Meltdown & Spectre: 2 Ways Your Banking Device Is Vulnerable
You may have seen the headlines just a few weeks back: Intel computer processors at risk form hackers. The computer technology firm owned up to some serious flaws in their systems and began to implement patches. Below Rusty Carter, VP of Product at Arxan Technologies, explains the ordeal and touches on the detail of the vulnerabilities, from CPUs to mobile banking.
Earlier this year the appearance of two vulnerabilities, Meltdown and Spectre, which affected a significant proportion of the world computer processors, hit the headlines and gained serious attention across the security and application industries.
The critical vulnerabilities that were recently found in Intel and other Central Processing Units (CPU) represent a significant security risk. Because the flaw is so low level, the usual protections that web developers are accustomed to, do not apply. Due to the vulnerabilities existing in the underlying system architecture, they can be exceptionally long-lived, providing attackers with sufficient time to develop direct attacks aimed at the hottest targets, a big one being the mobile banking and payments industry.
Both Meltdown and Spectre can affect devices used within the banking industry, an obvious one being mobile banking applications. Although similar, the vulnerabilities do have their differences. They both affect Intel; must have code execution on the system; and can be managed or mitigated through software patching. However, they each have slightly different methods of attack – both use speculative execution, but Meltdown also uses Intel privilege escalation, whilst Spectre uses branch prediction. Thus, they each have slightly different impacts. Additionally, Meltdown only affects Intel whereas Spectre can affect Intel, ARM, and AMD.
The location of the vulnerabilities makes them particularly hard to protect against. This is because it is the processor, its registers, and also its memory, that are being attacked. This creates unique challenges for protection, however, does not make protection impossible. Meltdown has now been patched in most cases, therefore, Spectre is the more concerning of the two.
With both vulnerabilities, the exfiltration occurs via the registers or memory addresses of legitimate programs in use, meaning cryptography-related items such as decryption keys and API credentials will be the likely first targets. This is because the vulnerabilities go across users of an application and, therefore, can provide ‘keys to the kingdom’. Follow-on targets are likely to be individual users’ personal information managed by marquee applications.
The banking industry is likely to suffer the effects of both these vulnerabilities, especially with regards to mobile banking and payments. Customer data such as account numbers and user credentials are very likely to be exposed.
With the rising popularity of mobile banking, applications are seeing more and more security risks affecting them. Even well written applications are still vulnerable. Whilst most applications maintain security by encrypting data between the app and the data centre, this is not enough. In order to be fully protected, banks need to encrypt the data within their application, only decrypting it at the moment it is needed, and then encrypting it again. Further application protection that is highly recommended for banks to incorporate into the security of their applications is anti-reverse engineering and anti-tampering.
For customers using mobile banking, it is vital they remember to turn off JavaScript if possible and to ensure they exit applications they do not need, or are not using at the time. Ultimately the application is run on a processor, when there is a vulnerability there, nothing is really safe. However, if a mobile application is not running, these vulnerabilities cannot facilitate the stealing of data. Encrypting data and implementing application protection that uses a variety of different techniques, can make it much more difficult to read memory out of a register, or to leverage a vulnerability such as Spectre. By doing this, banks can put themselves ahead of others within the industry, as well as protecting their customers and overall reputation.