Anatomy of a Breach: Spectre and Meltdown — The CPU Flaws That Proved Hardware Is Not Immune

> series: anatomy_of_a_breach —— part: 109 —— vulnerability: spectre_meltdown —— affected: every_modern_cpu —— duration: 20_years_of_processors

Hedgehog Security 31 January 2018 13 min read

Every processor. Every computer. Every cloud server. For twenty years. Vulnerable.

On 3 January 2018, security researchers from Google's Project Zero, academic institutions, and independent researchers simultaneously disclosed two classes of hardware vulnerabilities: Meltdown (CVE-2017-5754, primarily affecting Intel processors) and Spectre (CVE-2017-5753 and CVE-2017-5715, affecting Intel, AMD, and ARM processors). The flaws exploited speculative execution — a performance optimisation technique where processors execute instructions before knowing whether they will be needed — to leak data from protected memory areas.

The scope was unprecedented: virtually every modern processor manufactured over the previous two decades was affected. Every desktop, laptop, server, smartphone, and cloud instance running on Intel, AMD, or ARM chips was potentially vulnerable. Unlike Heartbleed and Shellshock, both software flaws, Spectre and Meltdown were hardware vulnerabilities that could not be fully patched in software — only mitigated, and at a measurable performance cost. The disclosures prompted emergency patching across every major operating system and cloud provider, and fundamentally changed how the industry thinks about hardware security.


From silicon to cloud — every layer affected.

Hardware Cannot Be Fully Patched

Software vulnerabilities can be patched completely — the vulnerable code is replaced. Hardware vulnerabilities in CPU architecture can only be mitigated through software workarounds that prevent exploitation but cannot remove the underlying flaw. Complete remediation requires new processor designs. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies systems requiring Spectre/Meltdown mitigations.

Cloud Multi-Tenancy at Risk

In cloud environments where multiple customers share the same physical processor, Spectre-class attacks could theoretically allow one tenant to use the shared CPU caches as a side channel to read another tenant's data. This fundamentally challenged the isolation guarantees of cloud computing. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess cloud security including isolation controls.

Performance Impact of Mitigations

The software mitigations for Spectre and Meltdown came with performance penalties — ranging from negligible to 30% depending on workload. Organisations faced a choice between security and performance. <a href="/cyber-essentials">Cyber Essentials</a> mandates that security patches are applied; performance impact does not exempt organisations from patching obligations.

Twenty Years of Vulnerable Processors

The speculative execution techniques exploited by Spectre and Meltdown had been built into processors since the mid-1990s. Like <a href="/blog/anatomy-of-a-breach-shellshock">Shellshock's</a> 25-year latency, the discovery demonstrated that foundational technology assumptions can harbour critical vulnerabilities for decades. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation attempts against known hardware vulnerabilities.

Trust no layer. Not even the silicon.

Spectre and Meltdown completed the lesson that Heartbleed (cryptographic libraries), Shellshock (system shells), and KRACK (wireless protocols) had begun: no layer of the technology stack is immune to critical vulnerabilities. Security must be implemented at every layer — hardware, operating system, network, application, and human — because vulnerabilities at any layer can compromise the entire system.

Cyber Essentials mandates patching across all layers. Our vulnerability scanning identifies systems requiring mitigations. Infrastructure testing assesses the effectiveness of applied mitigations. SOC in a Box monitors for exploitation attempts. And UK Cyber Defence provides incident response when hardware-level vulnerabilities are actively exploited.
Spectre and Meltdown proved the silicon is not safe. Have your mitigations been applied and verified?

<a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unmitigated systems. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> verifies mitigations. <a href="/cyber-essentials">Cyber Essentials</a> mandates patching at every layer.
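Verifying that mitigations are actually in place is something an administrator can check from the host itself. The script below is an added example and not part of the original article or of Hedgehog Security's tooling. It relies on the Linux kernel's sysfs interface, which since kernel 4.15 exposes one file per known CPU flaw under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and later additions), each reading "Not affected", "Mitigation: ...", or "Vulnerable...". The sample directory it builds is constructed to imitate that format so the script runs on any machine; the values are not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Linux host's
# speculative-execution mitigation status via the kernel's sysfs interface.
# Assumes Linux 4.15+ where /sys/devices/system/cpu/vulnerabilities/ exists.

# Classify one sysfs entry; prints not_affected | mitigated | vulnerable | unknown.
mitigation_status() {
    raw=$(cat "$1" 2>/dev/null) || raw=unknown
    case $raw in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Audit every entry in a vulnerabilities directory (default: the live sysfs one).
# Exit status: 0 if nothing is reported vulnerable, 1 if any entry is vulnerable,
# 2 if the directory is missing (kernel predates the interface, or not Linux).
audit_vulnerabilities() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "$dir not found: cannot read mitigation status" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        s=$(mitigation_status "$f")
        printf '%-14s %-13s %s\n' "$(basename "$f")" "$s" "$(cat "$f")"
        if [ "$s" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample directory so the audit can be exercised on any machine.
# The contents imitate the sysfs format; they are not output from a real host.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Usage: run the audit against the constructed sample, then clean up.
# Drop the argument to audit the live host instead.
SAMPLE=$(make_sample_dir)
audit_vulnerabilities "$SAMPLE" || echo "audit exit status: $?"
rm -rf "$SAMPLE"
```

The non-zero exit status makes the check easy to wire into a configuration-management run or a scheduled job, so a host that loses its mitigations (for example after a kernel parameter change) is flagged rather than silently accepted.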
