Researchers have found a design flaw in microprocessors that could jeopardize enormous amounts of personal data stored on devices from smartphones to server systems. DW has the essentials.
What is this security threat about?
Two major vulnerabilities were found that seem to affect all major microprocessors, including Intel, AMD and ARM brand products. These weaknesses can be exploited by hackers to gain access to personal data reaching from passwords to credit card information stored from online transactions. A security team at Google has labeled the two flaws as “Spectre” and “Meltdown.”
How do “Spectre” and “Meltdown” operate?
“Meltdown” reportedly affects Intel chips only and could allow hackers to bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords. Intel microprocessors from the past ten years could all be at risk.
“Spectre” has a potentially larger reach, affecting chips from Intel, AMD and ARM and could allow hackers to trick otherwise error-free applications into giving up secret information like passwords or credit card data.
How big is the problem?
Daniel Gruss, a researcher at Graz University of Technology, called it “probably one of the worst CPU (central processing unit) bugs ever found.”
Since a whole range of products from mobile phones to personal computers all use such processors, the potential spread of an attack could be immense.
Intel said it was working with its rivals AMD and ARM and “to develop an industry-wide approach to resolve this issue promptly and constructively.”
How is this flaw different?
The researchers that discovered the problems explained that as opposed to viruses, which have to be introduced externally into the infrastructure of a computer, the current vulnerability presented “a way to use existing architecture and get into protected areas of computer memory” to read potentially sensitive data.
Has anyone been hacked this way yet?
Microsoft said in a statement that it had no information suggesting any compromised data. An AMD spokesman meanwhile explained that because of the differences in AMD processor architecture, “we believe there is near zero risk to AMD products at this time.” ARM meanwhile said it was “working together with Intel and AMD” to address potential issues “in certain high-end processors, including some of our Cortex-A processors.”
How can I protect my computer?
All computing platforms are expected to release updates to patch up the security flaw within days. You will need to make sure that you download the latest updates and keep checking for further updates in the coming days and weeks. Some researchers have said, however, that these fixes could slow down computer systems – possibly by 30 percent or more.
Devices using Microsoft are particularly vulnerable, but first patches for “Meltdown” have already been developed, according to researchers at Google. Microsoft itself said that it was immediately “releasing security updates … to protect Windows customers against vulnerabilities.” The company added that a “majority” of its Azure cloud services used by businesses had already been patched and protected and that it was promptly issuing a Windows security update.
Apple did not comment on whether its iOS operating system, which also powers iPhones and iPads, was at risk. However, Google said that Apple had patches ready for desktop computers affected by Meltdown.
Google meanwhile said that Android phones running the latest security updates were protected, as were its own Nexus and Pixel phones with the latest security updates. Users of Google’s Chromebook laptops, Chrome web browser and its Google Cloud services were advised to install updates.
The open-source Linux operating system is apparently affected, with a fix to be released soon.
What’s going to happen to my computer if I do nothing?
If you fail to install the latest updates, you might expose your data to serious threat, Dan Guido, chief executive of cyber security consulting firm Trail of Bits, said he expected hackers to quickly develop code they could use to launch attacks to exploit these vulnerabilities.