Everyone is talking about the new CPU flaws Spectre and Meltdown, but I think most people don’t really know what they are in detail and how they could affect their daily lives. Crypto is booming these days and many non-tech-savvy people are in the market, too. Therefore, I wrote a short summary of the technical details of Meltdown and Spectre and their effects on cryptocurrency exchanges and wallets.
So, what are Spectre and Meltdown in detail?
They are vulnerabilities which affect CPUs made by Intel, AMD and ARM. Meltdown was already discovered in 2017 but was publicly disclosed on the 3rd of January 2018 by two companies, Cerberus Security and Google Project Zero, as well as the Technical University of Graz. Spectre was identified by Google Project Zero and the researcher Paul Kocher. Both vulnerabilities affect Windows, Linux, macOS and other operating systems, and all kinds of devices such as mobile phones, laptops, desktops and servers. There are two different variants of Spectre and one variant of Meltdown. Meltdown affects nearly every modern Intel chip, and the two Spectre variants affect at least Intel, AMD and ARM chips.
Meltdown and the two types of Spectre attack take advantage of a mechanism within CPUs that speeds up the processing of any given code, without a performance loss, by guessing what the next process will be. Every time this mechanism is executed, a small change to the processor is made. Unfortunately, this change can also be measured by other programs, which means that the information can be leaked to malicious programs, too. Spectre uses JavaScript to steal the leaked information, while Meltdown leaks information from kernel memory. Modern operating systems use page tables to map the memory of the kernel and of processes onto the physical memory of the system, and split it into two parts, one for processes and one for the kernel. Since the kernel memory is shared by all processes, Meltdown takes advantage of this shared memory, finding leaks in the data and forwarding them to a third party. Spectre could be exploited to make a CPU mispredict and execute malicious code instead of the predicted code. With the second version of Spectre, an attacker could trick the CPU into making wrong speculative accesses outside its boundaries, driving the CPU away from a normal prediction to the one that the attacker wants. Both Spectre vulnerabilities could allow an attacker to gain access to data on the chips, which means in detail that encryption keys, passwords and other sensitive information could be exfiltrated.
Every time the CPU guesses what information is needed to continue its process, the attacker could see the data. Spectre allows an attacker to start the guessing process; by measuring how long it takes to perform this task, the process can then be detected by a third-party process. This could lead to buffer overflow attacks, for example. Bad news for all admins: Spectre also affects virtualized machines. Exploiting Meltdown requires a lower skill set than exploiting Spectre. It enables a third-party process to read data directly from the kernel and allows the attacker to view the data. These attacks are so-called “side-channel attacks” and access data while it is being used by a legitimate process. The vulnerability is not tied to a specific vendor, as is often reported in the news, but lies in the design of the chips themselves. Amazing, we can call most of our processors vulnerable by design! Updates are on their way for most devices or have been deployed already.
So, what does that have to do with the crypto world?
As we’ve learned so far, Spectre and Meltdown can both lead to leaks of sensitive information, which also means that the private keys for your crypto wallets could be stolen! This could happen through a malicious website, a browser plugin or, of course, through a file delivered via an e-mail phishing attempt. You are not affected by the flaws if you have stored your private keys in a safe place, far away from the internet, or if you are using a hardware wallet.
So, what about exchanges like binance.com or third-party wallets like CoinPouch?
Customers never get access to their private keys on exchanges, nor on many third-party wallets. We don’t know whether our private keys are perhaps stored on the same server as our public keys. We need to rely on the operators to keep everything secure. Just have a look at recent incidents like the CoinPouch or Blackwallet hacks. Between 2011 and 2017, 1040422,756 Bitcoins ($ 11.122.373.837,85) were stolen from exchanges alone. If I included altcoins and hacks against wallets in this calculation, we would reach a much higher amount. History has shown that hackers often find methods to get into different crypto exchanges or wallets. At the moment there are more than 120 crypto exchanges and many third-party online wallets out there; some of these are operated by just a few people, and it is very obscure who is really behind them. Regarding Spectre and Meltdown, we need to rely on all of these 120 exchanges updating their systems properly and in time to be secure. If they don’t, it could look like this soon:
So, what about those new decentralized exchanges?
Yes, good choice, it would protect you against the Spectre and Meltdown attacks. But keep in mind that there are many other dangers around. For more information, please read about the recent Etherdelta hack.
So, what if we put it all together?
Meltdown and Spectre are definitely big deals for centralized online exchanges and third-party wallets, as well as for your private wallets. Most of the security of your private wallet lies in your own hands: keep the keys off your computer or just use a hardware wallet like the Ledger Nano. At exchanges and third-party wallets, the security depends on the operators and how skilled they are. Be careful not to leave too many coins on the exchanges, as you can never be sure what is running behind the frontends. And of course, just don’t use third-party wallets. If possible, use a hardware or paper wallet, but please not a paper wallet from eBay with pre-generated private keys, because this could lead to the loss of your coins, too. For decentralized exchanges, Meltdown and Spectre have a low impact, but keep in mind that there are many other ways to get your coins stolen. My personal advice is to keep all your systems up to date, store larger amounts of coins in a hardware wallet and, of course, don’t trust anyone.
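
To verify that a Linux machine actually received the updates mentioned above, the kernel's own status report can be read from sysfs. The script below is an added example, not part of the original article; it assumes a kernel that provides `/sys/devices/system/cpu/vulnerabilities` (4.15 or a distribution backport), and the function names `classify` and `check_flaws` are my own.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on Linux.
# The kernel exposes one text file per CPU flaw in this directory, with
# content such as "Not affected", "Mitigation: PTI" or "Vulnerable".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS_LINE -> prints OK, MITIGATED, VULNERABLE or UNKNOWN
classify() {
    case "$1" in
        "Not affected"*) echo "OK" ;;
        "Mitigation:"*)  echo "MITIGATED" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "UNKNOWN" ;;
    esac
}

# check_flaws [DIR] -> prints "<flaw> <verdict> <raw kernel text>" per flaw;
# returns 1 if any flaw is vulnerable or its status cannot be determined.
check_flaws() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$flaw" ]; then
            status=$(cat "$dir/$flaw")
            verdict=$(classify "$status")
        else
            # A missing file means the kernel predates the reporting
            # interface, so it is very likely unpatched as well.
            status="(no sysfs entry)"
            verdict="UNKNOWN"
        fi
        [ "$verdict" = "OK" ] || [ "$verdict" = "MITIGATED" ] || rc=1
        printf '%s\t%s\t%s\n' "$flaw" "$verdict" "$status"
    done
    return $rc
}

# Check the machine this script runs on.
check_flaws || echo "Action needed: update the kernel and CPU microcode." >&2
```

A non-zero return from `check_flaws` makes the script usable in monitoring or configuration-management checks across a fleet of servers.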