Intel Has A Problem and So Do You
Wow! Wow! Wow! What a week it has been for Intel.
It turns out that a massive vulnerability in their CPUs that they have been distributing since 2007. Yes, you heard me right.
It is a security flaw called “Zombieload” and if left unpatched would allow attacks similar to those in the Meltdown and Spectre exploits last year.
Every business uses machines that use Intel processors. Really? Yes, this vulnerability involves every Window Machines (desktops, laptops, tablets from 2007), Apple Macs since 2010 (Desktops and Laptops). Additionally, we use many embedded chipsets in devices, in our cars, Bank ATMs, Asst. Medical devices, navigation systems, commercial business systems, and command and control operations used in critical infrastructure systems.
So far, we have been lucky as the vulnerability does not appear to have been exploited by cybercriminals, yet. It won’t take them long to utilize it now that they know exactly where machines are vulnerable.
A cloud provider saw a raw loss of 25% of CPU performance in the last 18 months. The decline in CPU performance was due to a variety of Common Vulnerabilities and Exposures (CVE) and other CPU related issues and mitigation limiting capacity using microcode. However, in bench tests, Apple found about a forty percent drop in performance.
Security researchers at the Netherlands’ VU University and the Graz University of Technology were the first to discover this vulnerability and shared their findings with Intel last month giving them until May to disclose it publically, or the researcher would publish their conclusions due to the seriousness of the flaw. Intel offered these researchers a $40K bounty plus and $80K gift which they turned down. See Intel’s bug bounty program requirements.
Exploits based on a hardware flaw are often quite severe. Why? They take longer to locate, address, and mitigate yet, in some cases, complete elimination is impossible.
This particular vulnerability exploits a design flaw inherent in Intel’s chip design, thereby allowing cybercriminals the ability to seize to any recently accessed data used by the processor. When a CPU requires help to prevent a crash due to its inability to process a load of data, it is called a Zombie Load. Hence the name was given to this exploit.
Once security researchers notify the company, the company tries to keep the news to themselves while they work to find a patch for the problem. If it hits the newswire pre-maturely, millions of hackers will begin trying to exploit it.
Since independent researchers and not an internal Intel team found this vulnerability, once the news got out, hackers of all varieties began testing the limits of the vulnerability as soon as they were made aware of it.
However, Intel is refusing to create patches for any hardware older than 2011. Since the vulnerability goes back to 2007, those computers will still be vulnerable — so according to Intel — to be protected you must buy new hardware.
Intel is Downplaying its Seriousness.
Researchers believe that Intel is downplaying the severity of the flaw to limit the attention to prevent having to pay the large bug bounty paid to programmers willing to help to solve the problem. When there is a critical threat, a programmer can be paid six figures to help fix it, whereas with a mediocre risk the price is a paltry five grand.
The process of disclosing these vulnerabilities is now under the microscope. While companies must disclose them, they also need to do it in a responsible way, which includes avoiding the nightmare scenario of bad press. Intel is in an awkward position as this is the third hardware-related security threat they have had to respond to since January 2018.
In their disclosure, Intel classified this vulnerability as only a 6.5/10 or moderate threat. But professional security researchers are warning that “Zombieload” is much more dangerous than Intel is letting on. All it will take is a savvy cybercriminal to target the now revealed security holes in the Intel chips to bring about chaos in the critical infrastructure operation, as well as healthcare (hospitals, clinics, and Dr’s offices), all businesses and even our government operations which includes our Military. Current ratings by security researchers this exploit rank it at a vulnerability rating of 9.5/10.
Even though this is a sophisticated vulnerability, it appears to highlight the problems that these chip companies have in their design process, and which issues they are willing to overlook to meet manufacturing deadlines.