Spectre and Meltdown are not simple exploits, but rather a newly discovered type of side-channel attack that affects all modern CPUs, from your smartphone CPU to your computer. The entire computing world is at risk.
Imagine a person was sitting in a chair just before you walked into a room. When you walk in, they ask you to guess which chair they were sitting in. While you cannot go back in time and see, you could simply feel the chairs in the room and find out which one is warm. This is analogous to a side-channel attack. The fact that the chair holds heat leaks information. Spectre and Meltdown show a method of using something called speculative execution to generate side-channel information. Information is leaked by detecting CPU caching of certain values. In essence, they allow one process to gather data that another process has stored in memory without permission.
Yes, simply visiting a website can trigger a Spectre-style attack and do so invisibly. You won’t know it’s happening.
Unlike the majority of exploit attacks and viruses we see today, Spectre does not modify binaries on your machine or leave a trail of infected files. Instead, it affects the CPU cache, so there may be no easy way to know later that you were hit by an attack, or to trace it back forensically. Even if the exploit code is cached and recovered, it will be difficult to know what information the attack yielded.
Protecting cryptocurrency is about protecting information: your private keys. Reading information is the specific capability of these attacks. A hack could make off with your private keys and you would not even know it happened until the cryptocurrency left your account.
If you are interested in cryptocurrency, you probably visit websites that discuss it, which presents a problem: even if the website is legitimate and trustworthy, a simple paid advertisement can run a Spectre attack in your browser and potentially recover cryptocurrency private keys. Once the keys are stolen, the cryptocurrency can be transferred without your permission. There is more immediate reward to attacking cryptocurrency websites than probably any other niche pocket of the internet. There is nearly a trillion dollars of value to extract.
Since proof-of-concept attacks are available, malicious actors will be crafting them into real attacks in the coming days, weeks, and months, and those attacks will get more sophisticated over time. This could also mean expansion of the attack vectors beyond what we currently know about.
Unlike exploits we normally see, the patches released thus far do not completely solve the problem. First of all, the current patches only close some of the known holes, not all of them. Secondly, these attacks represent a new type of attack, and fixing all the ways they could be exploited may even take years because we don’t know all the ways they can be exploited yet.
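Because the patches only close some of the holes, it is worth checking what a given machine actually has in place. The script below is an added example, not part of the original article; it assumes a Linux kernel that publishes its own per-issue status lines under /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarise the kernel's own report of speculative-execution
# mitigations. Assumption: a Linux kernel that exposes this sysfs directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE
# Prints one of: not_affected, mitigated, vulnerable, unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # unrecognised wording: review by hand
    esac
}

# report_mitigations [DIR]
# Prints "name<TAB>class<TAB>raw status" for every entry in DIR.
# Returns 0 if every entry is mitigated or not affected,
#         1 if any entry is vulnerable or unrecognised,
#         2 if the directory does not exist (older kernel or non-Linux).
report_mitigations() {
    _dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$_dir" ] || { echo "no mitigation report at $_dir" >&2; return 2; }
    _rc=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _raw=$(head -n 1 "$_f" 2>/dev/null)
        _class=$(classify_status "$_raw")
        case "$_class" in
            vulnerable|unknown) _rc=1 ;;
        esac
        printf '%s\t%s\t%s\n' "$(basename "$_f")" "$_class" "$_raw"
    done
    return $_rc
}
```

After sourcing the file, run `report_mitigations` with no arguments to read the live system. A "mitigated" line means the kernel has applied the countermeasure it knows about for that issue, not that every variant is closed.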
This article was originally posted on Medium and can be found here.