image

Cybersecurity

Meltdown and Spectre chip security flaws leave billions of smart devices and computers at risk

Huawei’s Mate 10 and Mate 10 Pro could potentially be affected, as well as Xiaomi devices such as the Xiaomi Redmi Pro

PUBLISHED : Friday, 05 January, 2018, 1:27pm
UPDATED : Friday, 05 January, 2018, 11:14pm

Smart devices globally, including those from China’s Huawei and Xiaomi, could be affected by major security flaws discovered by Google’s security researchers this week.

The security flaws, dubbed Meltdown and Spectre, affect almost all devices running Intel, ARM and AMD processors, according to the researchers who revealed their findings. Malicious programmes could exploit these flaws “to get hold of secrets stored in the memory of other running programmes”, the researchers said.

The issues affect billions of devices worldwide, and Spectre is particularly difficult to mitigate, according to the researchers. Experts believe that fixing the Spectre flaw could require an entire overhaul of how processors and chips are designed.

Meltdown affects any computer or laptop running an Intel processor released since 1995, according to the findings, whereas Spectre would affect smartphones as well as computers and cloud servers that run Intel, ARM and AMD processors.

Devices like Huawei’s Mate 10 and Mate 10 Pro, which run on Kirin processors based on chip cores from ARM, could potentially be affected, as could Xiaomi devices such as the Xiaomi Redmi Pro.

Huawei issued a statement saying it has started an “analysis and investigation” of the situation and has communicated with the related suppliers. Xiaomi could not be immediately reached for comment.

Intel said in a statement on Wednesday that it believes the flaws “do not have the potential to corrupt, modify or delete data”.

Intel said by the end of next week it expects to have issued updates for more than 90 per cent of processor products introduced within the past five years.

ARM said in a public statement that the “majority of ARM processors are not impacted”, while AMD reassured users that the “described threat has not been seen in the public domain”.

Both ARM and AMD have released updates to its vendors and manufacturers to mitigate the flaws, but users of affected Chinese smartphones will have to wait until the respective companies push out the updates to their devices.

However, there are currently no known attacks that have exploited these flaws, according to the Google researchers.

Anatomy of an iPhone: what’s in it and where the parts come from

Mo Jia, a Shanghai-based analyst with industry consultancy Canalys, said Android-based Chinese smartphones are mostly affected by Spectre, a security flaw that is more difficult for hackers to exploit but is also more challenging to fix.

“Deep down, it is a hardware flaw that exists in modern processors with an ARM structure. It is still too early to tell how many devices or which particular models will be affected most as the security issues were only discovered days ago,” Jia said. “Hackers could take advantage of the flaw to obtain consumers’ passwords. Of course, smartphone vendors can update software to fix the problem, but the move is expected to dent the performance of devices.”

Users of mid-range smartphones from brands such as Oppo and Vivo may not be at risk if they are using devices that run on the Cortex A53 processor, which is unaffected by the vulnerability, according to ARM.

Apple on Thursday released a statement saying that all of its Mac and iOS devices are affected by the flaws. It has released patches against possible Meltdown attacks for both iOS, Mac and Apple TV, and will be releasing updates for the Safari browser on its devices “in the coming days” to mitigate Spectre.

The company reminded users to only download software from “trusted sources such as its App Store”, since exploiting the flaws would require having a malicious app loaded onto the device.

Separately, Alibaba Group, owner of the South China Morning Post, said it would complete an update of its cloud computing systems next week to handle potential chip security issues. Rival Tencent Holdings said it was in contact with Intel regarding possible fixes but wasn’t aware of any attempted attacks so far, according to Bloomberg.

Intel chief executive Brian Krzanich sold some US$39 million worth of stock and options in November, several months after Intel said it was notified by Google’s security researchers of the security flaws affecting the company’s chips.

According to Intel, Krzanich’s divestments were unrelated to the security flaws.