You may have heard about two serious security vulnerabilities that researchers have found in most of the world’s computer chips. But what should you do about it?
A group of researchers, including some from academia, as well as major tech companies including Google, discovered two major security vulnerabilities on microprocessors, or “chips,” inside many computers and mobile devices.
The researchers are calling the two vulnerabilities “Meltdown” and “Spectre.” “Meltdown” only impacts Intel chips. Google’s security team said “Spectre” affects devices that use chips from the companies AMD and ARM as well.
“Meltdown” uses a process called “out-of-order execution,” allowing hackers to get access to parts of a computer’s memory, according to Wired. “Spectre” uses a process called “speculative execution,” which induces certain actions on the device that allow hackers to access data from programs the computer interacts with.
On Thursday evening, Apple acknowledged its devices were impacted. “All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time,” a post on Apple’s support forum said. The company said recent updates to its operating systems would help mitigate the impact.
How was this computer chip flaw discovered?
On Wednesday, Intel Corp., one of the world’s largest chip makers, acknowledged the vulnerabilities, which could potentially affect all systems with its microprocessors that were designed in the past decade or more. If hackers were to use the vulnerability for “malicious purposes,” Intel said, they could steal sensitive personal data from computer devices.
“Someone has figured out a way to exploit the architecture that is built into all modern computer systems,” said Steve Smith, Intel’s engineering lead, who is investigating the issues.
The company pointed out that Intel is not the only chip maker that is impacted by the discovery and insisted it is not correct to call it a “flaw” or “bug” unique to their product. “Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits,” it said.
Has anyone been hacked yet?
Intel said there are no known examples of hackers actually using these vulnerabilities to access information on consumers’ devices. But it’s also possible that a foreign government could have been using it, said Al Pascual, a senior vice president and research director at the security firm Javelin.
What’s more, now that the vulnerabilities have been made public, hackers may become more emboldened and try to exploit them, said Adam Levin, a consumer advocate and chairman of security firm CyberScout. “They get very interested,” he said. But for these particular vulnerabilities, hacking would be done device-by-device. “That’s not such an easy deal,” he said.
Which devices are at risk?
Any devices that use chips from Intel, AMD or ARM are at risk, experts said.
That includes many devices and services, such as the majority of Google’s Android phones and Windows PCs. Apple’s computer products are affected because they have used Intel chips for about a decade, Pascual said. (Google said Android devices are “difficult” to exploit.)
Even Web browsers, including Mozilla Firefox and Google Chrome, are at risk. Mozilla said its internal experiments have confirmed that it’s possible to use techniques that are similar to Meltdown and Spectre on web content. The company needs to do more research, but it’s releasing a short-term fix that should help.
Intel and the companies that produce the products have said they will release “patches” to fix the vulnerabilities, and that consumers should update their devices’ software in order to get those patches when they become available. The tech website CNET has released a list of instructions for each device. Microsoft has reportedly released an emergency fix for the issues already.
Consumers should update to the latest versions of their devices’ software to get the patches as they become available, experts said. But because the vulnerabilities are so widespread, and some patches aren’t out yet, staying safe will be difficult for consumers, Pascual said. “This is really tough and wholly unfair,” he said.
What kind of information could be hacked or exploited?
There is a wide variety of hackable information, Levin said, including passwords, encryption keys and any sensitive financial information or data stored on the device itself. “Anyone can define what they think sensitive data is” on their own device, Levin said.
It may also be possible for the hackers to use the data they find to access servers, which would open up even more potential data to hack. “Meltdown” and “Spectre” attacks can even give hackers access to computer programs that run on their devices, such as games and email programs and financial spreadsheets, Pascual said.
For that reason, he added, it’s “impractical for consumers to fully immunize themselves.”
What can you do to safeguard yourself?
Security experts have suggested downloading the “patch” updates when they become available and changing passwords to accounts that contain sensitive personal information.
But proceed with caution. Do not click on any links or attachments in emails that claim to be those updates, Pascual and Levin said. Hackers often try “phishing” schemes after major security flaws are revealed, and they send malicious messages to consumers who are trying to protect themselves. Anything sent in an email is not a legitimate update, Levin said.
Devices may update automatically if consumers have opted in to that option in their device’s settings. They can also download patches directly from their device manufacturer, such as HP or Dell. Consumers should continue to use good “hygiene” when surfing the Internet or downloading apps, Pascual said. That means not visiting websites or downloading applications or attachments from sources they don’t trust.
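On a Linux machine, the kernel itself reports whether the Meltdown and Spectre patches are in effect once an update has been installed. The script below is an added example, not part of the original article; it assumes a kernel that exposes status files under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 or a vendor kernel with the backport), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: summarize the kernel-reported mitigation status for
# Meltdown and Spectre. Assumes the sysfs directory below exists.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one kernel status string to PATCHED, NOT_AFFECTED, VULNERABLE or UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PATCHED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Print "<issue> <verdict> <raw status>" for each issue. Returns 1 if any
# issue is neither PATCHED nor NOT_AFFECTED; a missing status file counts
# as UNKNOWN, because a kernel that cannot report is likely unpatched.
check_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            raw=$(cat "$dir/$issue")
            verdict=$(classify_status "$raw")
        else
            raw="(no status file: kernel predates the fix or lacks the backport)"
            verdict=UNKNOWN
        fi
        echo "$issue $verdict $raw"
        case "$verdict" in
            PATCHED|NOT_AFFECTED) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Check the live system only when invoked as: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_mitigations
fi
```

A non-zero exit status means at least one of the three issues is still reported as vulnerable or cannot be determined, so the script can be used in a post-update check.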
Is it true that devices that receive the “patch” will run slower?
Intel has said that the “patches” could slow down devices, anywhere from 3% to 30%. The amount will depend on the type and age of the device, Levin said. There is virtually nothing consumers can do about that, Pascual said.
Consumers can choose to either download the patches or not download them, but they won’t be able to control for those speed changes. Certain applications may show more of a slowdown in performance, including those that use processors more intensely, like graphic design or gaming applications, Pascual added.