Intel has confirmed a report saying that its chips contain a feature that makes them vulnerable to hacking, though it said other companies’ semiconductors are also susceptible.
Intel is working with chip makers, including AMD and ARM Holdings, and with operating system makers to develop an industry-wide approach to resolving the issue, which may affect a wide variety of products, the company said on Wednesday in a statement. Intel said it has begun providing software to help mitigate the potential exploits. Computer slowdowns depend on the task being performed and for the average user “should not be significant and will be mitigated over time”.
The company’s microprocessors are the fundamental building block of the Internet, corporate networks and PCs. Intel has added to its designs over the years trying to make computers less vulnerable to attack, arguing that hardware security is typically tougher to crack than software. Reports about exploits caused by a “bug” or a “flaw” that are unique to its products are incorrect, Intel said.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” the Santa Clara, California-based company said. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
On Tuesday, the technology website The Register said a bug lets some software gain access to parts of a computer’s memory that are set aside to protect things like passwords. All computers with Intel chips from the past 10 years appear to be affected, the report said.
The vulnerability may have consequences beyond just computers, and is not the result of a design or testing error. All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they’re likely to be asked to run next. By queuing up possible executions in advance, they’re able to crunch data and run software much faster.
Malicious code
The problem in this case is that this predictive loading of instructions allows access to data that’s normally cordoned off securely, Intel vice president Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.
“The techniques used to accelerate processors are common to the industry,” said Ian Batten, a computer science lecturer at the University of Birmingham in the UK who specialises in computer security. The fix being proposed will definitely result in slower operating times, but reports of slowdowns of 25-30% are “worst case” scenarios, he said.
AMD said “there is near zero risk” to its processors because of differences in the way they are designed and built.
“To be clear, the security research team identified three variants targeting speculative execution. The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants,” the company said in a statement.
Intel CEO Brian Krzanich told CNBC that a researcher at Google made Intel aware of the issue “a couple of months ago”. Google identified the researcher as Jann Horn, and said it has updated its own systems and products with protections from this kind of attack. Some customers of Android devices, Google laptops and its cloud services still need to take steps to patch security holes, the Internet giant said.
“Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we’re better off to get the fix in place,” Krzanich said, explaining how the company responded to the issue.
On the call, Intel’s Smith said the company sees no significant threat to its business from the vulnerability.
“I wouldn’t expect any change in acceptance of our products,” he said. “I wouldn’t expect any concrete financial impact that we would see going forward.”
Intel’s stock pared earlier losses after the announcement. The shares declined 3.4% to US$45.26 at the close in New York. Competitor AMD, the only other maker of processors for computers, jumped 5.2% to $11.55.
Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD, the company said in a statement. The software maker has also started applying the patches to its cloud services where servers also are affected by the issue.
“We have not received any information to indicate that these vulnerabilities had been used to attack our customers,” Microsoft said in the statement. The fixes were originally planned for release on 9 January but were rushed out Wednesday after a proof of concept for how to exploit the flaw was published, according to a person familiar with the situation. Microsoft had expected the security update to be deployed on about half of its cloud network by 9 January and it’s not clear if that timeline will change, the person said.
Because the exploit takes advantage of a technology intended to accelerate the performance of the processors, the fix slows them, said the person. In devices with the current generation of Intel chips, the impact will be small, but it will be more significant on older processors. Microsoft is still looking at the impact on the speed of cloud services and how it will compensate paying customers, the person said.
Apple didn’t respond to requests for comment about how the chip issue may be affecting the company’s operating systems.
Providers of computing over the Internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing power and energy to perform the same functions while maintaining security, said Frank Gillett, an analyst at Forrester Research.
“When you’re running billions of servers, a 5% hit is huge,” he said.
Cloud providers will likely have to throttle back the pace of new customers accessing their data centres while they take servers down to fix the problem, and there could be a price spike for servers as demand surges, Gillett said.
Reported by Ian King, with assistance from Jeremy Kahn, Dina Bass, Spencer Soper and Alex Webb. (c) 2017 Bloomberg LP