Intel Faces Scrutiny as Questions Swirl Over Chip Security


“We’ve gotten much more mature in our ability to respond,” said Steven L. Smith, an Intel vice president who was closely involved in the Pentium crisis and is now overseeing its handling of the new security issues.

But just how well the proposed fixes work remains a matter of debate, putting Brian Krzanich, Intel’s chief executive, in the hot seat. Mr. Krzanich is scheduled to help kick off the International CES trade show, one of the biggest tech conventions of the year, at a Las Vegas hotel on Monday night. Now he may need to address the chip security problems in addition to topics like artificial intelligence, virtual reality and self-driving cars.

Adding to Intel’s image challenges is that Mr. Krzanich sold about $39 million in Intel shares in late November, after the company learned of the chip security problems. A company spokesman said the sale had been unrelated to the security issues and followed a prearranged annual trading plan. Mr. Krzanich, who reduced his holdings by about 50 percent, “continues to hold shares in line with corporate guidelines,” Intel said.

Meltdown and Spectre were identified by a team at Google, with their work augmented by researchers from other organizations. Meltdown affects only Intel chips. Spectre also affects chip designs from companies such as Advanced Micro Devices and ARM Holdings, whose technology is used in most smartphones.

Intel, largely by virtue of its success, has the most at stake. While the Pentium chip underpinned most PCs running Microsoft operating systems in 1994, Intel processors are now also used in all Apple Macintosh systems and more than 95 percent of the chips used by cloud services and data centers run by corporations. Its technological reach means that both Meltdown and Spectre could affect just about anyone who uses the internet.

“We created a microprocessor monoculture,” said Bryan Cantrill, chief technology officer at Joyent, a cloud service owned by Samsung. “There are dangers associated with that.”

Intel’s situation is complicated by history and semantics. The Pentium problem was caused by a design error. But Meltdown and Spectre attacks exploit a common speed-boosting technique in chips called speculative execution that Intel’s Mr. Smith insisted is working as it should. That approach to chip design emerged before researchers developed new ways to spy on such internal operations, using what they call “side-channel” analysis, Mr. Smith said.

As a result, the security issues that were discovered were not flaws or bugs, he said. The features that hackers could exploit are a bit like a door or window in a house, which burglars can exploit but that builders would not consider leaving out.

That hasn’t stopped an uproar from security researchers and tech industry executives. One widely distributed barb came from Linus Torvalds, the creator of the Linux operating system, who posted a testy message last week advising Intel to “take a long hard look” at its chips “and actually admit that they have issues instead of writing P.R. blurbs that say that everything works as designed.”

Major users of Intel chips — including Apple and the cloud computing arms of Google and Amazon — have said they deployed security fixes recommended by Intel and so far they have not reported the sharp performance slowdowns of the sort some experts projected.

But the solutions are far from perfect. While Meltdown’s effects can be mitigated with updated operating systems, countering Spectre requires more complex steps like updating computer code stored in the chips themselves — or in some applications like web browsers, Intel recommends inserting special instructions in places that security professionals said may be hard to identify.

Mr. Smith said Intel and its partners had originally planned to disclose the security problems and their proposed solutions on Jan. 9, before the news was broken last week in The Register, a tech publication. Mr. Smith said the company did not disclose the issues when it was informed of them in June because Intel needed time to analyze the issues and then develop and test remedies.

Many security professionals said they accepted the argument. “This is not a simple ‘we found a bug, here’s a patch and we are done,’” Mr. Schneier said.

Whether Intel’s actions to address Meltdown and Spectre will be enough for the company to sidestep a sizable financial hit is unclear. At least one lawsuit seeking class action status has been filed against Intel, and some industry executives expect more litigation to come. At a minimum, Intel engineers working on future microprocessors now face the additional labor of trying to make them less susceptible to the new kinds of attacks.

Using the software fixes, “we already have the security improvement that we are seeking to get,” Mr. Smith said. But making internal changes to the chips could handle those changes more efficiently, he said.
