At the University of Technology in Graz in Austria researchers have been able to prove that Spectre attacks can be launched remotely without the need to execute arbitrary code on the targeted machine.
The researchers, some of which were also involved in the discovery of the original Meltdown and Spectre vulnerabilities, have dubbed the new attack NetSpectre as it allows a remote attacker to read arbitrary memory data over the network.
NetSpectre attacks have been successfully conducted by the experts both in a local area network (LAN) and between virtual machines in Google Cloud.
While NetSpectre attacks can in theory pose a significant risk, data can only be leaked very slowly. Researchers achieved an exfiltration rate of 15 bits per hour over a local network, and 60 bits per hour by using a new AVX-based covert channel instead of a cache covert channel. This is the first Spectre attack that does not use a cache covert channel.
In experiments conducted using Google Cloud, researchers managed to leak data from an independent virtual machine at a rate of 3 bits per hour.