"Everyone Is Affected": Why The Implications Of The Intel "Bug" Are Staggering

Earlier today, we reported that according to a press reports, Intel's computer chips were affected by a bug that makes them vulnerable to hacking. Specifically, The Register said the bug lets some software gain access to parts of a computer’s memory that are set aside to protect things like passwords, and making matters worse, all computers with Intel chips from the past 10 years appear to be affected. The news, which sent Intel's stock tumbling, was later confirmed by the company.

In a statement issued on Monday afternoon, Intel said it was working with chipmakers including Advanced Micro Devices Inc. and ARM Holdings, and operating system makers to develop an industrywide approach to resolving the issue that may affect a wide variety of products, adding that it has begun providing software to help mitigate the potential exploits. Computer slowdowns depend on the task being performed and for the average user “should not be significant and will be mitigated over time" the company promised despite much skepticism to the contrary.

As Bloomberg helpfully puts it, Intel's microprocessors "are the fundamental building block of the internet, corporate networks and PCs" and while Intel has added to its designs over the years trying to make computers less vulnerable to attack, arguing that hardware security is typically tougher to crack than software, there now appears to be a fundamental flaw in the design.

In a vain attempt to mitigate the damage, Intel claimed that the “flaw” was not unique to its products.

“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” the Santa Clara, California-based company said. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

The extent of the vulnerability is huge

As Bloomberg writes, "the vulnerability may have consequences beyond just computers, and is not the result of a design or testing error." Here's how the bug "works":

All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they’re likely to be asked to run next. By queuing up possible executions in advance, they’re able to crunch data and run software much faster.

The problem in this case is that this predictive loading of instructions allows access to data that’s normally cordoned off securely, Intel Vice President Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.

Security vulnerability aside, the fix may be just as bad: it would result in a significant slowdown of the CPU, and the resultant machine.

Because the exploit takes advantage of a technology intended to accelerate the performance of the processors, the fix slows them, said the person. In devices with the current generation of Intel chips, the impact will be small, but it will be more significant on older processors. Microsoft is still looking at the impact on the speed of cloud services and how it will compensate paying customers, the person said.

"The techniques used to accelerate processors are common to the industry,” said Ian Batten, a computer science lecturer at the University of Birmingham in the U.K. who specializes in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25 percent to 30 percent are “worst case” scenarios.

Intel's troubles will likely spread far beyond just the company: Intel CEO Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue “a couple of months ago.”

Google identified the researcher as Jann Horn, and said it has updated its own systems and products with protections from this kind of attack. Some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the internet giant said.

“Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we’re better off to get the fix in place,” Krzanich said, explaining how the company responded to the issue.

On the call, Intel’s Smith said the company sees no significant threat to its business from the vulnerability.

“I wouldn’t expect any change in acceptance of our products,” he said. “I wouldn’t expect any concrete financial impact that we would see going forward.”


In response to the bug, Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD. The software maker has also started applying the patches to its cloud services where servers also are affected by the issue.

Meanwhile, Advanced Micro Devices, whose stock surged on news of Intel's misfortune, said “there is near zero risk” to its processors because of differences in the way they are designed and built. "To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," the company said in a statement.

And then there are the questions about revenue and lost profit.

Quoted by Bloomberg, Frank Gillett, an analyst at Forrester Research, said that providers of computing over the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing power and energy to perform the same functions while maintaining security.

“When you’re running billions of servers, a 5 percent hit is huge,” he said.

At the same time, cloud providers will likely have to throttle back the pace of new customers accessing their data centers while they take servers down to fix the problem, and there could be a price spike for servers as demand surges, Gillett said.

* * *

There is another take, and according to this one the implications to both Intel and the entire CPU industry could be dire. What follows is the transcription of the Monday afternoon tweetstorm by Nicole Perlroth - cybersecurity reporter at the NYT - according to whom today's "bug" is "not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market." In fact, according to the cybersecurity expert, one aspect of the bug is extremely troubling simply because there is no fix. Here is the full explanation.

  • 1. Apparently I don't know how to thread, so here goes my second attempt at blasting you with critical news on this "Intel Chip problem" which is not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.
  • 2. Christmas didn't come for the computer security industry this year. A critical design flaw in virtually all microprocessors allows attackers to dump the entire memory contents off of a machine/mobile device/PC/cloud server etc.
  • 3. Our story on the motherlode of all vulnerabilities just posted here: https://www.nytimes.com/2018/01/03/business/computer-flaws.html. More will be post soon.
  • 4. We're dealing with two serious threats. The first is isolated to #IntelChips, has been dubbed Meltdown, and affects virtually all Intel microprocessors. The patch, called KAISER, will slow performance speeds of processors by as much as 30 percent.
  • 5. The second issue is a fundamental flaw in processor design approach, dubbed Spectre, which is more difficult to exploit, but affects virtually ALL PROCESSORS ON THE MARKET (Note here: Intel stock went down today but Spectre affects AMD and ARM too), and has NO FIX.
  • 6. Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.
  • 7. The basic issue is the age old security dilemma: Speed vs Security. For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their design was secure. (Narrator: They were not)
  • 8. Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals...
  • 9. Data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches onto another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.
  • 10. Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and
  • 11. Chipmakers like Intel will have to do a full recall-- unclear if there's even manufacturing capacity for this-- OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware.
  • 12. Intel is not surprisingly trying to downplay the threat of these attacks, but proof-of-concept attacks are already popping up online today, and the timeline for a full rollout of the patch is not clear. And that's just for the Meltdown threat. Spectre affects AMD and ARM too.
  • 13. But judging by stock moves today (Intel down, AMD up), investors didn't know that, taken together, Spectre and Meltdown affect all modern microprocessors.
  • 14. Meltdown and Spectre affect most chipmakers including those from AMD, ARM, and Intel, and all the devices and operating systems running them (GOOG, AMZN, MSFT, APPL etc).
  • 15. The flaws were originally discovered last June by a researcher at Google Project Zero (shout out @ Jann Horn) and then separately by Paul Kocher and a crew of highly impressive researchers at Rambus and academic institutions. Originally public disclosure was set for next week
  • 16. But news of Meltdown started to leak out (shout out @TheRegister) yesterday, so the disclosure was moved up a week to right now. The problem with this rushed timeline is that we don't necessarily know when to expect Meltdown patches from tech cos.
  • 7. Google says its systems have been updated to defend against Meltdown security.googleblog.com/2018/01/todays…. Microsoft issued an emergency update today. Amazon said it protected AWS customers running Amazon's tailored Linux version, and would roll out the MSFT patch for other customers 2day

If the above is remotely true, the semi-space which has surged in recent week alongside the broad tech sector meltup, will have a very tough time in the coming weeks.

Comments

bidaskspread svayambhu108 Wed, 01/03/2018 - 22:06 Permalink

These tech firms have been pointing their fingers the last 8 years at other companies about carbon footprints.  I truly hope the energy star and green IT f*ckers get a EPA lawsuit crammed up their ass over this. 

 

Ps. Down voters, I truly hope you enjoy your light bulbs that take 5 minutes to warm up and are draining mercury into the watertable. 

In reply to by svayambhu108

Evil Peanut svayambhu108 Wed, 01/03/2018 - 22:15 Permalink

Wired posted an article on this issue on June 1 2016. They also provide a handy walk through.

https://web.archive.org/web/20160601154818/https://www.wired.com/2016/0…

Only after the “trigger” command is sent many thousands of times does that charge hit a threshold where the cell switches on a logical function in the processor to give a malicious program the full operating system access it wasn’t intended to have.

let the games begin

 

In reply to by svayambhu108

Marge N Call svayambhu108 Thu, 01/04/2018 - 09:13 Permalink

DIdn't see that. Meltdown can be mitigated by deploying KAISER, but Spectre, while being harder to do, has no defense currently. AFAIK Spectre is basically speculative execution, accessing arbitrary memory locations. Thanks for the link.
For those interested, these are both exploits of out-of-order execution in the chip itself. Meltdown is pretty simple to understand conceptually and pretty clever. Follow links with the vid for more info.
Meltdown in action: https://www.youtube.com/watch?v=bReA1dvGJ6Y

In reply to by svayambhu108

Trogdor svayambhu108 Fri, 01/05/2018 - 12:02 Permalink

I'm not so sure AMD should be gloating, nor do I think this exploit is the biggest threat to the average user: Windows 10 is packed with spyware - and you can't shut off the automatic updates which will often UNDO the settings you changed to shut off the "in-your-face" spyware components.

 

I'm just so shocked that Israelis would design something like this into every CPU on the planet ... sooo shocked!  Such trustworthy and honest people .... shocking ... /s

In reply to by svayambhu108

Amicus Curiae Cognitive Dissonance Thu, 01/04/2018 - 07:45 Permalink

exactly! i know i remember reading a warning on dodgy intel chips and the models were named, and that was close to 10yrs ago

at the time they were saying to look at specs and see what chipset was in it and to avoid certain ones

they had "tropical" sort of names like cayman or something

i probably bookmarked it but that was maybe 4 pcs back now;-(

In reply to by Cognitive Dissonance

gladih8r Bes Wed, 01/03/2018 - 20:54 Permalink

Intel better lube-up for the class-action ass-fucking they are about to receive.  I mean, who's to say how these hackers got into Home Depot's credit card database a while ago, etc, etc, etc.....

In reply to by Bes

Lore DeadFred Thu, 01/04/2018 - 02:48 Permalink

I remember that big, aggressive marketing push a few years ago:  "Store all your vital and sensitive shit SECURELY in the CLOUD. It's so bloody SECURE. The cloud is your FRIEND." 

The lesson, once again, when that naggy little voice in the back of your mind is saying something like "TO HELL WITH THAT," is to LISTEN.

In reply to by DeadFred

are we there yet Bes Thu, 01/04/2018 - 02:10 Permalink

One of the best things that the gov could do for its image is fund a 5000 plus person agency to track down identity thieves, scammers, phishes, and malicious code developers and prosecute them aggressively. Such people poison the internet. And such criminals will grow as the internet grows.

In reply to by Bes