ZombieLoad Attack

Watch out! Your processor resurrects your private browsing history and other sensitive data.

After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows stealing sensitive data and keys while the computer accesses them.

While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.

The attack does not only work on personal computers but can also be exploited in the cloud.

Make sure to get the latest updates for your operating system!

@misc{ZombieLoad2019,
    title = {{ZombieLoad: Cross-Privilege-Boundary Data Sampling}},
    author = {Schwarz, Michael and Lipp, Moritz and Moghimi, Daniel and Van Bulck, Jo and Stecklina, Julian and Prescher, Thomas and Gruss, Daniel},
    year = {2019},
    url = {https://zombieloadattack.com},
}

Who is behind ZombieLoad?

ZombieLoad in Action

In our demo, we show how an attacker can monitor the websites the victim is visiting despite using the privacy-protecting Tor browser in a virtual machine.

Questions & Answers

If you have an Intel CPU, most certainly, yes.

No. These are bugs in the processor. Software can work around these bugs, which costs performance. Future processors will have integrated fixes.

We do not have any data on this. The exploitation might not leave any traces in traditional log files.

While possible in theory, this is unlikely in practice. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

If your system is affected, our proof-of-concept ZombieLoad exploit can read data that is recently accessed or accessed in parallel on the same processor core.

We don't know.

Yes, there is an academic paper and a blog article.

Desktop, laptop, and cloud computers may be affected. More technically, we only verified the ZombieLoad attack on Intel processor generations released from 2011 onwards.

CVE-2018-12130 is the official reference to ZombieLoad. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

The logo is free to use, rights waived via CC0. Logo designed by Natascha Eibl.

Yes, there is a GitHub repository containing test code for the ZombieLoad attack.
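The answers above say that software can work around the bug and that data accessed in parallel on the same core is exposed. As an added example (not code from the ZombieLoad authors or their repository), the script below interprets the status line that patched Linux kernels expose in `/sys/devices/system/cpu/vulnerabilities/mds`, the entry covering the MDS class to which ZombieLoad belongs. It assumes a Linux host; the function name `assess_mds` and the sample lines are constructed for this example.

```python
from pathlib import Path

# sysfs entry under which Linux reports the MDS class (ZombieLoad included).
MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")


def assess_mds(status):
    """Interpret one status line, e.g. 'Mitigation: Clear CPU buffers; SMT vulnerable'.

    assess_mds is a name chosen for this example, not a kernel or library API.
    """
    main, _, smt = status.strip().partition(";")
    main, smt = main.strip(), smt.strip()
    if main == "Not affected":
        return {"state": "not_affected", "smt": None, "actions": []}

    actions = []
    if main.startswith("Mitigation:"):
        state = "mitigated"
    elif "no microcode" in main:
        # Kernel tries to clear CPU buffers, but the microcode lacks support.
        state = "partial"
        actions.append("install updated CPU microcode")
    else:
        state = "vulnerable"
        actions.append("update kernel and microcode; check for mds=off or mitigations=off")

    # The SMT suffix covers data accessed in parallel on the same core.
    smt_state = smt[4:].lower() if smt.startswith("SMT ") else None
    if smt_state == "vulnerable":
        actions.append("sibling hyperthread is still exposed; consider disabling SMT")
    elif smt_state == "host state unknown":
        actions.append("running as a guest; confirm SMT policy with the host operator")
    return {"state": state, "smt": smt_state, "actions": actions}


if __name__ == "__main__":
    if MDS_SYSFS.exists():
        line = MDS_SYSFS.read_text()
        print(line.strip(), "->", assess_mds(line))
    else:
        print("no mds entry: not Linux, or the kernel predates the MDS patches")
    # Constructed sample lines covering the kernel's documented status strings.
    for sample in ("Not affected",
                   "Vulnerable; SMT vulnerable",
                   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown",
                   "Mitigation: Clear CPU buffers; SMT disabled"):
        print(sample, "->", assess_mds(sample))
```

A result of `mitigated` with `smt` equal to `vulnerable` means the buffer clearing is active but a sibling hyperthread on the same core can still observe data, which is the parallel-access case described above.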

Acknowledgements

We would like to thank Intel for working with us during the responsible disclosure.

This work was supported in part by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402).

This work has been supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET – Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia.

The Graz University of Technology team would also like to thank Intel for providing a generous gift prior to the start of this research project, funding part of this research.

This research was partially supported by the Research Fund KU Leuven. Jo Van Bulck is supported by a grant of the Research Foundation - Flanders (FWO).