Intel Discloses Spectre & Meltdown Details
Just this past week, Intel released its 10-K annual report. The following comes from page 66 of their 2017 annual 10-K, released February 15th, 2018.
Intel is now subject to more than 30 lawsuits, including many class action and investor-related lawsuits. The Spectre and Meltdown vulnerabilities are chip-level vulnerabilities that impact most computing systems running the Intel microchip platform. Most people do not know that Intel began embedding 3G cellular radio into the Intel chips that can be used to secretly dial in and control Intel-based computers while the end user is sleeping. Only in the last month or two have patches been available to mitigate some of these vulnerabilities. Intel clearly failed to take timely action to help their customers and has been holding back much of what they know from the public. Their CEO didn’t waste any time in unloading most of his stock and options back in November of 2017. I am sure the SEC will conduct a rigorous investigation on the sale of stock by key executives before the stock price tanked. Anyone who has suffered a data breach may want to consider investigating whether the Intel chip-related vulnerabilities were partially to blame. My guess is most data breaches that have occurred could be linked to using vulnerable Intel microchips. Intel’s complete 10-K disclosure report can be found at https://www.intc.com/investor-relations/financials-and-filings/sec-filings/sec-filings-details/default.aspx?FilingId=12559970
I spoke about some of the secret Intel back doors almost a year ago at the Forensecure IIT 2017 Cyber Conference. If you wish to see that presentation, check out my blog at http://glforensics.wpengine.com/nation-state-malware-forensecure-2017-presentation/
Congress needs to wake up to the problems created when our U.S. intelligence agencies slip secret back doors onto microchips with manufacturers' consent and no public transparency. Once those secret doors and vulnerabilities get compromised (which happened with the NSA & CIA), those secrets become weaponized against our own citizens, governmental organizations and companies. Despite all of the fallout over leaked U.S. cyber weapons, we still have the FBI wanting a single-key back door option to defeat encryption. What we need is a real dialogue in which security professionals from the private sector, along with representatives from Congress and law enforcement agencies, come together and come up with something that accomplishes the goals of legal surveillance, without having master keys floating around which can be easily compromised. A multi-key solution using second-factor one-time passwords generated from distinctly different organizations could help accomplish such a goal.
In the meantime, everyone needs to patch again and hope that the manufacturers and software makers are starting to get their stuff together. We need more leadership from our elected officials in bringing together the private sector security professionals with the computer makers, law enforcement agencies, intelligence collection agencies and legislatures.
(Please note, these opinions are mine and mine alone)