New NetSpectre attack can leak data over your network

The Meltdown and Spectre attacks revealed earlier in 2018 kicked the year off with a concerning bang due to the wide range of hardware affected. Since they were disclosed, Microsoft, AMD, Intel, and other companies have managed to limit the potential for widespread attacks with a series of hardware and software mitigations. Still, new variants on the attack continue to be discovered, and the latest widens the potential pool of devices impacted.

Discovered by researchers at Graz University of Technology, the new attack, dubbed NetSpectre (via Ars Technica), has one major advantage over the previously disclosed attack vectors: it can be executed remotely. According to the researchers, NetSpectre allows an attacker to read the memory of a system without having to execute any code locally.

Cyber Monday may be over but these Cyber Week deals are still alive

Fortunately for potential victims, there are two major aspects of this attack that bend fate in their favor. The first is that this method of attack is incredibly slow: researchers were only able to demonstrate leaking data at a rate of between 15 bits and 60 bits per hour. Second, because the method described relies on the Spectre variant 1 attack, existing mitigations, released after the original Spectre attack was first described earlier this year, should protect devices that have been patched.

For a detailed overview of the attack, you can read the white paper released by the team of researchers at Graz University of Technology.

Updated July 27, 2018: Intel has reached out with a statement on NetSpectre, confirming that it can be mitigated in the same manner addressed by previous Spectre patches. From Intel:

NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate. We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.