Computer News & Safety – Harry Waldron Rotating Header Image

NetSpectre – Spectre v1 REMOTE exploit too slow for effective attacks

This is one of 1st REMOTE exploit attacks of the Spectre v1 vulnerabilities crafted.   Thankfully, by retrieving only 15 bits per hour of exposed side channel memory in the CPU bus designs — it is not practical for real attacks. And hopefully the MELTDOWN / SPECTRE vulnerabilities are extremely difficult to craft into future attacks.

A new PoC attack using Spectre variant 1 called NetSpectre marks the first time Spectre v1 has been exploited remotely, although questions remain on the practicality of the attack.  “NetSpectre” and claim it is the first remote exploit against Spectre v1 and requires “no attacker-controlled code on the target device.”

“Systems containing the required Spectre gadgets in an exposed network interface or API can be attacked with our generic remote Spectre attack, allowing [it] to read arbitrary memory over the network,” the researchers wrote in their paper. “The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.”

The speed of NetSpectre — Part of the research that caught the eye of experts was the detail that when exfiltrating memory, “this NetSpectre variant is able to leak 15 bits per hour from a vulnerable target system.”  For the record, if you were ever actually be able to exploit it in real world (big if) it gives 15 bits of information per hour. There’s 8,000,000,000 bits in 1gb. So only 60822 years to extract 1gb of RAM.

“The amount of traffic required to leak meaningful amounts of data is significant and likely to be noticed,” Williams wrote. “I don’t think attacks like this will get significantly faster. Honestly, the attack could leak 10 to 100 times faster and still be relatively insignificant. Further, when you are calling an API remotely and others call the same API, they’ll impact timing, reducing the reliability of the exploit.”

Comments are closed.