US Congressman looking for answers about Spectre and Meltdown
A California congressman is seeking answers to the recently disclosed Spectre and Meltdown vulnerabilities found in many microprocessors, and has written letters to the CEOs of Intel, AMD and ARM, reports Security Now (FinTech Futures’ sister publication).
In his letter, Rep. Jerry McNerney (D-Calif.), who sits on the House Energy and Commerce Committee, asked the CEOs to provide answers about the Spectre and Meltdown flaws and the wide-ranging effects these vulnerabilities could have regarding any number of PCs, servers or other devices, such as smartphones.
McNerney also raised concerns about cybersecurity issues.
“Analysis by security researchers suggests that nefarious actors could use Spectre and Meltdown to access and steal users’ personal information, including passwords, online bank accounts, emails, and photos,” according to the letter. “They could also take advantage of these security flaws to access and steal critical documents held by businesses and government agencies. Should the vulnerabilities be exploited, the effects on consumers’ privacy and our nation’s economy and security would be absolutely devastating.”
After the disclosure of Spectre and Meltdown earlier this year, it was Intel that took the biggest hit since it’s the world’s largest producer of x86 chips. At CES, CEO Brian Krzanich laid out the company’s plans to be more forthcoming with these types of security concerns.
However, Intel is not the only chip maker susceptible to these two flaws, and in addition to Krzanich, letters were also sent to Lisa Su, the CEO of Advanced Micro Devices, and Simon Segars, the CEO of ARM, which is owned by Softbank.
In addition to questions about the scope of Spectre and Meltdown, as well as how consumers are affected, McNerney is asking for a timeframe of when the companies knew about the vulnerabilities and when notifications went out, as well as what is being done to fix these issues in future chip designs.
“In recent years, we witnessed the largest global ransomware attack in history and the largest distributed-denial-of-service attack of its kind in history,” McNerney wrote. “The warning signs keep piling on, yet cybersecurity practices continue to lag far behind.”
Although these types of vulnerabilities have been known for close to 20 years, Spectre and Meltdown came to wide public attention earlier this month thanks to a paper published by researchers at Graz University of Technology in Austria.
The research found that by manipulating pre-executed commands within the chip, which help make data available faster, hackers can gain access to the content of the kernel memory. The security concern is that this flaw can allow a hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.
McNerney, who holds a PhD in mathematics, has recently introduced a bill called the Securing IoT Act, which would require cybersecurity standards and certifications for wireless devices used in the internet of things (IoT).