Spectre / Meltdown
The impact on production
The Spectre and Meltdown processor security vulnerabilities have made big waves. What is the risk for the computer systems used in production?
The security gaps discovered are not a software problem, but a processor design problem. The vulnerabilities exploit the following behaviour of modern processor architectures: to speed up execution, information that may be required at a later point in time is retrieved in advance. Under certain circumstances, this allows hackers to read sensitive data such as passwords or private keys through side-channel attacks. Various Intel, ARM and AMD processors are affected by the security gap, and some of them have been for over 20 years. But how great is the danger for computer systems used in production?
"In order to exploit the security gaps, it is necessary to use malware that is adapted to the processor type of the attacked system. Such malware can either - like any other malware - get onto the system via careless behavior on the Internet or be physically installed on the system," explains Benedikt Merl, Head of Marketing at Inonet. This is why different conditions apply to industrial PCs than to private systems. "As a rule, no unauthorized programs are installed on computers in production, nor are dubious emails opened through which malware could be caught," continues Merl. Vanessa Kluge, Product Manager at ICP, adds: "In order for these security vulnerabilities to be exploited, malicious code must be executed on the computer systems. However, malware has not only been around since the discovery of Spectre and Meltdown. Protection against malware has been an integral part of all professionally used computers for many years - and this naturally also applies to systems in the production chain." Dr. Harald Hoffmann from Janz Tec is also certain: "If companies are not able to prevent access to the system, not only Spectre and Meltdown, but any attacks on the company's cyber security are an incalculable risk." Congatec CTO Gerhard Edi takes a similar view: "The existing protection mechanisms prevent the execution of third-party software. If these mechanisms are too weak, this represents a security gap that can be exploited by malware - but then the data can be accessed directly. The complicated path via Spectre or Meltdown is then not necessary."
Cloud particularly at risk
However, there are different potential risks for the systems used in production. For example, industrial and panel PCs as well as gateways with affected processors pose a low risk, Vanessa Kluge is certain: "These systems are generally used in protected infrastructure environments. You also have to take into account that hackers primarily focus on mass-produced goods." According to Benedikt Merl, the vulnerability is also not critical for many embedded systems or routers, as new code is never loaded here. Certain simpler processors, such as those used in Raspberry Pi systems, are also not affected by this type of side-channel attack.
However, the situation is more difficult with server systems, for example: "They are usually permanently connected to the internet and have connections to many other clients. However, they are not normally operated directly by a user who can - intentionally or unintentionally - load malware onto the system. The system must therefore be secured primarily on a virtual level," says Merl. Edi also sees a threat for virtualized servers in particular, "as instances from other companies, for example cloud-based CRM systems, may also be running on a physical server. As the customers of the virtual servers have full rights to install software, the Spectre and Meltdown code can be executed to capture data from other virtual servers on the same machine."
What can users do?
In order to close the security gaps, providers such as Intel and Microsoft have released various updates, and more will follow. "First and foremost, the manufacturers of the CPU hardware and secondly the manufacturers of the operating systems must provide the corresponding updates," explains Hoffmann. The current status can be found on the support pages of the respective manufacturers. However, users should note that the updates are accompanied by a reduction in performance. This is because features such as out-of-order execution and speculative execution are restricted by the updates in order to close the security gap in question. According to Merl, there is no general answer as to how this affects the application: "The extent of the performance losses depends largely on the software running and the hardware configuration of a system. Experts expect greater losses with high-performance SSDs in particular. Higher latency times in data processing can certainly lead to the failure of the entire application. In any case, users should never forgo security updates in order to avoid performance losses." He advises: "Updates to the microcode of the processors via BIOS updates or operating system patches as well as updates to programs that contain critical information generally offer protection. In addition to the updates provided at operating system level, programs that execute microcode or process sensitive information, such as password libraries or programs that contain business-relevant data, should also be checked for software updates."
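One way to verify that the microcode and operating system updates described above have actually taken effect on a Linux-based industrial PC or server is to read the kernel's own status report. The following is an added example, not part of the original article: it assumes a Linux host that exposes /sys/devices/system/cpu/vulnerabilities, and the function names and the two sample reports are constructed for illustration.

```python
from pathlib import Path

# Status directory exposed by Linux kernels that carry the Spectre/Meltdown patches.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one kernel status line to OK, ACTION or UNKNOWN."""
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "OK"
    if s.startswith("Vulnerable"):
        return "ACTION"
    return "UNKNOWN"

def audit(read_status):
    """read_status(name) returns the status text, or None when nothing is reported."""
    report = {}
    for name in CHECKS:
        text = read_status(name)
        if text is None:
            # A missing file usually means the kernel itself is unpatched.
            report[name] = ("UNKNOWN", "no kernel report")
        else:
            report[name] = (classify(text), text.strip())
    return report

def read_sysfs(name):
    """Reader for a live Linux host."""
    try:
        return (SYSFS_DIR / name).read_text()
    except OSError:
        return None

def needs_action(report):
    """Names of the checks not confirmed as mitigated or unaffected."""
    return sorted(n for n, (verdict, _) in report.items() if verdict != "OK")

# Constructed sample reports (not captured from real machines).
SAMPLE_PATCHED = {"meltdown": "Mitigation: PTI\n",
                  "spectre_v1": "Mitigation: __user pointer sanitization\n",
                  "spectre_v2": "Mitigation: Full generic retpoline\n"}
SAMPLE_UNPATCHED = {"meltdown": "Vulnerable\n",
                    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n"}

if __name__ == "__main__":
    for label, reader in (("patched sample", SAMPLE_PATCHED.get),
                          ("unpatched sample", SAMPLE_UNPATCHED.get),
                          ("this host", read_sysfs)):
        print(label, "->", needs_action(audit(reader)) or "nothing to do")
```

A check that comes back UNKNOWN is treated the same as one that needs action, since a kernel that reports nothing has most likely not received the updates at all.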













