Students from Graz University of Technology have shown a proof of concept for an attack called NetSpectre, which is based on a Spectre variant 1 attack, but can be executed remotely with no local code execution on the target system. However, industry insiders believe this particular attack is too impractical to pull off.
The Austrian students presented their findings in a paper, explaining that the attacker needs only to send a series of crafted requests to a vulnerable target, and then measure the response time to leak a secret value from the victim's memory.
“NetSpectre marks a paradigm shift for Spectre attacks, from local attacks to remote attacks. With our NetSpectre attacks, a much wider range and larger number of devices are exposed to Spectre attacks,” the researchers said, adding that their study found NetSepctre, in combination with the AVX-based covert channel, can leak 60 bits per hour from the target system and the research verified NetSpectre functions in local networks as well as in the Google cloud.
Brajesh Goyal, Cavirin's VP of engineering, called NetSpectre innovative and a vulnerability that is hard to defend against.
“This does, in fact, introduce a new, quite sophisticated attack vector. As noted in the research, there is no foolproof counter to this, from Intel, Microsoft, the Linux community, or even at the network level. Best practices are to ensure proper patching and multi-layer security to ensure one's cyber posture, and closely track the evolution of any countermeasures to NetSpectre,” he said.
However, the number of prerequisite items, such as the Spectre gadget, and overall complexity of this attack structure make implementing such an attack impractical, said Mounir Hahad, head of threat research at Juniper Networks.
“We are getting too far into the weeds with these types of attacks – there are too many conditions for them to be practical. Today, threat actors have access to much easier tools to compromise victims – they won't need to deal with the complexity and uncertainty of a network-based Spectre attack,” he told SC Media.
Even though the odds that pulling off this type of attack are low, NetSpectre, should not be shrugged off or ignored.
“Although, in practice, the threat of this new evolution of the Spectre vulnerability being exploited is low, it is something to continue watching. Researchers continue to find flaws that could potentially lead to remote code execution in the future and security companies and practitioners need to continue to keep up-to-date with the latest research and mitigation techniques,” said Dan Hubbard, Lacework's chief security architect.
Vectra's Chris Morales, head of security analytics, said both Spectre and NetSpectre are not well-designed to pull large amounts of data from a network, mainly because they are both too slow. However, since each methodology is adept at grabbing bits of information, like passwords and some PII, it is an excellent reconnaissance vehicle. For attackers looking to obtain more data techniques, such as phishing, are much more useful.
“The good news is that existing mitigation techniques for Spectre also apply to NetSpectre. The bad news is this is proof of research into new methods that Spectre can be used for an attack and I'm sure there will be many more methods exposed over time. We are not in the clear on the Spectre attack and nor will we be for quite some time. There could potentially be a whole new generation of malware and attacks developed around Spectre,” Morales said.