Skip to main content

Meltdown and Spectre: Exposing the Achilles’ Heel of Chips

Posted on January 16, 2018

Aiswarya Baskaran
Aiswarya Baskaran
Analyst, Technology, Media & Telecommunications Research
Syed Moinuddin
Syed Moinuddin
Associate, Technology Media & Telecommunications Research

In January 2018, technology website The Register reported on security flaws in microchips that make a range of devices, from PC computers to servers and smartphones, more susceptible to hacking and could enable unrestricted access to sensitive information, such as passwords. What will this mean for chip manufacturers and how will it affect the broader technology value chain?

The two security vulnerabilities, named Meltdown and Spectre, could compromise certain basic security features, such as the compartmentalization of highly sensitive data and processes. The Meltdown vulnerability primarily affects chips manufactured by Intel, a company that holds approximately 86% of the computer processor market share and about 90% of the server chip market share, and is said to affect devices that have been in use for the past twenty years. Although the Spectre vulnerability is thought to be more difficult to exploit, it affects chips made by Intel as well as AMD and ARM, thus exposing phones and tablets. The vulnerabilities were originally identified by Google’s security researchers, who notified Intel in June 2017. While Intel and other technology companies kept the vulnerability under wraps and developed fixes, three other independent research teams identified the same bug, suggesting a high chance of rediscovery. The good news is that these flaws were identified by security researchers in a controlled, lab environment and until now hackers have not yet acted upon the flaws. However, now that the flaws are publicly disclosed, it is likely that malicious actors will attempt to exploit this vulnerability.

Implications for Semiconductor Companies and the Technology Value Chain

In response to news of these security vulnerabilities, Intel’s stock price declined while its long-time rival AMD saw an uptick. However, the uptrend in AMD stocks was hindered after a software update provided by Microsoft to fix the vulnerability rendered PCs unbootable. Beyond the hit to its credibility, Intel is facing three independent lawsuits seeking class action status, and the news could trigger other legal action and regulatory scrutiny. Compounding these risks is the fact that the company’s CEO is being accused of insider trading for selling stock five months after the security flaw was disclosed to Intel by security researchers. Although, Intel denies this allegation and states the stock sale was previously planned, scheduling a stock sale when Intel was aware of the vulnerability could trigger a probe by the US Securities Exchange Commission. It is unclear how these security flaws will impact Intel’s strong semiconductor market share and whether, moving forward, customers will negotiate cheaper deals with Intel or choose a different vendor.

This security flaw has far reaching implications, beyond Intel, for other companies in the technology value chain, including technology hardware manufacturers (e.g. Apple, Dell), operating system makers (e.g. Microsoft), and cloud and software providers (e.g. Google, Amazon Web Services). Cloud vendors are particularly vulnerable, as users share infrastructure, making it easier for an attacker to gain access.  These parties are working to provide software updates that can secure devices. However, these patches may also slow down the performance of certain devices, such as servers, by up to 30% according to some reports. Intel has released software updates to a majority of its processor products; however, it is unclear how it plans to tackle older products. Complicating matters is the risk that any software patch may not have the necessary adoption rate to mitigate against widespread security vulnerabilities. In addition, software updates can only mitigate security issues to a certain degree, especially for the Spectre vulnerability. Such hardware based security vulnerabilities are particularly difficult to address through remote updates and often require physical changes to chip design.

Internet of Things and the Future of Chip Design

Semiconductor chips are ubiquitous, and they enable critical electronic systems used in healthcare technology, communications systems, defense systems, electoral voting, and cloud infrastructure. As the adoption of Internet of Things (IoT) accelerates and more devices integrate internet enabled chips, we expect the risk of exploiting such vulnerabilities to increase. Chip design is complex and often the culmination of a multi-year development roadmap. Given the importance of secure chips, semiconductor companies need to take into account the evolving nature of cybersecurity threats and strengthen testing and security breach mitigation procedures. The accountability for information security is spread across the technology value chain and begins with the semiconductor chip.

Recent Content

Double Trouble: The Rise of Greenwashing and Climate Litigation for Banks

The fight against greenwashing is being taken to the courts. An analysis of Morningstar Sustainalytics data shows a 12-fold rise in climate-related litigation, including greenwashing claims, against banks over the past three years.

Hamburger, fries and dipping sauces on a red background

Big Food’s Broken Promises: The Data Behind the Food Industry’s Rising Emissions

Using Low Carbon Transition Ratings data, we look at six major food companies and identify where they need to go beyond targets to meet their stated net-zero goals.

CSRD Reporting: Preparing for Mandatory ESG Disclosure Deadlines

The implementation of the EU’s Corporate Sustainability Reporting Directive (CSRD) appears to be a watershed moment with implications for companies both in Europe and beyond.

Aerial photo of clear cutting in Amazon rainforest

Constructing Zero Deforestation Portfolios to Combat Climate Change and Biodiversity Loss

The world’s forests are under threat, putting ecosystem services and global economic wealth in danger. But investors can help to fight deforestation. In this article, learn the reasons why investors should pursue zero deforestation portfolios.