Meltdown and Spectre - How Does It Affect Your Dealership

by Kyle Masters, Chief Technology Officer
2/8/2018 - Sioux Falls, SD

Last month, it was announced that the processors that run most computers and servers were vulnerable to a couple of bugs known as Meltdown and Spectre.  The bug was uncovered by programmers and they found that the bug affects processors manufactured for at least the last ten years.  It was initially reported that the bug only affected Intel processors, however it has been acknowledged that Meltdown and Spectre affect the big three processor families (Intel, AMD, and Arm). 

First, let's look at what Meltdown and Spectre do, how it can affect your dealership, and how Carbase was at the front of the line to protect your data.

What are Meltdown and Spectre, and what do they do?

Meltdown and Spectre were kept confidential for months to give software vendors time to release fixes for the issue.  The exact issue exposed by these bugs is related to the way that regular apps and programs interact with the Central Processing Unit (CPU) via a system known as the Kernel.  Kernels in operating systems (such as Windows or Linux) have complete control over the entire system.  They run the show.  Kernels connect applications (software) to the processor, memory, and other physical pieces (hardware) of the computer. The flaw that was discovered initially in Intel processors lets attackers bypass the kernel access security and protections so that a regular app can read the contents of the kernel memory.  Essentially, it was a portal which granted access to any data on the system.

This obviously has serious security implications.  For example, on your home PC an attacker could read passwords you enter, data from your banking websites, etc.  That is why the bug was kept confidential until fixes were in place.  Looking into the automotive realm, the bug could have had serious implications.  Service providers host what are called Virtual Machines to run web servers, databases, and many other business related processes.  Several virtual machines can be run on one physical server cutting infrastructure costs, which is why all service providers use them.  With Meltdown and Spectre, if an attacker were to utilize the kernel vulnerability on the virtual machine host (called a hypervisor), they would then have access to all data stored either on the physical server, or within any of the virtual machines hosted on that hypervisor.  The attacker would have access to encryption keys, stored passwords, payment information, and other personally identifiable information.

How is it fixed?

Now for the good news.  There have been no known attacks using the Meltdown or Spectre bugs.  Again, this is why the manufacturers kept it confidential while patches were worked out.  These patches involved a rewrite of the Windows and Linux kernels in order to lock down the protected memory.  The problem with the fixes is that with any security that you add, it slows the system down.  Users were reporting slowdowns between 5 and 30 percent. 

Thankfully, Carbase runs distributed systems that don't tax our machines to their 100% capacity.  We always make sure that we have enough overhead for upward growth and issues just like this.  Our systems have been patched, updated, and are unaffected by Meltdown and Spectre, and there have been no measurable performance implications.  Your data remains safe in the Carbase system and your loading times will remain consistent with SEO standards.

In summary, if you have services that are not hosted with Carbase, you should contact your service providers to ensure that they have patched their production systems to protect your data.