Much has been written, said and tweeted about the Meltdown and Spectre security flaws in the month since they were unveiled, but the reality is that this conversation is just getting started.
The staggering number of microprocessors that are impacted by these critical, design-level security vulnerabilities in modern CPUs (billions of existing devices) pales in comparison to the number of smart, connected and deeply vulnerable devices that will exist in just a few more years. All of these “endpoints,” including pervasive edge devices like phones, cars, industrial control systems, smart meters and consumer goods, will be susceptible to malicious hacking unless the processor industry starts to think creatively and act swiftly to protect the entire chain of vulnerability.
Intel, ARM, Qualcomm, AMD and others have leapt into action, working to develop an industry-wide approach to resolve this issue promptly and constructively. And to be fair, these newly-revealed vulnerabilities represent architecture-level design flaws that date back more than 20 years, when few people could have imagined such a wholly connected world of vehicles, homes, buildings, and automated factories and utilities — all reliant on a massive profusion of microprocessors. Even when we look at the short term, the ability of designers to predict how devices will look and behave three to five years from now is questionable, not to mention untrustworthy.
The sheer number of edge devices that makes up the rapidly expanding Internet of Things (IoT) escalates the inherent systemic susceptibility, as well as the need to urgently address it. Because of the high-volume of intelligent endpoints coming to market every day, there is a need to make them cheap, simple and power-efficient, and working with a minimum latency. Unfortunately, these very characteristics also make them more vulnerable to attack. Our industrial imperative is to quickly deliver an equally cheap, simple and low-power solution to protect these endpoints, and make their fundamental bricks as unbreakable as can be.
To date, “fixes” for Meltdown and Spectre have come in the forms of many kinds of updating mechanisms, including galvanic and over-the-air (OTA) firmware patches, which are slowing computer performance and even causing reboots, prompting Intel to advise its customers to stop installing the patches.
This software-only approach is also intrinsically short-sighted and ineffective. We know from the OS and application security updates to which we are so frequently subjected that software is fundamentally vulnerable and easily exploited. Worse, software patch installations actually open the door to hacking, placing a device is at its most vulnerable during the update process.
What we need is an end-to-end solution that secures the entire chain of vulnerability – from deeply embedded endpoints, out to the cloud, and up into the enterprise management layer.
Endpoints’ firmware should be updated when hardware-based protections are in place for the CPU and memory, so that malicious software can’t wreak havoc. Protecting firmware will defend against current and future breaches that occur because of internal design flaws, coding errors, or external hacking.
Just like the chip vendors 20 years ago couldn’t have predicted the interconnected world we live in today, we must look ahead and try to anticipate security challenges we may face down the road. Experts warn that the worst is yet to come, but with innovation and a whole new approach to the problem, we can prepare for — and defend against — the coming flood of security breaches, and the catastrophic results.
— Erez Kreiner is the co-founder of NanoLock Security and the former head of Israel’s Cyber Security Authority. He is also an associate at the International Institute for Counter-Terrorism and a lecturer at a number of academic institutions.