California Lawmaker Sounds Alarm On Computer Chip Security Flaws
SANTA CLARA (CBS SF) -- Growing concerns over recently discovered, widespread computer chip vulnerabilities that may allow programs to steal consumers' data have prompted a California congressman to demand answers from three semiconductor industry heavyweights.
Rep. Jerry McNerney (D-Antioch) has asked Intel, Arm and AMD to not only explain which products contain chips with the so-called Spectre and Meltdown vulnerabilities, but also what the companies are doing to protect consumers -- which include many government offices and private businesses.
"Should the vulnerabilities be exploited, the effects on consumers' privacy and our nation's economy and security would be absolutely devastating," said Rep. McNerney in a letter requesting briefings from the three companies.
Intel, Arm, and AMD processors are all affected by the vulnerabilities and almost all consumers have been impacted. The firms have already begun releasing fixes to the public.
In a letter to the companies, McNerney pointed to research showing that these vulnerabilities can be used to leak personal information, passwords, bank accounts, emails and photos, as well as generally undermine security systems.
McNerney is a former engineer and current member of the House Committee on Science, Space, & Technology. His youngest son, Greg, is an Intel employee, McNerney's office said.
A spokesperson from McNerney's office told CBS San Francisco that they have heard back from all three companies and are in the process of scheduling briefings. The office did not say whether the hearings would be public or private.
The public was made aware of the chip vulnerabilities earlier this month by a team of Google security researchers who discovered the flaws.
The congressman's request for briefings comes after four class-action lawsuits were filed against Intel for these flaws and two were filed against AMD. Apple has also been sued by consumers alleging the company knowingly sold devices with the security flaws.
On Thursday, Cornell University computer scientist Andrew Myers compared the current state of the computer security industry to a town built only of wooden buildings: despite many fires, the town continues to construct more buildings out of wood instead of switching to newer technologies such as concrete and steel.
"And even the firehouse is still made out of wood," Myers wrote on his blog Jif Fabric.
"The Meltdown/Spectre attacks are a flashing warning sign that our existing science of security and correctness is not quite up to the task," wrote Myers.
Santa Clara-based Intel Corporation did not immediately respond to a request for comment and did not say how many chips are impacted, but the company acknowledged in a blog post the potential for attackers to use these flaws "to improperly gather sensitive data from many types of computing devices with many different vendors' processors and operating systems."
Navin Shenoy, the executive vice president and general manager of the Data Center Group at Intel, said this week that their company has issued updates for 90 percent of the processors they introduced in the last five years.
Arm, a UK-based company with North American headquarters in San Jose, told CBS San Francisco that they have been in touch with McNerney and share his goal of creating more secure devices.
Phil Hughes, director of public relations at Arm, told CBS SF, "The number of Arm-based chips impacted by Spectre is around 5 percent of the 120+ billion chips Arm's silicon partners have shipped since 1991. The percentage of Arm-based chips impacted by Meltdown is significantly lower."
Still, that's around six billion chips impacted.
Hughes said Arm, Intel and AMD were all notified of the flaws by security researchers at Google in June 2017 and are now deploying software mitigation options.
Hughes stressed the importance of mobile users avoiding suspicious links or downloads and keeping their software current.
"To date," Hughes said, "Arm is not aware of any evidence of these exploits being executed in real-world environments. As previously mentioned, these exploits are dependent on malware running locally and Arm is not aware of any such malware currently tied to the Spectre or Meltdown exploits."
Intel has also said that it is not aware of any malware based on these exploits.
Sunnyvale-based AMD said they have been in contact with Rep. McNerney.
AMD's Senior Vice President and Chief Technology Officer Mark Papermaster wrote in a blog post last week that the security issues identified by Google researchers "has brought to the forefront the constant vigilance needed to protect and secure data."
By Hannah Albarazi - Follow her on Twitter: @hannahalbarazi.