Digital Security Meltdown

February 2, 2018

Computers have entrenched themselves in American life. The United States Census Bureau confirmed this assumption in 2015 when it found that 78% of American households own a laptop or desktop computer. Americans also carry around portable computers every day in the form of either a smart phone, tablet, or other handheld wireless devices. Constantly having an internet connection makes accessing and sending information extremely easy, but it also raises digital privacy concerns. Americans can create passwords, encrypt files, and surf the internet with an anonymous browser like Tor, but digital information will never be absolutely secure.
Last year, digital security researchers at Google and various universities discovered two central processing unit bugs that could compromise sensitive data in a massive number of computers. Intel and other manufacturers released the information to the public just this month. The bugs, referred to as “Meltdown” and “Spectre,” affect “virtually every modern computer,” including smartphones, tablets, and personal computers. No operating systems are safe either. Both bugs are present in various Intel processing units and the Spectre bug also affects processors made by AMD and Arm Holdings. Daniel Gruss, one of the researchers that discovered the flaw, called it “probably one of the worst CPU bugs ever found.” A small amount of Intel’s modern processors, including Itanium and Atom versions produced prior to 2013, are Meltdown-free. Unfortunately, Meltdown still affects almost all other Intel processors and Spectre affects most modern processors designed by major manufacturers.
Meltdown “break[s] through the barrier that prevents applications from accessing arbitrary locations in kernel memory.” A “kernel” is a program that “constitutes the central core of a computer operating system.” Essentially, the kernel program allows an operating system to startup run a variety of operations and programs at one time. Additionally, kernels separate computer memory spaces from one another to stop applications from accidentally interfering with one another and to prevent “malicious software” from modifying existing memory. By breaking the kernel barrier, Meltdown allows malicious software circumvent a fundamental digital security mechanism and modify all of a computer’s programs. Luckily for all American computer owners, Meltdown can be fixed with a patch that strengthens kernel security. However, the fix comes at the steep price of anywhere from 5 to 30% of the Intel processor’s performance.
Spectre works differently than Meltdown does. Put succinctly, Spectre “tricks applications into accidentally disclosing information that would normally be inaccessible.” Meltdown is easier to exploit than Spectre, but since tricking applications is an “established practice in multiple chip architectures,” the latter will be tougher to fix. Even though Microsoft has released an update for Windows aimed at curbing Spectre and Arm Holdings has released a mitigation guide for the bug, there is currently no way to completely eliminate the issue. Completely squashing Spectre would require processing unit manufacturers to totally redesign the architecture of their products. For now, users concerned about Spectre can only download updates, follow mitigation instructions, and hope that those procedures work.
In response to the discovery and publication of these two bugs, consumers have filed class-action lawsuits against Intel in three states: California, Indiana, and Oregon. Chris Cantrell, an attorney at San Diego mass tort firm Doyle APC, “fully expect[s] there to be additional filings” on top of first three. The existing filings base their claims on the “security vulnerability and Intel’s delay in public disclosure from when it was first notified by researchers of the flaws in June.” Bill Doyle, also of Doyle APC and the lead attorney representing the plaintiffs from California, even stated that

“this may be one of the largest security flaws ever facing the American public.”

Media outlets are even speculating that “big cloud service providers,” like Amazon and Microsoft, will seek “some form of compensation” from CPU designers like Intel. Litigation surrounding Meltdown and Spectre is only beginning, but it is clear that there is more legal trouble on the horizon for Intel and other CPU designers.