It’s been a rocky start to 2018 for the computer security industry.
On Tuesday, it was revealed that there were two major security flaws — called Meltdown and Spectre — inside the microprocessors of nearly all of the world’s computers and mobile devices. The Meltdown flaw affects microprocessors made by Intel, which produces computer chips for 90 percent of the world’s laptops, while the Spectre flaw affects nearly all types of microprocessors on the marketplace.
To simplify things, a microprocessor is basically the brain of a computer. Also known as the CPU (Central Processing Unit), it carries out the instructions that a computer program tells it to do. It’s what enables you to visit Facebook, watch a movie on Netflix, or stream a Spotify song on your phone.
What makes these newly-discovered flaws so dangerous is that they could allow hackers access to the fundamental architecture inside computers, smartphones and the servers that help keep the internet running. Passwords, encryption keys and sensitive information would all be vulnerable.
A patch has been developed for the Meltdown flaw, but there’s a crucial catch: the fix could potentially slow down computers by as much as 30 percent, crippling download speeds for your favorite internet services.
The Spectre flaw, on the other hand — which affects more processors — requires a fundamental redesign of microchips.
“The threats posed will be use for an entire hardware lifecycle, likely the next decade,” tweeted Nicole Perlroth, cybersecurity reporter with The New York Times.
8. Meltdown and Spectre show that it is possible for attackers to exploit these design flaws to access the entire memory contents of a machine. The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals…
— Nicole Perlroth (@nicoleperlroth) January 3, 2018
Intel, naturally, has since sought to downplay the incident.
“Intel and other companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed,” the company said in a statement. “Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
The company has already taken a hit on the stock market, regardless. On Wednesday, Intel’s stock plunged 3.5 percent while shares in rival AMD rose sharply.
As of yet, there have not been any reports of these vulnerabilities being exploited, but revelations about the problem have left tech companies in an dangerous situation. The problem was initially discovered by Google Project Zero researchers several months ago, but it was kept under wraps so hackers couldn’t exploit it until a fix was created. On January 2, despite researchers’ best efforts, news of the flaw began to leak through several technology websites, including The Register.
“This leaves the company [Intel] in an uncomfortable situation,” said Chris Foxx, the BBC’s technology reporter. “[They have] a widely publicized problem before the fix is ready to go.”
The flaws are unlikely to hit the average American in the same way that incidents like the Equifax data breach did. In that instance, some 143 million people found that their names, social security numbers, addresses and drivers license had been exposed to hackers. The Spectre and Meltdown breaches instead pose more long-term vulnerability issues to consumer-owned computers and operating systems across the world, especially as more and more Americans allow their smartphones to access their personal data.
“We’ve really screwed up,” Paul Kocher, one of the researchers who helped discover the flaw, told the Times. “This will be a festering problem over hardware life cycles. It’s not going to change tomorrow or the day after.”