Engineering Blog

Cayan InfoSec Update: Meltdown and Spectre vulnerabilities

Introduction

This week, three vulnerabilities in common hardware CPUs were published by reputable security researchers.  The vulnerabilities impact all major CPUs including those from AMD, ARM, and Intel, and threaten most computing devices.  The vulnerabilities have been categorized into two attacks known as Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715).  Successful exploitation enables an unprivileged process to read the memory space of a process running at a higher privilege level, potentially exposing sensitive data.

  • Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass
  • Variant 2 (CVE-2017-5715, also Spectre): Branch target injection
  • Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load, memory access permission check performed after kernel memory read

Meltdown and Spectre are enablers for hackers to gain further footholds within a network; they are not data exfiltration vectors or malware.  What they can permit is the escalation of privileges for an attacker by viewing sensitive information pertaining to another process, for example an administrative account's password.  Primarily, hackers require access to the network in the first place to exploit these vulnerabilities; however, some browser-based exploitation has been identified via web content such as JavaScript.

The main threat for consideration when discussing Meltdown and Spectre is the ability of an attacker to execute code locally on systems, although the attacker would require access to a valid account to compromise the system.  Multi-tenant deployments located in the cloud and multi-user systems present the greatest risk of exploitation.  Systems used to access compromised websites are also at risk.  Single-user systems with limited privileges for execution by an attacker present a lower risk of exploitation.

It should be noted that Cayan is not leveraging multi-tenant cloud hosting providers to host our payment gateway, which limits the exposure of our systems to these vulnerabilities.

Impact

The Cayan security team are currently implementing our standard vulnerability security procedures to address systems that are deemed to be impacted. This includes assessing the susceptibility, impact, and scope of applicability to ascertain the level of mitigation required. Cayan does not believe that its payment gateway or payment terminals are vulnerable to these attacks.

Genius Impact

Cayan has worked with its terminal vendors to provide an assessment of its payment terminals.  The semi-integrated design of Genius keeps cardholder data off merchants’ Points of Sale, reducing the scope of these attacks within a merchant’s environment.

The Genius Mini solution, leveraging BBPOS’s Chipper 2X hardware, is not affected by these vulnerabilities.  No action required.

The Genius Handheld solutions, leveraging BBPOS’s WisePOS hardware, use an ARM processor which is not believed to be affected by these vulnerabilities.  The solution uses separate hardware and firmware to segregate the Android environment from the PCI/card entry environment.  No action required.

The Genius Countertop architecture avoids these vulnerabilities by preventing non-Cayan software from being installed on the Genius terminal. This safeguard is enabled via a secure execution environment, in which any application that attempts to install or run on the Genius terminal must be validated as a genuine and unmodified Cayan application. This is done via a digital signature mechanism, with a secure boot loader ensuring that any application that fails digital signature validation is denied permission to install or run. The digital signature process is performed at a remote location using dual operator controls, driven via smart cards with PIN protection.  Only genuine Cayan software can be installed on the Genius CED, so there is no scope for a malicious application to be installed and run alongside the Genius application on the terminal, which avoids the Meltdown and/or Spectre vulnerabilities. Verifone believes that its existing security features and standard software practices, including signing and key management, protect its terminals from such side-channel hardware attacks.  No action required.

Browsers Impact

Meltdown and Spectre vulnerabilities can be exploited via web content such as JavaScript files to extract information from users visiting a compromised web page.  An unpatched browser is susceptible to downloading malicious script files with little or no knowledge on the part of the end user; this was recently confirmed by Mozilla with a proof of concept.

Merchants need to beware of this attack vector as visiting a compromised website could potentially lead to exposure of sensitive data.  Google Chrome, Microsoft, Safari, and Mozilla will release patches for their software to address these vulnerabilities.  Merchants are advised to update their browsers as their vendors release their respective patches. Follow the US-CERT bulletin.

Advice for merchants

Merchants are advised to apply the recommended updates provided by their operating system, web browser, and hardware vendors, including for their phones and tablets.  The US-CERT bulletin contains comprehensive information regarding the vulnerabilities and links to vendor bulletins.  Merchants should also continue to implement their PCI DSS policies and procedures, as completing these basic security tasks can contribute to the identification and disruption of attacks targeting their systems and users.

Mitigation

Cayan has deployed and will continue to deploy patches as they become available.  In addition to mitigation activities, Cayan continues to operate a robust security program to ensure that systems are appropriately monitored to detect and respond to unauthorized access.  Cayan will continue to train and raise security awareness for all employees to ensure they fully understand how Meltdown or Spectre attacks work and can be addressed.