
V-OS Protection against CPU vulnerabilities

Er Chiang Kai - Chief Technology Officer

Virtually every computing device in the world is made unsafe by the latest disclosures on Central Processing Unit (CPU) vulnerabilities.

Overview of the CPU and its functions

The CPU is most often described as the “brain” of any computing device. It is a hardware chip that executes the step-by-step instructions laid out in any computer program that is running on the device and orchestrates the rest of the hardware in the device to achieve the intent of the program. The operating system and applications that run on it are all computer programs that depend on the CPU to carry out their instructions. The CPU is also depended on to provide the separation necessary to ensure that an application (that may be rogue) cannot steal data from the operating system kernel or other applications.

It is like putting each application into its own container with opaque walls, so that a misbehaving application is not able to “see” or affect what other applications are doing. Should such a separation be broken down, malware can then read the memory contents of the operating system or other applications and can potentially get access to critical data such as encryption keys, passwords, and transaction information. Going back to the container analogy, it is like having peepholes in the separation walls, allowing a rogue application to observe what other applications are doing, and thereby obtaining information that it is not supposed to have.

CPU vulnerabilities “Meltdown” and “Spectre”

The first vulnerability, Meltdown, breaks down the memory barrier between the operating system and the applications that run on it. This enables malware to access data from the operating system memory, including sensitive data from other applications. As Meltdown affects Intel chips released since 2010, millions of PCs, laptops, cloud servers, and smartphones are vulnerable to it.

Spectre includes two different vulnerabilities that make use of a CPU optimization technique called speculative execution. Almost all modern CPUs use speculative execution to achieve higher performance. As a result, Spectre has a wider impact than Meltdown. Intel, AMD, and ARM chips are known to be affected by it. This pretty much covers the entire population of computing devices in the world. Although Spectre is technically different from Meltdown, the effect is similar – memory isolation between applications is broken down, allowing malware to access data that is leaked from other applications.

Although there have been no known cases of criminals making use of these CPU vulnerabilities so far, that does not mean we are safe, because the nature of the vulnerabilities makes such attacks difficult to detect. Another thing to note is that, in the context of a cloud service provider, these vulnerabilities can allow malware affecting one cloud customer to gain access to the data of other cloud customers, as long as the cloud instances are served by the same underlying CPU.

Security Tips for readers

SingCERT, like many other similar organizations around the world, has recommended that software updates be applied to mitigate the CPU vulnerabilities. These software patches come at three levels. The first is the CPU or processor level, which can come in the form of a firmware update from CPU vendors such as Intel. The second is the operating system level, which can be a Windows patch for laptops or an Android upgrade for smartphones. The third is the application level, for applications and browsers. So, for the best protection against the vulnerabilities, users and companies should apply all the patches as they are released.

However, there is a downside to applying these patches as the effectiveness of the CPU optimizations may then be reduced, resulting in computer slowdowns of 5% to 30%. The actual amount of performance degradation will depend on the processor and other characteristics of the machine, as well as the operating system and applications.
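Whether the operating-system and firmware patches described above have taken effect can be checked on a Linux host, where the kernel reports its own Meltdown and Spectre status under `/sys/devices/system/cpu/vulnerabilities`. The script below is an added example, not part of the original article or any V-Key code; the function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the Linux kernel's own Meltdown/Spectre status report.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities   # sysfs path on Linux

# classify_status "<first line of a status file>"
# prints: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [dir]: one line per issue; returns 1 if any issue is not
# reported as mitigated or not affected (a missing file counts as unknown).
check_cpu_vulns() {
    dir=${1:-$VULN_DIR}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(head -n 1 "$dir/$name")
            state=$(classify_status "$line")
        else
            line="(no report from this kernel)"
            state=unknown
        fi
        printf '%-11s %-13s %s\n' "$name" "$state" "$line"
        case "$state" in
            not_affected|mitigated) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: an OS patched for Meltdown, with Spectre v2 still open.
sample=$(mktemp -d)
echo 'Mitigation: PTI' > "$sample/meltdown"
echo 'Mitigation: __user pointer sanitization' > "$sample/spectre_v1"
echo 'Vulnerable' > "$sample/spectre_v2"
check_cpu_vulns "$sample" || echo "unpatched or unreported issue found"
rm -rf "$sample"
```

Calling `check_cpu_vulns` with no argument inspects the live host instead of the sample directory.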

The importance of a virtual secure element

How the virtual secure element technology is protecting millions of customers in Singapore against such CPU vulnerabilities

Does this mean that consumers should refrain from performing banking or payment transactions while waiting for software updates to be made available by the respective vendors? Fortunately, consumers in Singapore can be reassured that cutting-edge technology is securing most of their critical banking, payment, and government applications against such attacks.

Many of these apps already have critical personal data and encryption keys stored and processed within a virtual vault that is also known as a “virtual secure element”. Within the context of the application container analogy, this is like introducing a safe within each application, so that critical data can be kept in the safe, without worrying that other applications can observe the data through peepholes.

As an example, some mobile banking apps today have the ability to generate one-time passwords (OTPs) for two-factor authentication, doing away with the need to send OTPs via SMS or to key in the OTP displayed on a hardware token. These apps make use of the virtual secure element to securely store the secret key that is used for OTP generation. The virtual secure element ensures that this secret key will not be leaked to any malware exploiting the Meltdown or Spectre vulnerabilities.

The same virtual secure element technology is also used by mobile banking apps to store secret keys and confidential data for payment transactions. When payments are made, the most critical processing is done within the virtual secure element, which makes it secure regardless of whether there are vulnerabilities in the underlying operating system or CPU.

As a result, many mobile banking apps in Singapore like DBS digibank and UOB Mighty already enjoy strong security with the virtual secure element technology provided by V-Key that stands up to the most malicious hacks. Besides the secret key for OTP generation, other sensitive data and cryptographic keys for payments are also similarly protected. Users can safely perform banking transactions as usual without fear of critical data being stolen by malware, as long as they continue to be vigilant about social engineering attacks such as phishing and baiting.

Conclusion

Traditionally, security vulnerabilities were mostly found in software, creating the false impression that hardware is more secure than software. These latest vulnerability disclosures show that hardware can be vulnerable too, and the impact is immeasurable. Most security practitioners advocate multi-layered security defence. Security vulnerabilities will continue to be discovered and patched at all levels. With the use of novel technologies such as virtual secure element, anti-tampering, and obfuscation, users and organizations do not have to rely totally on the security of the underlying operating system or hardware processor and can remain protected against single points of weakness.
