I believe the new bugs mentioned only allow access to data and are not means to take control of a PC. If you have a BOINC task that is mining instead of crunching I'd say it was more likely that the BOINC project was hacked and a new app version was replaced with a miner and automatically sent out to many people at once. Heck some project admins rarely visit the forums/project to even notice.

1. Spectre & Meltdown can give you access to some computer, but so does any other vulnerability out there!
2. If there's BOINC on PC, it's easy job to "hijack" the BOINC by changing credentials in BOINC itself.
3. For running BOINC, you don't even need an install. To heck, you don't even need to be admin or power user on Win PC. So just need to copy the BOINC into dir & run it.
3.a) That also goes for BOINC apps.

So yes, it's possible. But is it OK to do?
Not so much. Many of us would not condone such an act.

That's great news seippel that science apps are digitally signed. It'd be extra hardcore if the app supported key pinning, but that's a pain.

Dennis Charles, I bet there are easier exploits than Spectre and Meltdown when attacking BOINC, honestly. We just don't know about them. Not sure if there has been a concerted effort to pen test BOINC client/server infrastructure or thoroughly audit the source code.

Best practice suggest running the BOINC client under an unprivileged account. This is done automatically during Windows installation only if it's installed as a service. Otherwise BOINC will run as the current user, and hopefully the current user is at least *not* a local admin on that machine but just a standard user.

Linux installs of BOINC using a package manager will create a "boinc" user for the purpose of running the BOINC client and locks down quite a bit of the processes, making it harder to attack BOINC for the purpose of privilege escalation.

Now that you mention cryptocurrency mining Dennis Charles, maybe the best way to "attack" BOINC is through "soft" hacking such as social engineering. All we would have to do is pose as a humanitarian research organization or university. We would then pitch our project to WCG (or start our own project and submit directly to BOINC and bypass WCG altogether), and we could say we are... fighting cancer or searching for prime numbers or ET but instead be mining Monero, Dogecoin, Ethereum, etc.

Send me an e-mail if you wish to partner up. This is a great idea!

(joke)

Hi Dan L, and welcome to the forum.

This issue is discussed elsewhere, in this thread. But it looks like the effect on crunching is generally very small indeed as there are few system calls in the science apps and hence almost no context switching.