Researchers have found a new variant of the Spectre CPU flaw that shows how attackers could steal data remotely without having to run malicious code on a local system.
Called NetSpectre by the team of Graz University engineers who discovered it, the weakness is a network-based version of the Spectre Variant 1 (bounds check bypass, CVE-2017-5753) flaw first publicised earlier this year.
That announcement also revealed Spectre Variant 2 (CVE-2017-5715), which like Variant 1 affected numerous microprocessors from different vendors (Intel, AMD, ARM), and Meltdown (CVE-2017-5754), which was specific to Intel.
A steady trickle of Spectre variants has been discovered since then, all exploiting weaknesses in the speculative execution design used by modern CPUs, so why might NetSpectre be any more menacing?
Mainly because, as its name indicates, this is the first version of the family that allows an attacker to exploit this weakness over a local network or even between cloud servers.
The explanation in the paper is abstruse for anyone not familiar with the detail of microprocessor design but it’s essentially the same principle exploited in Spectre Variant 1 – that the contents of protected memory can be inferred using what is called a cache timing attack (a fuller explanation can be found in our original story on Spectre).
Via the network driver layer, this means:
The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.
Being able to exploit Spectre without having to sneak malware onto the target system sounds worrying but there is a big caveat here – it’s achingly slow.
When the researchers tested it, they achieved a data rate of 15 bits (yes, bits) per hour over a LAN, which rose to 60 bits per hour for recent Intel microprocessors when the leak was driven through the Advanced Vector Extensions 2 (AVX2) x86 instruction set extensions.
Stealing useful data at that rate would take months at least, and even that assumes a fast connection with good latencies and the ability to reach the target inside a network. Attackers wouldn’t just be able to reach out across the internet and nab data without anyone knowing.
However, very small pieces of data might be vulnerable. For example:
In particular, APTs typically run for several weeks or months. Such an extended timeframe is clearly sufficient to leak sensitive data, such as encryption keys or passwords, using the NetSpectre attack in a cloud environment.
Intel, which was informed of the attack, said it wasn’t worried, pointing out that the Graz researchers’ findings can be mitigated in the same way as Spectre Variant 1.
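To make the Variant 1 mitigation concrete, here is an added C illustration (not code from the NetSpectre paper or from Intel) of the bounds-check-bypass gadget shape beside a hardened version that clamps the index without a branch, the same idea as the Linux kernel's array_index_nospec(). The table names, sizes and the 64-byte line size are constructed assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define LINE 64                       /* assumed cache-line size in bytes */
static uint8_t array1[ARRAY1_SIZE];   /* the index an attacker controls lands here */
static uint8_t array2[256 * LINE];    /* one cache line per possible byte value */

static void init_tables(void) {       /* constructed sample data */
    for (size_t i = 0; i < ARRAY1_SIZE; i++) array1[i] = (uint8_t)i;
    for (size_t v = 0; v < 256; v++)   array2[v * LINE] = (uint8_t)(v + 1);
}

/* Variant 1 gadget shape (hypothetical): the bounds check is correct
 * architecturally, but while it resolves the CPU may speculatively run the
 * dependent load with an out-of-bounds x. The array2 line it touches stays
 * cached, which is what a later timing measurement can infer. */
uint8_t lookup_unsafe(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * LINE];
    return 0;
}

/* Branch-free clamp: returns index if index < size, else 0. With no branch
 * involved the result holds even on a mis-speculated path.
 * Requires size < SIZE_MAX / 2 so that (size - 1) has its top bit clear. */
static inline size_t index_nospec(size_t index, size_t size) {
    size_t top  = (index | (size - 1 - index)) >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = top - 1;            /* all ones when in bounds, 0 otherwise */
    return index & mask;
}

/* Hardened form: the check keeps the architectural behaviour, and the masked
 * index keeps the speculative load inside array1. */
uint8_t lookup_safe(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * LINE];
    }
    return 0;
}

/* Architectural results are identical; only the speculative footprint differs. */
int selftest(void) {
    init_tables();
    return lookup_safe(3) == 4 && lookup_unsafe(3) == 4 &&
           lookup_safe(1000) == 0 && index_nospec(1000, ARRAY1_SIZE) == 0;
}

int main(void) { printf("selftest: %s\n", selftest() ? "ok" : "FAIL"); return 0; }
```

Compilers may still reorder or fold the mask, so in production the clamp is normally paired with a compiler barrier or the platform's speculation barrier (LFENCE on x86) rather than relied on alone.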
But the real defence against NetSpectre is the same as was the case with Spectre, Meltdown and other so-called side-channel attacks based on inference – the world knows about them.
It shows how a group of diligent researchers (many at publicly-funded institutions) can for once put the defenders ahead of the attackers.
Chalk NetSpectre down as a rare weakness the world has been able to hear about before the fact rather than after it.