Meltdown and Spectre: Exposing the Achilles’ Heel of Chips

Posted on January 16, 2018

Aiswarya Baskaran
Analyst, Technology, Media & Telecommunications Research
Syed Moinuddin
Associate, Technology Media & Telecommunications Research

In January 2018, technology website The Register reported on security flaws in microchips that make a range of devices, from PCs to servers and smartphones, more susceptible to hacking and could enable unrestricted access to sensitive information, such as passwords. What will this mean for chip manufacturers and how will it affect the broader technology value chain?

The two security vulnerabilities, named Meltdown and Spectre, could compromise certain basic security features, such as the compartmentalization of highly sensitive data and processes. The Meltdown vulnerability primarily affects chips manufactured by Intel, a company that holds approximately 86% of the computer processor market share and about 90% of the server chip market share, and is said to affect devices that have been in use for the past twenty years. Although the Spectre vulnerability is thought to be more difficult to exploit, it affects chips made by Intel as well as AMD and ARM, thus exposing phones and tablets. The vulnerabilities were originally identified by Google’s security researchers, who notified Intel in June 2017. While Intel and other technology companies kept the vulnerabilities under wraps and developed fixes, three other independent research teams identified the same bug, suggesting a high chance of rediscovery. The good news is that these flaws were identified by security researchers in a controlled lab environment and, so far, hackers have not acted upon them. However, now that the flaws are publicly disclosed, it is likely that malicious actors will attempt to exploit these vulnerabilities.

Implications for Semiconductor Companies and the Technology Value Chain

In response to news of these security vulnerabilities, Intel’s stock price declined while its long-time rival AMD saw an uptick. However, the uptrend in AMD stock was hindered after a software update provided by Microsoft to fix the vulnerability rendered PCs unbootable. Beyond the hit to its credibility, Intel is facing three independent lawsuits seeking class action status, and the news could trigger other legal action and regulatory scrutiny. Compounding these risks is the fact that the company’s CEO is being accused of insider trading for selling stock five months after the security flaw was disclosed to Intel by security researchers. Although Intel denies this allegation and states the stock sale was previously planned, scheduling a stock sale when Intel was aware of the vulnerability could trigger a probe by the US Securities and Exchange Commission. It is unclear how these security flaws will impact Intel’s strong semiconductor market share and whether, moving forward, customers will negotiate cheaper deals with Intel or choose a different vendor.

This security flaw has far-reaching implications, beyond Intel, for other companies in the technology value chain, including technology hardware manufacturers (e.g. Apple, Dell), operating system makers (e.g. Microsoft), and cloud and software providers (e.g. Google, Amazon Web Services). Cloud vendors are particularly vulnerable, as users share infrastructure, making it easier for an attacker to gain access. These parties are working to provide software updates that can secure devices. However, these patches may also slow down the performance of certain devices, such as servers, by up to 30% according to some reports. Intel has released software updates to a majority of its processor products; however, it is unclear how it plans to tackle older products. Complicating matters is the risk that any software patch may not have the necessary adoption rate to mitigate widespread security vulnerabilities. In addition, software updates can only mitigate security issues to a certain degree, especially for the Spectre vulnerability. Such hardware-based security vulnerabilities are particularly difficult to address through remote updates and often require physical changes to chip design.

Internet of Things and the Future of Chip Design

Semiconductor chips are ubiquitous, and they enable critical electronic systems used in healthcare technology, communications systems, defense systems, electoral voting, and cloud infrastructure. As the adoption of Internet of Things (IoT) accelerates and more devices integrate internet-enabled chips, we expect the risk of exploiting such vulnerabilities to increase. Chip design is complex and often the culmination of a multi-year development roadmap. Given the importance of secure chips, semiconductor companies need to take into account the evolving nature of cybersecurity threats and strengthen testing and security breach mitigation procedures. The accountability for information security is spread across the technology value chain and begins with the semiconductor chip.
