CPU flaw can be executed remotely, but a successful exploit would be slower than an 1850s electric telegraph

Researchers have devised a way to exploit the speculative-execution design flaws in modern processor chips over a network connection, a new attack dubbed NetSpectre.

Spectre, a known vulnerability, enables password-stealing attacks but requires malicious code to be running on a vulnerable machine.

But the new NetSpectre attack removes this limitation by allowing attacks to be run from compromised devices on the same network – albeit with severe limitations that render it almost certainly impractical.

This side-channel attack only leaks data at a rate of 15 bits per hour, or 60 bits an hour via an AVX-based covert channel.

Even after data is collected at a trickle, it would still need to be sorted to obtain useful information such as an encryption key or authentication token.

Either way, it’s slower than an 1850s electric telegraph.

Systems patched against the earlier Spectre attack should also already be protected, Intel told The Daily Swig.

“NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate,” an Intel spokesperson said.

“We provide guidance for developers in our white paper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method.”

Spectre attacks exploit the micro-architectural side effects of aborted speculative execution operations to read memory contents of other programs.
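The bounds-check-bypass pattern Intel refers to, shown next to two hardened forms (a speculation-stopping barrier and branch-free index masking, the idea behind the Linux kernel's `array_index_nospec`), as an added example that is not code from the article, the researchers or Intel's white paper. The table contents and all function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data; all names here are illustrative. */
static const uint8_t table[16] = {10, 11, 12, 13, 14, 15, 16, 17,
                                  18, 19, 20, 21, 22, 23, 24, 25};
static const size_t table_len = sizeof table;

/* "Before": architecturally correct, but the CPU may predict the branch as
 * taken and speculatively load table[idx] for an out-of-range idx. */
int lookup_plain(size_t idx) {
    if (idx < table_len)
        return table[idx];
    return -1;
}

/* Hardened form 1: a barrier after the check, so the load cannot issue
 * until the comparison has resolved. Only x86-64 is handled here; other
 * targets need their own barrier instruction. */
int lookup_fenced(size_t idx) {
    if (idx < table_len) {
#if defined(__x86_64__)
        __asm__ volatile("lfence" ::: "memory");
#endif
        return table[idx];
    }
    return -1;
}

/* All-ones when idx < len, zero otherwise, computed without a branch.
 * Assumes idx and len fit in intptr_t and an arithmetic right shift of
 * signed values (true for GCC and Clang). Production code must also stop
 * the compiler from turning this back into a branch. */
static size_t index_mask(size_t idx, size_t len) {
    intptr_t v = (intptr_t)(idx | (len - 1 - idx));
    return (size_t)(~v >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* Hardened form 2: on a mispredicted path the index is forced to 0. */
int lookup_masked(size_t idx) {
    if (idx < table_len)
        return table[idx & index_mask(idx, table_len)];
    return -1;
}

int main(void) {
    printf("%d %d %d\n", lookup_plain(3), lookup_fenced(3), lookup_masked(99));
    return 0;
}
```

All three functions return the same values architecturally; the difference is only in what the processor may do speculatively before the bounds check resolves.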

A team of researchers from Graz University of Technology extended their previous work on Spectre to develop its networked nephew, NetSpectre.

NetSpectre attacks work in local area networks as well as between virtual machines in the Google cloud.

The approach, for all its limitations, might lend itself to attacks on high-value targets. Even Spectre itself has not been abused by malware seen in the wild to date, and NetSpectre would be even harder to abuse.

Professor Alan Woodward, a computer scientist from the University of Surrey, told The Daily Swig: “It’s naturally a concern when any exploit is capable of being run remotely. However, the rate at which this exploit can extract data is relatively low, so the threat is also relatively low.

“The new work does include a new side-channel attack based on measuring the timing of the execution of specific instructions.

“Although this provides some increase in the data extraction rate it also is likely to show up as something like a DDoS on a network,” he added.