Meltdown & Spectre: Diseases in need of immunization
February 05, 2018
To guard against hardware and software vulnerabilities that have yet to be detected, as well as attacks that have yet to be written, it is imperative to secure the entire chain of vulnerability.
Cybersecurity is very much like modern medicine that attempts to prevent infectious diseases before they strike. When prevention fails, healthcare professionals urgently treat and try to isolate illnesses so they don’t spread epidemically across increasingly distributed populations.
Security experts warn that for flaws like Meltdown, Spectre, and other known and unknown vulnerabilities, the worst is actually yet to come because of the billions of embedded endpoint CPUs that form the backbone of the IoT (Sidebar 1). These connected edge devices – including connected and autonomous cars, consumer goods, smart meters, industrial control systems, security cameras, and countless more – will inevitably be vulnerable to attacks unless a truly robust, end-to-end solution is quickly and widely adopted on an industry-wide basis.
So far, the treatment for both CPU-level security flaws and software-persistent vulnerabilities has come in the form of updating mechanisms, including galvanic and firmware over-the-air (FOTA) patches, but these have limited efficacy against current and future breaches. What is needed is a preventative approach – an immunization – to protect firmware, memory, and the cloud from malicious code and external hacking. To fully guard against hardware and software vulnerabilities that have yet to be detected, as well as attacks that have yet to be written, it is imperative to secure the entire chain of vulnerability – from deeply embedded endpoints, out to the cloud, and up into the enterprise management layer.
- Edge – IoT edge devices have varying (and sometimes limited) resources, and face constraints such as energy and latency. Security solutions need to accommodate these variables and be processor- and OS-agnostic. The “holy grail” of protection is to prevent overwriting, modification, manipulation, erasure, and ransomware attacks on firmware in all connected and IoT devices.
- Network – FOTA updates make edge devices extremely vulnerable. Chip vendors should consider embedding hardware in the microprocessors themselves to inoculate them against malicious software interference, while guaranteeing the preservation of system memory contents. By fully securing IoT devices during FOTA and out to the cloud, users can maintain control and analyze threats and attacks in real time.
- Cloud – Protecting, defending, and managing the firmware in an embedded system is a unique and effective way to immunize IoT edge devices. Enterprise management systems can be used as an extra layer of security, allowing companies to treat new “diseases” as they develop down the road.
Spectre and Meltdown quarantine
It is absolutely unavoidable that new security flaws will be uncovered, and that hackers will continue to find ways to exploit vulnerabilities. But with a creative and comprehensive approach to protecting IoT edge devices, we can eradicate the Meltdown and Spectre epidemics and guard against other outbreaks that will inevitably follow.
Erez Kreiner is the co-founder of NanoLock Security and the former head of Israel’s Cyber Security Authority. He is also an associate at the International Institute for Counter-Terrorism (ICT) and a lecturer at a number of academic institutions.