Significant vulnerabilities that could allow cyber attackers to compromise data have been found in common processors in almost all modern devices.
What are “Meltdown” and “Spectre”?
The vulnerabilities, known as “Meltdown” and “Spectre”, are two related so-called “side-channel” attacks that have been found in central processing chips (CPUs) designed by Intel, AMD (Advanced Micro Devices Inc) and ARM (Advanced RISC Machines Ltd). The issue was recently discovered by security researchers at Google’s Project Zero in conjunction with academic and industry researchers from several countries.Combined, the vulnerabilities have the ability to affect almost every modern computer, including smartphones, tablets and personal computers from a range of vendors running almost any operating system. The vulnerabilities undermine security features built into the processors which are designed to keep data from different running programs separate (including data used by the operating system itself).
Processors in most devices employ a range of techniques to speed up their operation, one of which is so-called “speculative execution” – attempting to anticipate in advance (and execute) the parts of a program that might be needed in future. In simple terms, a malicious attacker can exploit the two vulnerabilities to manipulate a processor into executing code which works on data that would ordinarily be out of bounds to the attacker, and then spy on the processor (via the side-channel attack) to compromise the content of the data being processed.
As a result, malicious code running on a vulnerable device is in effect able to access unauthorised areas of memory and data not normally visible to an attacker. In theory, any data on the device has potential to be accessed, including data of other running programs, or even data running on other virtual machines on the same hardware. This could result in the compromise of particularly sensitive data, including security keys and passwords.
How to protect your organisation?
Device and platform manufacturers are releasing updates to supported products to mitigate the issues posed by these vulnerabilities. The Head of Technology Policy at the Information Commissioner’s Office (“ICO”), recently published guidance on Meltdown and Spectre which strongly recommends that organisations determine which of their systems are vulnerable and ensure that the latest patches have been installed “as a matter of urgency”. This is re-iterated in related advice from the National Cyber Security Centre (“NCSC”), which also recommends not using unsupported devices where patches will not be issued to fix the vulnerabilities.
The ICO guidance goes on to state that failure to patch known vulnerabilities is a factor that the data protection authority will take into account when determining whether a breach of the seventh principle of the Data Protection Act 1998 (appropriate technical and organisational measures taken against unauthorised or unlawful processing of personal data) is serious enough to warrant a civil monetary penalty. Under the EU General Data Protection Regulation (“GDPR”), there may also be circumstances in which organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been implemented but were not.
Whilst these vulnerabilities have the theoretical potential to cause widespread exfiltration of data and disruption, there is currently no clear indication that they have been exploited to date or that any data have actually been compromised. It is also worth noting that the vulnerabilities can only be exploited by malicious code on the device – so there necessarily needs to be another vulnerability already present on a particular system for it to be exploited. Indeed, the first attempts by cyber attackers to exploit the existence of these vulnerabilities have seen them issue fake security updates purporting to fix the vulnerabilities, but that are in fact themselves malware.
Vulnerabilities in the cloud
The Meltdown and Spectre vulnerabilities present some unique issues for cloud services.
Whether cloud service providers are acting in the capacity of a data controller or a data processor, there will likely be obligations upon them to take steps to patch affected systems.
A challenge exists in that systems may need to be patched at multiple layers for the patches to be effective. For example, hardware running virtual machines might need to be patched at the firmware (BIOS) level, at the hypervisor level (the software managing the virtual machines), and on the guest operating system of each virtual machine. In practice, these components may be the responsibility of different corporate entities, such that cooperation and coordination is required.
For example, when using Infrastructure as a Service (IaaS), the service provider should patch the hardware (and possibly also the hypervisor), but organisations will themselves need to update the operating system of any virtual machines they manage. For Platform as a Service (PaaS) and Software as a Service (SaaS), the cloud service provider might have responsibility for installing all the required patches.
A particular issue arises for so-called “multi-tenanted” cloud systems that hold data from more than one party on the same infrastructure. Without effective patching at all levels, there is potential for data to be compromised and leaked between tenants. However, patching multi-tenanted systems may require cooperation between the service provider and all the respective tenants where those tenants manage their own software.
Whatever the type of hosting, organisations that use cloud-based systems should double-check the contractual responsibility for security (and patching in particular) and seek appropriate assurances from their service provider that these vulnerabilities have been patched. For multi-tenanted systems, as there will not necessarily be a direct contractual relationship between one tenant and another, in practice seeking these assurances will require the service provider to liaise between tenants to ensure all the guest operating systems have been patched.
To patch or not to patch: the balancing act
The patches being released to address Meltdown and Spectre by necessity go to the core of the operation of operating system and the processors concerned. They make changes at the “kernel” level of operating systems as well as the microcode that runs within the processors themselves. Such patches are complex and not without risk.
The fact that the existence of Meltdown and Spectre was leaked before the patches were quite ready means that development of the patches has had to be accelerated. There have been reports that patches released for both AMD and Intel hardware have led to system instability (spontaneous reboots) as well as systems failing to boot at all. Since the data protection principles also relate to accidental loss or destruction of personal data (as well as the risk of data breach), systems resilience is equally important and system owners are somewhat between a rock and a hard place.
In addition, even when the patches are made stable, there are confirmed issues with reduction of performance of systems where the patches have been installed. The reduction in performance is most acute for systems that involve significant storage access, which will often be the case for multi-user cloud or database systems.
Some organisations have also found that their anti-virus solutions have yet to be made compatible with the issued patches, meaning the patches cannot be installed until the anti-virus providers have added support.
Whilst the ICO acknowledges that it will ultimately be up to an organisation whether it applies a patch, if the organisation chooses not to, the regulator would expect “significant mitigations to be in place and well understood”.
A layered security system is therefore the key
The ICO guidance explains that cyber attackers should not be able to access core systems in the first place. It reiterates that the concept of “privacy by design” should be “in every part of your information processing, from the hardware and software to the procedures, guidelines, standards and policies that your organisation has or should have”. Privacy by design is one of the best practice concepts given statutory recognition under the GDPR; it requires controllers to think about privacy and cyber security at the inception of projects and system design.
The ICO recommends that organisations have an effective “layered security system” to mitigate the repercussions of an attack. It suggests that organisations look at their data flows, understand how data moves through, and beyond, the organisation (both in electronic format and the “real” world format) and consider system protections at each step. Organisations should be evaluating the impact of a data breach, or data loss, to the organisation (both financially and from a reputational point of view). Data should also be as secure at rest as when it is in transit (for example, through encryption, salting and hashing techniques), so that even if data is compromised, it cannot be read by the attacker. While encryption could in theory be circumvented through Meltdown and Spectre (by compromising the encryption key), salted and hashed passwords, even if compromised, can remain secure.
A well designed system will ensure that the network infrastructure is adequately protected and the ICO recommends that such a system would incorporate firewalls, access control lists, VLANs as well as physical security measures such as CCTV, fences and security personnel if required. The guidance reiterates that security is not just an IT issue; ensuring that appropriate policies and procedures are adequately implemented, enforced and reviewed in practice will also be key. A combination of senior management buy-in, governance and appropriate training and awareness of staff will help support achieving this aim. To reiterate the words of the ICO “the more layered approach you take, the less likely a vulnerability like Meltdown or Spectre could be exploited”.
What about liability?
Given the spectrum of end-users, organisations, service providers and manufacturers in the supply chain affected by these latest cyber vulnerabilities, there is no doubt that these players will be closely reviewing the terms and liability regimes in their respective commercial arrangements.
For example, cloud service agreements can often use cumulative processor time as the charging metric. Due to the degradation in performance caused, customers may find themselves subject to increased costs (which they will want to recoup) even though the workload itself has not increased. On the other hand, service providers will no doubt closely scrutinise their force majeure provisions to determine whether these provisions could be triggered by the vulnerability, and therefore whether the service providers are relieved of their contractual obligations.
In turn, cloud service providers or customers may seek redress from processor manufacturers if they are required to purchase additional hardware to maintain present levels of processing power. At least three class-action law suits have already been filed against one processor manufacturer on behalf of affected consumers. Even if cloud service providers and customers choose themselves not to sue, the need to renew end-of-life hardware will likely mean that the issue arises in negotiations with organisations seeking discounts or rebates, backed with the threat to procure processors from alternative providers.
It remains to be seen what the longer term legal fall-out will be from the Meltdown and Spectre vulnerabilities.
A version of this article was first published on the Legal IT Insider website.