A vulnerability in Intel chips could allow attackers to leak data recently loaded by the central processing unit (CPU).
The security flaw, dubbed ZombieLoad, affects almost every Intel processor made since 2011. These chips underpin the hardware that forms our devices, from desktops to cloud data centres.
ZombieLoad was discovered by researchers at Graz University of Technology in Austria and KU Leuven in Belgium. The chip vulnerability can also be used to monitor browser behaviour on an affected machine, provided the attacker can already run code on it (for example from a co-located virtual machine), which the researchers demonstrated in a YouTube video.
“ZombieLoad enables an attacker to leak recently loaded values used by the current or sibling logical CPU,” the researchers state in their findings. “We show that ZombieLoad allows leaking across user-space processes, CPU protection rings, virtual machines, and SGX enclaves.”
It is not known whether ZombieLoad has been used by malicious hackers. Security experts note that it requires considerable skill to exploit, which makes in-the-wild use less likely.
How does ZombieLoad steal data?
ZombieLoad belongs to the same family of hardware side-channel flaws as Meltdown and Spectre. Spectre affected processors from AMD, ARM and Intel alike, but ZombieLoad, which Intel groups under the name Microarchitectural Data Sampling (MDS), affects Intel processors only.
Like Meltdown and Spectre, ZombieLoad exploits speculative (transient) execution, in which the processor carries out instructions ahead of time even though their results may later be discarded. This improves speed, but researchers have shown that the discarded work leaves measurable traces in the processor’s caches and buffers. In ZombieLoad’s case, a load that faults can transiently be served stale data from the core’s fill buffers, data that may belong to another process, virtual machine or SGX enclave, and the attacker then recovers it through a cache-timing side channel.
The attack does not inject malicious code; it only reads. Attackers can siphon off potentially sensitive information, such as passwords or cryptographic keys, that passes briefly through the processor’s internal buffers.
Ben Johnson, chief technology officer at Obsidian Security, told the Financial Times that ZombieLoad is “hard to exploit – but it’s also hard to fix”.
Intel has issued microcode updates to address the problem. These reach users through operating-system and device vendors such as Apple, Google and Microsoft, which bundle them with their own software mitigations, and users then need to install the update. For the strongest protection, Intel and the researchers also advise disabling Hyper-Threading (SMT) where untrusted code may share a physical core.
The fix can considerably slow down some systems. Apple said that the full mitigation, which includes disabling Hyper-Threading, “may reduce performance by up to 40%” on some multithreaded workloads.
However, patches for previous speculative execution vulnerabilities have not resulted in the dramatic slowdowns that researchers feared.
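Because the fix arrives in pieces (microcode from Intel, kernel and OS updates from vendors, and an optional Hyper-Threading decision by the administrator), a practitioner wants a quick way to tell which pieces a given Linux machine actually has. The script below is an added example for this article, not code from the researchers or from Intel. It reads three real Linux interfaces: the kernel’s `/sys/devices/system/cpu/vulnerabilities/mds` status string, the `/sys/devices/system/cpu/smt/control` switch, and the `md_clear` flag in `/proc/cpuinfo` (present only once the MDS microcode is loaded). The classification labels it prints (`mitigated`, `no_microcode`, and so on) are this example’s own, and the sample status strings in the comments are constructed from the kernel’s documented wording.

```shell
#!/bin/sh
# Added example: report a Linux host's ZombieLoad (MDS) mitigation state.
# Interfaces used are real kernel/sysfs paths; the class names are ours.

# Classify the kernel's mds status string. Example inputs (constructed
# from the kernel's documented wording):
#   "Not affected"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
#   "Mitigation: Clear CPU buffers; SMT disabled"
#   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
#   "Vulnerable; SMT vulnerable"
# Prints one of: not_affected mitigated mitigated_smt_vulnerable
#                no_microcode vulnerable no_sysfs unknown
classify_mds() {
    status="$1"
    case "$status" in
        "Not affected"*)                     echo not_affected ;;
        # Order matters: the SMT-vulnerable variant must be tested first.
        "Mitigation:"*"SMT vulnerable"*)     echo mitigated_smt_vulnerable ;;
        "Mitigation:"*)                      echo mitigated ;;
        "Vulnerable:"*"no microcode"*)       echo no_microcode ;;
        "Vulnerable"*)                       echo vulnerable ;;
        missing)                             echo no_sysfs ;;
        *)                                   echo unknown ;;
    esac
}

# Read the live status; "missing" means the kernel predates the interface,
# which an operator should treat as unpatched.
read_mds_status() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# "yes" when the CPU advertises MD_CLEAR, i.e. the microcode update is loaded.
has_md_clear() {
    if grep -qw md_clear /proc/cpuinfo 2>/dev/null; then echo yes; else echo no; fi
}

# Kernel SMT control state: on, off, forceoff, notsupported (or unknown).
smt_state() {
    f=/sys/devices/system/cpu/smt/control
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# One-line operator advice derived from the classification.
advise() {
    case "$1" in
        not_affected)             echo "Nothing to do." ;;
        mitigated)                echo "Microcode and kernel mitigation present." ;;
        mitigated_smt_vulnerable) echo "Mitigated, but SMT is on: disable it if untrusted code shares cores." ;;
        no_microcode)             echo "Kernel is patched but the CPU microcode is not: install the firmware/microcode update." ;;
        vulnerable)               echo "Mitigation is disabled or absent: update the kernel and microcode." ;;
        no_sysfs)                 echo "Kernel too old to report MDS status: assume vulnerable and update." ;;
        *)                        echo "Unrecognised status; inspect manually." ;;
    esac
}

report() {
    s=$(read_mds_status)
    c=$(classify_mds "$s")
    echo "mds status : $s"
    echo "class      : $c"
    echo "md_clear   : $(has_md_clear)"
    echo "SMT        : $(smt_state)"
    echo "advice     : $(advise "$c")"
}

report
```

Run it as root or any user (the sysfs files are world-readable). The interesting case in practice is `no_microcode`: the kernel has the VERW-based buffer clearing but the CPU does not yet advertise MD_CLEAR, so the clearing is attempted but ineffective until the microcode package is installed and the machine rebooted.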
ZombieLoad: A “scary reality”
Jake Moore, security specialist at cybersecurity firm ESET, said: “Spying tools should never be underestimated, as they are constantly being tried and tested in the wild.”
He added that “being able to eavesdrop on a target is always a favourite in a cyber criminals’ toolkit but we also shouldn’t forget that tools such as this aren’t just used by the bad guys.”
The EternalBlue exploit for Microsoft’s SMBv1 service is one example of an exploit being used on both sides of the law. Initially developed by the US National Security Agency (NSA), it was leaked by the Shadow Brokers hacker group in April 2017 and was then used to spread the WannaCry ransomware in May 2017, even though Microsoft had patched the underlying flaw (MS17-010) two months earlier.
Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi, warned that a chip vulnerability like ZombieLoad could be used to steal crucial data relating to machine identities.
“This vulnerability represents a scary reality that’s actually been around for quite a while – attackers exploiting the identities of machines to obtain sensitive data,” he said.
“Things like code signing keys, TLS digital certificates, SSH keys are all incredibly valuable targets, and chip vulnerabilities like this make it possible for hackers to steal these critical security assets when running on nearby cloud and virtual machines.
“Security teams need to accept that they won’t be able to avoid vulnerabilities like ZombieLoad; instead they need to focus on protecting the keys and certificates attackers are targeting.”
He added that security professionals should consider ZombieLoad a “dress rehearsal for the day quantum computing breaks all machine identities”.