Intel, ARM and AMD chip scare: What you need to know

  • Published
Central Processing Unit computer chipImage source, Shutterstock

Nearly all computers worldwide - and many other devices - have been exposed to security flaws which leave them vulnerable to attacks by hackers.

Researchers discovered gaps in security stemming from central processing units - better known as the chip or microchip - which could allow privately stored data in computers and networks to be hacked.

So far no data breaches have been reported. So is it a big deal and what does it mean for you?

What are the bugs?

There are two separate security flaws, known as Meltdown and Spectre.

  • Meltdown affects laptops, desktop computers and internet servers with Intel chips.
  • Spectre potentially has a wider reach. It affects some chips in smartphones, tablets and computers powered by Intel, ARM and AMD.

Bryan Ma, a senior analyst at technology consultancy IDC, says data centres and devices that connect to the cloud are also at risk.

How big is the problem ?

First, let's not panic. The UK's National Cyber Security Centre (NCSC) said there was no evidence that the vulnerability had been exploited.

But now that it has been made public, there's concern the bugs are discoverable and may be taken advantage of.

The BBC understands the tech industry has known about the issue for at least six months - and that everyone involved, from developers and security experts had signed non-disclosure agreements. The plan, it seems was to try to keep things under wraps until the flaws had been fully dealt with.

Consider the figures for personal computers alone: there are 1.5 billion in use today (desktop and laptop combined) and around 90% are powered by Intel chips, IDC estimates. That means exposure to the Meltdown bug is potentially huge.

What information is at risk?

The bugs allow hackers to potentially read information stored on a computer memory and steal information like passwords or credit card data.

Technology analyst Jake Saunders from ABI Research said it was not exactly clear what information might be at risk, but as the security gaps had been exposed "the question is whether other parties can discover and potentially exploit them".

Media caption,

Watch: Chip hacks explained

How do I protect my computer?

Device makers and operating system providers have had time to try to fix this. They are pushing out security updates, or patches, which will protect your computer, tablet or phone against a breach that uses the Meltdown vulnerability. Users should install these updates as soon as they are made available.

Microsoft, Apple and Linux, the three major operating system makers, are all issuing patches.

Apple has said that all Macs, iPhones and iPads are affected by Meltdown, but Macs running the latest version of macOS, numbered 10.13.2, are safe.

The same is true for the latest iOS version 11.2, which is used on iPhones and iPads.

Apple said it will release updates to mitigate against Spectre "in the coming days".

Microsoft released an emergency Meltdown patch for Windows 10 on 4 January via Windows Update. This will subsequently also be applied to Windows 7 and 8 machines.

However, users with third-party anti-virus or security software should also check that this has been updated first, in order for the Windows Update process to install the patch.

Google said Android phones with the most recent security updates are protected, and users of web services like Gmail are also safe. Chromebook users on older versions will need to install an update when it comes. Chrome web browser users are expected to receive a patch on 23 January.

Cloud services for businesses, including Amazon Web Services and Google Cloud Platform, say they have already patched most services, and will fix the rest soon.

Spectre is thought to be much harder to patch and no fix for it has yet been made widely available.

Will the fix slow down my computer?

Some researchers have claimed that any fixes could slow down computer systems, possibly by 30%, but Intel believes these claims are exaggerated. It said any performance impacts were "workload-dependent" and the impact for average computer users "should not be significant".

IDC's Mr Ma agreed that for most regular users - who rely on their computer for web browsing and email - the security fixes were unlikely to slow their computer.

How will the tech industry react?

News about the bugs comes at an awkward time for the industry. Next week, CES, the giant consumer electronics trade show, kicks off in Las Vegas.

Many attendees will be wondering how the new products on display will be affected, and marketing materials detailing speed increases will likely have to be revised.

Experts also think that because Meltdown and Spectre reveal fundamental flaws in how computer chips are designed, there will have to be a serious rethink about how such technology is made in the future.

"It's huge in the geek world," wrote computer security researcher Rob Graham on his blog.

"We'll need to redesign operating systems and how CPUs [central processing units] are made."