The Web is full of alarming reports about newly detected vulnerabilities in Intel and other CPUs, and about exploits that can put your system at risk. In most cases, the Actus recommendation is to perform all Windows software updates but not to perform any firmware update. There are some exceptions.
Let us try to summarize the problem in simple terms.
The two main vulnerabilities are:
1. MELTDOWN
The name MELTDOWN relates to breaking down the security barriers separating one program from another. It allows one program to read the memory of another program.
2. SPECTRE
The name SPECTRE is derived from the term “Speculative Execution”. It breaks the isolation between programs, allowing one program to sneak in and steal data from the memory used by another program.
Speculative Execution
Speculative Execution is a method that lets the CPU execute some task ahead of time (before it is actually needed), based on the speculation that this task (e.g. video page translation) will probably be required very soon by one of the other threads.
The result of this speculative execution is stored in a cache (until the other thread requires it, if at all…). This cache is vulnerable to access through “side channel analysis”, so any spy program with “local access” may obtain data from that cache. If the data is sensitive (e.g. passwords or sensitive images), there is a risk of that data being leaked.
Most of our customers are using Broadwell class CPUs (such as the E5-2620 and E5-2690), which are vulnerable.
Some of our more recent customers are using Skylake class CPUs (such as the 3104-Bronze, 4116-Silver and 6152-Gold), which are also vulnerable, although easier to fix.
There are two approaches to protecting against these exploits:
1. Software patches
The first approach is to use software patches (e.g. Windows Updates or antivirus updates) that attempt to identify the signature of the exploit and prevent it from executing. This approach is easy to implement but is not fully effective, as these exploits are difficult to identify.
2. Firmware updates
The second approach is to use hardware changes, in the form of firmware updates, that change the CPU and eliminate its “Speculative Execution” and/or its “side channel access”. This approach is radical and will solve the problem, but it creates another problem: the CPU will have fewer capabilities and will lose some of its processing capacity or speed. The difference can be between 5% for recent CPUs and 15-20% in some cases for older CPUs.
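The following PowerShell check is an added example and is not part of the Actus document. It uses Microsoft's SpeculationControl module and the registry values Microsoft documents for Windows Server to report whether the software (OS-level) mitigations are present and enabled, and whether the CPU firmware support is present, without applying any firmware update. It assumes an elevated PowerShell session that can install the module from the PowerShell Gallery (or already has it installed).

```powershell
# Added example, not part of the Actus document. Reports the state of the
# Windows speculative-execution mitigations on a server so an operator can
# confirm the "Windows Updates applied, no firmware update" configuration.
# Assumes an elevated PowerShell 5.1+ session and that Microsoft's
# SpeculationControl module can be installed from the PowerShell Gallery.

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# -Quiet returns the settings object without the long explanatory text.
$s = Get-SpeculationControlSettings -Quiet

# Spectre (branch target injection): the OS part of the mitigation can be
# present and enabled even when the CPU microcode (firmware) is not updated.
# FirmwareSupport = False is therefore the expected state on a recording
# server where firmware updates have been withheld.
[PSCustomObject]@{
    Vulnerability    = 'Spectre (branch target injection)'
    FirmwareSupport  = $s.BTIHardwarePresent
    OSSupportPresent = $s.BTIWindowsSupportPresent
    OSSupportEnabled = $s.BTIWindowsSupportEnabled
} | Format-List

# Meltdown (rogue data cache load): mitigated in the OS alone (KVA Shadow),
# so it needs no firmware change. MitigationNeeded is False on CPUs that
# are not affected.
[PSCustomObject]@{
    Vulnerability    = 'Meltdown (rogue data cache load)'
    MitigationNeeded = $s.KVAShadowRequired
    OSSupportPresent = $s.KVAShadowWindowsSupportPresent
    OSSupportEnabled = $s.KVAShadowWindowsSupportEnabled
} | Format-List

# On Windows Server the mitigations shipped in the update stay off until the
# registry values below are set (FeatureSettingsOverride=0, Mask=3, then a
# reboot), as documented by Microsoft. Report the values; do not change them.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($p.FeatureSettingsOverride -ne 0 -or $p.FeatureSettingsOverrideMask -ne 3) {
    Write-Warning ("OS mitigations are not switched on in the registry " +
        "(FeatureSettingsOverride=$($p.FeatureSettingsOverride), " +
        "FeatureSettingsOverrideMask=$($p.FeatureSettingsOverrideMask)). " +
        "Set both values as per Microsoft's guidance and reboot.")
}
```

Run it after the Windows Updates are installed: OSSupportEnabled should be True for both entries, while FirmwareSupport remains False on a server that has not received a firmware update.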
The Actus recommendation depends on the usage profile of our systems (or of any video recording system for that matter, not necessarily only Actus).
As a general rule, for recording servers (as opposed to Web/UI servers) we recommend:
- Perform the latest Windows Updates that are related to these exploits.
- Do not allow any Firmware Updates (because this will reduce the encoding capacity and the server will be able to encode fewer channels).
- Apply the Actus security recommendations (document: Actus-Security) to prevent any access to the recording server other than from the Actus UI-Server.
- Accept the risk that, in case of intrusion by an exploit (virus), the attacker may “see” what you are recording.
For UI servers, the recommendation depends on the type of customer.
For broadcasters, operators, media agencies, news agencies and public regulation agencies, where the recorded information is public, we recommend:
- Perform the latest Windows Updates that are related to these exploits.
- Do not allow any Firmware Updates (because this will reduce the database access speed).
- Apply the Actus security recommendations (document: Actus-Security) to prevent any access to the UI-Server other than from specific ports.
- Use Active Directory Services (to avoid frequent access to passwords on the Actus server).
- Accept the risk that, in case of intrusion by an exploit (virus), the attacker may “see” the metadata, clip names and other non-critical information.
For governments, parliaments and security agencies, where sensitive information is recorded, we recommend:
- Perform the latest Windows Updates that are related to these exploits.
- Contact Actus support to discuss Firmware Updates (Actus will perform a capacity analysis on your server).
- Apply the Actus security recommendations (document: Actus-Security) to prevent any access to the UI-Server other than from specific ports.
- Use Active Directory Services (to avoid frequent access to passwords on the Actus server).