Security experts issue dire warning on computer chip flaw

Only way to gain full protection is to replace computer systems, experts say

The computer vulnerability revealed this week stems from serious flaws discovered in chips made by Intel, AMD and Arm. Photograph: Sascha Steinbach/EPA

The computer vulnerability revealed this week stems from serious flaws discovered in chips made by Intel, AMD and Arm. Photograph: Sascha Steinbach/EPA

 

Security experts, including a US government-sponsored group, have warned companies that the only way to fully protect themselves against hackers taking advantage of a newly revealed, pervasive flaw in chip design is to completely replace their computer systems.

The unusual warning has presented companies with an unenviable choice of embarking on an expensive IT overhaul or risking an attack, once hackers learn how to take advantage of the two vulnerabilities, dubbed Meltdown and Spectre.

However, the sheer cost and complexity of replacing so much IT infrastructure leaves big tech users with little choice but to continue with their current systems and rely on incomplete fixes being produced by their tech suppliers, according to computer security experts.

The predicament, revealed this week, stems from serious flaws that have been discovered in chips made by Intel, AMD and Arm, and used in almost all computers, servers and smartphones. The flaws make it possible for a hacker to steal data from a computer’s core memory or from other programmes running on the system.

It results from a common chip design, making it more deeply embedded in IT systems than the usual software bugs that lead to security failures.

A security research group at Carnegie Mellon University, sponsored by the US Department of Homeland Security, wrote that the only way to fully remove the vulnerability was to replace hardware. Some problems can be mitigated by operating system updates, being rushed out by tech companies such as Microsoft and Apple.

Cybersecurity experts have also warned that companies using cloud computing services could be particularly vulnerable. If an attacker bought access to one area of the service, they could access another client’s data. However, the hacker would be unlikely to be able to target their attack.

Tod Breadsley, director of research at Rapid 7, said the flaws were among the most significant hardware vulnerabilities ever discovered, though it was unlikely companies would end up replacing their hardware. “That would bankrupt everyone,” he said.

Katie Moussouris, founder and chief executive of Luta Security, said hackers would already be trying to exploit these new flaws. “I expect to see the weaponisation of this in the organised crime sphere very, very soon,” she said.

“The criminals who were attacking people with ransomware and bitcoin miners will turn to using this to take over computers and steal bitcoin wallets.”

Intel shares fall

Shares in Intel have fallen as much as 7 per cent since the first reports about the flaws came out, while AMD stock has gained 12 per cent. Analysts at RBC Capital Markets said the flaw was unlikely to affect Intel financially.

The vulnerabilities, first discovered by a team of researchers at Google’s Project Zero, allow access to a computer’s memory, exposing data, which could include passwords and credit card details.

The first, named “Meltdown”, allows an intruder to access the central memory of the operating system. It can be repaired with a patch to a systems such as Windows, although the software update significantly slows operations.

But the second, named “Spectre”, does not rely on the operating system and so cannot yet be patched.

It is not known if the vulnerabilities had been uncovered and exploited by hackers before they were discovered in June by Google. But once a flaw is announced, hackers usually flock to exploit it before companies update their systems or are able to detect intrusions.

Ms Moussouris said that even if companies did decide to spend what could be millions of dollars updating their hardware, they would struggle to do so without taking down critical systems. Instead, companies are more likely to rely on cybersecurity companies to come up with new software to at least detect if not prevent the use of this vulnerability, she said.

Despite the seriousness of the vulnerability, Mr Breadsley said hackers would find it easier to exploit the other ways of accessing sensitive data, for example, sending links to malicious software by email, than to use this flaw in hardware. The vulnerability would be most likely to be used by sophisticated nation state hackers for espionage, he said.

“Most people are not targets of the NSA and so most people wouldn’t have to really worry about that,” he said. – The Financial Times Limited 2018