Most Processors Produced Since 1995 Have a Flaw That Could Let Hackers Steal Sensitive Information

Researchers have discovered two security flaws in the vast majority of computer chips produced in recent years, including one that could theoretically affect just about every personal computer, mobile device, and cloud server.

The flaws, nicknamed Meltdown and Spectre, are related to how the chips are designed and are detailed on a site created by the team of researchers from Google, the University of Pennsylvania, the University of Maryland, Graz University of Technology in Austria, the University of Adelaide in Australia, and researchers from cybersecurity companies Cyborgs Technology and Rambus that discovered them.

Their simplest explanation of what the flaws can do:

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

As the group says, and echoed on Google’s own security research blog, and, in a more obfuscated way, on Intel’s website, the flaws could be used by hackers to obtain passwords or other sensitive information without a computer or its owner noticing. The good news is there’s no proof that they have been used by anyone in the wild yet.

According to Google, last year, its Project Zero team “discovered serious security flaws caused by ‘speculative execution,’ a technique used by most modern processors (CPUs) to optimize performance,” which led to further research.

4) Spectre is harder to exploit, but has no easy fix, and is far more pervasive. Researchers say it is highly likely the threat from Spectre will be with us for the decade to come.

— Nicole Perlroth (@nicoleperlroth) January 3, 2018

Intel chips dating back to 1995 are affected, according to ZDNet, and processors made by AMD and Arm (which produces Apple’s chips for mobile devices) are also vulnerable, according to the researchers’ website. “Based on the analysis to date, many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits,” an Intel representative told Quartz.

According to The New York Times, Microsoft and Apple will be able to send software patches to fix the Meltdown flaw, but researchers have not been able to devise a fix for Spectre, which affects just about every modern processor. “Spectre tricks other applications into accessing arbitrary locations in their memory,” the research group said on its website. “As it is not easy to fix, it will haunt us for quite some time.”

Arm confirmed to Quartz that it’s working with Intel and AMD to address the flaws, and developed mitigations based on recommendations shared by Google’s research team. It’s unclear whether these will fix flaws with Spectre, given that researchers are saying it is not easy to fix. The research group said that work is being done “to harden software against future exploitation of Spectre.”

6. Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.

— Nicole Perlroth (@nicoleperlroth) January 3, 2018

What can I do?

Microsoft is sending out a fix for Meltdown, according to The Verge, which will be applied automatically to Windows 10 devices. Apple is in the process of fixing macOS—all Macs produced since 2005 use Intel chips—according to AppleInsider. Apple wasn’t immediately available to explain how the faults will affect iOS devices. According to The Register, any fixes to Intel-run machines could result in their processors running slower than before, although Intel refutes this on its website.

“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively,” the company said on its website, but as the Times notes, the only way to truly fix this problem will be to swap out all the affected hardware.