With the talk of various “CPU bugs” in the news over the past few days, many customers across the industry are wondering how these vulnerabilities affect IoT. In response to significant press coverage and online speculation, Google’s Project Zero security research team, who initially discovered the issues, today released details of various vulnerabilities ahead of the originally coordinated disclosure date of January 9, 2018.
Three variants of this “side channel” attack have been confirmed, grouped into two categories, known as “Spectre” and “Meltdown“. Google has also created a website dedicated to both vulnerabilities which details in technical terms the scope and impact of the issues. Both categories of exploits stem from newly discovered vulnerabilities within the speculative execution engines found in many modern x86- and ARM-based processors that help enable efficient out-of-order execution of CPU instructions.
To briefly summarize the technical details; these vulnerabilities enable non-privileged applications running locally on a machine to access areas of memory normally reserved for the operating system kernel. The practical impact is that any application running on a system, may be able to access normally off-limits data, such as passwords, security keys, or other sensitive information stored in-memory on the local machine. These vulnerabilities are particularly relevant to multi-tenant/shared hosting environments, including major cloud vendors such as Google, Amazon, and Microsoft, though mitigation efforts are currently in progress or completed for all aforementioned vendors.
While the impact is not limited to Intel CPUs, as originally reported and speculated, the more serious Spectre category of vulnerabilities, does currently appear to be affect nearly all recent Intel’s x86-64 CPUs and a selection of ARM-based processors as well. While Microsoft, along with the Linux Kernel developers have already patched the most serious aspects of the vulnerabilities, these fixes do come with an as-yet-undetermined performance penalty. Current speculation indicates as much as a 20-30% decrease in performance for database-focused workloads, with a smaller 5-10% decrease in performance for more typical enterprise applications, and a <5% decrease for typical desktop applications.
In terms of applicability to the IoT domain, several factors should be considered. As these vulnerabilities are not so-called “remote exploits”, the impact is mostly limited to environments where sensitive applications are running alongside externally-accessible applications within the same physical system. Typical IoT deployment scenarios tend not to have external-facing services exposed directly from IoT devices, therefore as currently understood, the immediate impact to deployed assets may be minimal. However, as any application developer can attest, there is no such thing as bug-free code. Therefore until all affected systems receive patches for these new vulnerabilities, customers should evaluate any external-facing applications and consider the risks should those applications be exploited and gain access to protected kernel-space memory.
Impact on IoT
Today’s disclosures also reinforce two important aspects of IoT security.
The first is the requirement for effective device management and specifically the ability to quickly deploy patches not just to IoT applications, but to the operating systems underlying these applications and devices. In the case of today’s disclosed vulnerabilities, a kernel-level patch must be deployed to affected devices, which requires updating one of the most low-level aspects of device firmware, and also typically requires a device reboot to apply. Effective device management platforms can greatly ease the burden of applying such patches to thousands or millions of actively deployed devices.
The second requirement is for strong hardware-based security. While today’s disclosed vulnerabilities allow applications to access protected areas of kernel memory, modern best-practices can ameliorate some of the security impact by isolating sensitive information such as device keys and certificates into hardware-based cryptographic elements. Examples include ARM’s mBed OS and its usage of on-chip memory protection units to implement functionality like the uVisor as well as other technologies like dedicated TPM chips which are supported by a variety of vendors, including Microsoft’s Windows 10 IoT Core.
While understanding the impact of today’s vulnerabilities is still an ongoing process which will continue through Q1 2018 and beyond, it is clear that vulnerabilities can occur even in the most trusted aspects of a security solution. Therefore, it is critical to implement multiple layers of protection, preferably with the aid of dedicated hardware solutions, as well as providing effective methods for quickly remediating vulnerabilities through software updates to deployed assets.