Earlier today, we reported that according to a press reports, Intel's computer chips were affected by a bug that makes them vulnerable to hacking. Specifically, The Register said the bug lets some software gain access to parts of a computer’s memory that are set aside to protect things like passwords, and making matters worse, all computers with Intel chips from the past 10 years appear to be affected. The news, which sent Intel's stock tumbling, was later confirmed by the company.
In a statement issued on Monday afternoon, Intel said it was working with chipmakers including Advanced Micro Devices Inc. and ARM Holdings, and operating system makers to develop an industrywide approach to resolving the issue that may affect a wide variety of products, adding that it has begun providing software to help mitigate the potential exploits. Computer slowdowns depend on the task being performed and for the average user “should not be significant and will be mitigated over time" the company promised despite much skepticism to the contrary.
As Bloomberg helpfully puts it, Intel's microprocessors "are the fundamental building block of the internet, corporate networks and PCs" and while Intel has added to its designs over the years trying to make computers less vulnerable to attack, arguing that hardware security is typically tougher to crack than software, there now appears to be a fundamental flaw in the design.
In a vain attempt to mitigate the damage, Intel claimed that the “flaw” was not unique to its products.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” the Santa Clara, California-based company said. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
The extent of the vulnerability is huge
As Bloomberg writes, "the vulnerability may have consequences beyond just computers, and is not the result of a design or testing error." Here's how the bug "works":
All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they’re likely to be asked to run next. By queuing up possible executions in advance, they’re able to crunch data and run software much faster.
The problem in this case is that this predictive loading of instructions allows access to data that’s normally cordoned off securely, Intel Vice President Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.
Security vulnerability aside, the fix may be just as bad: it would result in a significant slowdown of the CPU, and the resultant machine.
Because the exploit takes advantage of a technology intended to accelerate the performance of the processors, the fix slows them, said the person. In devices with the current generation of Intel chips, the impact will be small, but it will be more significant on older processors. Microsoft is still looking at the impact on the speed of cloud services and how it will compensate paying customers, the person said.
"The techniques used to accelerate processors are common to the industry,” said Ian Batten, a computer science lecturer at the University of Birmingham in the U.K. who specializes in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25 percent to 30 percent are “worst case” scenarios.
Intel's troubles will likely spread far beyond just the company: Intel CEO Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue “a couple of months ago.”
Google identified the researcher as Jann Horn, and said it has updated its own systems and products with protections from this kind of attack. Some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the internet giant said.
“Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we’re better off to get the fix in place,” Krzanich said, explaining how the company responded to the issue.
On the call, Intel’s Smith said the company sees no significant threat to its business from the vulnerability.
“I wouldn’t expect any change in acceptance of our products,” he said. “I wouldn’t expect any concrete financial impact that we would see going forward.”
In response to the bug, Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD. The software maker has also started applying the patches to its cloud services where servers also are affected by the issue.
Meanwhile, Advanced Micro Devices, whose stock surged on news of Intel's misfortune, said “there is near zero risk” to its processors because of differences in the way they are designed and built. "To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," the company said in a statement.
And then there are the questions about revenue and lost profit.
Quoted by Bloomberg, Frank Gillett, an analyst at Forrester Research, said that providers of computing over the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing power and energy to perform the same functions while maintaining security.
“When you’re running billions of servers, a 5 percent hit is huge,” he said.
At the same time, cloud providers will likely have to throttle back the pace of new customers accessing their data centers while they take servers down to fix the problem, and there could be a price spike for servers as demand surges, Gillett said.
* * *
There is another take, and according to this one the implications to both Intel and the entire CPU industry could be dire. What follows is the transcription of the Monday afternoon tweetstorm by Nicole Perlroth - cybersecurity reporter at the NYT - according to whom today's "bug" is "not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market." In fact, according to the cybersecurity expert, one aspect of the bug is extremely troubling simply because there is no fix. Here is the full explanation.
- 1. Apparently I don't know how to thread, so here goes my second attempt at blasting you with critical news on this "Intel Chip problem" which is not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.
- 2. Christmas didn't come for the computer security industry this year. A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
- 3. Our story on the motherlode of all vulnerabilities just posted here: https://www.nytimes.com/2018/01/03/business/computer-flaws.html. More will be post soon.
- 4. We're dealing with two serious threats. The first is isolated to #IntelChips, has been dubbed Meltdown, and affects virtually all Intel microprocessors. The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent.
- 5. The second issue is a fundamental flaw in processor design approach, dubbed Spectre, which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET (Note here: Intel stock went down today but Spectre affects AMD and ARM too), and has NO FIX.
- 6. Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.
- 7. The basic issue is the age old security dilemma: Speed vs Security. For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their design was secure. (Narrator: They were not)
- 8. Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals...
- 9. Data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches onto another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.
- 10. Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and
- 11. Chipmakers like Intel will have to do a full recall-- unclear if there's even manufacturing capacity for this-- OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware.
- 12. Intel is not surprisingly trying to downplay the threat of these attacks, but proof-of-concept attacks are already popping up online today, and the timeline for a full rollout of the patch is not clear. And that's just for the Meltdown threat. Spectre affects AMD and ARM too.
- 13. But judging by stock moves today (Intel down, AMD up), investors didn't know that, taken together, Spectre and Meltdown affect all modern microprocessors.
- 14. Meltdown and Spectre affect most chipmakers including those from AMD, ARM, and Intel, and all the devices and operating systems running them (GOOG, AMZN, MSFT, APPL etc).
- 15. The flaws were originally discovered last June by a researcher at Google Project Zero (shout out @ Jann Horn) and then separately by Paul Kocher and a crew of highly impressive researchers at Rambus and academic institutions. Originally public disclosure was set for next week
- 16. But news of Meltdown started to leak out (shout out @TheRegister) yesterday, so the disclosure was moved up a week to right now. The problem with this rushed timeline is that we don't necessarily know when to expect Meltdown patches from tech cos.
- 7. Google says its systems have been updated to defend against Meltdown security.googleblog.com/2018/01/todays…. Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon's tailored Linux version, and would roll out the MSFT patch for other customers 2day
If the above is remotely true, the semi-space which has surged in recent week alongside the broad tech sector meltup, will have a very tough time in the coming weeks.
Comments
Oops. Not.
Yup - not a bug.
The way they're designed
In reply to Oops. Not. by peddling-fiction
take a wild ass guess in what cuntry?
In reply to Yup - not a bug… by Pinto Currency
What are the implications for military hardware?
In reply to take a wild ass guess in… by WillyGroper
Houston, we have a problem.
Only one?
In reply to What are the implications… by Billy the Poet
Spectre? Holy shit, call James Bond 007.
In reply to Houston, we have a problem… by peddling-fiction
The funniest part was Intel trying to say AMD had it too and was working with the "industry" to keep users safe and AMD basically saying "Fuck You, we don't have the shitty Indian and Pakistani coders like you do."
In reply to Spectre? Holy shit, call… by Delving Eye
Wake up. Intel chips are designed in Israel.
In reply to The funniest part was Intel… by johngaltfla
It looks like it may be time to go off the grid. At least until it is somewhat safer using Blockchain technology. Scammers seem to be always one step ahead of the curve.
In reply to Wake up. Intel chips are… by flapdoodle
never
fucking
ever
save your
fucking passwords
on the
fucking
device
-------
and never
fucking
ever
sync your
shit
to a fucking cloud
poof!
In reply to It looks like it may be time… by zorba THE GREEK
"No, no, really! It's a feature!"
In reply to never… by Bes
This hardware flaw in no way concerns me when considering the potential dangers of AI.
/sarc
In reply to "No, no, really! It's a… by Theosebes Goodfellow
Meltdown is the shit (and affects just Intel)
Spectre (affects all CPUs but cannot be exploited) was released to distract the plebeian and help Intel to do some fallout management
Linus Trovalds is raging at Intel:
https://lkml.org/lkml/2018/1/3/797
In reply to This hardware flaw in no way… by Cognitive Dissonance
Linus is right.
In reply to Meltdown is the shit… by svayambhu108
Love the tone of the article. THERE'S THIS THING AND IT'S BAD AND IT'S INTEL AND THERE'S THIS OTHER THING AND IT'S REALLY REALLY BAD AND IT'S EVERYTHING EVERYPLACE. IN TECHNICAL TERMS, OMG, OH DEAR LORD JESUS ROCK MY SOUL IN THE BOSOM OF ABRAHAM......
Yup. Keep those quality reporting standards going kids.
In reply to Linus is right. by peddling-fiction
Yup, who in the hell listens to anything from the nyt?
Haven't built a pc with an intel proc since the 450 mhz pentium III.
edit: Still runs btw. I have European Air War on it by Microprose. Fun times.
In reply to Love the tone of the article… by a Smudge by an…
I bet this had nothing to do with it:
https://www.fool.com/investing/2017/12/19/intels-ceo-just-sold-a-lot-of…
In reply to Yup, who in the hell listens… by Oliver Klozoff
Intel is Israel's largest private sector employer.
Andy Grove was a Zionist.
http://www.zdnet.com/article/israel-inside-a-history-of-intels-r-d-in-israel/
In reply to I bet this had nothing to do… by eforce
Stickers should say "Mosad inside".
In reply to Intel is Israel's largest… by Pinto Currency
The evil empire weighs in on the technical details:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memor…
In reply to Stickers should say "Mosad… by Secret Weapon
I'm making over $14k a month working part time. I kept hearing other people tell me how much money they can make online so I decided to look into it. Well, it was all true and has totally changed my life. This is what I do... http://disq.us/url?url=http%3A%2F%2Fwww.Jobzon3.com%3Ab8eR_DQLwGRPVGtFv…
In reply to The evil empire weighs in on… by Joe Davola
and Jim Stone's been talking about this for years now
In reply to Linus is right. by peddling-fiction
These tech firms have been pointing their fingers the last 8 years at other companies about carbon footprints. I truly hope the energy star and green IT f*ckers get a EPA lawsuit crammed up their ass over this.
Ps. Down voters, I truly hope you enjoy your light bulbs that take 5 minutes to warm up and are draining mercury into the watertable.
In reply to Meltdown is the shit… by svayambhu108
.
In reply to These tech firms have been… by bidaskspread
Wired posted an article on this issue on June 1 2016. They also provide a handy walk through.
https://web.archive.org/web/20160601154818/https://www.wired.com/2016/0…
Only after the “trigger” command is sent many thousands of times does that charge hit a threshold where the cell switches on a logical function in the processor to give a malicious program the full operating system access it wasn’t intended to have.
let the games begin
In reply to Meltdown is the shit… by svayambhu108
Spectre can be exploited.
It is just harder to exploit.
Still not sure the extent of Spectre on AMD, though, so much noise right now...
In reply to Meltdown is the shit… by svayambhu108
DIdn't see that. Meltdown can be mitigated by deploying KAISER, but Spectre, while being harder to do, has no defense currently. AFAIK Spectre is basically speculative execution, accessing arbitrary memory locations. Thanks for the link.
For those interested, these are both exploits of out-of-order execution in the chip itself. Meltdown is pretty simple to understand conceptually and pretty clever. Follow links with the vid for more info.
Meltdown in action: https://www.youtube.com/watch?v=bReA1dvGJ6Y
In reply to Meltdown is the shit… by svayambhu108
And cryptocurrencies. Don't forget Bitcoin.
;)
In reply to This hardware flaw in no way… by Cognitive Dissonance
Autonomous vehicles comin' at cha!
Should be acronymned MSM's (mobile suicide machines)
In reply to And cryptocurrencies. Don't… by Andre
Cryptos are toast Andre.
Intel will accelerate the inevitable.
In reply to Autonomous vehicles comin'… by Oliver Klozoff
gold is real
In reply to And cryptocurrencies. Don't… by Andre
Ai was a town in the Old Testament.
Nothing new under the sun, for sure!
In reply to This hardware flaw in no way… by Cognitive Dissonance
Stop calling it a "bug". It is a feature. Ask the NSA.
In reply to This hardware flaw in no way… by Cognitive Dissonance
Actually I called it a hardware flaw. But thanks for setting me straight.
And I have no doubt what-so-ever this 'flaw' was well known and well exploited by the 'intelligence' community for a very long time.
In reply to Stop calling it a "bug". It… by Secret Weapon
"Exploited" when you stole it or found it. "Used" when it's something you paid for. In this case, "used."
In reply to Actually I called it a… by Cognitive Dissonance
exactly! i know i remember reading a warning on dodgy intel chips and the models were named, and that was close to 10yrs ago
at the time they were saying to look at specs and see what chipset was in it and to avoid certain ones
they had "tropical" sort of names like cayman or something
i probably bookmarked it but that was maybe 4 pcs back now;-(
In reply to Actually I called it a… by Cognitive Dissonance
Visualize this..
https://diasp.org/uploads/images/scaled_full_d6aa5502061d4094668a.png
In reply to Actually I called it a… by Cognitive Dissonance
I care about it even less, because OMG the fucking BLOCKCHAIN RULES ALL!!!
In reply to This hardware flaw in no way… by Cognitive Dissonance
Somebody's golden key was discovered? Lol
In reply to "No, no, really! It's a… by Theosebes Goodfellow
Now we finally know what the NSA is exploiting.
In reply to "No, no, really! It's a… by Theosebes Goodfellow
Intel better lube-up for the class-action ass-fucking they are about to receive. I mean, who's to say how these hackers got into Home Depot's credit card database a while ago, etc, etc, etc.....
In reply to never… by Bes
Done and done. Some little voice has always told me "bad idea!" whenever someone suggested doing these things to me.
In reply to never… by Bes
I remember that big, aggressive marketing push a few years ago: "Store all your vital and sensitive shit SECURELY in the CLOUD. It's so bloody SECURE. The cloud is your FRIEND."
The lesson, once again, when that naggy little voice in the back of your mind is saying something like "TO HELL WITH THAT," is to LISTEN.
In reply to Done and done. Some little… by DeadFred
All true, but I belueve that in this case Intel is caching them so you have zero control over it.
In reply to never… by Bes
Hello, Mr. President,
we are having a little trouble with our
nuclear command and control systems
In reply to never… by Bes
actually from the lookof the ancient pcs they showed in some pr clips...running windoze 95 or8
then theyd probably be some of the safer mil equipment right now.
who'd a thunk it;-)
In reply to Hello, Mr. President, … by Perimetr
One of the best things that the gov could do for its image is fund a 5000 plus person agency to track down identity thieves, scammers, phishes, and malicious code developers and prosecute them aggressively. Such people poison the internet. And such criminals will grow as the internet grows.
In reply to never… by Bes
While you're at it, get the IPCC to police climate data. /sarc
In reply to One of the best things that… by are we there yet
It's always saved on the device, that's how it knows your password is correct. This exploit allows someone access to register. Not a bit pad file marked "passwerdz".
In reply to never… by Bes
If you can't read the code then you can't prove you're safe.
If you can't keep your computer off the internet then you can't prove you're safe.
But then if you read the code that came in off the internet then you'd program your own computer to bypass all the advertising ...
Point being that your computer is unsafe BECAUSE THE ENTIRE COMPUTER INDUSTRY WANTS IT THAT WAY.
Being unable to build and program your own computer is the cyber-equivalent of relying on the police's guns and having no guns of your own. The best you can hope for is a mediocre outcome IF the external force is on your side.
In reply to never… by Bes
Pagination