Microchip bugs that open door to hackers ‘worse than thought’
A FLAW in a microchip that leaves computers vulnerable to hackers is much worse than first feared and potentially affects billions of devices, including mobile phones.
Researchers who first discovered the Meltdown and Spectre bugs are now discovering the full extent of the problem after reports emerged that computers running Intel chips could have passwords and data stolen.
The second bug, Spectre, “could haunt us for some time,” they warn. In addition to Intel, it affects chips designed by Arm Holdings, a British company whose designs are used in most smartphones and tablets, and AMD, another chipmaker.
The researchers believe there is no software update that could fix the Spectre bug, meaning that computers will remain vulnerable for the foreseeable future. In comparison, Meltdown is easier to cure with a software update.
Both bugs allow malicious software, such as computer viruses, to steal passwords, emails, personal photographs and sensitive information.
Brian Krzanich, Intel’s chief executive officer, this week stated that he had been made aware of the vulnerabilities “a couple of months ago”.
He said: “Our process is, if we know the process is difficult to go in and exploit, and we can come up with a fix, we think we’re better off to get the fix in place.”
The US government warned that the only way to fully fix the problem would be to replace the main processor in a computer or phone.
“The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” US-CERT, the computer safety division of Homeland Security in America, said.
To date, all Intel chips on the market dating back to 1995 are vulnerable, and software from Apple, Google and Microsoft is also affected. Google said Android phones with the latest security updates were protected, and Microsoft said it had released an update for Windows 10, with older versions due to be updated next week. Apple has not yet made any announcement.
Fixing the issue will probably slow computer performance, particularly on servers used by companies, experts said, which could significantly increase IT costs. It is unclear to what extent the changes will affect personal computers.
Both bugs involve computer programs being able to access part of a computer system’s memory. The patches to guard against them create barriers that slow down how programs carry out tasks, stopping them from being able to stack up functions and making an application take longer to run.
The National Cyber Security Centre, an arm of GCHQ, has said there is no evidence that the bug has been used by cybercriminals. However, researchers at Google who helped discover Meltdown and Spectre have said they were able to create software that exploited the flaw.
“For example, an unauthorised party may read information in the system’s memory, such as passwords, encryption keys, or sensitive information open in applications,” Google said.