Welcome to the new FlexRadio Community! Please review the new Community Rules and other important new Community information on the Message Board.
If you are having a problem, please refer to the product documentation or check the Help Center for known solutions.
Need technical support from FlexRadio? It's as simple as Creating a HelpDesk ticket.

Meltdown and Spectre processor flaws

Any word from Flex if the Meltdown and Spectre processor flaws affect their hardware or software? 

Answers

  • Wayne
    Wayne Member ✭✭
    edited June 2018
    From the explanation on the internet ALL related processors are affected that use ARM, Intel and one other one so if any of these processors are used in flex products then they are also affected. It is a chip manufacturing related issue when the chips are created at the various factories which has been discovered so all processors listed from the chip manufacturer will be affected. Just like a data breach there is no free pass.
  • Rhett Aultman
    Rhett Aultman Member ✭✭
    edited January 2018
    Of course, it's best for Flex to get out their own formal announcement, but seeing as I've been going through this with my own products, exposure to this really depends on what kinds of vectors for installing unwanted software on a Flex there are.  Meltdown and Spectre are both attacks that allows Program 1 to exploit hardware features that let it peek in on memory in the kernel or from Program 2.  So, a practical attack for a "close appliance" like Flex would be to install a program which then uses an attack based on Meltdown or Spectre to steal privileged information from the system.

    This is obviously a problematic attack vector for a PC or smartphone (ARM processors are impacted, too, BTW), where the attack can hide in plain sight in an otherwise normal-seeming application, but it's less of a concern for a Flex, where the product security model should already be preventing access to the device to install software other than that which Flex approves of.

    I actually can't see what CPU models the Flex-6000 family uses.  Does anyone know?
  • Steve K9ZW
    Steve K9ZW Member ✭✭✭
    edited January 2018

    Believe the radios internally use unaffected processors and a different system.

    The Maestro and 6400M/6600M would have the processors and software systems that contain potential Meltdown & Spectre exploits, while being FRS configured to be very restrictive for exploitable software introduction by design in their embedded usage. 

    Would think the processors in a lot, if not most, "SmartSDR for Windows" and "SmartSDR for iOS" platforms are in the list of potentially exploitable hardware/software situations.

    These exploits are very interesting, as one would imagine there are a lot - HUGE LOT - of potentially exploitable parts of the IOT.  Will your car be affected, especially as many basically contain one or more cellphone-type setups on board?  Or that pad being used as Flight Navigation by the pilot flying your charter plan? 

    73

    Steve K9ZW

  • Rhett Aultman
    Rhett Aultman Member ✭✭
    edited January 2018
    Thanks, Steve.  For what it's worth, I've been going through this with my own product today (which uses Cortex A9).
  • Steve-N5AC
    Steve-N5AC Community Manager admin
    edited January 2018
    Many of my friends are also.  I feel especially bad for the ones at data centers who MUST patch and consequently may need to buy more hardware to solve the performance reduction.
  • Rhett Aultman
    Rhett Aultman Member ✭✭
    edited January 2018
    IOT does make it worse.  The really good news is a lot of common IOT processors weren't impacted today.  Aside from that, this particular attack is for uncovering privileged information, which is to say for many IOT things it only becomes an easy attack if you have another attack to get in in the first place.  Far more unnerving to me was the Blueborne exploit from earlier this year, which can give root access to a number of devices through the Bluetooth pairing system.
  • Peter K1PGV
    Peter K1PGV Member ✭✭✭
    edited June 2020
     If this is something you are personally concerned about, just don't install waveform modules at all.  
    This.

    While I realize Steve has made the definitive comment on this already, I still wanted to follow-up.

    Meltdown and Spectre don't have any practical implication for Flex radios themselves. In addition to the fact that you'd have to run unvetted 3rd party code on your radio that attempted to exploit these vulnerabilities (just don't do that), these are "information disclosure" vulnerabilities. You're not storing password or cryptographic keys on your radio... there just isn't much significant "information" on your radio that you have to be concerned about "disclosing."

    Given that we therefore don't care about these vulnerabilities on the radio itself, we all certainly *do* care about these vulnerabilities on the Windows system that runs SmartSDR for your radio. My understanding is that updates for Windows to counteract at least part of these vulnerabilities are being pushed starting today. Yet another reason to never disable Windows updates, right?

    These vulnerabilities are quite complex and subtle to exploit, and folks have been working on compensations for them for about six months. While the real-world impacts are currently difficult to assess, I'd recommend being sure you update the OS software (regardless of vendor) on any general purpose computer.  Given the type of exploit, I am personally far less concerned about this thread on IoT devices.

    I hope that's helpful,

    Peter
    K1PGV
     
  • Scott Russell - N1SER
    Scott Russell - N1SER Member ✭✭
    edited January 2018
    Thanks Steve for the details reply and yes... I'm in the later in that I work in a large IT organization on the Windows server side... it's been a fun day and I'm sure many more to come. As for Flex and the processor flaw, it was the performance hit that initially concerned me.
  • Scott Russell - N1SER
    Scott Russell - N1SER Member ✭✭
    edited January 2018
    Yes, very good info Peter. Also, this is a hardware flaw as well and expect possible firmware updates to your computer systems as well as software is only have the fix.
  • Martin AA6E
    Martin AA6E Member ✭✭✭
    edited June 2020
    Steve has gone well beyond the call of duty with this info, but I appreciate that.

    From my reading, the most likely vulnerability the typical user would have would come from web sites that can run JavaScript attacks.  If you get onto such a site, you're pretty much defenseless.

    So update your OS as soon as you can.  The Windows 10 update is supposed to go live in about 30 minutes! Alas, we will have to live with some performance hits.

    73 Martin AA6E
  • Michael Coslo
    Michael Coslo Member ✭✭
    edited January 2018
    Hope this update goes better than the last one. My new laptop became destabilized and the update didn't install properly. The cure as dictated by Microsoft was to disable the firewall and virus checker and try downloading and updating again. 8 hours of the laptop sitting **** on the internet. Yikes!
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited January 2018
    You don't use a border firewall at your Internet ingress point?
  • Rick W7YP
    Rick W7YP Member ✭✭
    edited January 2018
    Spot on, Steve!  Apparently AMD's processors aren't vulnerable to Meltdown but are to Spectre.  There may be an AMD Ryzen-based PC in my future.
  • Rick W7YP
    Rick W7YP Member ✭✭
    edited January 2018
    My Windows 10 PC just did the update.  The biggest hit I've seen so far is on SSD 4K reads.  Almost a 25% performance hit.  I'll have to run some other benchmarks when I get the time in order to get a broader assessment.
  • Mark  K1LSB
    Mark K1LSB Member ✭✭
    edited January 2018
    Same here, on SSD 4K reads I'm seeing a tad over 25% performance hit.
  • Jd Dupuy
    Jd Dupuy Member ✭✭
    edited January 2018
    I wish I had not read Steve's whole explanation. Now I realize how dumb I am when it comes to what is inside the magic black box that brings so much joy. Building houses is easier as long as you get Part A and B joined together correctly. Lol
  • Martin AA6E
    Martin AA6E Member ✭✭✭
    edited January 2018
    I see ~50% slowdown on SSD reads, but my SSD is blinding fast even so.  Running Passmark, I see an overall change under 1%.  This is on a  i5-7260U CPU @ 2.20GHz (a NUC).  Older CPUs are supposed to have worse results.
  • Rick W7YP
    Rick W7YP Member ✭✭
    edited January 2018
    Mine is an i7-5930K @ 3.5 GHz.  Being a Haswell CPU, it's supposed to be less affected than some others.  I'll see if the other benchmarks back that up.

  • Ross - K9COX
    Ross - K9COX Member ✭✭
    edited January 2018
    With all due respect Flex radios are not exactly a priority for the evildoers.
  • Peter K1PGV
    Peter K1PGV Member ✭✭✭
    edited January 2018
    The larger number of transitions that there are between user-mode and kernel-mode, the more impact you'll see.  So, while disk I/O speed itself is not affected, the overhead of processing disk I/Os will be.

    I haven't done any actual measurements yet, but I bet you'll see more slowdown the smaller the I/O operations you perform.  That is, if you read/write 1GB in 64K chunks, it'll be slower (as a percentage) than if you read/write 1GB in 1MB chunks.

    Every time you switch in to and out of the operating system (such as when you do a Create, Close, Read, or Write), you're going to pay a performance penalty.  After Intel does their CPU firmware update (mentioned by Scott Russel, above) that penalty should be slightly smaller as well.  But, I have to admit, I don't yet understand some of the "branch prediction poisoning/invalidation" mitigation code fully.

    Peter
    K1PGV
  • David H Hickman
    edited March 2019
    That was a great response.  I have been answer some form of that question all week for clients actually affected by the issue.

    The simple response is that the flexradio does not run local user installed apps or have a common method to log into the radio. Like the Maestro, I hope it never allows third party apps. This kind of stuff is the reason why third party apps on a closed platform can be a bad thing.

    Next the radio is hard to detect in the first place as a Linux box. For it to be detected and possibly compromised, your local network and computer has to already have been penetrated. If that is the case you have other things to worry about.

    The only thing that could happen to the Flex is if you leave it on and someone could play with it. Most of the people in the world who have any clue on how to abuse this are probably on this forum and are licensed hams in the first place, thus it is more likely a bad actor will use your computer to be in a botnet of some kind that play with your radio or sniff for passwords, and other interesting data.


Leave a Comment

Rich Text Editor. To edit a paragraph's style, hit tab to get to the paragraph menu. From there you will be able to pick one style. Nothing defaults to paragraph. An inline formatting menu will show up when you select text. Hit tab to get into that menu. Some elements, such as rich link embeds, images, loading indicators, and error messages may get inserted into the editor. You may navigate to these using the arrow keys inside of the editor and delete them with the delete or backspace key.