Intel chip design flaw that could let hackers access passwords prompts industrywide updates

Elizabeth Weise | USA TODAY

Show Caption Hide Caption Intel CEO in hot water: Sells shares before disclosing chip problems Intel is taking heat after it was revealed CEO Brian Krzanich privately learned of two vulnerabilities in its semiconductors before selling millions of dollars in company shares. Veuer's Josh King (@abridgetoland) has more.

SAN FRANCISCO — Intel and other tech companies scrambled to upgrade computer code in millions of computers and phones after researchers disclosed a design flaw in chips made by Intel and others that could allow an attacker to view hidden information such as passwords.

The large companies that run the operating systems on most of the world's computers — Apple, Microsoft and Google — have begun pushing out patches that protect against attacks making use of the flaw.

Intel (INTC) stock fell 3% on Wednesday as news of the flaw spread and dropped a further 1% Thursday. Shares of rival Advanced Micro Devices (AMD), which has said its chips are mostly not affected, rose 5% Wednesday and 4% Thursday. Semiconductor maker Nvidia (NVDA) shares jumped 7% in the last two days.

The flaw, which Intel dubbed a side-channel analysis attack, was discovered "months ago" Intel CEO Brian Krzanich said on CNBC Wednesday. Researchers including Google's Project Zero security group found the design weakness and reported it to the affected companies.

The flaw affects central processing units, or CPUs, the chips that handle the instructions a computer receives from hardware and software. They are sometimes called the "brain" of the computer.

The design weakness takes advantage of a technique called "speculative execution" used by most modern computer processors to optimize performance. That feature anticipates what information might be needed next — such as a password to a website — and makes it available in a "secure area" of the chip, speeding computing, Intel staff said on a conference call with reporters and analysts Wednesday afternoon. Researchers have discovered a flaw that allows hackers to see into the secured portion of the chip, giving them access to key information like passwords.

There have been no examples of the flaw being exploited by hackers that Intel or other researchers are aware of, Steve Smith with Intel’s Data Center Engineering Group, said on the call.

But the potential for a broad attack was far larger than most security weaknesses hardware makers spot. It could potentially affect almost all computers built in the past two decades. Exactly how difficult such attacks might be to pull off, and how much information could be gained, was not clear.

“An attacker can run code on an affected processor, which leaks information stored in the computer’s memory. This includes things like passwords and cryptographic keys, as well as information needed to more effectively exploit other vulnerabilities,” said Craig Young, a researcher at computer security company Tripwire.

According to Google, the vulnerability affects central processing units made by Advanced Micro Devices, iPhone-supplier ARM and Intel, and therefore the devices and operating systems that run on them.

Wednesday afternoon chip-maker Advanced Micro Devices said that due to the design of its chips, it does not believe they are as vulnerable.

AMD said it believed there was "near zero risk to AMD products at this time."

If an attacker were to make use of the flaw, it could slow most computers down by 2%. Operations that require lots of information and instructions to be sent through the CPU could see slowdowns of as much as 30%, Intel officials said on the Wednesday call.

Intel said it was working with hardware and software companies to push out fixes to the problem. The company said new chips it is working on will be constructed so that the exploit cannot be used on them, while firmware and software for older CPUs will be updated.

A group of computer industry firms had been working on the issue for several months and had planned to disclose the flaw on January 9. However a news report by the computer security news site The Register on Tuesday forced companies to speed up their response.