It has been revealed that US authorities found out about the Spectre and Meltdown chip flaws from media reports rather than being informed directly by US computer chip manufacturer Intel.
What Chip Flaws?
Back in January, researchers from Google's Project Zero, the Technical University of Graz in Austria and the security firm Cerberus Security in Germany, discovered that two major security flaws are present in nearly all modern processors / microchips. The hardware flaws were dubbed ‘Spectre’ and ‘Meltdown’.
Meltdown affects all Intel, ARM and most other processors on the modern market. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013. The flaw could, for example, leave passwords and personal data vulnerable to attacks.
Found Out Via The Media
In this latest revelation, news has emerged that Intel didn’t inform US cyber-security officials about the flaw in its processors until after the news had been leaked to the media.
Google’s parent company Alphabet has said it informed Intel, AMD and ARM about the chip flaws in June 2017, and the three semiconductor / chip manufacturers were given 90 days to fix the flaws before disclosing the discovery of the flaws and the fix to the public. According to Alphabet, and in keeping with ‘standard practice’, it had left it up to the companies to decide whether they should inform government officials about the security flaws.
In response, Intel gives a slightly different version of events. According to Intel, Google Project Zero had chosen to extend the 90-day timeframe to 9 January 2018, and Intel had agreed to keep the information confidential until that date.
No Exploits Anyway
Even though there is general agreement that the security flaws are now present in nearly all modern devices, including all iPhones, iPads and Macs, Intel has been quick to stress that there have been no known exploits to date.
What Does This Mean For Your Business?
It is worrying that ‘standard practice’ in the industry is to be allowed to keep quiet about a security problem for 3 months from government cyber-security officials, and from the public. It is also worrying that it took journalists to uncover the problem, particularly when you consider the sheer scale of the flaws i.e. that they’re present in almost all modern processors.
There have been far too many stories of large, well-known companies choosing to keep quiet as long as possible about cyber / data security risks or breaches, and these episodes all serve to undermine confidence that companies will act responsibly themselves, without the threat of new regulations and huge fines (such as those that GDPR will bring).
The best advice to businesses is now to install all available patches for the flaws without delay, and to make sure that you are receiving updates for all your systems, software and devices.
Regular patching is a good basic security habit to get into anyway. Research from summer 2017 (Fortinet Global Threat Landscape Report) shows that 9 out of 10 impacted businesses are being hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and there are already patches available for them.