Lessons From a Falling Sky

Our take on Spectre & Meltdown discovery

Chris Howell, Wickr CTO

Last week, a group of researchers, including Wickr’s Advisor Paul Kocher, announced major security vulnerabilities named Meltdown and Spectre affecting virtually every computer in use today. As a go-to platform for security professionals, we’ve been closely following the developments around the processor design flaws so we can ensure our users’ communications remain protected.

During the embargo period, I used Wickr — it has been a critical tool for discussing sensitive computer security issues.
— Paul Kocher, Cryptographer, Wickr Advisor

The sheer breadth of impact and the uncertainty of feeling the computing pillars cracking under our feet have indeed kept countless security teams and technology providers working around the clock. The discovery of these bugs is about as close to a falling infosec sky as it gets, given that some of the underlying hardware design issues will take a while to fix.

Security teams around the world are monitoring vendor announcements for the release of security updates and applying them. Clearly, companies with strong patch management standards are a step ahead.

Wickr has been keeping an eye out for patches for the systems that make up our backend infrastructure to apply the updates as soon as they become available. To that end, per AWS, their core infrastructure is patched, mitigating the risk of potential impact to Wickr systems. The team has also been applying patches to our internal systems as soon as they are released.

I hope that many security teams are not only looking into how these threats impact their operations, products and customers today, but are also considering what can be done to avoid similar risks to the extent possible in the future. Products with strong security architecture and well-thought-out threat models will remain far better off against vulnerabilities like the ones revealed last week. It is especially important for providers of core hardware and critical infrastructure components to think long and hard about designing security into the products that people use to run businesses, share critical data, and power global networks and devices. Minimal viable products that abuse user information or prioritize performance above all else are no longer viable.

The server-side attack vector is well understood in the Wickr threat model. Servers are treated by Wickr as untrusted, so issues impacting the infrastructure are addressed by the architecture. Wickr is designed to provide peer-to-peer security with servers having no access to user content.

As Wickr relies on client security, we strongly recommend that all our users keep their devices (end user systems that run Wickr client software) up to date and apply security patches to their mobile and desktop operating systems as soon as vendors release them. (Here is a handy list of references to vendor updates)

Finally, I’m sure that many of us recognize that security review and testing is what has led to finding these critical bugs, but it clearly has not been a priority for the components in question for quite some time. The underlying flaws that caused this issue have apparently existed in computer hardware not for weeks or even months, but for decades.

The magnitude of the cleanup ahead of us rises to the level of a global wake-up call. There will be more lessons learned from this; the first one is to start building comprehensive security testing into all our technologies from the get-go to prioritize security, rather than leaving it as an afterthought to get to someday, when it’s likely too late.

While no one expects that better security design and testing will become priorities overnight for everyone, it is a must for critical technology providers to rethink their approach and prioritize the security of user information and systems.