Meltdown and Spectre: Exposing the Achilles’ Heel of Chips

Posted on January 16, 2018

Aiswarya Baskaran
Analyst, Technology, Media & Telecommunications Research
Syed Moinuddin
Associate, Technology Media & Telecommunications Research

In January 2018, technology website The Register reported on security flaws in microchips that make a range of devices, from PCs to servers and smartphones, more susceptible to hacking and could enable unrestricted access to sensitive information, such as passwords. What will this mean for chip manufacturers and how will it affect the broader technology value chain?

The two security vulnerabilities, named Meltdown and Spectre, could compromise certain basic security features, such as the compartmentalization of highly sensitive data and processes. The Meltdown vulnerability primarily affects chips manufactured by Intel, a company that holds approximately 86% of the computer processor market share and about 90% of the server chip market share, and is said to affect devices that have been in use for the past twenty years. Although the Spectre vulnerability is thought to be more difficult to exploit, it affects chips made by Intel as well as AMD and ARM, thus exposing phones and tablets. The vulnerabilities were originally identified by Google’s security researchers, who notified Intel in June 2017. While Intel and other technology companies kept the vulnerabilities under wraps and developed fixes, three other independent research teams identified the same bug, suggesting a high chance of rediscovery. The good news is that these flaws were identified by security researchers in a controlled lab environment, and hackers have not yet acted upon them. However, now that the flaws are publicly disclosed, it is likely that malicious actors will attempt to exploit these vulnerabilities.

Implications for Semiconductor Companies and the Technology Value Chain

In response to news of these security vulnerabilities, Intel’s stock price declined while its long-time rival AMD saw an uptick. However, the uptrend in AMD’s stock was hindered after a software update provided by Microsoft to fix the vulnerability rendered PCs unbootable. Beyond the hit to its credibility, Intel is facing three independent lawsuits seeking class action status, and the news could trigger other legal action and regulatory scrutiny. Compounding these risks is the fact that the company’s CEO is being accused of insider trading for selling stock five months after the security flaw was disclosed to Intel by security researchers. Although Intel denies this allegation and states the stock sale was previously planned, scheduling a stock sale when Intel was aware of the vulnerability could trigger a probe by the US Securities and Exchange Commission. It is unclear how these security flaws will impact Intel’s strong semiconductor market share and whether, moving forward, customers will negotiate cheaper deals with Intel or choose a different vendor.

This security flaw has far-reaching implications, beyond Intel, for other companies in the technology value chain, including technology hardware manufacturers (e.g. Apple, Dell), operating system makers (e.g. Microsoft), and cloud and software providers (e.g. Google, Amazon Web Services). Cloud vendors are particularly vulnerable, as users share infrastructure, making it easier for an attacker to gain access. These parties are working to provide software updates that can secure devices. However, these patches may also slow down the performance of certain devices, such as servers, by up to 30% according to some reports. Intel has released software updates to a majority of its processor products; however, it is unclear how it plans to tackle older products. Complicating matters is the risk that any software patch may not have the necessary adoption rate to mitigate widespread security vulnerabilities. In addition, software updates can only mitigate security issues to a certain degree, especially for the Spectre vulnerability. Such hardware-based security vulnerabilities are particularly difficult to address through remote updates and often require physical changes to chip design.

Internet of Things and the Future of Chip Design

Semiconductor chips are ubiquitous, and they enable critical electronic systems used in healthcare technology, communications systems, defense systems, electoral voting, and cloud infrastructure. As the adoption of Internet of Things (IoT) accelerates and more devices integrate internet-enabled chips, we expect the risk of exploiting such vulnerabilities to increase. Chip design is complex and often the culmination of a multi-year development roadmap. Given the importance of secure chips, semiconductor companies need to take into account the evolving nature of cybersecurity threats and strengthen testing and security breach mitigation procedures. The accountability for information security is spread across the technology value chain and begins with the semiconductor chip.