New Spectre attack can remotely steal secrets, researchers say

The attack can be run remotely on a target device without running code on the system.


Researchers have discovered a new variant of Spectre, a set of processor vulnerabilities dating back two decades, which they now say can remotely steal data from vulnerable systems.

A paper published Friday and seen by ZDNet prior to release calls the new variant NetSpectre.

Previously, an attacker had to run malicious code on the affected device, for example malicious JavaScript in the user's browser, to exploit Intel, AMD, and ARM processors. Now, the paper's authors say, an attacker can pummel a target device with malicious network traffic without running any code on the system.

NetSpectre works much like a local Spectre attack: it exploits speculative execution, in which the chip guesses the outcome of a check such as a bounds check and runs ahead on that guess to speed up processing.

"This is an information leak, similar to the original Spectre attack," said Michael Schwarz, one of the researchers at Graz University, who co-authored the paper. "The difference to the original Spectre attack is that we do not require any attacker-controlled code on the victim."

Schwarz said that the attack can be used to leak memory content, which can include sensitive data like encryption keys or passwords.

In tests, the Graz University researchers were able to extract 15 bits per hour over a network -- but could get up to 60 bits per hour on some Intel chips. The researchers verified that the bug works on local networks and between virtual machines in Google's cloud, thanks to its fast network and low latency. Other clouds could be affected by NetSpectre.

Daniel Gruss, one of the original Spectre researchers, and co-author of the NetSpectre paper, said the attack was "very difficult" to carry out but works in real-world environments.

Although the technique is novel, the researchers say that the slow speed of the attack makes extracting any meaningful amount of data unrealistic, leaving the attack largely theoretical.

Schwarz said it's possible to expect "targeted attacks on high-value targets," but downplayed the risk to ordinary users.

"We don't expect to see large-scale NetSpectre attacks any time soon," he said.

It's believed that all processors, including Intel, AMD, and ARM chips, vulnerable to Spectre variant 1 are also vulnerable to NetSpectre.

Details of the vulnerability were shared with Intel, but the researchers said they were also in contact with other chip makers and cloud providers.

Intel said that existing mitigations for Spectre variant 1 should prevent NetSpectre attacks.

In a statement, Intel thanked the researchers, adding: "NetSpectre is an application of Bounds Check Bypass, and is mitigated in the same manner -- through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate," said a spokesperson. "We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method."
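The Bounds Check Bypass pattern Intel refers to, and the "speculation stopping barrier" fix, as an added C example (not code from the paper or from Intel's whitepaper): the classic variant 1 gadget beside a hardened form that adds an x86 `lfence` and a branchless index clamp. The sample arrays and function names are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#define PUBLIC_LEN 8

/* Constructed sample memory: PUBLIC_LEN public bytes followed by a byte that
   stands in for a secret (key material, a password) the bounds check must
   keep out of reach. */
static const uint8_t public_data[PUBLIC_LEN + 1] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x42  /* just past the bound: never returned architecturally */
};
/* Table whose accessed cache line depends on the loaded byte; the volatile
   sink stops the compiler from deleting that dependent load. */
static uint8_t probe[256 * 64];
static volatile uint8_t sink;

/* Bounds Check Bypass gadget (Spectre variant 1). Architecturally correct,
   but while the comparison is unresolved the CPU may speculatively run both
   loads with an out-of-range idx, leaving a cache footprint tied to the secret. */
uint8_t lookup_unsafe(size_t idx) {
    if (idx < PUBLIC_LEN) {
        uint8_t v = public_data[idx];
        sink = probe[(size_t)v * 64];
        return v;
    }
    return 0;
}

/* Branchless clamp (same idea as the Linux kernel's array_index_nospec): idx
   when idx < size, else 0, with no branch to mispredict. Needs size < 2^63. */
static size_t index_nospec(size_t idx, size_t size) {
    /* top bit of (idx | (size - idx - 1)) is set exactly when idx >= size */
    size_t oob = (idx | (size - idx - 1)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return idx & (oob - 1);  /* oob == 1 -> mask 0; oob == 0 -> all ones */
}

/* Hardened form: lfence is the speculation-stopping barrier on x86; the
   index mask is portable and needs no serialising instruction. */
uint8_t lookup_hardened(size_t idx) {
    if (idx >= PUBLIC_LEN)
        return 0;
#if defined(__x86_64__) && defined(__GNUC__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
    idx = index_nospec(idx, PUBLIC_LEN);
    uint8_t v = public_data[idx];
    sink = probe[(size_t)v * 64];
    return v;
}
```

Both functions return the same values for every input; the difference is only in what the processor may do on the mispredicted path, which is why this class of bug is found by code inspection rather than by testing outputs.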


ARM updated its security page with details of NetSpectre. AMD did not respond to a request for comment. When reached, Google did not provide comment. Amazon, a rival cloud provider, did not respond to a request for comment.

NetSpectre is one of several variants and new discoveries relating to the processor design flaw. Earlier this month, a new set of Spectre-like attacks was found, adding to a growing list of chip issues.

Schwarz added that the exploit code, which the researchers do not plan to release, "is not a single tool which can be used for end-to-end exploits," and "requires quite some knowledge to adapt the tools to a specific target."

But the researchers note that their new research opens up the door to faster, more precise attacks in the future.
