How do the Meltdown/Spectre exploits affect Exodus?
On January 3rd, 2018, two closely related exploits were published which affect nearly all computers in the world, from desktop computers to smartphones to embedded computers in smart TVs. They are called Meltdown and Spectre. This article summarizes and simplifies their underlying mechanics, as our primary intention is to inform you, the Exodus customer, on how you can protect yourself against them.
For those who want the short & sweet version, there is a summary of recommended action at the bottom above the sources.
Meltdown is a vulnerability which allows a malicious program to bypass the restrictions between programs’ allocated memory. Normally, distinct programs running on the same computer have sections of memory allocated to them, outside of which they cannot read. It is a sneaky workaround to bypass these restrictions, allowing a piece of malicious code to read data that is stored in working memory. This could include cryptographic keys, passwords, or even private key data from Exodus, or any other wallet for that matter.
This is a general threat which applies not only to Exodus but to every program down to the very lowest levels of a computer. Any system running an Intel or ARM processor should be considered vulnerable. It is of foremost concern for server providers, hosting services, and large cloud-based infrastructure companies. AMD claims to be immune to this particular exploit.
One especially dangerous consequence of Meltdown is that malware could be run on your machine which, through this exploit, could gain access to memory belonging to other running programs. This includes access to Exodus-allocated memory, which could contain private key data. It is patchable, however, and the patches will be available for all major operating systems on January 9th, 2018.
Your goal should be to upgrade your operating system (Windows, macOS or Linux) when the patches are made available by your operating system vendor on January 9th, 2018.
Spectre is a more complicated and targeted attack which would require that an attacker trick the victim application (Exodus) into performing a certain type of code execution called "Speculative Execution". The vulnerability requires a piece of malicious code to be carefully crafted for the intended target application (Exodus). It is harder to do, but is ubiquitous: nearly every CPU manufactured after 1995 is vulnerable to Spectre by its very design.
If this can be accomplished correctly, it could expose the contents of the victim application's memory used in the execution.
Spectre has been proven to allow a web application running in one window of your browser to read the memory contents of other processes on your system. For example, the online store you’re shopping through could run code allowing it to read passwords in Exodus-allocated memory, which could contain private key data. This is the #1 concern for you. This vulnerability is patchable, however, and like with Meltdown, fixes will be made available for all major operating systems on January 9th, 2018.
To be safe, do not run Exodus at the same time as your web browser until you have patched your browser(s) and operating system!
Keep in mind that both of these exploits:
- are read-only - they cannot take control of your computer or escalate an attacker's access to your system.
- have been tested and proven to be possible, but have not been seen used in the real world to attack anyone or steal information. If this has occurred, it happened unknowingly or was simply not reported.
- would require Exodus to be open and unlocked to have any access to its memory.
What You Can Do Right Now
Upgrade your web browser to the latest version immediately!
- For Firefox users, make sure you've upgraded to the latest version: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
- Google will be issuing an update on January 23rd, 2018 for the Google Chrome browser. Until then, an interim fix is to turn on "Strict site isolation" by pasting this link into your browser:
chrome://flags/#enable-site-per-process
and clicking "Enable".
- For Microsoft IE and Edge users, make sure you've installed the latest updates for Windows: https://support.microsoft.com/en-us/help/4056890/windows-10-update-kb4056890
- For more technically minded people, another option is to install a script blocker like NoScript for Firefox, or ScriptSafe for Chrome.
- Stay tuned to your operating system manufacturer's update system and install all recommended security updates.
- Don't store large amounts of crypto assets on your computer, whether in Exodus or another wallet, or on an online exchange. We highly recommend getting a hardware wallet and offloading your funds there (or creating a paper wallet). Even in the most secure times, this is still sage advice.
Our Commitment to Security
At Exodus, we are 100% committed to the security of our customers' wallets, and we are going to stay on top of this as it unfolds and we learn more information. To the end of improving and enhancing wallet security, expect to see that future versions of Exodus will:
- proactively remove seeds and keys from memory after an elapsed period of time
- enable 2FA support in our wallet
- support hardware wallet integration
...all to add extra layers of security for your peace of mind. The safety and security of your funds is top priority here at Exodus, and we won't sleep until we've rolled out every bug fix, feature, and enhancement possible to that end.
Meltdown and Spectre vulnerabilities most likely will affect you, regardless of what computer/OS/smartphone you own. Our recommendations are to:
- Upgrade your operating system as soon as new patches become available, particularly the big release on January 9th, 2018.
- Upgrade any web browsers you use, as soon as possible.
- Until your system is patched, avoid surfing the web with Exodus open at the same time, especially when visiting unfamiliar websites. Check and double check to make sure the domain you are browsing to is spelled right.
For reference, the respective CVE (Common Vulnerabilities and Exposures) entries are:
- CVE-2017-5754 (Meltdown) is the most immediately severe of the three. This exploit uses speculative cache loading to enable a local attacker to read the contents of memory. This issue is corrected with kernel patches.
- CVE-2017-5753 (Spectre) is a bounds-checking exploit during branching. This issue is corrected with a kernel patch.
- CVE-2017-5715 (Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.
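On Linux, you can confirm that the kernel fixes for the three CVEs above are active by reading the kernel's own status files. The script below is an added example, not Exodus code; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (mainline 4.15 and later, or a vendor backport), and the function name `check_cpu_vulns` is hypothetical.

```shell
#!/bin/sh
# Added example (not Exodus code): report the kernel's mitigation status
# for Meltdown and both Spectre variants from the Linux sysfs interface.

# CVE -> status file name under /sys/devices/system/cpu/vulnerabilities
CV_MAP="CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2"

# check_cpu_vulns [DIR]
# Prints one line per CVE. Return codes:
#   0 = every issue is "Not affected" or has a mitigation active
#   1 = at least one issue is reported as unmitigated
#   2 = nothing unmitigated, but at least one status file is missing
#       (kernel does not expose the interface, so status is unknown)
check_cpu_vulns() {
    cv_dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    cv_rc=0
    for cv_entry in $CV_MAP; do
        cv_cve="${cv_entry%%:*}"
        cv_name="${cv_entry##*:}"
        if [ ! -r "$cv_dir/$cv_name" ]; then
            printf '%s %-10s UNKNOWN  (no status file)\n' "$cv_cve" "$cv_name"
            if [ "$cv_rc" -eq 0 ]; then cv_rc=2; fi
            continue
        fi
        # The kernel writes a single line such as "Mitigation: PTI",
        # "Not affected" or "Vulnerable".
        cv_status="$(head -n 1 "$cv_dir/$cv_name")"
        case "$cv_status" in
            "Not affected"*|"Mitigation:"*)
                printf '%s %-10s OK       %s\n' "$cv_cve" "$cv_name" "$cv_status" ;;
            *)
                printf '%s %-10s AT RISK  %s\n' "$cv_cve" "$cv_name" "$cv_status"
                cv_rc=1 ;;
        esac
    done
    return "$cv_rc"
}

# Usage: source this file, then run `check_cpu_vulns` with no arguments
# to inspect the running kernel.
```

A result of UNKNOWN or AT RISK means the operating system updates recommended above still need to be installed, followed by a reboot into the new kernel.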