What must change in wake of Spectre and Meltdown scandal

When Intel CEO Brian Krzanich took to the stage at CES in Las Vegas, he could have been forgiven for wanting to be anywhere else in the world. Just days before the world’s biggest tech show got underway, it was revealed that almost all PCs, Macs and mobile devices were at risk of being hacked due to a pair of vulnerabilities that existed in an alarming number of Intel, AMD and ARM-produced chips.

The discovery of the vulnerabilities, Spectre and Meltdown, would have been bad news at any time of the year, but coming just days before CES was nothing short of a disaster for the chip manufacturers. Yet as Sod’s Law would have it, Krzanich was faced with the daunting task of addressing his industry peers in the midst of the worst chip scandal in 20 years. Not since the Pentium FDIV Bug of the 1990s has the chip industry taken such a knock (and that cost Intel around $475 million).

“Before we start I want to take a moment to thank the industry for coming together,” he told attendees, as he took to the main stage. “Security is job number one for Intel and our industry, so the primary focus of our decisions and discussions has been to keep our customers’ data safe.”

It was a noble attempt at staring the problem in the face, but even now not all devices are secure. From the get-go, patches were reportedly going to affect performance, with Intel initially suggesting that bug fixes could affect performance by some 30 per cent. Microsoft was then forced to pull its initial Meltdown patch after some AMD-powered devices were left completely crocked after users had installed the fix.

And the fallout has already begun. While Intel share prices took a hit, slumping by 2 per cent in the immediate aftermath, a full autopsy is being demanded by industry analysts, security experts and the chip manufacturers themselves. Lawsuits are already being discussed and a costly bill is expected to hit the manufacturers at fault.

Looking forward, Phil Hughes, director of Public Relations at ARM, said that ‘all future processor designs’ will have to be re-evaluated. “I can confirm that we plan to address Spectre in future processor designs, but there also will need to be an ongoing discipline in the design of secure systems, which needs to be addressed through both software and hardware,” he said. “In the meantime, we continue to encourage users to follow good security practices and ensure their software is up-to-date. All future ARM Cortex processors will be resilient to this style of attack or allow mitigation through kernel patches.”

And it will no doubt be a similar story at Intel and AMD, as another bug of this magnitude cannot be allowed to happen. Intel has already made significant moves (at least publicly) to ensure that a similar vulnerability never comes to a head again. It has established an internal security group, the Intel Product Assurance and Security (IPAS) team, which will be led by resources chief Leslie Culbertson, who will report directly to Krzanich.

The need for greater focus on security is one theme that is being echoed within the wings of security firms. Derek Weeks, VP and DevOps advocate at Sonatype, said that security has been overlooked for too long by manufacturers. “A flaw in the architecture of Intel and other chipmakers’ products highlights the urgent need for security vigilance when designing technology,” he said. “Time and time again, we see how failure to design in security from the beginning, whether into software, hardware, or firmware, puts our data, our health and our privacy at risk. GDPR-like ‘security by design’ has not been the default position to date and we must take steps to make it so. It is therefore imperative that organisations make targeted investments in people, process and technology, to ensure we truly are secure.”

Likewise, Paul Lipman, CEO at cybersecurity company BullGuard, believes that the ‘shocking and alarming’ flaws in chips are an inevitability of the industry’s blasé attitude towards security. “Chip manufacturers have been central to driving the technology revolution and we wouldn’t be where we are today without them and their leveraging of Moore’s law,” he said. “But only last year it was discovered that Intel’s Active Management Technology had harboured a security flaw for seven years that could be exploited to remotely control and infect systems with spyware.”

He added: “There will always be flaws in systems due to inherent complexity. But what is frightening is that 40 years after desktop computing became commonplace the fundamental importance and need for security by design hasn’t yet been grasped. Security by design should be a fundamental priority. Ironically, the cost of fixing these security issues in the after-market phase is significantly higher than the investment required for implementing security by design.”

Thankfully, no real damage has been done (yet) by the Spectre and Meltdown vulnerabilities. Some systems may have taken a hit in terms of performance and a handful of devices may have been bricked by patches that were rushed out, but the reality is that no significant harm appears to have been done. Hopefully manufacturers will heed the warnings of the security experts, as they may not get off so lightly next time around.