The technology industry has been hit by a huge new security issue. This flaw allows malicious software, known as malware, to obtain your confidential information from the chip's memory, including usernames, passwords, financial accounts and more. In normal circumstances, this memory should be hidden away and unreadable.
Originally, this was thought to affect CPUs manufactured by Intel, the biggest provider of smartphone and computer chips in the world. However, in the days since the announcement, it has since come to light that this problem could be even more widespread than originally thought, even affecting Apple products.
Security Flaw Explained
To understand the issue, we need to understand how CPUs work. To keep these chips busy, data that gives the computer instructions flows through a pipeline, being processed and eventually executed. This data is often re-prioritised for efficiency and importance, and can sometimes result in unfinished, unexecuted commands being left in the pipeline.
When this old data has made changes to the CPU chip's internal caches (storage), footprints can be left, indicating what was being processed. Using clever malware and the right timings, it’s possible to see what was being stored in the cache. Access control does not happen until an order or command has been fully processed by the chip, so by intercepting the caches at this unfinished stage, malware can discover exactly what information was being processed.
When Was the Flaw Discovered?
Google has a team known as Google Project Zero, a group of security analysts responsible for finding vulnerabilities. It was in June 2017 that the Project Zero team originally discovered these vulnerabilities. However, an agreed coordinated disclosure date was set for the 8th January 2018. In situations as widespread as this, companies will often agree to a coordinated disclosure to the public. This helps to mitigate against the release of incorrect information and avoid any panic amongst consumers, whilst providing the manufacturers time to find and provide a fix. It also avoids handing any tips to criminals who may try to use the vulnerability to their advantage.
What Devices are Affected?
The following devices use one of the many affected CPU chips and could therefore potentially be affected by the vulnerabilities. Though some more inexpensive, foreign handsets are affected, these devices are the more commonly used:
- Huawei phones, including the 970, Mate 10 and Mate 10 Pro;
- Samsung phones including the Galaxy S6 Series;
- Sony Xperia X;
- iPhone 4S, iPhone 4, iPhone 3GS;
Thankfully, the majority of these handsets are old enough to have mostly left active circulation. Though some users will still have one or more of them, they are slowly being replaced by newer models that don’t have the same CPUs.
How to Mitigate the Issue
It’s not worth going into great deal on how somebody could personally avoid the issue themselves. It’s an extremely technical process that involves modifications at the core of a computer’s operating system. What’s more, the time that has elapsed since the problem was announced means that the fixes provided by companies like Google and Intel will already provide sufficient protection for the public.
Given that the issues were discovered several months ago, Google have already had chance to prepare a resolution to them. They have already communicated that Android devices will be protected against the security vulnerabilities, providing that they have the latest security update.
Intel have published a press release regarding the security vulnerabilities, though the company doesn’t go into too much detail about the specific vulnerabilities. Though they’ve begun patching the security flaws, they weren’t overly happy that the industry has chosen to announce the flaws to the public early.
There’s more information available on the vulnerabilities affecting these CPU chips, but most of it involves the technical nature of the problem and how it will be fixed by manufacturers. If you have any general questions for Wise Guys, then you can call us on 0808 123 2820.