New NetSpectre attack can leak data over your network
A new remote attack vector for Spectre has been found, but existing mitigations should keep you safe.
The Meltdown and Spectre attacks revealed earlier in 2018 kicked the year off with a concerning bang due to the wide range of hardware affected. Since they were disclosed, Microsoft, AMD, Intel, and other companies have managed to limit the potential for widespread attacks with a series of hardware and software mitigations. Still, new variants on the attack continue to be discovered, and the latest widens the potential pool of devices impacted.
Discovered by researchers at Graz University of Technology, the new attack, dubbed NetSpectre (via Ars Technica), has one major advantage over the previously disclosed attack vectors: it can be executed remotely. According to the researchers, NetSpectre allows an attacker to read the memory of a system without having to execute any code locally.
Fortunately for potential victims, there are two major aspects of this attack that bend fate in their favor. The first is that this method of attack is incredibly slow: researchers were only able to demonstrate leaking data at a rate of between 15 bits and 60 bits per hour. Second, because the method described relies on the Spectre variant 1 attack, existing mitigations, released after the original Spectre attack was first described earlier this year, should protect devices that have been patched.
For a detailed overview of the attack, you can read the white paper released by the team of researchers at Graz University of Technology.
Updated July 27, 2018: Intel has reached out with a statement on NetSpectre, confirming that it can be mitigated in the same manner addressed by previous Spectre patches. From Intel:
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl.