Meltdown and Spectre vulnerabilities are making headlines and causing security headaches. Our customers are asking us about how Spectre and Meltdown will affect point-of-sale security. This is a good time to reiterate that there’s no reason to spread fear and panic, but that you need to stay on top of the latest information and be proactive.
Security for point of sale systems
Payment security experts are warning that some merchants with payment systems that transmit cardholder data from the processor back to the point of sale could be at risk to the Meltdown and Spectre hardware flaws. Specifically, these flaws could lead to the exposure of passwords and encryption keys and ultimately to the exposure of cardholder payments data. The risk is similar to past attacks at large retailers that retained a cached database of cardholder data. Also, with regards to POS Systems there are some specific concerns:
- Updating all the POS devices with upgrades and patches is an extremely difficult task.
- Particularly when Retailers need to ensure that their customers do not experience delays or other inconveniences while completing their purchases.
- Windows XP has been embedded in many Point of Sale Systems over the years, but Microsoft will not be releasing a patch for Windows XP.
- As mentioned previously upgrades and patches may be flawed or unable to prevent the Meltdown and Spectre threats.
- Upgrades and patches will not be available for many older devices.
There is some good news – Retailers that use semi-integrated solutions have greater protection from the chip flaws.
Meltdown and Spectre explained
Meltdown and Spectre both take advantage of features in CPUs that enabled them to process data faster. These two features are:
- Speculative Execution – the chip is attempting to predict the future to process data faster.
- Caching – small amounts of data that are stored in the CPU memory storage (CPU cache) that will be used soon or often
- Data that is output by Speculative Execution is stored in the CPU cache.
These two features combined with Protective Memory is what essentially creates the vulnerabilities to sensitive data. Protective Memory is data being worked in the CPU cache (because of Speculative Execution) before it receives permission to do so – this is known as the Privilege Check. If the Privilege Check is not passed, the data is discarded. It is while this data is stored in the CPU cache, and before it is discarded that it is vulnerable.
Meltdown CPU Bug
Meltdown is a more straightforward and immediate threat to CPUs. It affects primarily Intel’s CPUs, but has also been found in some ARM CPUs. Meltdown makes it possible break the isolation between the user applications and the operating system. Vulnerable systems are at risk of leaking sensitive and secure information.
Spectre CPU Bug
Spectre is not as urgent of a threat, but is more insidious. It is harder to exploit, but harder to mitigate. Spectre breaks the isolation between applications and allows an attacker to use something as simple as running JavaScript on a website to get access to sensitive and previously secure information. Also, not just Intel Chips are susceptible, virtually every high-performance processor ever made is susceptible to Spectre.
Responding to Meltdown and Spectre vulnerabilities
Since these threats were announced, a number of patches have been released that will hopefully mitigate the threats. However, there are some problems and concerns though with the patches:
- Some patches were not fully tested and contain bugs
- One patch released by Intel is causing continuous reboots of the devices.
- Other patches are causing noticeable slowdowns in the processing of data; particularly for older devices.
- It not has not yet been fully determined if the patches will prevent the threats of Meltdown and Spectre. It may be several months before the effectiveness of the patches can be truly determined.
- Intel will release patches for 90% of the CPUs introduced in the last five years. It has not announced any release plans for CPUs that are more than five years old.
- New chips that are not vulnerable to the Meltdown and Spectre threats won’t be released for several months.
Patching: What FSS is doing to protect customer data
Federated Service Solutions is very concerned about the safety and security of all of their data; particularly customer data. As viable patches become available, we’ve been updating our computers and servers. Our IT Department is also staying updated on all new information, upgrades and patches that are released about Meltdown and Spectre.
What we are doing to help our customers neutralize Meltdown and Spectre threats:
- Federated Service Solutions is staying informed of all new developments with the Meltdown and Spectre threats and how we can assist our Customers with neutralizing them.
- Customers with devices that use chips with available upgrades and patches should plan on implementing them as soon as the upgrades and patches have been vetted for flaws. Federated can assist our Customers by planning and implementing the upgrades and patches.
- Customers with devices that contain older chips are strongly encouraged to replace those devices with devices that can be upgraded or patched, or in a few months with devices that will contain the new chips that are not vulnerable to Spectre and Meltdown. Federated can also assist our customers by planning and executing those upgrades and deployments.
- If upgrades and deployments are currently not an option, we can help our Customers to determine if there is a way to still mitigate the threats and then assist with implementation.