IoT devices vulnerable to Spectre and Meltdown exploitation, patch now
Healthcare organizations should use risk management processes to ensure the security of health information and protect against the vulnerabilities stemming from the Spectre and Meltdown threats.
Those chip vulnerabilities could wreak havoc for healthcare cybersecurity, potentially leading to leakage of personally identifiable information and to medical device security problems, according to an update from the Healthcare Cybersecurity and Communications Integration Center (HCCIC).
"Medical devices and supporting medical equipment may not resemble computers, but may run operating systems (Windows, Linux, etc.) on processors that could be vulnerable to Meltdown and Spectre," said the update from HCCIC. "Contact medical device manufacturers through security portals, if available, for information specific to each medical device and the manufacturer's recommendations for patching medical devices."
Meltdown and Spectre can work around computer defenses and reveal just about all information on a computer, including encrypted data, passwords and more. They affect many processors and operating systems in use today. According to reports, affected processors include those from Intel, AMD and ARM, and affected systems include Windows, Linux, Android, Chrome, iOS and macOS (including laptops, embedded devices, servers, clients, mobile phones and more).
According to the new update, the potential for data leaks is greater in situations where infrastructure is shared, such as the cloud.
If an organization has not been offered a security update by its relevant software vendors, it could be running incompatible anti-virus software, and it should follow up with its vendors, the update added.
In describing the Meltdown vulnerability, researchers have characterized it as follows:
"Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. … Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer."
Additionally, "Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary."