to exploit the processor flaws over a network connection. The technique, dubbed by researchers as NetSpectre, can help attackers in extracting private information from any device that is connected to the network without execution of malicious code, by exploiting the branch prediction mechanisms. This technique makes billions of computers and gadgets at risk of exploitation to some extent.

See: Spectre bug protection forcing Chrome to use 10 to 13% more RAM

The newly discovered [PDF] Spectre-class CPU attack certainly marks an evolution in Spectre attacks since it eradicates the requirement of downloading and running malicious code or accessing a website that runs malicious JavaScript code on a targeted machine. Using NetSpectre, an attacker can very conveniently launch the attack by bombarding the computer network ports to get the desired results.

The only potential shortcoming of this technique is that the exfiltration speed is comparatively slower with an approximate speed of 15/bits per hour. Researchers could reach a higher speed of exfiltration (up to 60bitsper hour) by targeting a CPU’s AVX2 module, but the model is only specific to Intel CPUs.

This shortcoming makes NetSpectre more like a theoretical threat than something possessing real danger for organizations and users. Since the attack is linked to the Spectre v1 vulnerability classified as CVE-2017-5753, so all the CPUs that are vulnerable or have been affected by Spectre v1 will be at risk.

Researchers claim that the purpose of this research was to prove that Spectre attacks doesn’t merely rely upon “local code execution” but can also be “mounted remotely.”

According to Michael Schwartz, one of the researchers, “Spectre does not necessarily require the cache to leak values.” Schwartz further added that the data leakage should be worrisome but the exfiltration speed is most certainly the biggest downside of NetSpectre.

“Luckily, the speed is quite limited, which makes this attack mainly interesting for targeted attacks on high-value targets. If the system is fully patched against Spectre.. the attack should be prevented. However, we are still at the beginning of understanding how Spectre gadgets can look like, so this is not a problem that is trivial to solve,” stated Schwartz.

According to the official statement from Intel:

NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753) and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in a place where appropriate. We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of the Graz University of Technology for reporting their research.

Full details of this research are available in the paper titled “NetSpectre: Read Arbitrary Memory over Network [PDF].”

Image credit: Depositphotos

You Might Also Like