Critical hardware flaws put almost every smartphone, computer at risk: SingCert

[SINGAPORE] Critical hardware flaws revealed this week suggest that your computer or smartphone could be among the billions worldwide at riskandSingapore's cyber security authority has urgedall users to apply available security software fixes immediately.

Issuing the alert on Thursday evening (Jan 4), the Singapore Computer Emergency Response Team (SingCert) said: "The vulnerabilities enable attackers to steal any data processed by the computer." This includes confidential information, such as passwords, which could allow them to compromise computers or entire server networks, it added.

SingCert is a unit of Singapore's Cyber Security Agency, which coordinates the nation's response to cyber threats and attacks. So far, it has not received any reports of attacks due to the two critical flaws that have been identified. Of these, Meltdown affects computers that use Intel chips, and Spectre affects computers and smartphones built on Advanced Micro Devices (AMD) and ARM processors.

SingCert's advisory follows the release on Wednesday (Jan 3) by global researchers of the full details of these two critical flaws in modern computer chips. Between them, theysubject almost every computing device to snooping and data thefts.

Although billions of computers and devices are vulnerable, security fixes are already being rolled out.

It is not known if hackers had abused the flaws, first discovered by the researchers separately last year (2017). They are from Google's Project Zero, the University of Pennsylvania, Austria's Graz University of Technology, Australia's University of Adelaide and security firms Cyberus Technology, Rambus and Data61.

Both flaws work on the same principle that allows hackers to access the deep recesses of a computer's memory, the researchers wrote on a jointly-created website."A malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs," they wrote. "This might include your passwords stored in a password manager or browser, your personal photos, e-mails, instant messages and even business-critical documents." Noting that Intel has a global market share of 80 per cent, cyber security firm Fortinet's security research director David Maciejak said: "This is a serious vulnerability that will exist for a long time...It will not take long for the security flaw to be exploited in the wild." Urging every user to apply available security patches immediately, Mr Stree Naidu, the Asia-Pacific vice president of cyber security services firm Cato Networks, said: "Not patching the vulnerability does not only put the data in the chip memory at risk, but provides an entry point to critical servers and the entire corporate network." On servers such as those run by Google Cloud Services, Amazon Web Services or Microsoft Azure for corporate customers, hackers could even steal data from multiple customers.

Google, Amazon and Microsoft said they have started rolling out security fixes for their cloud service platforms.

Google and Microsoft have also issued security patches for their Web browsers, computers and smartphones. Customers are advised to apply the security fixes promptly. Android users can accept the automatic security updates provided by device makers and reboot the devices.

A Singapore-based Microsoft spokesman said: "We have not received any information to indicate that these vulnerabilities had been used to attack our customers." Apple, which uses Intel products in its laptops and desktops, has also rolled out fixes for its products running on OS X, said Mr Tony Jarvis, chief strategist at security software firm Check Point Software Technologies. However, Apple has not published any information on the security fixes for its computers and smartphones to date.

Some of the patches are believed to cause slowdowns in a computer's performance by up to 30 per cent, although Intel has reportedly denied it.

THE STRAITS TIMES