meltdown

The recently announced major hardware bugs, Meltdown and Spectre (technical details), potentially give rise to significant security failures—the criminals have yet to write the exploits, apparently, but you can be confident they will. Spectre affects many manufacturers, is apparently difficult to exploit, but patches and fixes are not yet available. Meltdown is mostly Intel specific, is apparently easier to exploit, and operating systems can be patched. How are my systems vulnerable?

In my DMZ I use Soekris 65xx single board computers (SBCs). The company, which unfortunately closed down last year, made good quality low power SBCs, perfect for my requirements.

Unfortunately for me, they used Intel CPUs.

Worse, they run OpenBSD. For reasons only known to themselves, Intel did not warn any open source BSD operating system developers of the problem, so none could prepare. I cannot think of a good reason for this attitude, given they told some open source Linux distributions and the closed source BSD developer Apple. The result is I cannot patch my DMZ against Intel’s errors.

There are two Intel CPU families which are not affected, Itanium, and Atoms introduced before 2013. Fortunately for me, those Soekris boxes using Atom E6xx series processors, which were introduced in 2010. They are immune. Phew!

I’ve already bought another SBC, a PC Engines APU2, which uses an AMD processor. AMD claim their CPUs are far less susceptible to Meltdown, although, like all processors, they are at risk from Spectre. Given AMD recently introduced some major new processors which are as good, if not better, than their Intel competition, I suspect that company is going to have a bumper year.

The kit inside my DMZ, Mac and NUC, are not at significant risk from Meltdown because they run macos and Windows, both of which have been patched (Apple, Microsoft). However, like almost all computers, they are susceptible to Spectre, but will, of course, be patched as patches are introduced. These events, and hints that more nasty hardware bugs are on the way, give me strong reason to reintroduce intrusion detection into my home network. Reintroduce? Yes; I was running Snort on an old Soekris 48xx SBC, but unfortunately it couldn’t keep up with faster network speeds recently introduced by my ISP. That’s why I bought the PC Engines APU2.


PS: I don’t like the Register, because it likes to lie (although it might have improved), but I have to give it a pat on the back for breaking this story with a classic piece of journalistic detective work (based on this blog post). I suspect the technical reporters who dug it up have just made their career.

The story broke a week before it was going to be announced anyway. Although a lot of big companies had to rush out their patches and apologies early, I suspect this was actually for the better. Many organisations were still recovering from the Christmas break, with a lot of staff getting back up to speed, or still on holiday—or still hungover. In other words, there was less going on than normal, so it was a easier to force the necessary patches through.