Fri, Jan 12, 2018 - Page 9

Inside the chip industry’s meltdown

Tech titans worked in secrecy for months to fix key flaws, after researchers uncovered security holes they thought were too big to be true

By Ian King, Jeremy Kahn, Alex Webb and Giles Turner  /  Bloomberg

The team told Intel the next day — about the same time Cyberus informed the chip giant. They heard nothing for more than a week.

“We were amazed — there was no response,” Schwarz said.

On Dec. 13, Intel let Cyberus and the Graz team know that the problems they found had already been reported by Horn and others.

The chipmaker was initially reluctant to let them contribute, but after being pressed, Intel put both groups in touch with the other researchers involved. They all began coordinating a broader response, including releasing updated patches at the same time.

Once inside the secret circle of the large tech companies, the Graz researchers expected they would have the typical 90 days to come up with comprehensive fixes before telling the world.

“They said we know it, but will publish it at the beginning of January,” Schwarz said.

It had been about 180 days since Google unearthed it, and keeping such issues under wraps for more than 90 days is unusual, he said.

A group of 10 researchers coalesced and kept in touch via Skype every two days.

“It was a lot of work on Christmas. There wasn’t a single day where we didn’t work. Holidays were canceled,” Schwarz said.

Their public security updates soon attracted the attention of The Register, a UK-based technology news site, which wrote a story on Tuesday last week saying Intel products were at risk.

Usually, flaws and their fixes are announced at the same time, so hackers do not quickly abuse the vulnerabilities. This time, the details emerged early and patches were not ready. That led to a day and night of frantic activity to arrange what all the companies would say in unison.

Intel put the statement out at 12pm Pacific Time on Wednesday last week and held a conference call two hours later to explain what it said was a problem that could impact the whole industry.

The solidarity was a mirage, though. Rival AMD issued its own statement shortly before Intel’s call began, saying its products were at little or no risk of being exploited.

After more than six months of coordinated work, Intel went into lock-down in the final hours and did not consult with its erstwhile partners to speed up a public statement, according to a person familiar with what happened.

Underlining the panic that spread following the announcement, Intel had to follow up with calming statements. The next day, the company said it had made “significant progress” in deploying updates, adding that by the end of this week 90 percent of processors made in the last five years will have been secured.

Steve Smith and Donald Parker, the two Intel executives questioned on the call, argued things progressed in the measured way that Intel approaches any report of a threat to its technology. The difference this time was that their work ended up “in the spotlight,” Smith said.

They would have preferred to complete the work in secret.

Indeed, Intel’s reticence rankled some outside researchers. The company operates on a need-to-know basis, said Haas, who worked at Intel for about a decade.

“I’m not a huge fan of that,” he said.

“Our first priority has been to have a complete mitigation in place,” Parker said. “We’ve delivered a solution.”

Some in the cybersecurity community are not so sure. Kocher, who helped discover Spectre, thinks this is just the beginning of the industry’s woes. Now that new ways to exploit chips have been exposed, there will be more variations and more flaws that will require more patches and mitigation.
