Chipmakers Scramble to Protect Against Newly Discovered Hardware Security Flaws
Cloud and platform companies are rushing to develop security patches to protect against recently discovered security flaws in chips that run most cellphones and computers. The problem could grow in severity if companies and consumers don’t quickly implement patches and software updates, but some solutions are ready and more are in development, cybersecurity experts told us. What’s significant is the breadth and scale of the vulnerability, and that it affects hardware that isn’t easily repairable.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The problem could either be “apocalyptic or a mosquito bite,” said R Street Senior Fellow Paul Rosenzweig. Hardware flaws typically are difficult to identify and hard to fix but also “very hard to exploit,” he said. “The only way to completely cure this is to replace the chips, which is not feasible -- it will happen on the normal life cycle,” he said: “The best thing you can do right now is make sure software and ad blockers are updated” because the main point of access isn't gained through hardware. The flaw isn't likely to affect every chip.
The flaws, code named Meltdown and Spectre, came to light last week, as experts worked to assess the threat. Intel is “committed to product and customer security and responsible disclosure” after learning the vulnerabilities could allow bad actors to “gather sensitive data from many types of computing devices with different vendors’ processors and operating systems,” it said Wednesday (see 1801030053), and a day later, it said it's issuing updates (see 1801040057).
Arm, which makes chips for most U.S. cellphones, released a security advisory Wednesday. It was based on findings from Google that detected a flaw that “could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed,” the update said. Arm strongly advised users to keep software up to date and avoid suspicious links or downloads, because the security flaw can be triggered only if malware is installed. The chipmaker said most of its processors weren't affected.
“These exploits can all be mitigated through OS and other software updates,” an Arm spokesman told us, advising consumers to install patches as soon as they're available from device makers. “Arm is currently not aware of any malware based on these exploits which is why it’s imperative that everyone apply software or security updates as soon as practical and follow good security practices in general.”
AMD said it “immediately engaged across the ecosystem to address” researchers’ findings that certain functionalities used by multiple chip companies’ products” could be exploited by bad actors. “The described threat has not been seen in the public domain,” AMD said. Apple similarly said the flaw hasn't yet hit customers, though all Mac systems and iOS devices are affected. “Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store,” Apple said, noting it addressed Meltdown in updates to iOS 11.2, macOS 10.13.2, and tvOS 11.2. “Apple Watch is not affected by either Meltdown or Spectre,” Apple said, and an update to Safari is planned “in the coming days” to help defend against Spectre.
Palo Alto Networks saw a “flurry of activity” as hardware and software vendors moved to address the “serious” vulnerabilities. “These vulnerabilities are uniquely broad in scope potentially affecting nearly every computer and device with a modern processor: Microsoft Windows, Google Android, Google ChromeOS, Apple macOS, on Intel and ARM processors,” Palo Alto blogged. The biggest risk is in shared hosting scenarios such as cloud platforms. Ultimately, malicious code or script could enable theft of sensitive information such as usernames, passwords and bank account information, the company said. “Because of the breadth of these vulnerabilities, IoT devices and many mobile devices may never receive fixes to address them.”
Google posted information on mitigation efforts it's using to safeguard servers that support products including Search, Gmail, YouTube and Google Cloud Platform, and reported no performance issues with the fix. Amazon said its customers are protected but it recommends customers patch operating systems to provide further protections. Microsoft said the vulnerabilities haven't been used to attack its Azure customers, and most of its cloud infrastructure "has already been updated to address this vulnerability" with further updates moving forward on an accelerated schedule.