Why You Can Trust CNET Major Intel, Arm chip security flaw puts your PCs, phones at risk
Security researchers say a common processor design used by Intel and mobile chip tech designer Arm may leave the door open to exposing sensitive system data.
A newly discovered exploit in most modern processors could make your computer or phone vulnerable to attacks. But chipmakers say they've got fixes ready to go.
Several researchers, including a member of Google's Project Zero team, found that a design technique used in chips from Intel, Arm and others could allow hackers to access data from the memory on your device. The problem impacts processors going back more than two decades and could let hackers access passwords, encryption keys or sensitive information open in applications.
The flaws, known by the names Spectre and Meltdown, aren't unique to one particular chipmaker or device. Instead, they impact everything from phones to PCs and servers.
"It's not really one vendor's problem," Steve Smith, head of Intel's data center engineering operations, said during a conference call Wednesday. "It's not an issue with our product. It's not an issue with someone else's product." It's a general design issue that impacts most modern chips, he said.
But you shouldn't panic or worry that hackers will access your 5-year-old laptop or brand new Pixel phone. Intel has been working with Arm, PC chip rival AMD and others to investigate the exploit and come up with a fix.
The New York Times reported one flaw, Spectre, could require a processor redesign. But Intel and Arm say both exploits can be patched with software updates from them and operating system makers over the coming days and weeks.
They also plan to design their future chip architecture to prevent the exploits. In the case of Intel's fix, it could slow the performance of some devices by 30 percent or more. Most users, though, won't see much of an impact, likely only as much as 2 percent, Smith said.
Intel and Arm noted that no one's device has actually been hacked through this exploit and that a hacker would need to have malware running locally on the device to access data. Intel also said it believes the exploits can't corrupt, modify or delete data.
"We quickly realized this applies to most modern microprocessors that are high performance and utilize speculative techniques to gain the performance advantage," Smith said. "That has gotten us to [work on fixes] in a more industry collaborative way."
Chips at risk
The issue likely impacts most Intel computers sold for the past two decades. It's unclear how many mobile devices could potentially be at risk. The vast majority of the world's smartphones and tablets run on chips based on Arm technology. That includes Apple, Samsung, Qualcomm and others.
Intel explains a newly discovered exploit impacting chips.
Arm said certain high-end processors based on its Cortex-A and other technology are at risk, but it noted that "the majority" of its chips are not impacted. Chips based on the Cortex-A architecture go into mobile devices, networking infrastructure, home and consumer devices, automotive in-vehicle infotainment and driver automation systems, and embedded designs. The company's Cortex-M processors, which are used in low-power, connected internet of things devices, aren't impacted.
"We are in the process of informing our silicon partners and encouraging them to implement the software mitigations developed if their chips are impacted," Arm said. It also published a support page with more information.
AMD, Intel's chief rival in supplying processors for computers and data centers, said the exploit has little impact on its processors. One possible exploit could be resolved with software and operating system updates with "negligible performance impact," AMD said, while the other two don't affect AMD chips because of differences in its architecture.
"The threat and the response to the three variants differ by microprocessor company, and AMD is not susceptible to all three variants," the company said in a statement. "Due to differences in AMD's architecture, we believe there is a near zero risk to AMD processors at this time."
For more on how the exploit works, see ZDnet's report.
Finding a fix
Google said in its blog post about the exploit that the issue has been mitigated in many products or wasn't a vulnerability in the first place. But in some cases, users may need to take steps to make sure they're using a protected version of a product. In the Chrome browser, for instance, you have to enable something called "Site Isolation," which isolates websites into separate address spaces. An upcoming browser update, Chrome 64, will provide protections against the exploits when it's available Jan. 23.
Apple didn't respond to requests for comment.
Along with impacting personal computing devices, the exploit also hurts servers in data centers, like Amazon's cloud service. Amazon Web Services said "all but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications."
Microsoft said that it has been working closely with chipmakers to release fixes for its customers.
"We are in the process of deploying mitigations to cloud services and are releasing security updates [Wednesday] to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, Arm and Intel," the company said in a statement. "We have not received any information to indicate that these vulnerabilities had been used to attack our customers."
The flaws initially were discovered in the middle of 2017 but not made public until this week. Technology site The Register on Tuesday reported news about the exploit, causing Intel and the security researchers to publish their findings sooner than planned -- before fixes were in place.
CNET's Dan Ackerman contributed to this report.
First published Jan. 3 at 8:50 a.m. PT.
Update, 12:47 p.m. PT: Adds Intel's comments.
Update, 2:15 p.m. PT: Adds comments from ARM and AMD.
Update, 4:30 p.m. PT: Rewrite and updates with additional information throughout.
Update, 5:55 p.m. PT: Updates with Microsoft comment and other background information.
Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.
Special Reports: CNET's in-depth features in one place.