On January 2, 2018, two of the biggest security vulnerabilities of all time were made public. The back story on their discovery is both interesting and instructive.
The two threats, known as Meltdown and Spectre, are significant because they occur inside physical computer chips, known as CPUs, and are not limited to certain operating systems or application software. What’s more, the flaws have gone undetected for decades. All of this means that the Meltdown and Spectre weaknesses are resident in just about any electronic device in use today. Scary stuff, for sure.
Discovery of the flaws is credited to a 22-year-old genius, Jann Horn.
Horn, a German, works in Geneva as a part of Google’s Project Zero.
Project Zero was formally announced in 2014 as Google’s team tasked with researching undetected security threats. The group takes its name from so-called “zero-day attacks”, which arrive as an unpleasant surprise with zero notice.
Once a threat is identified by Project Zero, its protocol is to confidentially inform the owners of the vulnerable technology, suggest software remedies, and then “responsibly disclose” the threat soon after the fixes have been deployed.
Horn first contemplated Meltdown and Spectre while leafing through the technical manual of an Intel CPU in April 2016. He soon developed prototype attacks proving his hypotheses and, by June, Project Zero had reached out to Intel and makers of similar microprocessors. It’s unclear what, if anything, the chip companies did with the work.
In December 2016, other researchers independently stumbled upon the same flaw and the fire was lit. Intel, AMD, Apple, Google and others scrambled to review Project Zero’s work, make fixes and broadcast them within a matter of days.
Without Project Zero’s early investigation, such remedies would not have been possible in such a short period of time.
The takeaway here is that software updates matter.
PCs, tablets, smartphones and IoT devices are kept secure and up to date through automated downloads. The same should be true for payment terminals and PIN pads. Unfortunately, many updates still require attended button pushing or, worse yet, equipment swap-outs.
RevChip supports secure, automated updates of in-store payment devices. Broadcasts of software patches and new features can be programmed to occur on a staggered schedule or they can be pushed into the field immediately.
EMV need not be a huge expense or a technology hassle. Merchants should be able to preserve their current POS marketing programs and start running Quick Chip EMV and Apple Pay in just a few days. If you agree, check out RevChip.