Banks, telcos in Singapore working to mitigate 'Meltdown' and 'Spectre' chip flaws

Banks and telcos in Singapore are applying security software fixes to mitigate the two major flaws that are affecting almost all computers and smartphones. PHOTO: AFP

SINGAPORE - Essential-services sectors in Singapore are working furiously to mitigate cyber security risks linked to two critical hardware flaws discovered last year but made public only last week.

Major banks here and telcos Singtel, StarHub and M1 told The Straits Times they are applying available security software fixes to mitigate "Meltdown" and "Spectre", the two major flaws affecting almost all computers and smartphones. Some companies have also issued alerts to customers to do the same.

"As a responsible Internet service provider, we always ensure that our network equipment runs the latest software patches," said StarHub, urging customers to update the software for all their Internet-facing devices.

A Singtel spokesman said: "We advise our customers to monitor the websites of product vendors and device manufacturers for software patches and immediately update their devices with these patches when they are available."

Billions of computers and smartphones are compromised as they were built using the same processors designed by Intel, Advanced Micro Devices (AMD) and ARM, where the two flaws were discovered.

Major banks such as DBS Bank, OCBC Bank and UOB said they are installing the software fixes as part of their routine risk management process.

ST understands that banks generally use a mixture of Linux and Windows systems for banking operations, and these systems run mostly on Intel processors. For certain critical tasks, some banks use expensive Unix systems that are not affected by the chip flaws.

The alert was given after the Singapore Computer Emergency Response Team (SingCert) issued an advisory on the flaws which, combined, affect practically all computers and smartphones.

The vulnerabilities allow hackers to access the deep recesses of a computer's memory and steal data, including passwords and confidential documents, said SingCert.

The United States government-sponsored Computer Emergency Response Team initially said the only way to fix the vulnerabilities was to replace the defective processor. It later withdrew the recommendation, instead saying that those affected should install updates.

SingCert - a unit of Singapore's Cyber Security Agency that coordinates the nation's response to cyber threats and attacks - did not recommend hardware replacement. Its advisory contains only instructions to update system software.

ST understands there is no commonly available, affordable hardware alternative - all affordable processors are based on Intel, AMD and ARM designs. Unix systems sold only to large corporations cost at least 10 times more than Linux and Windows systems, according to experts.

Security experts said a hardware-level redesign could take years, and hardware replacement will cost companies dearly.

Meanwhile, many vendors, including Intel, Google, Microsoft and Amazon, have started rolling out software patches to help mitigate the risk of a cyber attack, which is not known to have been launched so far.

The latest to issue an advisory on the flaws is Apple. On Thursday, Apple said Meltdown has the most potential to be exploited. Security updates were issued last month in the iOS 11.2 operating system for smartphones, macOS 10.13.2 for computers, and tvOS 11.2 for media players. It also said its watchOS for smartwatches did not require mitigation.

Spectre is harder to exploit than Meltdown but also harder to fix, said experts.

Join ST's Telegram channel and get the latest breaking news delivered to you.