KRWG

Nearly Every Computer Could Be Impacted By New Security Flaws

Jan 5, 2018
Originally published on January 5, 2018 6:26 am
Copyright 2018 NPR. To see more, visit http://www.npr.org/.

STEVE INSKEEP, HOST:

If you own an iPhone or a Mac or pretty much any smartphone or computer, chances are you have a security problem, a problem with the chips that power those devices. Researchers discovered they are vulnerable to hackers and have been for years. The names given to these defects are not exactly comforting - Meltdown, Spectre. Matt Tait's going to discuss this with us. He's a cybersecurity fellow at the University of Texas at Austin. Good morning, sir.

MATT TAIT: Good morning. Thanks for having me.

INSKEEP: OK. So I'm holding a smartphone. Is this defect essentially a door that's left open to my supposedly secure device?

TAIT: Basically, yes. What's happened is there's two of these vulnerabilities, which affect basically all computer processes which exist in your phone, in your laptop, in cloud computing environments, as well. And the problem is that this defect affects the hardware itself, which means that, unlike software, where we can just ship an ordinary software update to fix these defects, we can't just ship it.

INSKEEP: And the defect means that a hacker could get into that phone, get into that computer, get the information out?

TAIT: So what the defect allows is for malware to steal the computer memory of a different process that's running. And that's particularly dangerous in the context of cloud computing, where, of course, lots of different people are using the same computers. And you don't want some people to steal the memory from other customers' devices.

INSKEEP: Do you have any sense of how much this defect has been exploited?

TAIT: So we can't tell whether or not it's been exploited. It's completely invisible. But what we have been able to see is that, although we can't fix the hardware itself, we've been able to invent new bits of computer science in order to make operating systems safe in order to protect against this particular defect from being exploited.

INSKEEP: How so?

TAIT: So in the event that you install your software updates - and, you know, Microsoft and Linux and Apple have all issued software updates that will protect the operating system against this defect being exploited - then hackers can't use this vulnerability in order to attack other processes and steal their computer.

INSKEEP: So your argument is that it's - well, their argument is that it's OK now, so long as you've taken whatever updates you've been offered.

TAIT: So for people at home, yes. The takeaway is that you need to install your security updates. And then you'll be able to protect yourself against a lot of these defects. And, really, the interesting thing about this vulnerability is the sheer amount of work that's had to be put in by operating system developers, people that make web browsers, by people that work in cloud computing companies in order to find completely novel ways of protecting against this vulnerability from being exploited.

INSKEEP: You know, I got to ask - sometimes, when there's a disaster in the physical world - you know, the dam breaks, the bridge collapses - there's somebody who warned that there was a problem that was overlooked. Is there any evidence that chip makers and computer companies had some kind of warning that there was a problem here and went ahead and sold millions and millions of devices?

TAIT: So we don't know whether or not they knew that this was going to be a defect in advance. But what we do know is that this vulnerability has been worked on for months and months and months by a very large amount of people in the U.S. technology community because it's such a weird vulnerability that required completely new parts of computer science to be invented in order to find ways to protect against it.

INSKEEP: And they were doing this in secret, in effect, to avoid word of the vulnerability spreading too far?

TAIT: Yes. So this was completely secret. We started to get word that this vulnerability might exist. And people were able to reverse engineer what that vulnerability was in the final days of the embargo. But, yes, this was all being done in secret by lots of very big computer technology companies.

INSKEEP: OK. Matt Tait, thanks very much. Really appreciate it.

TAIT: Thanks so much for having me.

INSKEEP: He's senior cybersecurity fellow at the University of Texas at Austin. Transcript provided by NPR, Copyright NPR.