Intel scrambles to upgrade chips
Flaw could allow hackers to see passwords
SAN FRANCISCO – Intel and other tech firms scrambled to upgrade computer code in millions of computers and phones after researchers disclosed a design flaw in chips made by Intel and others that could allow an attacker to view hidden information such as passwords.
The large companies that run the operating systems on most of the world’s computers — Apple, Microsoft and Google — have begun pushing out patches that protect against attacks making use of the flaw.
Intel stock fell 3% on Wednesday as news of the flaw spread and dropped a further 1.8% Thursday. Shares of rival Advanced Micro Devices, which has said its chips are mostly not affected, rose 5% Wednesday and 4.9% Thursday. Semiconductor maker Nvidia shares jumped 7% in the last two days.
The flaw, which Intel dubbed a side-channel analysis attack, was discovered “months ago,” Intel CEO Brian Krzanich said Wednesday on CNBC. Researchers including Google’s Project Zero security group found the design weakness and reported it to the affected companies.
The flaw affects central processing units, or CPUs, the chips that handle the instructions a computer receives from hardware and software. They are sometimes called the “brain” of the computer.
The design weakness takes advantage of a technique called “speculative execution” used by most modern computer processors to optimize performance. That feature anticipates what information might be needed next — such as a password to a website — and makes it available in a “secure area” of the chip, speeding computing, Intel staff said on a conference call with reporters and analysts Wednesday. Researchers have discovered a flaw that allows hackers to see into the secured portion of the chip, giving them access to key information such as passwords.
There have been no examples of the flaw being exploited that Intel or other researchers are aware of, Steve Smith with Intel’s Data Center Engineering Group said. But the potential for a broad attack was far larger than most security weaknesses hardware makers spot. It could potentially affect almost all computers built in the past two decades. Exactly how difficult such attacks might be to pull off, and how much information could be gained, was not clear.
“An attacker can run code on an affected processor, which leaks information stored in the computer’s memory. This includes things like passwords and cryptographic keys, as well as information needed to more effectively exploit other vulnerabilities,” said Craig Young, a researcher at computer security company Tripwire.
According to Google, the vulnerability affects central processing units made by Advanced Micro Devices, iPhone-supplier ARM and Intel, and therefore the devices and operating systems that run on them. Wednesday, chip-maker Advanced Micro Devices said that due to the design of its chips, it believed there was “near zero risk to AMD products at this time.”
If an attacker were to make use of the flaw, it could slow most computers down by 2%. Operations that require lots of information and instructions to be sent through the CPU could see slowdowns of as much as 30%, Intel officials said.
Intel said it was working with hardware and software companies to push out fixes to the problem. The company said new chips will be constructed so that the exploit cannot be used on them, and firmware and software for older CPUs will be updated.