With computer hacks on massive scales now a frightening reality of modern life, the discovery by University of Virginia researchers of a computer chip security flaw is a welcome piece of progress.
That information can help designers correct the problem and potentially thwart hackers in the future.
Just so far in 2021, several far-reaching cybercrimes have paralyzed industries across the globe. Local residents will remember the recent hijacking of the Colonial Pipeline network, in which the criminal DarkSide organization, believed to be based in Russia, blocked the pipeline’s transmission of gasoline and jet fuel. That caused shortages and panic across the Southeast. The hackers demanded a $4.4 million ransom, which the company paid via Bitcoin. The U.S. Justice Department, using its own cyber-wizardry, was able to take back some of that money.
Just ahead of the July 4 holiday, another Russian-speaking group, REvil, hacked a software product used by businesses and governments around the world and demanded $70 million to supply a “decryptor” remedy. By mid-month, though, the organization had gone dark — leaving many to hope it had been dismantled but fearful that it has simply gone underground to prepare its next assault.
Another hack targeted the D.C. police department and resulted in the exposure of employees’ personal information. Ditto for a school system in Florida.
Another shut down hospitals in Ireland and New Zealand.
Now, we’re not saying that the flaw uncovered by UVa researchers was exploited in any of these hacks. We are saying that the problem of cybercrime is extensive, dangerous — and growing.
To further illustrate that danger, consider that both Russia and China are believed to be behind some of these attacks, perhaps working covertly with independent criminal groups.
The U.S. just last week accused China of being involved in a ransomware hack of Microsoft last spring, and already had blamed the massive SolarWinds attack of 2019-2020 on Russian espionage.
Anything we can do to defend against such attacks is welcome.
The UVa researchers found a weakness in a defense that already had been constructed.
The original problem was discovered in 2018. It involves a microchip feature that increases processor speed by allowing the computer to successfully predict the user’s next instructions and to act on those instructions even before they can be fully input — a process called speculative execution.
But of course, such predictions also can involve such things as passwords. Hackers found a way to gain access to this type of sensitive information through the speculative execution process.
Industry experts and researchers created patches that addressed the problem. UVa’s Ashish Venkat, an assistant professor of computer science, was among the researchers working on those patches.
More recently, though, Venkat and his team from the school’s engineering department found a flaw in the fixes that could allow hackers to break through those defenses and steal information. The flaw affected all patches, including those Venkat helped create.
The average consumer doesn’t really have to worry about this particular flaw.
“Information that’s important, like military information, is something hackers will be willing to go to greater lengths to target...,” said Logan Moody, a member of the research team. “But they’re not going to be targeting your grandma” — at least, not yet.
Most consumers just need to do the things they already know they should do — being careful about what they download, constructing strong passwords, that sort of thing.
But it’s reassuring that experts are concentrating on the bigger problems — thefts of military information, for example.
No single defense will fully prevent cybercrimes and espionage, but every improvement makes us a bit safer.