Intel's security headache spreads
A German publication says it has developed a software program capable of reading the chip's serial code without a user's knowledge, a new twist in the security controversy.
In the latest installment in the Pentium III saga, a German publication says it has developed a software program capable of reading the processor's serial code without a user's knowledge.
C't, a German technology magazine, reported that one of its engineers was able to write a program which accessed the serial code embedded in the chip without alerting the user, despite Intel's assurances that the code can only be read with a user's agreement.
Intel spokesman Tom Waldrop said that although "we've had an ongoing dialogue with c't for weeks, we're not fully aware of just what they did" to hack the serial code or whether it was a Trojan Horse.
"Can [the serial code] be hacked? The answer is, it can," Waldrop said. "There is virtually no software that can't be hacked--and most anything in a computer can be hacked. We've designed it so that it exists in hardware, which makes it more difficult to hack than if it were able to be turned on easily in software."
Intel is launching the new chip with great fanfare, including at least a $300 million ad campaign, even though it delayed its Super Bowl ads. Intel is touting the chip's enhancements--particularly the improved multimedia aspects--but many analysts say that for ordinary office computer users, the performance improvements will be small.
The chipmaker's decision to include a serial code with each processor has drawn the ire of privacy advocates, concerned about the implications of identification information hard-wired into any computer running on the chip. Intel had argued that it strongly recommends that PC makers ship systems with the serial code turned off, leaving the decision to activate the identification feature in the hands of the PC maker and user.
But users who have turned the serial code on could be tricked into allowing some Web sites to access the information without their knowledge. The serial code, whose purpose is to provide additional levels of security for e-commerce, can only be switched on or off after the computer is reset, according to Intel.
Hackers can write software, disguised as a legitimate applet, that reads the serial code without alerting the user that the information is being accessed, Intel confirmed.
"Potentially, some hack or virus could go into your system," said Linley Gwennap, a processor analyst with MicroDesign Resources, adding that some hackers may eventually be able to turn the serial code on and off through this type of program. "How often does the system crash, and you don't even think about it? A lot," he said.
Theoretically, each Web site that uses the serial number would scramble the information so that the user can only be identified at that particular Web site, but even legitimate Web sites can share that information for marketing purposes. And once a hacker has gained the information, the potential security issues could be grave, said Peter Glaskowsky, another analyst at MicroDesign Resources.
"If they get the processor serial number, they can pretend to be you," Glaskowsky said from Intel's Developer Conference in Palm Springs, California.
For its part, Intel insisted that even if the hack does work, the Pentium III with its serial code still offers better security than a browser with a password.
"The whole purpose of having the feature there in hardware is to try to have stronger security. Software security is very hackable. If the question is 'should people be afraid on the Internet?' The answer is yes," Waldrop said. "We're talking about multiple layers of protection."
"If someone does get in and can put in a Trojan horse and take control of your system and all they do is take your serial number, you may be happy," he added. "Presumably, there is a lot more personal information residing on your system they could access."
Intel is working with c't, Waldrop said, but even if the hack proves genuine, Intel will not delay the official launch of the chip on Friday.
Still, the ongoing privacy controversy and c't's potential exploitation of the serial code, before the chip even officially launches on Friday, raise questions about the relative value of the serial code itself.
"It's not clear to me that it's really worth it. The positive aspect is being able to have more secure identity of users, but the problem is that users can be on lots of different machines, and a single machine can have different users. It's not a great way to identify users," Gwennap said. "It's not clear that there's a whole lot of benefit there."
"Moving to more secure forms of encryption and biometrics is the only secure way to identify a user," Gwennap concluded.