Spectre and Meltdown are just the beginning


There are never just one or two isolated, one-off flaws in a complex computing product. Especially with something as complex and widely deployed as Intel’s CPUs, once one security vulnerability is exposed, many more soon follow.

Throughout the 1990s and into the 2000s, Microsoft spent years playing whack-a-mole in an arms race against malware. At the time, most software companies treated security as a step in the pre-release quality assurance process, if that. When problems were found after a release, they were fixed in subsequent updates as part of a scheduled release cycle.

That strategy failed Microsoft in the 1990s. Facing mounting concern from consumers and a possible rebellion among its business customers, Microsoft and other firms trained their engineers in new skills, redesigned their products around security-focused frameworks, enacted transparency policies to keep users informed, and built infrastructure to roll out fixes quickly. Today, while malware is more clever and pernicious than ever, Microsoft has mostly stemmed the tide of newly infected Windows computers.

With Windows computers becoming harder and harder to penetrate, hackers have reason to seek new targets. Low-level hardware has been long overlooked as a ripe attack surface for intruders — a mistake Internet criminals will soon correct.

The good news is, chips from Intel and its competitors are far more carefully engineered than Windows ever was. Regrettably, that’s the extent of the good news.

Intel does not appear to have a healthy culture around security. Even if it did, at a technical level, any hardware manufacturer faces unavoidable challenges guaranteeing the ongoing safety of its products once problems are found.

As software giants evolved to defend their customers against a treacherous Internet, a few best practices emerged for responding to security vulnerabilities and incidents. Tenets of accountability, transparency, and continuous improvement have been part of the culture shift toward dealing with security effectively and fairly.

On the transparency front, Intel published (at my last count) three separate press releases filled with misdirection and half-truths. Do check out Tom Warren of The Verge’s devastating indictment of Intel’s PR. Intel has not come clean about either the seriousness or long-term consequences of Spectre in particular, in contravention of industry norms.

Rather than holding itself accountable, Intel has been vague about whether we can even expect future hardware sufficiently re-engineered to address Spectre. Linus Torvalds, the creator of Linux who is arguably in charge of working around Intel’s mistakes within software, was emotive on the Linux kernel mailing list:

I think somebody inside of Intel needs to really take a long hard look
at their CPU’s, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed.

.. and that really means that all these mitigation patches should be
written with “not all CPU’s are crap” in mind.

Or is Intel basically saying “we are committed to selling you shit
forever and ever, and never fixing anything”?

Intel, in other words, has publicly articulated no specific plans to improve the security of its future products.

Through its lack of transparency, accountability, or commitment to fix future products, Intel is behaving very much like a company unaccustomed to dealing with security vulnerabilities in its products.

Even if Intel reformed overnight, change would come slowly. And unlike software companies, Intel and its competitors will never be able to properly fix pervasive problems in computers already manufactured; the silicon of a microchip cannot be rearranged from afar. Some bugs, like Meltdown, require awkward software workarounds with unwanted side-effects: the kernel page-table isolation patches that hide kernel memory from user processes cost performance on every system call. Others, like Spectre, will have no immediate or comprehensive solution, despite Intel’s assertions to the contrary.

Insofar as hardware engineering mistakes can be remedied through firmware updates (for these flaws, new CPU microcode), those updates are typically delivered to end-users through OEM cooperation. If you have a Dell with a vulnerable Intel component, your update will come from Dell. Mac users will receive updates from Apple, and so on. As Google learned from servicing Android, persuading cut-rate hardware partners to deliver timely updates to critical components is a fool’s errand. Consumers who purchased off-brand PCs from manufacturers no longer in business may remain nakedly vulnerable with no solution other than a new computer. One partial escape hatch: an operating system can load updated microcode itself at every boot (Linux distributions package Intel’s microcode releases for exactly this), which spares users whose OEM never ships a BIOS update, though it still depends on Intel releasing the microcode and the OS vendor shipping it.
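Whether a given Linux machine has actually received these workarounds is something the kernel itself reports: since 4.15 it exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/ whose first word is "Vulnerable", "Mitigation:" or "Not affected", and later kernels also list the microcode-dependent features they found (IBPB, IBRS, STIBP) in the spectre_v2 entry. The script below is an added example, not part of the original article; it classifies those status strings and flags any issue the kernel still reports as vulnerable. The sample tree built by make_sample is constructed to resemble an early-2018 kernel with KPTI applied but no usable retpoline, not a capture from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the Linux
# kernel's own report of Spectre/Meltdown mitigation status.
# Linux >= 4.15 exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/; each file's first word is
# "Vulnerable", "Mitigation:" or "Not affected".
# VULN_DIR is a parameter so the same functions can be run against a
# constructed sample tree when no live sysfs is available.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# count_vulnerable DIR -> prints the number of issues still reported Vulnerable
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# report_dir DIR -> prints one line per issue; returns 1 if any is Vulnerable
report_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        [ "$class" = vulnerable ] && rc=1
        printf '%-14s %-10s %s\n' "$(basename "$f")" "$class" "$status"
    done
    return "$rc"
}

# make_sample DIR: build a constructed sample tree (not captured from a real
# machine) resembling an early-2018 kernel with KPTI but no usable retpoline.
make_sample() {
    mkdir -p "$1"
    printf 'Mitigation: PTI\n'                           > "$1/meltdown"
    printf 'Mitigation: __user pointer sanitization\n'   > "$1/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$1/spectre_v2"
}

# When run directly on a Linux host, report on the live tree if it exists.
# Usage: sh check_mitigations.sh   or   VULN_DIR=/path/to/sample sh check_mitigations.sh
if [ -d "$VULN_DIR" ]; then
    report_dir "$VULN_DIR" || echo "WARNING: at least one issue is still reported Vulnerable"
fi
```

The classification deliberately keys only on the leading word, because the text after it changes from kernel to kernel (mitigation names, microcode feature lists, "unknown" qualifiers); anything that does not begin with one of the three known prefixes is reported as unknown rather than silently treated as fixed. Note that a "Mitigation:" line says the kernel applied its workaround, not that the hardware flaw is gone, which is the author's point about Spectre.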

While I do believe Intel, AMD, ARM, and other hardware powerhouses will get better at responding to problems as they emerge, I’m not of the opinion we should consider complex CPUs “secure” in the near future — certainly not ones from Intel. Most are developed in secret, tested behind closed doors, and not transparently reviewed by outside, independent experts.

Where there is one bug visible, many more lurk in the black boxes of silicon that power our devices. What has changed is that now, hackers know where to look. This is only the beginning.
