Spectre & Meltdown

Introduction

• • Spectre and Meltdown are most egregious in the case of arbitrary third-party code execution, such as in shared-tenancy situations (e.g. cloud service providers like AWS, Microsoft Azure, or Google Cloud) or in desktop operating systems. This, in short, iswhy these vulnerabilities are so scary to companies like Amazon since they execute code written by third parties in shared tenancy.
  • Eagle Eye runs a completely closed server ecosystem — our Bridges and CMVRs act as appliances and run only trusted code, our cloud systems run on dedicated hardware (no shared tenancy), and generally, we are not open to attack in ways that can be exploited specifically by Spectre/Meltdown.
  • We fully acknowledge that no system can ever be completely secure, but we have conscientiously and continuously monitored the security community to ensure that we mitigate or close every vulnerability we can as they are discovered.

Questions & Responses

Do you have a vulnerability in relation to Meltdown or Spectre?

Summary: Some equipment is theoretically vulnerable, but not used in a way such that any vulnerability can be exploited.  Details are listed for each of our components below.
Cameras and Managed Switches: No, the CPUs used are not vulnerable, even theoretically, to these attacks.
Bridges and CMVRs: The CPUs we use here are theoretically vulnerable to both Spectre and Meltdown, but no known exploits exist for them yet. Assuming a future exploit eventually exists, the platforms are not open and cannot be made to run the arbitrary code required for exploitation without an additional (at this point also hypothetical) exploit. In short: They are not known to be vulnerable at this time, and likely never will be, since it would require the combination of Spectre/Meltdown AND another as-yet-undiscovered vulnerability.
Cloud: The CPUs we use here are theoretically vulnerable to Spectre only. However, we have a closed ecosystem and do not share tenancy with third parties. As a result, exploitation would be nearly impossible without some additional (as-yet hypothetical) exploit.

Do you have a patch available and If not what date will the patch be available?

Summary: No patches needed for customer-premises equipment; Eagle Eye’s cloud infrastructure will be patched as a preventative measure in the coming weeks as a patch becomes available. No user action is needed.
Cameras and Managed Switches: No patch needed.
Bridges and CMVRs: No patch available or needed at this time.
Cloud: Currently waiting for a patch from our Operating System vendor as a preventative measure, though it’s likely unneeded.

What version of the product does the patch support?

If a patch is later determined to be needed, customer-premises equipment will be revised as a whole to reflect that patch as part of a normal update process.  No special out-of-band “hotfix” mechanism would be needed.

Is there a process for receiving future patches?

Any future product revisions that contain this (or any other security patch) will be upgraded normally as part of our existing continuous delivery process.  There is no need for customers to explicitly do anything to receive security updates.

Is this your final patch?

As above, we have determined that no patch is needed for customer-premises equipment at this time. We expect that the preventative patch for Eagle Eye cloud systems will be final when deployed in the coming weeks.

Is there a subscription service available to receive updates or do you have a living document available on your site to provide updates?

Updates are included as part of your Eagle Eye subscriptions; no separate action, subscription, or payment is required.

Are there any prerequisites or requirements to ensure your patch functions correctly? Are there any OS dependencies for the patch?

For customer-premises equipment, the OS and functional software are updated together automatically. A future patch, if needed, will automatically upgrade the OS as part of the process.

Are you patches still required if the hardware vendors patches are applied (BIOS Updated)?

Since the nature of any actual vulnerability or potential BIOS-level mitigation is unknown at this time, we cannot say. The BIOS is not user-upgradable on Eagle Eye bridges and CMVRs, however, and any updates would come from our normal update process without user action.

Does your patch protect the application layer residing on the hardware?

Again, any possible future patch needed would cover both the OS and the application layers. Because we have no third-party code running on our hardware, these layers are essentially indistinguishable from a customer perspective.

Any performance impact related to the deployment of the patch?

For Eagle Eye’s cloud services, we expect a minimal impact from the upcoming preventative patch. For customer-premises equipment, if a patch is needed we would expect minimal impact for the vast majority of users given a typical bridge/CMVR workload.

Are we required to reboot when implementing the patch?

If a patch is needed for customer-premises equipment, a reboot will be scheduled automatically as part of the upgrade process and will be required (total downtime of about a minute on most customer premises equipment).

Are there any potential conflicts between your patch and another required patch?

Conflicts of this nature are not possible since Eagle Eye controls all of the code involved.

How do we receive support if the patch fails to deploy successfully?

As part of the normal upgrade process, Eagle Eye technical support monitors all upgrades to customer-premises equipment and generally is able to monitor and proactively fix issues as they occur. Should additional support be required, technical support is available at your disposal for any subscribed customer-premises equipment as normal.

Read More Cyber Security Blogs