Computer security researchers from the Graz University of Technology in Austria have developed a Spectre variant that makes it possible to steal data from network-connected systems. The variant is called NetSpectre and works without requiring the attacker to execute any code on the target system. When the attack succeeds, the attacker can obtain data such as passwords or encryption keys. Billions of computers are potentially vulnerable.
However, the NetSpectre attack is not very efficient: data can only be retrieved from the target system at a maximum rate of 3 to 60 bits per hour. The first Spectre attacks required an attacker to find a way to execute code on the victim’s system; with the NetSpectre variant this is no longer needed. The Austrian researchers have demonstrated their attack on a local network and between virtual machines in Google’s cloud.
To perform the attack, the victim’s computer has to run a service with exploitable code. The researchers call the exploitable code fragments ‘Spectre gadgets’.
When these Spectre gadgets are exposed through a network interface or API, the system is vulnerable to the NetSpectre attack. All the attacker has to do is send a series of specially crafted requests over the network to the victim, then measure the response times to obtain arbitrary memory values from the victim system. Spectre variants always exploit the branch prediction feature of the CPU, and NetSpectre does the same. The specially crafted packets are designed to train the branch predictor to always predict that the condition is true.
The NetSpectre attack has a big drawback, however: the method yields no more than 60 bits of data per hour. It therefore takes days before encryption keys or passwords can be stolen.
Nevertheless, the computer security researchers who discovered the vulnerability consider the attack a paradigm shift, as they write in the conclusion of their report (PDF), “With our NetSpectre attacks, a much wider range and larger number of devices are exposed to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all.”
Intel has told The Register that systems that were patched against previous Spectre attacks are also protected against NetSpectre.
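To make the term ‘Spectre gadget’ concrete, the following added example (not code from the researchers' report or from any vendor patch) shows the generic bounds-check-then-read shape that Spectre variant 1 relies on, next to a hardened form that clamps the index without a branch, in the style of the Linux kernel's `array_index_nospec`. The table, its contents and all function names are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define TABLE_LEN 16u /* constructed sample size */
static const uint8_t flags_table[TABLE_LEN] = {
    1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1
};

/* Returns all-ones when idx < len and zero otherwise, using only
 * arithmetic so there is no branch for the CPU to mispredict.
 * Valid for len <= SIZE_MAX / 2. Assumption: the compiler keeps this
 * branch-free; production code should use the primitive its platform
 * provides rather than a hand-rolled mask. */
static size_t index_mask(size_t idx, size_t len)
{
    /* The top bit is set if idx is huge or if (len - 1 - idx) wrapped. */
    size_t top = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - (top ^ 1);
}

/* Gadget shape: a bounds check on a caller-supplied index followed by
 * a dependent read. If the predictor has been trained to expect
 * "in bounds", the read can run speculatively with an out-of-range idx
 * before the check resolves. */
int lookup_unhardened(size_t idx)
{
    if (idx < TABLE_LEN)
        return flags_table[idx];
    return -1;
}

/* Hardened form: same architectural result, but the index is forced
 * to 0 whenever it is out of range, so even a mispredicted path can
 * only read flags_table[0]. */
int lookup_hardened(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        return flags_table[idx];
    }
    return -1;
}
```

Both functions return identical values for every input; the difference exists only on the speculative path, which is why reviewing network-facing parsers for this shape is a code-audit task rather than something functional tests reveal.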