The so-called Spectre vulnerability, making it easier to hack into computer systems thanks to the way modern microprocessors handle branch conditions, has been of concern for several months. However, it now appears that the problem is much, much worse than originally feared. German computer magazine C'T reports:
A total of eight new security flaws in Intel CPUs have already been reported to the manufacturer by several teams of researchers. For now, details on the flaws are being kept secret. All eight are essentially caused by the same design problem – you could say that they are Spectre Next Generation.
. . .
One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap. Intel's Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.
Although attacks on other VMs or the host system were already possible in principle with Spectre, the real-world implementation required so much prior knowledge that it was extremely difficult. However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level. Cloud service providers such as Amazon or Cloudflare and, of course, their customers are particularly affected.
. . .
Overall, the Spectre-NG gaps show that Spectre and Meltdown were not a one-off slip-up. It is not just a simple gap that could be plugged with a few patches. Rather, it seems that for each fixed issue, two others crop up. This is the result of the fact that during the past twenty years, safety considerations have only played second fiddle to performance in processor development.
An end to patches for hardware problems of the Spectre category is not in sight. But a never-ending flood of patches is not an acceptable solution. You can't shrug off the fact that the core component of our entire IT infrastructure has a fundamental security problem that will keep leading to more problems.
There's more at the link. Some similar errors have been detected in AMD microprocessors as well.
This is an absolutely fundamental level of computer operations - in other words, any program (or hacker) gaining access to the central processing unit at this level can bypass almost every computer security program ever written. Its implications for data privacy and control are absolutely horrendous. As Karl Denninger points out:
Every one of you stupid ******* firms -- and governments -- that have put your crap in the cloud have already had it stolen along with all of your encryption keys.
If you think hostile governments don't already know about and haven't been actively exploiting it for quite some time by now you're dumber than a box of ****ing rocks.
. . .
IF YOU GIVE A SINGLE **** ABOUT DATA SECURITY CLOUD IS, AS OF RIGHT NOW, DEAD, BURIED, AND RADIOACTIVE WASTE.
Again, more at the link.
Mr. Denninger is not exaggerating. Most large corporations use so-called "cloud computing", keeping their data and critical software on third-party (i.e. remote) servers, which are not under their direct control. Even the most sensitive organs of the US government, its security services, are doing the same. Effectively, every one of those organizations is now vulnerable to hackers who can exploit the chips in the computers that run the "cloud", and access even the (supposedly) secure data in it.
This is absolutely horrendous for modern business and commerce, which depends on the Internet and its "cloud" data handling infrastructure for many of its most critical functions. Every consumer was already at risk due to poor privacy and security provisions in most programs and data storage applications. Now that risk has become a virtual certainty that our data has been compromised by malicious hackers - or, if it hasn't, it soon will be, because the hardware, the very chips that run almost all modern computer programs, is vulnerable. Their manufacturers emphasized speed of processing over security measures - and now that's biting them (and us) where it hurts the most. Worse, the new security "layers" that will have to be built into future computer processors will inevitably mean that they're much slower than current models. That'll have a drastic effect on the efficiency of all data processing, whether in the "cloud" or not.
Effectively, any nation that wishes another nation harm can bring its computer-based commerce to a grinding halt by exploiting these vulnerabilities. I suppose we're in for another "Mutually Assured Destruction" environment, where the only thing stopping that happening is the greater or lesser certainty that if one country does it to another, it'll be done in reverse as well. If a nation thinks it can "insulate" its information technology infrastructure from such a counter-attack, it'll have little or no incentive to hold back its own computer aggression.
If the C'T report is true, the implications of this are simply staggering.