Critical hardware flaws put almost every smartphone, computer at risk: SingCert

SingCert has issued an advisory urging computer and smartphone users to apply security software fixes immediately, after global researchers reported two critical flaws in modern computer chips.

SINGAPORE - Critical hardware flaws revealed this week are putting billions of computers and smartphones at security risk, and Singapore's cyber security authority has urged all users to apply available security software fixes immediately.

Issuing the alert on Thursday evening (Jan 4), the Singapore Computer Emergency Response Team (SingCert) said: "The vulnerabilities enable attackers to steal any data processed by the computer."

This includes confidential information, such as passwords, which could allow them to compromise computers or entire server networks, it added.

SingCert is a unit of Singapore's Cyber Security Agency, which coordinates the nation's response to cyberthreats and attacks.

So far, it has not received any reports of attacks due to the two critical flaws that have been identified. Of these, Meltdown affects computers that use Intel chips, and Spectre affects computers and smartphones built on Advanced Micro Devices (AMD) and ARM processors.

SingCert's advisory follows the release on Wednesday by global researchers of the full details of these two critical flaws in modern computer chips. Between them, they expose almost every computing device to snooping and data theft.

Although billions of computers and devices are vulnerable, security fixes are already being rolled out.

It is not known if hackers have abused the flaws, first discovered by the researchers separately last year. They are from Google's Project Zero, the University of Pennsylvania, Austria's Graz University of Technology, Australia's University of Adelaide and security firms Cyberus Technology, Rambus and Data61.


Both flaws work on the same principle that allows hackers to access the deep recesses of a computer's memory, the researchers wrote on a jointly created website.

"A malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs," they wrote. "This might include your passwords stored in a password manager or browser, your personal photos, e-mails, instant messages and even business-critical documents."

Noting that Intel dominates the global chip market for computers, cyber security firm Fortinet's security research director David Maciejak said: "This is a serious vulnerability that will exist for a long time... It will not take long for the security flaw to be exploited in the wild."

AMD and ARM dominate the rest of the computer chip market, although Samsung now leads in chip making for mobile devices such as smartphones and tablets.

Urging every user to apply available security patches immediately, Mr Stree Naidu, the Asia-Pacific vice-president of cyber security services firm Cato Networks, said: "Not patching the vulnerability not only puts the data in the chip memory at risk, but also provides an entry point to critical servers and the entire corporate network."

On servers such as those run by Google Cloud Services, Amazon Web Services or Microsoft Azure for corporate customers, hackers can even steal data from multiple customers.

Google, Amazon and Microsoft said they have started rolling out security fixes for their cloud service platforms.

Google and Microsoft have also issued security patches for their Web browsers, computers and smartphones. Customers are advised to apply the security fixes promptly. Android users can accept the automatic security updates provided by device makers and reboot the devices.

A Singapore-based Microsoft spokesman said: "We have not received any information to indicate that these vulnerabilities had been used to attack our customers."

Apple, which uses Intel products in its laptops and desktops, has also rolled out fixes for its products running on OS X, said Mr Tony Jarvis, chief strategist at security software firm Check Point Software Technologies. However, Apple has not published any information on the security fixes for its computers and smartphones to date.

Some of the patches are believed to cause slowdowns in a computer's performance by up to 30 per cent, although Intel has reportedly denied it.