Government, health services at risk from Intel chip weakness

  • Friday, 05 Jan 2018

Members of clinical staff work at computers in the Accident and Emergency department of the 'Royal Albert Edward Infirmary' in Wigan, north west England on April 2, 2015. British Prime Minister David Cameron kicked off his re-election campaign Saturday, March 28, 2015, for May's tight poll by echoing his main rival with a new promise to improve the state-run National Health Service (NHS). Polling by Ipsos MORI indicates that the NHS, which provides across-the-board care for Britons and is mostly free, is the most important issue for voters. AFP PHOTO / OLI SCARFF

Highly regulated sectors, such as government offices and public health institutions, are most at risk of compromise as a result of the security flaw present in modern microprocessors from Intel Corp, Advanced Micro Devices Inc and other manufacturers, according to security experts. 

Widespread use of old computers and legacy components means software-based fixes being developed by companies like Microsoft Corp may slow down already-aging systems. 

“This will adversely affect highly regulated sectors, such as the NHS,” said Michela Menting, digital security research director at ABI Research. “There’s a whole chain of authority that needs to run before machines can be altered. In addition to this wait time, once the patches are run, they are likely to slow down processing speeds.” 

Cedric Thellier, chief technical officer at French cybersecurity advising firm Akerva, singled out health-care institutions, as well as industrial players, as those that may be at a greater risk. He said it may simply prove too difficult to update some operationally sensitive systems these businesses rely on.

Reports emerged Tuesday that a feature used by billions of computer microprocessors had a vulnerability that hackers could exploit to gain access to private system data. A fix could be issued, but some computers may see a performance drag. The hardware-based nature of the underlying problem also means recall and replacement are almost certainly not an option.

Large companies running database servers could see some of the biggest impact from any slowdowns, said Ian Batten, a computer science lecturer at the University of Birmingham. 

“I imagine that all over the Square Mile very subtle discussions are being held between database people, security people, compliance people and datacentre managers as they juggle the risk-to-performance trade-off from the patch,” he said, referring to London’s financial centre. 

“Industries where servers need to operate continuously,” such as those that power cloud computing, “could feel an impact,” said Ido Naor, senior security researcher at Kaspersky Lab. Amazon.com Inc, the biggest cloud-computing provider, previously said most of its affected AWS servers have already been secured. Microsoft said the majority of its Azure cloud infrastructure has been updated with the fix and most customers won’t see a noticeable slowdown with the update.

While Intel has said there are no known incidents of this vulnerability being exploited so far, the company also said it may take weeks to fully protect systems running on its chips, and estimates of the degree of slowdowns the fixes may cause are based on simulations. 

Peter Zaitsev, the co-founder and chief executive officer of Percona, a Raleigh, North Carolina-based company that helps businesses set and manage large computer databases, said that firms running such databases might see a 10% to 20% slowdown in performance from the patches being issued. He said this was not enough to cause major disruptions for most applications. He also said that subsequent versions of the patch would likely further reduce any performance impacts. 

He also said that in cases where a company has a server completely dedicated to a single application there was likely no need to implement the patch as these machines are not susceptible to the attacks researchers have discovered. 

Still, computers used by institutions like the UK’s National Health Service are already slow compared with the newest machines today. “Add to that an incremental slowdown,” Menting said, referring to the proposed software patches, “and we’re looking at a significant reduction in productivity.” 

“We are aware of this issue and are continuing to work with stakeholders to ensure the risk is minimized,” said an NHS spokesman. “There is no evidence to suggest this vulnerability has been exploited across health. We are constantly monitoring and continue to work closely with NCSC.” 

Cybercriminals are likely to already be looking for ways to exploit the vulnerabilities, aware that not everyone will install the patches, said Naor. 

Google said in a blog post that it privately informed Intel, ARM Holdings Plc and AMD of these issues on June 1 last year to give them time to find remedies before the vulnerabilities became public. While the companies were working on fixes, the same vulnerabilities were independently discovered by a team of researchers affiliated with several academic institutions and computer-security firms. 

Intel, responding to the reports, said the chip weakness doesn’t mean hackers could corrupt, modify or delete data, and the current solutions to the vulnerability “provide the best possible security for its customers.” There should be no impact on the company’s business, and performance slowdowns “should not be significant and will be mitigated over time,” the company said Jan 3. 

Still, investor concern has put pressure on the stock. Intel shares dropped 2.2% to US$44.25 (RM176.76) at 1.10pm in New York, after declining 3.4% on Jan 3. 

“This is a big blow for Intel,” Menting said. “AMD and ARM have been better with their responses, even if they are trying to allay fears of how long their products will remain vulnerable.” 

The company’s server chips have more than 99% market share. Those computers are at the heart of networks and are vital to the functioning of the internet and corporations. — Bloomberg
