By Rusty Carter, VP of Product at Arxan Technologies
It’s been an eventful start to 2018 with the confirmation of Spectre and Meltdown, two security vulnerabilities of unprecedented scope just three days into the new year.
Between the two of them, these vulnerabilities affect all devices running all but the most recently patched versions of iOS, Android, Linux, macOS and Windows – effectively covering the vast majority of connected devices in the world and proving that there are no trusted environments for high-value apps…
The critical vulnerabilities were discovered in most Central Processing Unit (CPU) chips from major manufacturers, with Meltdown impacting Intel, while Spectre also affects ARM, and AMD. The two exploits are related, but work in different ways. Meltdown uses Intel privilege escalation, whilst Spectre uses branch prediction, but the use of speculative execution means both exploits enable attackers to gain access to sensitive information on a victim’s machine.
How do the vulnerabilities work?
To use the exploits, an attacker first needs to get code running on the target system, which could be accomplished via malware, malicious websites, or delivered by other methods such as malvertising or phishing. Once this has been achieved, the attacker will need to escalate their privileges, so they can run code on the machine, and from there they can activate the Meltdown and Spectre vulnerabilities. Information can then be revealed in the computer’s kernel memory, which includes data such as keystrokes, passwords and encryption keys.
Because the flaw that makes such an attack possible is below the operating system, the usual assumptions of safety that developers are accustomed to do not apply. Due to the vulnerabilities existing in the underlying system architecture and because they are also responsible for significant performance improvements in the processor, they can be exceptionally long-lived, providing attackers with sufficient time to develop direct attacks aimed at the hottest targets.
The financial industry is one of the most obvious targets for such an attack, particularly the mobile banking applications that are fast becoming the most common way for people to complete transactions.
Accessing the device’s memory means an attacker could pull out data for any application, including user credentials and account numbers. Armed with this information, a cybercriminal may be able to access the victim’s account and conduct a devastating level of theft or fraud.
An attacker could also target the bank itself by extracting cryptography-related items such as decryption keys and API credentials –giving them important intelligence they likely need in order to gain access to the backend systems including transaction systems and user databases.
Can the financial sector defend itself?
Worryingly, the way the vulnerabilities work means that even the most well written banking apps are exposed to loss due to Spectre and Meltdown. The most effective way for a financial organisation to protect its customers and assets from this attack is to maintain encryption of data until the moment it’s necessary, and use techniques like those that manipulate control flow and obfuscate functionality within the application itself.
While an attacker can flush out data such as usernames and account numbers, if that data is encrypted, the likelihood they will actually be able to access it when it’s in an unencrypted state is significantly reduced. Most apps in the financial space encrypt data when it is transmitted from the app to the data centre or another device. Crucially though, to minimise vulnerability to Spectre, they will also need to encrypt all data within the app itself, and only decrypt it when absolutely necessary.
Another valuable defensive measure for financial organisations is to monitor and analyse the behaviour of the app itself. Anti-tampering and anti-reverse engineering measures combined with detection and reporting capabilities can provide businesses with signals indicating that something unusual is happening.
While the vulnerabilities are currently being patched – particularly Meltdown – the process has not been perfect, leading to performance issues and continuing to leave some devices exposed. Even if when both exploits are completely fixed however, their existence should serve as a strong warning to financial organisations about potential threats to their customers that are essentially out of their hands. Encrypting all data within the app, as well as deploying other advanced methods like anti-tamper solutions, will ensure that financial apps are best equipped to defend themselves even when the next big vulnerability rears its head.