Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Remote Spectre Attack Allows Data Theft Over Network

A team of researchers from the Graz University of Technology in Austria has demonstrated that Spectre attacks can be launched remotely without the need to execute code on the targeted machine.

A team of researchers from the Graz University of Technology in Austria has demonstrated that Spectre attacks can be launched remotely without the need to execute code on the targeted machine.

The researchers, some of which were also involved in the discovery of the original Meltdown and Spectre vulnerabilities, have dubbed the new attack NetSpectre as it allows a remote attacker to read arbitrary memory data over the network.

NetSpectre attacks have been successfully conducted by the experts both in a local area network (LAN) and between virtual machines in Google Cloud.

While NetSpectre attacks can in theory pose a significant risk, data can only be leaked very slowly. Researchers achieved an exfiltration rate of 15 bits per hour over a local network, and 60 bits per hour by using a new AVX-based covert channel instead of a cache covert channel. This is the first Spectre attack that does not use a cache covert channel.NetSpectre - Spectre attacks can be launched remotely

In experiments conducted using Google Cloud, researchers managed to leak data from an independent virtual machine at a rate of 3 bits per hour.

The Spectre and Meltdown speculative execution vulnerabilities impact processors from Intel, AMD, ARM and other companies, and they allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. There are several variants of each flaw, but the original vulnerabilities are Spectre (Variant 1 and Variant 2) and Meltdown (Variant 3).

Exploitation of these flaws has required executing arbitrary code on the targeted system, but NetSpectre, which is related to Variant 1, shows that remote attacks are possible without executing code on the victim’s device.

Researchers also demonstrated that this remote attack method can also be used to break the address-space layout randomization (ASLR) mitigation even if no data is leaked.

Fortunately, NetSpectre attacks can be prevented using the mitigations recommended for the original Spectre. In addition, since this is a network-based attack, network-layer countermeasures can also be efficient in blocking threats.

“A trivial NetSpectre attack can easily be detected by a DDoS protection, as multiple thousand identical packets are sent from the same source,” researchers explained. “However, an attacker can choose any trade-off between packets per second and leaked bits per second. Thus, the speed at which bits are leaked can simply be reduced below the threshold that the DDoS monitoring can detect. This is true for any monitoring which tries to detect ongoing attacks, e.g., intrusion detection systems. Although the attack is theoretically not prevented, at some point the attack becomes infeasible, as the time required to leak a bit increases drastically.”

However, experts warned that new methods may be found in the future that bypass current protections and mitigations.

Intel has updated its whitepaper titled “Analyzing potential bounds check bypass vulnerabilities” to include NetSpectre attacks.

Jon Masters, Chief Arm Architect and Computer Microarchitecture Lead at Red Hat, says his company has “not identified any viable userspace spectre gadget attacks but are actively auditing all of the daemons that listen over the network and the rest of the stack.”

Related: Oracle Patches New Spectre, Meltdown Vulnerabilities

Related: Tech Firms Coordinate Disclosure of New Meltdown, Spectre Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.