(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.
Intel dropped the ball on Meltdown and Spectre. Or it might be more accurate to say Intel saw the ball, caught it, and then buried it under some shrubs hoping you wouldn’t notice. For everyday customers, that’s a problem without an easy solution. Now, it’s poised to profit off of its decision to sell critically flawed products to an unwitting populace.
If you’re unfamiliar, Meltdown and Spectre are exploits which affect your computer’s processor. They’re two different, but related, exploits which take advantage of ‘speculative execution,’ an optimization method used on essentially every computer processor manufactured in the last 20 years. Yes, that means almost every processor sold in the last two decades is vulnerable to these exploits — including the one in your smartphone, the one in your desktop, and the one in that old student laptop you used in college.
It’s a big deal. The Meltdown and Spectre exploits were discovered in early 2017, and they were first disclosed to Intel, AMD, and ARM on June 1, 2017, by Google Project Zero researcher Jann Horn. Following the disclosure, each company started reaching out to its corporate customers and notifying them of the vulnerabilities. Everyone was scrambling both to find a fix and to keep it secret, because as long as the vulnerabilities remained private they were less dangerous to the public. That meant more time to find a fix.
The vulnerabilities weren’t disclosed to the public until January 3, 2018, though there were some rumors swirling a bit earlier than that because of all the sneaky security patches flying around.
To sell or not to sell
Why does that mean Intel dropped the ball? Simple. This timeline means Intel — and to be fair, AMD and ARM — spent around seven months of 2017 marketing, advertising, and selling products they knew to be critically flawed. They also knew that the only way to fix these products meant cutting down their performance.
If you bought a processor, desktop, or laptop in the last year it is now slower than it was when you bought it because of these security patches. That means it’s not living up to its promised performance, and Intel, AMD, and ARM know that. They knew it last year with every device they sold.
Every Intel processor currently humming away in a personal computer, enterprise server, or government workstation is slower and less secure than these upcoming Intel processors, which are designed to overcome a huge security flaw. With one hand Intel sold products it knew were flawed, and with the other it started making a product that would mitigate those flaws.
That’s like buying a car, finding out the locks don’t work, and that the only fix is cutting your fuel efficiency by as much as 31 percent. Oh, and then discovering the guy who sold you the car knew and didn’t tell you. But don’t worry, he’s got a brand-new model that fixes all those problems for one low, low price.
These upcoming processors could very likely be Intel’s best-selling products to date: they’ll not only be faster than their predecessors, they’ll also be more secure. Intel stands to make potentially billions of dollars off of a fix to a problem it helped create.
Naturally, not everyone with an affected processor is going to run out and buy a new one, but you know who will? Enterprise customers, government agencies, anyone for whom security is not optional. Upgrades are no longer going to be a matter of speed for these customers, but security.
How many computers are currently in use by the U.S. State Department, or Department of Defense? The U.S. alone has dozens of agencies which will see upgrading to these new processors as a matter of national security. Add to that the number of similar agencies which exist in every other country in the world and you can start to get some idea of what kind of windfall Intel stands to gain. And if Intel is the first company to roll out chips with hardware-level fixes to Meltdown and Spectre without any performance loss? This year’s market share losses could very well be reversed, and that’s not good news for AMD or ARM.
Speaking of which
Is it fair to pick on Intel when AMD and ARM also continued to sell products they knew were flawed? That’s a good point: AMD and ARM both continued to sell products they knew were flawed after they were told about the exploits. There are a couple of key differences which make Intel a fair target over its smaller competitors.
Intel’s handling of Meltdown and Spectre has been troubling — as the number of lawsuits currently pending against the microprocessor giant can attest. First, we have the issue we’ve already harped on quite a bit: Intel continued to sell processors it knew were flawed. But there’s more.
Intel didn’t disclose the Meltdown and Spectre exploits to customers in the U.S. government, like the National Security Agency or Department of Homeland Security. Both of these agencies found out about Meltdown and Spectre the same way you and I did, through news reports on or after January 3, 2018. Granted, neither AMD nor ARM reached out to government agencies either, so they’re almost as culpable here. Almost. How many of those government desktops, laptops, and servers are running AMD processors? Precious few. Intel’s share of the CPU market is around 80 percent; AMD is closer to 20 percent.
AMD, ARM, and Intel may not have reached out to government agencies, but you know who Intel did inform of the exploits? A handful of private companies, including Lenovo and Alibaba, which are based in China. Geopolitical concerns aside, failing to warn government agencies — not just U.S. government agencies — of a potentially catastrophic security exploit is problematic at best, especially when your company represents nearly 80 percent of the CPU market.
Jake-No nuance to my answer. No lawyerly caveats. NSA did not know about these flaws, nor did they exploit them. I don’t put my good name on the line lightly. I understand you are disinclined to believe, 1/2.
— Rob Joyce (@RobJoyce45) January 13, 2018
Another brow-raising facet of Intel’s Meltdown and Spectre response: Intel CEO Brian Krzanich initiated an unusually large stock sale after learning of the exploits in June. He claims the sales were pre-scheduled and unrelated, but Bloomberg’s reporting on the matter suggests that may not be the case. Krzanich changed his automated stock-sale habits in 2017, and sold a much larger share of his Intel stock than he had in past years.
What can we do?
The disclosure that new processors are on their way, insulated against the exploits, should be good news, but it feels wrong. AMD and ARM have yet to announce whether or not their upcoming processors will feature hardware-level fixes to the Meltdown and Spectre exploits, but they likely will in the next year or so, if not this year.
It’s disappointing that these companies are poised to make a killing off of a problem they helped perpetuate. You almost want to vote with your wallet, right? Well, it’s hard to take your money elsewhere when these companies are the only game in town.