photo by Flickr user Laineema
By now you might be eager to read something that is not about a coronavirus, or at least a story where coronavirus lockdowns might protect against something other than, say, dying. If so, I have some excellent news:
Your Intel-based computer might have hackability built in.
Yes, another security flaw has been discovered in the silicon that sits at the heart of most of the world’s laptop and desktop computers. This particular flaw is so deeply embedded in the chips’ digital DNA that it cannot be patched with anything short of a complete swap out, which for practical purposes means getting a whole new computer.
The good news, so to speak, is that exploiting this security hole is not easy. The kid down the street taking a break from playing Fortnite can’t do it. The West African government official who needs your help to move billions of dollars in gold bullion to London can’t do it. Even the long-distance dedicated hacking teams that carry out all sorts of dirty work for their overseers in the Kremlin and in Beijing’s Politburo can’t do it – at least not without local or physical access to your machine.
So that’s the good-news-about-coronavirus angle. As long as you and your computer are physically isolated together, chances are pretty good that nobody is going to be able to hack into your securely encrypted digital files. That is, unless you keep using the same password you used for the bank account where you fell victim to a phishing scam. In that case, nobody can protect you.
The newly identified problem, as reported in the industry publication Engadget, relates to a part of modern Intel processors known as the Converged Security and Management Engine, or CSME. On many devices, the CSME is the first thing that runs when the computer boots up. One of the first things CSME does is protect its own memory. But according to Engadget, researchers have discovered that there is a brief period when the chip is vulnerable before those defenses come online. During that time – if an attacker has physical access, sophisticated hardware and enough know-how – the attacker can essentially hijack those security measures. Any encrypted files entering or leaving the machine could be vulnerable, or a hacker could gain remote control over the entire device. Keyloggers and other malicious code could operate at the hardware level, so antivirus or malware programs would be no defense.
The vulnerability applies to servers that hold files for many users, as well as to individual laptops or desktops. Most Intel chipsets manufactured in the past five years are technically vulnerable, but not every machine containing an Intel chip would be susceptible to an attack. The latest, 10th generation processors do not share this flaw.
Manufacturers of newer machines that run Windows or Linux have had the ability to incorporate features to defend against the bug, although not all have done so. And certain Macs containing the Apple T1 chip (introduced on some laptops beginning in 2016) or T2 chip (on some desktops and notebooks since 2018) are not vulnerable. Those chips boot and implement security before the main Intel processor is activated.
Should you throw away your computer, or replace the hard drive and then give it to your niece so she can watch YouTube Kids videos on it? Maybe, if you happen to work for a secret service, and keep classified details of sources and methods on your machine. Otherwise this seems to be a problem you really don’t need to worry about.
With nationwide lockdowns spreading abroad and regional shutdowns at home; with forced business closures and voluntary social distancing; with a stock market doing loop-the-loops, and a pandemic mortality and morbidity count rising by the hour, a problem we don’t need to worry about seems like a luxury worth sharing. You’re welcome.