Significant vulnerabilities that could allow cyber attackers to compromise data have been found in common processors in almost all modern devices.
What are "Meltdown" and "Spectre"?
The vulnerabilities, known as "Meltdown" and "Spectre", are two related “side-channel” attacks in central processing chips (CPUs) designed by Intel, AMD and ARM.
Combined, the vulnerabilities affect almost every modern computer, including smartphones and tablets, from a range of vendors running any operating system. The vulnerabilities undermine security features built into the processors which are designed to keep data from different running programs separate (including data used by the operating system itself).
Processors in most devices employ a range of techniques to speed up their operation, one of which is “speculative execution” – attempting to anticipate (and execute) the parts of a program that might be needed in future. A malicious attacker can exploit the two vulnerabilities to manipulate processors into executing code which works on data that would ordinarily be inaccessible to the attacker, and then spy on the processor (via the side-channel attack) to discern the content of the data being processed.
As a result, malicious code running on vulnerable devices can access unauthorised areas of memory and data. In theory, any data on the device can be accessed, including data of other running programs, or even data running on other virtual machines on the same hardware. This could result in the compromise of sensitive data, including encryption keys and passwords.
How to protect your organisation?
Device and platform manufacturers are releasing updates to mitigate the issues posed by these vulnerabilities. The Head of Technology Policy at the Information Commissioner's Office ("ICO"), recently published guidance on Meltdown and Spectre which recommends that organisations determine which systems are vulnerable and ensure that the latest patches are installed "as a matter of urgency". This is re-iterated in advice from the National Cyber Security Centre ("NCSC"), which also recommends not using devices where patches will not be issued to fix the vulnerabilities.
The ICO guidance states that failure to patch known vulnerabilities is considered when determining whether a breach of the seventh principle of the Data Protection Act 1998 (appropriate technical and organisational measures taken against unauthorised or unlawful processing of personal data) is serious enough to warrant a civil monetary penalty. Under the EU General Data Protection Regulation ("GDPR"), organisations could also be held liable for a breach of security that relates to measures, such as patches, that should have been implemented but were not.
Whilst these vulnerabilities could in theory cause widespread exfiltration of data, there is currently no indication that they have been exploited or that any data has actually been compromised. Importantly, the vulnerabilities can only be exploited by malicious code on the device – so there needs to be another vulnerability present on a particular system for it to be exploited. Indeed, the first attempts by cyber attackers to exploit the vulnerabilities have seen attackers issue fake security updates purporting to fix the vulnerabilities, but that are in fact themselves malware.
The Meltdown and Spectre vulnerabilities present some unique issues for cloud services.
Whether cloud service providers are acting in as a data controller or a data processor, they will likely be obliged to consider patching affected systems.
A challenge exists in that systems may need to be patched at multiple layers for the patches to be effective. For example, hardware running virtual machines might need to be patched at the firmware (BIOS) level, at the hypervisor level (the software managing the virtual machines), and on the guest operating system of each virtual machine. In practice, different corporate entities might be responsible for these components, such that cooperation and coordination is required.
For example, when using Infrastructure as a Service (IaaS), the service provider should patch the hardware and hypervisor, but organisations will themselves need to update the operating system of any virtual machines they manage. For Platform as a Service (PaaS) and Software as a Service (SaaS), the cloud service provider might have responsibility for installing all the required patches.
A particular issue arises for so-called "multi-tenanted" cloud systems that hold data from more than one party on the same infrastructure. Absent patching at all levels there is potential for data to be leaked between tenants. However, patching multi-tenanted systems may require cooperation between the service provider and all the respective tenants where those tenants manage their own software.
Whatever the type of hosting, organisations that use cloud-based systems should check the contractual responsibility for security (and patching in particular) and seek assurances from their service provider that these vulnerabilities have been patched. For multi-tenanted systems, since there will not necessarily be a direct contractual relationship between one tenant and another, in practice seeking such assurances will require the service provider to liaise between tenants to ensure all the guest operating systems are patched.
To patch or not to patch: the balancing act
The patches released to address Meltdown and Spectre go to the core of the operating system and processors concerned, making changes to the “kernel” of operating systems as well as the microcode that runs within the processors. Such patches are complex and carry risk.
Since the existence of Meltdown and Spectre was leaked before the patches were ready, the development of the patches had to be accelerated. The patches released for both AMD and Intel hardware have led to system instability (spontaneous reboots) as well as systems failing to boot at all. Since the data protection principles also relate to accidental loss or destruction of personal data (as well as the risk of data breach), systems resilience is equally important and system owners will have to balance the competing risks.
Even when the patches are made stable, there are confirmed issues with reduction of system performance where the patches have been installed. The reduction in performance is most acute for systems that involve significant storage access, which will often be the case for multi-user cloud or database systems. Some anti-virus solutions are not yet compatible with the issued patches too, meaning the patches cannot be installed until the anti-virus providers have added support.
Whilst the ICO acknowledges that it will ultimately be up to an organisation whether it applies a patch, if the organisation chooses not to, the regulator would expect "significant mitigations to be in place and well understood".
A layered security system is the key
The ICO guidance explains that cyber attackers should not be able to access core systems in the first place. The concept of "privacy by design" should be "in every part of your information processing, from the hardware and software to the procedures, guidelines, standards and policies that your organisation has or should have". Privacy by design is one of the best‑practice concepts given statutory recognition under the GDPR; it requires controllers to consider privacy and cyber security at the inception of projects and system design.
The ICO recommends that organisations have an effective "layered security system" to mitigate an attack. Organisations should look at their data flows, understand how data moves through, and beyond, the organisation and consider system protections at each step. Organisations should be evaluating the impact of a data breach to the organisation (both financially and from a reputational point of view). Data should also be secure at rest as well as in transit (for example, through encryption, or salting and hashing techniques), so that even if data is compromised, it cannot be read by the attacker. While encryption could be circumvented through Meltdown and Spectre (by compromising the encryption key), salted and hashed passwords, even if compromised, can remain secure.
A well‑designed system will ensure that the network infrastructure is also adequately protected. The ICO recommends using firewalls, access control lists and VLANs as well as physical security measures such as CCTV, fences and security personnel if required. The guidance reiterates that security is not just an IT issue: ensuring that appropriate policies and procedures are implemented, enforced and reviewed will also be key. A combination of senior management buy-in, governance and appropriate training will help support this. The ICO says that "the more layered approach you take, the less likely a vulnerability like Meltdown or Spectre could be exploited".
What about liability?
Given the spectrum of end-users, organisations, service providers and manufacturers affected by the vulnerabilities, the terms and liability regimes in their respective commercial arrangements are likely to be scrutinised.
For example, cloud service agreements can often use cumulative processor time as the charging metric. Due to the degradation in performance caused, customers may find increased costs (which they will want to recoup) even though the workload itself has not increased. On the other hand, service providers will be reviewing their force majeure provisions to determine whether they are triggered by the vulnerabilities, and therefore whether they are relieved of their contractual obligations.
Cloud service providers and customers may also seek redress from processor manufacturers if they are required to purchase additional hardware to maintain present levels of processing power. At least three class-action law suits have already been filed against one processor manufacturer on behalf of affected consumers. Even if cloud service providers and customers choose not to sue, the need to renew end-of-life hardware will likely mean that the issue arises in negotiations, with organisations seeking discounts or rebates, backed with the threat to procure processors from alternative providers.
It remains to be seen what the longer term legal fall-out will be from the Meltdown and Spectre vulnerabilities.
A version of this article first appeared on the Legal IT Insider website
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2019