Modern computer processors have severe security flaws

Malicious exploits Meltdown and Spectre could abuse speculative execution to steal data

Modern computer processors have severe security flaws

Two bombshell research papers recently revealed a pair of crippling security flaws, called Meltdown and Spectre, that are present in practically every modern computer processor running today.

Meltdown affects almost all manufactured Intel chips and some Arm chips, whereas Spectre likely affects all major brands: Intel, AMD, and Arm. Intel and AMD chips are used in personal computers, while Arm chips are used in smartphones. As a result, most devices are vulnerable.

Both flaws abuse an advanced processor feature known as speculative execution. As your device runs an application, it also looks ahead at decision points in the code, guesses which direction the application is likely to follow, and runs the code preemptively. Modern processors are surprisingly good at guessing in which direction the application will go.

If the application follows the predicted path, valuable processor time is saved, as the results will have already been computed. If not, the results are discarded.

The speculative execution feature does not have an effect on the outcome of an application’s task if it follows a different path than predicted. However, the application can detect that it took slightly longer to perform certain instructions.

From this information, the nature and content of data in a device’s memory can be deduced. For example, JavaScript in your browser could steal saved passwords using this method.

This has implications for institutions like U of T. “If an attacker successfully gets malware on a U of T device, that malware could use these vulnerabilities to steal passwords or keys being used on that device,” said David Lie, a software security expert and professor in the Department of Electrical and Computer Engineering.

The studies’ researchers actually discovered the flaws last year and privately told large technology firms to start preparing for software patches before the release of their findings.

Fortunately, software companies are now rolling out security updates at the operating system (OS) level, which users are highly advised to install in order to protect against these vulnerabilities. Meltdown is reasonably simple to patch in software, although Spectre is much more difficult.

Unfortunately, these OS patches come at the cost of performance. Most programs will be hit with a slight slowdown, with the theoretical worst-case scenario being a 50 per cent reduction. Operations such as disk access may be significantly affected as well.

Older processors, unfortunately, do not have the ability to selectively disable features as specifically as recent models. “There is collateral damage as the patches have to disable… features that are [not at risk] to ensure that the vulnerable features are also disabled,” said Lie. Therefore, older processors will see a more significant slowdown as a result.

U of T’s Enterprise Infrastructure Solutions (EIS), which operates the campus network backbone, also manages servers for cloud computing. EIS informed its users via email that it has “actively taken steps to secure our cloud services.” Most of their servers have already been patched, although “customers will also need to update the OS as soon as possible.”

Aside from certain technology firms, it appears that no other organizations were warned ahead of time. “There was no advance knowledge besides the public release of the information,” said Michael Wiseman, Acting Director of Information Security at U of T.

According to Wiseman, U of T will be following all recommended procedures to fix the security flaws, including installing patches.

While the world is now aware of these vulnerabilities, and organizations are taking the steps to fix them, there remains a lingering fear. Since researchers have been aware of Meltdown and Spectre since last year but only released this information in 2018, it is possible that malicious exploits have taken advantage of these flaws already.

Lie dispelled these fears, noting that although the vulnerabilities are powerful, exploiting them is not easy, nor could it be done quickly. “If an attacker has several vulnerabilities they could use, Meltdown or Spectre may not be the first one they reach for unless the other vulnerabilities have been patched.”

Wiseman agreed, noting that the sophistication of Meltdown and Spectre suggests that it is unlikely that an attack involving these vulnerabilities has occurred as of yet.

“Now that the information is out, we all have to be a bit more concerned,” said Wiseman.

Is your Fitbit spying on you?

Accuracy, privacy concerns plague wearable fitness tech industry, find U of T students and researchers

Is your Fitbit spying on you?

If your New Year’s resolution was to be more active, you aren’t alone. The emergence of devices like those produced by Fitbit, Jawbone, and Apple have people reexamining the role technology has to play in achieving their fitness goals. Dr. Greg Wells, an exercise physiologist and assistant professor in the Faculty of Kinesiology and Physical Education, refers to these devices as “quantified self-trackers,” which allow you to measure things like sleep, distance traveled, and steps taken.

Step counting is commonly used as a measure of activity with a frequent goal of 10,000 steps a day. According to Statistics Canada, only a third of Canadian adults manage that many.

Traditionally, step count was measured by a waist worn pedometer, which have evolved into wrist worn devices that use accelerometers to detect movement.

The accuracy of these wrist worn devices is questionable, however. A recent study by the Faculty of Kinesiology and Physical Education concluded that pedometer apps are not accurate and that pedometers worn on the waist are still the most effective method of counting steps. Despite the inaccuracy of wrist worn devices, they help give an estimate of activity levels, with some devices enabling you to compete with friends.

Naima Salemohamed, a U of T graduate student uses her Fitbit Charge and says it helps her reach her fitness goals because of its competitive features. “I always compete with my friends who live in Vancouver. I like to have that aspect. Moreover, it ensures that I do 10,000 steps because I am constantly checking how many steps I am doing,” she says.

After using Nike’s Fuel Band for a year, primarily because it was sleek and had a display unlike other fitness trackers at the time, I found that the activity stats were inaccurate. Simply moving my arms triggered the device, whereas attending a spin class or running on the treadmill did not.

U of T student Kara Place found her Fibit to be inaccurate, however, she feels it generally gives a decent estimate. “Sometimes my band will vibrate to let me know I’ve hit 10, 000 steps when I’m putting on a sweater,” she said.

In addition to questions of accuracy, a recent report by U of T’s Citizen Lab found that users’ personal data may be at risk of being leaked to third party sources. Wells confirms that privacy risks are significant and that people should be aware that the data collected by their device are accessible to the company who made the device.

Place is also concerned about her privacy, but says it will not deter her: “We live in a world where we are all at risk of having our privacy breached or being tracked… so though this is annoying, I’m sure there are already other ways for people to gain my geographic location.”

Although wearables are inaccurate, both students feel that their Fitbit has helped them stay active. Place says, “If I see that one day I was less active then I’ll try to step it up the next day to compensate!.”

In terms of predicting future health, assistant professor of digital health Dr. Jayson Parker says, “the new ‘smoking risk’ is sedentary activity: the more you sit, the greater your cardiovascular risk… devices that remind you to stand to interrupt long periods of sitting, or to encourage you to spend more time moving, have pretty obvious benefits.”

Dr. Leah Hiller, a sports medicine fellow at the David L. MacIntosh Clinic agrees with doctors Wells and Parker that fitness trackers aren’t all bad, and that the benefits they provide in terms of connecting with a community of other wearers is valuable.

“Fitness trackers often provide forums for connecting with other people about activity, which can be beneficial,” she said, adding that “for the purposes of improving health outcomes, a five per cent discrepancy in reported activity level is likely inconsequential. What is more important with regard to health outcomes, is that people are being active.”

Parker says that “people can learn a lot about our patterns, sleep, people just needs to be aware that they are not entirely accurate. Early tech with limitations so take it with a grain of salt.”

No safe place in cyberspace

A call for increased privacy protections

No safe place in cyberspace

When I was ten years old, my cousin told me how hackers could take control of my webcam from anywhere in the world and watch what I’m doing. I went to bed that night terrified that some creep halfway across the world was watching me sleep, and  grew up to be one of those people paranoid about online privacy, putting masking tape over my webcam.

While my cousin’s story may have seemed like a cheap scary story at the time, it has become reality. Recently, the CBC reported that Shodan — a search engine that indexes computers and devices — “nanny cams, security cameras and other connected devices around the world that don’t ask for a username or password.” Users can find videos from all over the world, ranging from a child sleeping on a couch in Israel to an elderly woman stretching in a Polish fitness center.

The particularly terrifying thing about this engine is how it can gain access to more than just webcams. One of Shodan’s features allows users to see “The Big Picture,” which according to their website means tapping into “power plants, Smart TVs, refrigerators and much more.” Not only that, but Shodan gives away your unique IP address, allowing users to put a physical location to the image.

While it seems like an extreme case, Shodan reveals several problems with the way we interact with the Internet and technology. First, as various devices become increasingly diffused into our daily lives, our individual actions to combat privacy infringements are getting correspondingly more onerous. Most of us do not have spare time, nor technical knowledge to actually ensure each of the devices or platforms we use is completely secure.

Even if we did, many of our actions remain exposed through other means we cannot control. If you’re not on Facebook, your friends are, and there are probably photos of you that you don’t know about. If you don’t keep your location settings on in your phone, that doesn’t matter — your location can still be determined by tracing which Wi-Fi networks your phone has picked up on. If you’re anywhere in public, you can bet on the fact that you can be surveyed in some way. Cameras are inexpensive and ubiquitous, from corner stores to traffic lights and everywhere in between.

70 years after Orwell wrote 1984, Big Brother really can watch you at home.

A significant consequence of this is that this information can be translated into consumer behavior data to sell to corporations. Indeed, Shodan boasts to provide corporations with a “competitive advantage” by allowing them to tap into “empirical market intelligence” through the search engine. By showing a client who is using their product and where, companies can create more targeted advertising to manipulate consumer behavior.

A state in which citizens are  being watched, recorded, and manipulated by corporations erodes the principles we enshrine in a liberal democracy; that is, individuals being able to act on their own free will with minimal intervention. Yet, we seem to be desensitized to these dangers — after all, Facebook has been doing it for years now.

The normalization of this behavior, however, is no reason to excuse it; in fact, it provides even greater impetus to protest and fight back. On an individual level, we can certainly attempt to keep on top of privacy settings, protecting our various social media platforms and devices with complex passwords and turning off location services for certain apps.

It is imperative, however, for top down legislative cyber regulation to come into effect. Simply giving consumers the option to make their technology more secure puts an unreasonable onus on the regular citizen to police their own behavior, when it is in fact the government’s responsibility to ensure our protection. The scope and magnitude of this problem is hardly manageable for the citizenry to attempt to combat.

Ema Ibrakovic is a first-year student at Victoria College studying social sciences.