The computer industry was rocked in early 2018 by the announcement that all computers, tablets, and smartphones made in the last twenty or more years are affected by two serious vulnerabilities, called Meltdown and Spectre. These two vulnerabilities are unusual and important discoveries because they are not software or operating system problems. The flaws are in the basic structure of how computer processors (CPUs) work. Because Meltdown and Spectre are fundamentally computer hardware issues, all operating systems – Windows, Mac, Linux, iOS, Android, etc. – are vulnerable.
According to the National Health Information Sharing and Analysis Center (NH-ISAC), Meltdown and Spectre “circumvent protections to expose data which could include passwords, proprietary information, or encrypted communications.” The HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC) described Meltdown and Specter as follows:
This vulnerability set … allows a malicious computer program to bypass data access restrictions and gain unauthorized access to potentially sensitive information from other programs. Such sensitive information could include items such as passwords, social security numbers, medical information, or other sensitive data.
In short, Meltdown “breaks the most fundamental isolation between user applications and the operating system” and Spectre “breaks the isolation between different applications.” The one bright note about these vulnerabilities is that they are not easy openings for bad actors to use, because they have to gain access to a system before being able to use Meltdown or Spectre to access critical information.
Computer security researchers from Google, Cyberus Technology, and Graz University of Technology discovered the Meltdown and Spectre vulnerabilities in 2017. They immediately shared the discoveries with processor manufactures like Intel and AMD, key computer hardware and software companies such as Microsoft, Apple, and Google, and many others. This standard practice allows affected companies to begin working on patches and fixes before a public announcement increases the likelihood of attacks. Meltdown and Spectre were announced publicly in early January.
These discoveries represent something new and surprising to the tech world. “Computers are and always will be vulnerable,” writes security expert Bruce Schneider, “but Spectre and Meltdown represent a new class of vulnerability. Unpatchable vulnerabilities in the deepest recesses of the world’s computer hardware is the new normal.”
Continue reading with Meltdown and Spectre Part II: Impacts to Healthcare Organizations
Further Reading