Back when several Jeep models were found vulnerable to cyberattack in 2015, Fiat Chrysler announced a recall of 1.4 million cars. Should the same happen for computers when vulnerabilities can't be entirely fixed with software updates alone?
This is the question being asked after the Meltdown and Spectre vulnerabilities were revealed, affecting almost every modern computer in existence, in particular those based on Intel, AMD and ARM processors. Whilst software patches are coming and should do much to mitigate real-world attacks, the U.S.-government-sponsored Computer Emergency Response Team (CERT) running out of Carnegie Mellon stated Wednesday that the true, long-term solution was simply to replace the vulnerable computer chips entirely. “The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” the body wrote.
Could recalls be necessary? While it may be technically accurate to say a completely redesigned chip is the ultimate solution, it’s hugely unlikely customers are going to get free fresh devices. Vendors haven’t mentioned anything of the sort. And, some say, large-scale hardware replacements would amount to a needless, over-the-top reaction.
Don’t expect a free new PC
The more concerning issue from a long-term perspective is Spectre, which tricks applications into coughing up pieces of their memory. As the researchers noted yesterday, it’s harder to exploit, but trickier to effectively patch with software. Not to mention there aren’t any fixes currently available for the specific issue, whilst many patches are coming for Meltdown.
But consumers shouldn't expect their PC maker to replace the chips in their computer or supply a new machine because of Wednesday's startling revelations; most security researchers believe that, for now, software updates should be enough to prevent real-world attacks exploiting Meltdown and Spectre. And as cybersecurity practitioner Kevin Beaumont told me on Twitter, the US CERT gave the bugs low scores in terms of the risk posed to users.
And Martijn Grooten, editor at Virus Bulletin, was critical of anyone suggesting a full-scale recall.
Ultimately, chip makers like Intel will now be ensuring future chips won't have the same problems, so it's possible those running highly critical systems, where any information leakage is unacceptable, will want to replace their own hardware. Cybersecurity expert Rob Graham said that upgrading from older Intel processors to newer ones could also avoid the loss of performance that the chip maker admitted could slow certain computers, depending on the workload.
All that isn't to say consumers don't deserve better from their tech providers, said Matthew Hickey, director of cybersecurity company Hacker House. "CPU bugs have never resulted in a recall before as they get patched with microcode … This is a good case for arguing that we should have better protections as consumers for our technology. We would recall cars if they weren't safe, why not faulty hardware?" (As an alert reader pointed out, there has been a CPU recall before, in 1994, when a bug was uncovered in an Intel Pentium processor.)
For concerned users, see this list of the available fixes for Meltdown and Spectre from major tech manufacturers.
UPDATE: After publication, the CERT changed its guidance from suggesting replacement of CPUs to recommending updates. It wrote the following: "Operating system and some application updates mitigate these attacks."
The official US government CERT (US-CERT) run out of the Department of Homeland Security still warned: “Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases.”