The Meltdown and Spectre CPU vulnerabilities hung like a shadow over the festivities of CES. What's typically a celebration of consumer electronics was instead a stark reminder of just how far-reaching these issues are. And that's especially the case for Intel and AMD, both of which unveiled fast new processors that are still vulnerable to future Spectre exploits. They each had statements about what they're doing to secure their hardware, but there was no escaping that the threat of Spectre is the new normal. That's particularly troubling when tech companies are hoping to launch smart home solutions that seep into every aspect of our lives.
Intel faced the brunt of the early criticism, when initial reports pegged the potential exploits as something that affected only its chips. It turns out that's not the whole story. The Meltdown vulnerability is specifically aimed at Intel's hardware, but Spectre will be an ongoing issue for every modern CPU. All the same, no massive security hole was going to put a stop to Intel CEO Brian Krzanich's opening CES keynote -- not when its big-budget show was being held at a giant music venue at the Monte Carlo hotel.
After an opening act that featured virtual instruments and a virtuoso child dancer, Krzanich went into crisis response mode almost immediately. "The collaboration among so many companies to address this industry-wide issue across several different processor architectures has been truly remarkable," he said, praising the unusual way competitors rallied together. "Security is job number one for Intel and our industry. So the primary focus of our decisions and discussions have been to keep our customers' data safe."
Krzanich went on to assure the audience that Intel hasn't heard about anyone using these exploits to steal customer data. And he also gave us more clarity about the company's response, noting that it plans to fully patch its product line from the past five years by the end of the month. As for reports of fixes slowing down processors, he reiterated Intel's line about the impact being "highly workload dependent." Microsoft gave us a bit more insight into what that means the next day -- basically, you can expect noticeable slowdowns with Intel's chips from 2015 and earlier.
As for AMD, its CTO, Mark Papermaster, told press and analysts that it still believes there is "near zero risk" for its users. Thanks to architectural differences from Intel, the Meltdown (aka "Rogue Data Cache Load") vulnerability doesn't affect AMD's chips. When it comes to the two Spectre vulnerabilities, he said Variant 1, otherwise known as "Bounds check bypass," will be fixed through OS and software patches.
Papermaster reiterated that there's "near zero risk" for its architecture to Variant 2, or "branch target injection." Specifically, he noted, "vulnerability to Variant 2 has not been demonstrated on AMD processors to date." That carefully worded statement leaves room for the possibility that hackers could come up with new exploits that take advantage of that flaw.
This CES was a particularly ill-timed launch for one of the strangest collaborations in the tech industry: Intel's new 8th-generation Core CPU with AMD's RX Vega GPU. When we first heard about the chip, we were intrigued by the possibilities. It finally gives computer makers the flexibility to make ultraportables with solid gaming chops. But now, with the threat of Spectre, the chip's luster is ruined a bit. Similarly, it's just tough to get too excited about AMD's upcoming Ryzen desktop CPUs. Even its promising Radeon Mobile GPU, which could bring even faster performance to laptops than its Intel collaboration, is still tainted by its connection with AMD's affected processors.
In an interview with Engadget, Jim Anderson, AMD's Radeon head, said, "Regardless of Spectre and Meltdown, we are always focused on continuing to improve our security. ... It's key for two very important markets for us, both data center and the commercial PC market." As for any potential performance hits, Anderson said the impact should be "negligible." Since our chat with AMD, Microsoft has halted patches for Windows systems running the company's chips. It turns out the update ended up bricking some machines. Microsoft blamed AMD's documentation for not conforming with earlier instructions, and it's unclear when the patches will resume.
It'd be bad enough if Spectre affected only individual devices, but this year at CES, tech companies also doubled down on connected platforms built on user data. LG has its ThinQ AI, and Samsung is bringing Bixby and SmartThings to more products. And on a similar front, we're also seeing more companies integrating with smart assistants like Alexa and Google Assistant. It'll be more important than ever to ensure that smart home platforms are secure locally in your home, and that the servers powering all of the assistants are also as secure as possible. (Google, Amazon and Microsoft all say they've patched their servers against known exploits.)
The worry isn't that a hacker could discover your Netflix guilty-watch queue. Instead, there's the potential for them to tap into smart home platforms to track your location, use your home cameras to peep on your family and access the microphones spread throughout your home. Indeed, we've already seen how vulnerable connected baby monitors were, which allowed people to spy on kids and potentially communicate with them. As gadgets reach deeper into our lives, so does the potential for serious attacks.
Tim Alessi, LG's director of product marketing for home entertainment, assured us that the company has "always had a history of making our devices as secure as possible." And when it comes to the widespread data collection that LG's ThinQ smart devices will employ, he noted, "We're not just collecting data for data's sake. It's to help people get the most out of their TVs. And, during setup, it's very clear during the opt-in process to make their own decision."
Going into CES this year, we knew the Meltdown and Spectre vulnerabilities would be something every major tech company would be thinking about. And their response was what you'd expect: They're working hard to fix the immediate issues, and they'll keep an extra eye on security in the future. Intel, which initially deflected blame, vowed to be more transparent with the public.
Spectre (esp v1) is most useful for untargeted watering hole style attacks, very often used by nation states. That one is a big danger. Meltdown (v3) is a privilege escalator, the sort of which we will see get found twice a year at minimum.
— Matt Linton (but not the Gospel Rock singer) (@0xMatt) January 13, 2018
Other major chipmakers, like NVIDIA and Qualcomm, aren't worried about the implications of Spectre. The former claims that its GPUs are entirely immune, while Qualcomm's CEO, Cristiano Amon, seems confident that the company's December patches were enough to mitigate any major issues. He also pointed out that mobile users download software from app stores, which are far more secure than desktops and servers that can run software from just about anywhere.
Until we start to explore entirely new processor designs, we won't be entirely free from the dangers of Spectre. And that's not an easy feat. The x86 CPU architecture powers nearly every desktop, notebook and server. And Spectre remains a flaw in ARM-based mobile processors. While there's a chance that chip makers might be able to tweak their existing designs, that could have unintended consequences. Up until now, the main push for chip companies has been to shrink their existing technology down to smaller fabrication techniques. But, more than ever, there's a need for whole new architectures, which could take years and untold amounts of R&D funding to develop.
LG CLOi photo: Steve Marcus/Reuters