monsitj - Fotolia

Intel to set up new group to focus on hardware security

Chip maker is reportedly planning to form a new group to focus on hardware security as it scrambles to limit the impact of recently discovered security flaws in chip designs

Intel is prioritising hardware security in the wake of discoveries that its chips have design flaws that could be exploited by attackers.

Intel CEO Brian Krzanich sent an internal memo to employees announcing the creation of a new group called Intel Product Assurance and Quality, according to The Oregonian.

“It is critical that we continue to work with the industry, to excel at customer satisfaction, to act with uncompromising integrity, and to achieve the highest standards of excellences,” Krzanich said in the memo. “Simply put, I want to ensure we continue to respond appropriately, diligently, and with a customer-first attitude.”

The memo, sent just hours before Krzanich delivered the opening keynote at CES 2018 in Las Vegas, said the new group will be run by current head of human resources Leslie Culbertson, who joined Intel in 1979 and has previously served as director of its finance organisation and as general manager for systems manufacturing. 

Further underlining the importance Krzanich places on the new group, Culbertson will be joined by Josh Walden, currently senior vice-president and general manager of Intel’s new technology group, and Steve Smith, currently vice-president and general manager of Intel’s datacentre engineering group.

Intel’s chips are not only vulnerable to an Intel-specific exploit dubbed Meltdown, which allows user mode processes to infer the contents of kernel memory, but are also affected by Spectre, an exploit that affects most modern chips, including those made by rivals.

Chip makers and software producers are fast-tracking the release of firmware and operating system updates. The latest of these updates is one from Apple, which the company claims protects its Safari browser and WebKit from Spectre exploits. Apple earlier issued updates to address Meltdown.

The newly released macOS High Sierra 10.13.2 and iOS 11.2.2 updates are designed to block the possibility of the Spectre vulnerability being exploited via a Javascript attack via the Safari browser.

It really is important to keep browsers patched, says independent security consultant Graham Cluley. “Browsers are an obvious route through which an attacker could successfully execute code on your computer,” he wrote in a blog post. “That’s one of the reasons why I am also a strong advocate of users never venturing out onto the web without the added protection of an ad blocker.”

Read more about Spectre and Meltdown

Although Meltdown can be fixed with a software update, Spectre can only be mitigated with microcode updates.

The only true fix for Spectre will be to redesign processors to eliminate the vulnerabilities that it exploits, and the new group at Intel is likely to focus on making sure the new chips are secure.

The processor flaws also endanger the PCs, internet browsers, cloud computing services and other technology that rely on them. The Meltdown and Spectre exploits enable what is known as a side-channel attack that could extract passwords and other sensitive data from the chip’s memory.

“Security is job number one for Intel and our industry,” Krzanich said in his address to the Consumer Electronics Show in Las Vegas.

“Our primary goal has been to keep our customers safe,” he said, adding that although there is no evidence that these exploits have been used to steal data, he recommended that people patch their systems as soon as possible.

Intel says it has issued updates for more than 90% of its microprocessors produced in the past five years and that more updates are coming in the next few weeks.

Initial reports suggested that any fix could slow computer performance significantly. “We expect some workloads may have a larger impact than others,” Krzanich said at CES, adding that Intel would continue to work to mitigate those impacts.

Next Steps

Intel debuts Solutions Marketplace for partner ecosystem

Read more on Hackers and cybercrime prevention