Design flaws in processors made by major chip-makers could let attackers access sensitive information. How could that happen, and can it be fixed?
Processors: They’re vital to running all our computerized devices, even if we hardly ever think about them. That’s why it’s a big deal that they have major vulnerabilities — called Spectre and Meltdown — which leave them open to hacking attacks.
As part of running all the essential processes on your computer, these silicon chips handle extremely sensitive data. That includes passwords and encryption keys, the fundamental tools for keeping your computer secure.
The vulnerabilities, revealed Wednesday, could let an attacker capture information from chips they shouldn’t be able to access, including those passwords and keys. That’s why an attack on a computer chip can turn into a major security concern.
So how did this happen, and what will chip manufacturers like Intel, ARM and AMD (and the companies that put those chips in their products) do to fix the problem? Here’s everything you need to know:
Researchers found two major weaknesses in processors that could let attackers read sensitive information that should never leave the central processing unit. Both issues allow attackers to read secret information the processor temporarily makes available outside of the chip.
To make computer processes run faster, a chip will essentially guess what information the computer needs to perform its next function. That’s called speculative execution. As it guesses, that sensitive information is momentarily easier to access.
The first flaw, Spectre, would let attackers trick the processor into starting the speculative execution process. Then attackers could read the secret data the chip makes available as it tries to guess what function the computer will carry out next.
The second flaw, Meltdown, lets attackers access the secret information through a computer’s operating system, such as Microsoft Windows or Apple’s High Sierra. Microsoft said it will patch its Windows operating systems on Wednesday. Apple didn’t respond to a request for comment.
Security experts call these side-channel attacks, because they access information as it’s being used by a legitimate process on the computer.
Different chips manufactured by Intel, ARM and AMD are susceptible to one or more variants of the attacks. Chips from multiple companies are affected because they share a similar structure. The chips are used in devices made by Apple, Google, Microsoft, Amazon and others.
What’s more, the flaws don’t just affect computers — Meltdown also affects servers, the backbone of all major cloud services. That means that services like Amazon Web Services and Google Cloud are susceptible to the problem, too. Google said it has secured all its affected products, and Amazon said it will finish securing all affected products on Wednesday.
Researchers at Google’s Project Zero, as well as a separate team of academic researchers, discovered the problems in 2017, but the issue has existed on chips for a long time — perhaps more than 20 years.
That’s because the issue doesn’t result from a badly written computer code. Instead, the problem comes down to the way the chips are intentionally designed.
Processors are supposed to make the secret information easier to access as they gear up to run the next process on a computer. As the programming quip goes, this is a feature, not a bug.
Researchers, chip-makers and computer companies all say there are no known examples of hackers using these weaknesses to attack a computer. However, now that the details of the design flaws and how to exploit them are publicly available, the chances of hackers using them are much higher.
The good news is that hackers need to install malicious software on your computer in order to take advantage of these flaws. That means they need to select their targets and hack each one of them before running a sophisticated attack to steal a computer’s sensitive information.
As chip-makers and computer companies roll out software updates, you should install them. What’s more, since hackers need to install malicious software on your computer before they can take advantage of these flaws, you should do your best to make that harder for them.
That means you should keep all your other software updated, including your web browsers, Flash (if you’re still using it) and all the other programs on your computer. Then, run security software to make sure you don’t have any malicious software on your computer right now.
Finally, look out for phishing emails. Emails that trick you into clicking on a link and downloading malicious software are still the number one way for hackers to get a foothold on your computer.
The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.
iHate: CNET looks at how intolerance is taking over the internet.
