A recent white paper released by researchers at the Graz University of Technology in Austria reveals a new attack called NetSpectre. Unlike the internet-based Spectre attack that requires a hacker to run code locally on the target PC, this version can steal data from the target PC’s memory without running any local code.
The base method of attack is nothing new. It’s based on how a CPU speculates where its current processing path will go. A chunk of its speed stems from how it can think ahead and test different routes (branches) to determine the quickest avenue to completion. While it’s testing these routes, the chip stores data in its local cache in an unprotected way.
But with NetSpectre, there’s nothing to download. Instead, the attacker bombards the network ports of a target PC with malicious code. The good news is that this method takes an extremely long time to extract data from memory due to the noisy environment of the internet. For instance, one method directly targets the CPU’s cache at 15 bits per hour while another method targets a specific module (AVX2) at 60 bits per hour.
Of course, hackers don’t want everything stored in memory: They want the juicy bits. In addition to the slow data leak, they must sift through the garbage to pull out valuable, privileged items. Finding an encryption key in the slow data flow could take days versus accessing the same key by running malicious code locally on the target PC.
According to the paper, the NetSpectre attack consists of two components. The first is a leak gadget that pulls one or multiple bytes of data from memory, although single-bit gadgets are “most versatile.” The second component is the transmit gadget that makes the CPU’s state visible over the network, so the hacker can retrieve the data.
Hackers carry out the attack in four stages. First, they send the leak gadget to “mis-train” the processor’s predictive capability and then reset the environment to enable the encoding of leaked bits. After that, hackers exploit the Spectre Variant 1 vulnerability to leak data and use the transmit gadget to deliver the goods.
“As the network latency varies, the four steps have to be repeated multiple times to eliminate the noise caused by these fluctuations,” the report states. “Typically, the variance in latency follows a certain distribution depending on multiple factors, such as distance, number of hops, network congestion.”
But don’t worry: This isn’t a vulnerability that requires a new patch. Everything released for Meltdown and Spectre should protect your data from this new method. It’s also not in active use, but you should still make sure your PCs are armed with the latest Meltdown and Spectre updates.
- Google Chrome now consumes more memory due to a new Spectre fix
- You’ll want to perk up when it comes to the new ‘Lazy State’ Intel CPU bug
- How Chrome and other browsers came together to protect you from Spectre
Researchers at the Graz University of Technology reveals a new attack called NetSpectre. Unlike the internet-based Spectre attack that requires code running locally on the target PC, this version doesn’t need to run local code.