When Intel and a group of security researchers revealed the existence of new security flaws in older generations of the company’s microchips in May, the news came with a particularly troubling detail: it took over a year to get a solution for one of the flaws in place.
Researchers say they alerted Intel to the vulnerability, which they dubbed ZombieLoad, in April 2018, yet a fix for it was not rolled out broadly until last month. By comparison, software companies typically take no more than 90 days to issue patches after a vulnerability has been discovered in their code. The longer a flaw remains unaddressed, the greater the chance a hacker will find it.
Daniel Gruss, a professor at Graz University of Technology in Austria and one of the researchers who helped bring ZombieLoad to light, thinks things could move faster. In an email to MIT Technology Review, Gruss says that when he and fellow researchers notified Intel of the vulnerability last April, they provided an independently verified proof of concept to show it was a genuine issue. In May 2018, they provided Intel with further details about the flaw, which could allow hackers to get hold of sensitive data from applications running on machines.
Intel says it couldn’t initially reproduce the security hole researchers had flagged and therefore needed more evidence before taking any action. Earlier this year, it finally established that there was indeed a vulnerability and rolled out the fix.
The tension underlines the challenges of dealing with hardware flaws. These are often far more expensive and difficult to address than software issues, opening a vulnerability window that can affect billions of chips. That puts everything from servers in data centers to tablet computers and mobile phones at risk of being hacked.
Pressure for a faster response has grown since the start of 2018, when details of another set of chip flaws, dubbed Spectre and Meltdown, leaked out prematurely. Chaos ensued as businesses rushed to work out how vulnerable they were to attack, and chip companies scrambled to issue software fixes. The episode gave more prominence to chip vulnerabilities, likely encouraging hackers to search harder for them.
Typically, when researchers find a security flaw in software or hardware, they report it in confidence to the company concerned. The flaw is kept under wraps while the business works on a solution so bad guys aren’t alerted to its existence. Then, once a fix is ready, the company launches a publicity blitz to get people to apply it as quickly as possible.
This process, known as coordinated vulnerability disclosure (CVD), works pretty well for patching software, which typically takes no more than the 90-day industry time frame. But it’s still taking worryingly long for some chip-related risks.
They are admittedly more complex to deal with. A family of chips can contain dozens of versions, each one using operational software known as microcode that’s been tailored for it. Fixing flaws requires updating microcode for all these versions.
Solutions to hardware security holes may also involve updates to things like operating systems, which means chipmakers need to work closely with other businesses in secret to ensure their revised microcode still works in harmony with other software before a fix is rolled out.
Since Spectre and Meltdown, the chip industry has made some welcome improvements to the CVD process. Bryan Jorgensen, Intel’s senior director of product assurance and security, says communications between companies involved in helping address security holes in its chips used to have to all flow via Intel. Now they can often collaborate directly with one another to verify that a patch works with their interconnected systems.
Patches for hardware flaws often require companies to update both microcode and operating system software. These have been separate operations, which drives up the time it takes to get a fix in place. Jorgensen says Intel has now made it possible to bundle the updates together so both can be done simultaneously.
Such changes are welcome, but there are still plenty of other areas where more can be done. They include:
Academics and industry researchers who find and report chip flaws say that chipmakers can still be too secretive about what they are doing to address them. That can breed distrust. Gruss says hardware companies should ideally provide daily updates to researchers. He also suggests perhaps having a neutral third party monitor the handling of cybersecurity incidents.
A recent report from the nonprofit Center for Cybersecurity Policy and Law (CCPL) warns that when a process for fixing hardware flaws takes longer than the norm for patching software, businesses involved in the CVD process could be tempted to take unilateral action to protect their customers and their own interests.
That could lead flaws to be exposed before patches are fully tested. Agreeing to a time frame for dealing with hardware security holes would help. The semiconductor industry could commit now to a schedule for establishing such a CVD deadline.
Developing software fixes is pretty pointless if they don’t get used. “The take-up’s not good for software patches, but for hardware [ones] it’s really bad,” says Ari Schwartz, the executive coordinator of the CCPL and a former senior director of cybersecurity on the staff of the US National Security Council.
Simple things, like getting people to reboot their home routers regularly so chips in them receive software updates, are still a challenge. Intel and other chip companies have launched more programs to educate people about the risks and how to address them, but an even bigger effort will be needed.
The latest generations of chips coming to market from Intel and others are no longer vulnerable to attacks like ZombieLoad and Spectre, thanks to changes in the way they work. But there’s always a risk that new kinds of vulnerabilities will emerge.
To minimize it, chipmakers will have to devote more resources to probing for weaknesses in new generations of silicon chips and into developing more secure designs for their semiconductors. Boosting spending on these areas will be painful for businesses operating in an intensely competitive industry, but now that chips are embedded in more and more devices, from autonomous vehicles to smart speakers in homes, the cost of security failures is rising dramatically.