Meltdown and Spectre: Why Boxcryptor users don’t have to worry (so much)
We were all shocked recently when severe security issues in modern CPUs became public. Meltdown and Spectre immediately became the number one topic during lunch breaks here at Boxcryptor as well. For this reason we present some thoughts on how these two security flaws affect Boxcryptor and our users.
What are Meltdown and Spectre?
Meltdown and Spectre work differently, but they both take advantage of one and the same security flaw. This is why, from a victim's perspective, they are usually mentioned together.
But which flaw are we talking about? In the past it was taken for granted that the separation between different programs' processes in working memory (RAM) was reliably enforced. Nobody considered this boundary, deep-seated in system software, to be vulnerable. But now, thanks to three teams of security experts, this assumption has been overturned: for approximately 20 years there has been a way for malware to read another task's memory. This applies to all personal devices (e.g. PCs, smartphones and tablets used by individuals) as well as to virtual environments (e.g. those used by cloud services).
This missing separation makes it possible to record the data traffic of another program, including every possible kind of information, even passwords and database entries: simply everything that is dispatched, exchanged or otherwise processed by the processor.
Meltdown targets the so-called speculative execution of processors. Processor performance is optimized by computing instructions even before they are actually triggered, based only on the high probability that they will be. But, as has recently been disclosed, a rogue process may be able to read and buffer another process's memory this way. This information is then exposed even if the predicted, pre-processed instruction was never actually executed.
Spectre refers to a vulnerability that makes the currently running process readable, bypassing the separation between different programs. In theory any data could be read from memory, because a program can be forced to reveal passwords. The preconditions for exploiting Spectre, however, are very specific. For that reason experts consider data breaches via Spectre to be less likely than via Meltdown.
Meltdown and Spectre
It is uncertain whether these leaks have already been exploited in the past. Assurances that no attack has become public are rather worthless, because attackers every so often succeed in remaining undiscovered. And now that Meltdown and Spectre are public, it is certainly only a question of days or weeks until malware starts to take advantage of them.
Services like Shodan precisely target unpatched systems, so attacks become efficient and fully automatable. And to be honest: nobody wants to rely on every processor being patched reliably from the outside while personal data is being processed on the inside.
Meltdown, Spectre and your cloud storage
Presumably all data subjected to cloud computing processes might be vulnerable. Cloud storage providers often themselves use (other) cloud services in order to provide their storage service. One of the biggest advantages of cloud computing, its flexibility in computing power, turns out to be the problem. This flexibility is achieved by server virtualization, so that multiple virtual servers run concurrently on the same physical hardware. The user does not know where this physical server is located or who else is using it, so it is unclear which potential neighbour on the server might have been spying on data.
This ambiguity is resolved by one thing only: end-to-end encryption. The risk of data being stolen, as we know now (and expected before Meltdown and Spectre emerged), cannot be eliminated completely. But with end-to-end encryption the user can ensure that stolen data is of no use to the attacker.
Boxcryptor Accounts are not Affected!
The most important thing first: Your Boxcryptor account is not affected by Meltdown or Spectre.
Here is some explanation. First, all our services rely on our own dedicated server hardware to store and process data. Since the servers are not shared with other users or customers, reading our data out of memory is in practice impossible for third parties. Additionally, we don't use cloud services like AWS, Azure etc., where data is stored alongside foreign data. Boxcryptor has been built with Security by Design in mind. This prevents one of the main issues arising from Meltdown: information being read by server neighbours.
But even if we had made use of shared servers, the damage from Meltdown or any potential security breach aimed at our infrastructure would be minimal. The reason is that we never send sensitive data such as private keys to our servers. Instead, we only process and store encrypted keys. Even if data were intercepted, the attacker would only be able to harvest encrypted and therefore practically useless data.
Update your devices
The client side, though, is more difficult: on PCs, smartphones or tablets, even encrypted data is unencrypted while it is being processed. During this processing stage, it might be possible for spies to intercept it.
For this reason it is crucial to keep your system updated if you want to protect yourself from Meltdown or Spectre. All major vendors are already offering the respective updates, but keep in mind that older operating systems may be excluded once they are no longer officially supported. That also applies to smartphones and free services. Once more: everyone is responsible for taking precautions for their own systems and for dealing with the requirements of their IT infrastructure themselves.
Once someone has infiltrated your system, it might already be too late. Passwords might already have been leaked, without any way of telling for how long or to what extent. And since such malware almost always operates nearly invisibly, the chances of learning about such incidents are very low.
In a nutshell: encrypted cloud data is still secure. Personal devices, however, are something to be concerned about. If you have not taken any action yet, the best we can recommend is an immediate update of your operating system, followed by a general password change if you are concerned that passwords might have been leaked, in that order.
Unfortunately, complete safety will remain an illusion. But encryption is a good way to prevent many potential security incidents.
Information about affected operating systems
- Chromium: Actions required to mitigate Speculative Side-Channel Attack techniques
- Firefox: Mitigations landing for new class of timing attack
- Windows: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Apple: Apple security updates
- Hetzner: Spectre and Meltdown