Huge security flaws revealed — and tech companies can barely keep up

Security experts say attacks would be relatively easy to develop and could allow the theft of private information such as passwords, credit card numbers, private corporate data and other information stored in computers or smartphones. Photo / 123RF

Security experts scrambled on Friday to try to reassure computer users worldwide that a newly discovered type of security flaw can be managed — though not eliminated — through the simple act of updating software with patches that technology companies have been frantically developing for months.

But this relatively soothing message comes against a backdrop of alarm within the technology industry, which has been stunned to discover that the microchips powering nearly every computer and smartphone have for years carried fundamental flaws that can be exploited by hackers and yet cannot be entirely fixed.

The flaws, announced this week and dubbed Meltdown and Spectre, flow from designs that allowed computers to operate more quickly and efficiently. Though it's not clear whether hackers have exploited these flaws, security experts say attacks would be relatively easy to develop and could allow the theft of private information such as passwords, credit card numbers, private corporate data and other information stored in computers or smartphones. Such attacks, the experts add, would likely not leave any trace that could be detected.

"This is the most significant security news we've had in the last 10 years," said Avi Rubin, a computer science professor at Johns Hopkins University specializing in health-care security. "Some of the mitigations are going to be extremely expensive. I think this is the real deal."

Though the patches issued in recent days and weeks should largely protect users against Meltdown — which exploits a flaw mainly in Intel microchips — companies have long struggled to successfully distribute such fixes to all of their users. The patches, meanwhile, are likely to cause computers, smartphones and other devices from Apple, Dell and other PC makers to operate more slowly, though it's not clear whether the difference will be noticeable to users.

Experts consider Spectre — which affects AMD, Arm and Intel chips — more difficult for hackers to exploit but also harder to fix through software ­patches.

For both flaws, a total fix will require the redesign, production and distribution of new computer chips — a process that experts say is likely to take many years to complete.

Security experts said it was impossible to know whether hackers had used the two software flaws to steal data, though it's possible given that rumors of the flaws had been circulating for several months within the security community.

"It gave lots of people time to do things with it," said Jake Williams, president of Rendition InfoSec and a former National Security Agency employee. "I'm not worried about NSA. I'm worried about everybody else."

Current and former U.S. officials also said the NSA did not know about or use Meltdown or Spectre to enable electronic surveillance on targets overseas. The agency often uses computer flaws to break into targeted machines, but it also has a mandate to warn companies about particularly dangerous or widespread flaws so that they can be fixed.

Rob Joyce, White House cybersecurity coordinator, said, "NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability."

Joyce, who used to run the NSA's elite hacking division, recently made public the rules by which the government decides to disclose or keep secret software and hardware flaws that can be exploited by hackers, including NSA personnel. He said the vulnerabilities equities process, known as VEP, "is very responsible."

The bigger risk may be criminal hackers. Cybersecurity researcher Matt Tait said he first learned about Meltdown last week. With about a day of work, he was able to develop a functioning example of how the vulnerability could work. He said it's impossible to know whether malicious hackers have deployed Meltdown because the flaw creates no record of the intrusion.

"The reality is we don't know," said Tait, a senior cybersecurity fellow at the Robert S. Strauss Center at the University of Texas at Austin. "Now that the vulnerability has been made public, we should expect this being exploited in the wild in the next few days."

It's common for researchers to withhold public disclosure of a security flaw until companies can create patches to protect users. But the delay for Meltdown and Spectre was unusually long because of the difficulty of trying to remedy hardware problems and the complexity of working across affected companies.

"It's been annoying because the kinds of changes that this all causes for system software are really nasty to write and test . . . So there's a lot of reasons why it's not the 'fun' kind of challenge," said Linus Torvalds, creator of the Linux operating system, in an email reply to questions from The Washington Post.

He added, "For most people, get your system updates and not doing stupid things ('don't run random software from people you don't trust') and you're fine."

Of particular concern, how­ever, are the risks to cloud servers, which often carry the information of multiple customers on a single machine, making them potentially vulnerable to attacks such as Meltdown.

Dozens of large companies have moved volumes of data from company-owned data centers into remote computers that are owned and managed by Amazon.com, Microsoft, Google and other technology companies. Amazon is the largest player in the cloud computing industry. (Amazon's owner, Jeffrey P. Bezos, owns The Washington Post.)

In the last year alone, Costco, Hulu, General Electric, Kohl's and PayPal are among the companies that have signed on with major cloud providers. Google chief executive Sundar Pichai has said growing his company's cloud computing service is among his top priorities.

While companies, particularly banks and health-care institutions, have long expressed concern about letting other companies house their most sensitive data, many have warmed to the idea. Some have said that technology companies are actually better equipped to make major investments in security and in enhancing the performance of data-processing software, but news of major security flaws threatens to make companies reconsider.

Experts say that for ordinary computer and smartphone users, the main priority should be keeping their software updated.

Buying new computers without the hardware flaw is impractical and expensive, even for deep-pocketed­ companies and government agencies.

"The costs alone are insane," said Tony Cole, vice president and global government chief technology officer at FireEye. He estimated that a global overhaul would amount to trillions of dollars in new expenses. "It would be mind-boggling if everyone tried."

Ellen Nakashima contributed to this report.