top of page

Intel has put us all at risk

If you have been following the news you surely have been reading about Spectr and Meltdown a huge vulnerability in the Intel chipset. Not only are Intel chips vulnerable but also chips used in Apple and AMD products as well.

As you can see nearly every processor is vulnerable to this attack vector

In short this processor flaw has existed for nearly 20 years. Surely Intel and AMD were aware of the issue but have chosen to keep quiet about it. To date all of the fixes rolled out have been met with one of two major effects:

  • Either the fix completely slows the workstation or server to a crawl in performance

  • The fix completely stopped the systems from booting (Ubuntu, Debian and some others)

Intel's first response to the Meltdown and Spectre rumors was an angry blog post that provided few details and claimed "Performance impacts are workload-dependent" and that the fixes should not be sufficient to the average user. The biggest issue with this stance is that some of us in the data science arena (such as Jigsaw Security) rely on processor performance to stay ahead of attacks (farther causing delays in data processing that will cause security issues because we can't process things as fast as the before fix state). In fact our Ubuntu machines had to be reverted back to a kernel version with the fix that still allowed our systems to boot. We have not noticed any slow downs with this version but we suspect when new kernels are released and we have had time to benchmark our systems again that it will be evident.

Intel has since reported that there is a significant performance impact in loading the fix. In short the problem is that this is a hardware issue that these companies are trying to fix with a software fix. This will work temporarily, but the long term impacts will be that as soon as they patch one vector, other attack vectors will be found and we start this never ending patching cycle over again. What Intel needs to do is to replace every CPU in every system with hardware that is not vulnerable to this flaw. That would probably bankrupt the company as these chips are in everything from computers to smart TV's to washers and dryers, wireless routers, phones and other devices.

At this point we are highly concerned for the security of our customers even though Intel says that 90% of processor products introduced in the past five years by the end of this week will be patched against the issue (with a performance hit of course).

What we know to date:

  • The problem was a long standing problem that was more than likely being exploited already

  • The fixes are software patches to fix faulty hardware

  • The fixes are causing processors to slow in performance and computational power

  • I/O intensive systems such as cloud and virtualized environments will be especially affected by the slowdown of the processing

  • Some vendors are recommending not installing the patches on high performance computing environments if they do not run untrusted or externally produced code

It is the stance of Jigsaw Security that we do not have a choice but to patch based on our compliance requirements of DoD and NIST recommendations. Not patching could cause our facilities to fail inspections and that is simply not an option. Patching may cause performance issues that may cause our existing products impact without significant upgrades of hardware to chipsets that are not vulnerable to the flaw. We know that Intel says they were aware of the issue since June of 2017 and it appears as though they may have not expected the issue to be released publicly so they had to scramble to address the issue.

Testing for the Flaw

Those customers running Unix based systems can use the script we have posted to our Github from Stephane Lesimple which test for a variety of conditions.

Windows based users do not have an easy way to test for the flaw and may want to refer to this additional information of interest. In short this is a major issue that will be with us for some time until new chips come out and everybody upgrades. Several lawsuits have already sprung up and we fully expect more as time goes forward.

10 views0 comments
bottom of page