New products, from computers and phones to productivity-increasing software and trendy applications, are constantly released to consumers. The risks posed by these constant technological advancements, paired with the massive 2017 Equifax breach and other recent security breakdowns, should put cybersecurity on the mind of every individual.
In 2018, researchers discovered two massive computer flaws. Dubbed “Spectre” and “Meltdown,” both vulnerabilities are security holes that stem from flaws in the design of processors found in millions of computers. Meltdown alone affects every computer built with an Intel processor since 1995.
Although the scope and sheer number of affected users are causes for concern, the real issue revealed by these flaws is how long companies knew about them and the disorganized attempts by those companies to publish patches and updates.
Ultimately, companies like Intel, Apple, Google and Microsoft endanger consumers when they fail to be transparent and communicative — both to purchasers and one another — about discovered vulnerabilities.
Understanding Spectre and Meltdown requires an understanding of how computers perform tasks efficiently. Many processors conduct “speculative execution,” meaning the processor guesses what type of information to use for a given task. If it guesses correctly, it stores the correct guess while discarding the incorrect ones. In short, speculative execution allows the computer to run more efficiently.
The Spectre vulnerability allows would-be attackers to trick processors into running speculative execution at will, causing the computer to summon sensitive data and thereby creating an opening to extract information. Meltdown is different in that it allows intruders to access data through a computer’s operating system directly, giving hackers an opportunity to exploit a flaw in computer security that is commonly trusted to protect data.
Meltdown is a more serious issue than Spectre because it breaks down the data separation that is supposed to be a security standard for modern computer systems. Meltdown affects nearly all computers with Intel processors, and since Intel controls nearly 80 percent of the total processor market, millions of computers are vulnerable.
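For readers who want to see where their own machine stands, the following is an added example, not part of the original column. It assumes a Linux host whose kernel reports per-flaw status under /sys/devices/system/cpu/vulnerabilities, where Spectre appears as two variants; the function names are illustrative.

```python
from pathlib import Path

# Linux kernels patched for these flaws report per-flaw status here (assumed host: Linux).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one kernel status line to a coarse state."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        # A mitigation line can still list a sub-item as "Vulnerable".
        return "partial" if "Vulnerable" in s else "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(base=SYSFS_DIR):
    """Return {flaw: (state, raw kernel text)} for Meltdown and both Spectre variants."""
    report = {}
    for flaw in FLAWS:
        try:
            raw = (Path(base) / flaw).read_text().strip()
        except OSError:
            # Missing file: kernel predates the reporting interface, or not Linux.
            report[flaw] = ("unknown", "no kernel report")
            continue
        report[flaw] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Flaws that are not confirmed mitigated or not affected."""
    return sorted(f for f, (state, _) in report.items()
                  if state in ("vulnerable", "partial", "unknown"))


if __name__ == "__main__":
    result = audit()
    for flaw, (state, detail) in result.items():
        print(f"{flaw:<11} {state:<13} {detail}")
    print("needs attention:", ", ".join(needs_attention(result)) or "none")
```

An "unknown" result means the kernel offers no report at all, which on Linux usually indicates a kernel older than the patches discussed here.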
Yet Intel and Google knew about this vulnerability for over seven months before going public. Researchers at a Google cybersecurity branch sent emails to chipmakers Advanced Micro Devices and Intel detailing the discovery in June 2017. Instead of addressing the problem, companies tried to hide the findings. Intel and ARM — along with partners like Microsoft, Google and Amazon Web Services — also shunned productive cooperation and maintained as much secrecy as possible in their attempts to rectify the situation.
It is understandable why a company might be reluctant to disclose information related to a vulnerability: If the company publicly acknowledged a flaw before a proper fix and update, hackers could seize the opportunity.
However, the processor companies and tech firms tried as quietly as they could to publish fixes without tipping off consumers. Microsoft sent out patches in November, while Amazon notified enterprise users of reboots that could disrupt their systems in January, but none of these communications ever referenced Spectre, Meltdown or the problems with speculative execution. Consumers were left in the dark when they should have been notified of both the vulnerabilities and how they were being addressed.
Finally, through the combined efforts of researchers, computer scientists, engineers and reporters investigating the updates, The Register, an online technology news outlet, published one of the first reports outlining the flaws Jan. 2.
A cascade of rushed patches and updates soon followed, leading to significant performance hits and crashes: Microsoft had to halt patches entirely after reports of unbootable computers; Apple released patches only a week ago; and a cybersecurity division of Homeland Security was only alerted to these flaws on the same day research from Intel and Google became public in early January. Even users of Amazon Web Services experienced significant performance drops.
The ongoing saga of Spectre and Meltdown exemplifies how consumers suffer when communication and transparency break down. We will never live in a world free of technological flaws and vulnerabilities — the faster technology is developed, the greater the chance of bugs and exploits. Yet, as Spectre and Meltdown show, opportunities to mitigate these technical threats are ever-present in collective action and transparent publishing.
The question then becomes how companies that control hardware and software alike will approach flaws going forward. If they decide to take great care and due diligence in sharing their findings, consumers can be better served. However, if they take the same path as in recent months, we are doomed to experience another Spectre and Meltdown saga in the future.
Humza Moinuddin is a senior in the School of Foreign Service. Ones and Zeros appears online every other Wednesday.