Bad news: A Spectre-like flaw will probably happen again

Our devices may never truly be secure, says the CEO of the company that designs the heart of most mobile chips.

Shara Tibken Former managing editor

Arm Holdings CEO Simon Segars says of the chip flaws: "Like all discoveries, they're only obvious after the point they're discovered."   

After acknowledging a major security flaw in modern smartphone chips, the head of one of those chip design companies is delivering more grim news.

"The reality is there are probably other things out there like it that have been deemed safe for years," Arm Holdings CEO Simon Segars said in an interview last week at CES 2018 in Las Vegas. "Somebody whose mind is sufficiently warped toward thinking about security threats may find other ways to exploit systems which had otherwise been considered completely safe."

In early January, news broke that newly discovered exploits in most modern processors could make your computer or phone vulnerable to attacks. A design technique used in chips from Intel, Arm and others could allow hackers to access private data from the memory on your device. The problem impacts processors going back more than two decades and could enable hackers to score passwords, encryption keys or sensitive information open in applications.

What's particularly devastating about the flaws, known as Spectre and Meltdown, is they aren't unique to one particular chipmaker or device. Instead, they impact everything from phones to PCs to servers. The computing industry is scrambling to reduce the severity of the problem with updates to operating systems, web browsers, cloud-computing services and other foundations that need to be kept secure.

"It really is mind bending what people have done to exploit this side effect," Segars said. "Nobody thought of it before. Like all discoveries, they're only obvious after the point they're discovered."

6 billion chips

Arm is a UK company whose designs are the basis for most of the world's mobile processors, including those used by Apple and Samsung. Its key place in the industry attracted Japanese telecommunications giant SoftBank, which bought Arm in mid-2016 for nearly $32 billion (£23 billion, AU$40 billion). More than 120 billion Arm chips have shipped since the company was founded nearly three decades ago.

Of those 120 billion chips, 5 percent -- or about 6 billion -- are vulnerable to the Spectre flaw, Segars said. Apple said last week that all of its iOS devices (which use Apple chips based on Arm's processor architecture) and Macs (which use Intel chips) are vulnerable to the flaws.

Qualcomm, another Arm customer, said in a statement that it's aware of the vulnerabilities and is working with Arm and others to assess the problem and develop fixes.

"We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible," Qualcomm said earlier this month, suggesting customers should routinely update their devices.

There's also one Arm-based processor that could be affected by the Meltdown flaw, but "it's so new, it's not shipping in a product yet," Segars said. He didn't elaborate on which chip partner made the processor or which device it's geared for.

A moving target

Back in October at an Arm conference, Segars said that "cybersecurity is a mess" and that something must be done about it as artificial intelligence and the internet of things gain traction. Arm's belief is that devices must be secured through their hardware, not just their software.

As for the design technique that's susceptible to Spectre and Meltdown? Companies won't stop using it in their processors, Segars said last week. The speed boost is just too "significant" to remove it from high-end chips, he said.

"But what you'll see is [that] the end system is a combination of software and hardware," Segars said. "How it's written and tested -- all of that will evolve to make sure the risks of using that approach are well understood."

Arm hasn't yet decided how to change its chip architecture or software to prevent similar security risks in the future. But along with making processor tweaks, the company will build up its staff, consider acquisitions and spend more time examining similar potential vulnerabilities, Segars said.  

As for why Arm didn't find the flaw itself, but instead only learned of it from security researchers, Segars said: "What this demonstrates is that the world of security is a moving target. Just when you think you've got things under control, something else comes along."
