Intel alerted Chinese cloud giants 'before US govt' about CPU bugs
'We certainly would have liked to have been notified of this' says Homeland Security
Intel warned Chinese firms about its infamous Meltdown and Spectre processor vulnerabilities before informing the US government, it has emerged.
Select big customers – including Lenovo and Alibaba – learned of the design blunders some time before Uncle Sam and smaller cloud computing suppliers, The Wall Street Journal reports, citing unnamed people familiar with the matter and some of the companies involved.
The disclosure timeline raises the possibility that elements of the Chinese government may have known about the vulnerabilities before US tech giant Intel disclosed then to the American government and the public.
The Meltdown and Spectre chip flaws were first identified by a member of Google's Project Zero security team shortly before they were independently uncovered and reported by other teams of security researchers. "Intel had planned to make the discovery public on Jan. 9... but sped up its timetable when the news became widely known on Jan. 3, a day after U.K. website The Register wrote about the flaws," the WSJ reports.
Intel worked on addressing the vulnerabilities with security researchers at Google and other teams that uncovered the processor vulnerabilities as well as PC makers – specifically, the larger OEMs – and cloud-computing firms. Those informed included Lenovo, Microsoft, Amazon and Arm.
The WSJ omits any mention of when notification was made to Lenovo et al, but a leaked memo from Intel to computer makers suggests that notification of the problem for at least one group of as-yet unnamed OEMs took place on November 29 via a non-disclosure agreement, as previously reported.
Lenovo was quick out the gate on January 3 with a statement advising customers about the vulnerabilities because of work it had done "ahead of that date with industry processor and operating system partners."
Alibaba Group, China's top provider of cloud services, was also notified ahead of time, according to a "person familiar with the company." An Alibaba spokesperson told the WSJ that the notion the company may have shared threat intelligence with the Chinese government was "speculative and baseless". Lenovo said Intel's information was protected by a non-disclosure agreement.
It is a "near certainty" that Beijing was aware of information exchanged between Intel and its Chinese tech partners because local authorities routinely monitor all such communications, said Jake Williams, president of security firm Rendition Infosec and a former National Security Agency staffer.
An official at the US Department of Homeland Security, which runs US CERT, said it only learned of the processor vulnerabilities from early news reports. "We certainly would have liked to have been notified of this," they added.
Rob Joyce, the White House's top cybersecurity official, publicly claimed the NSA was similarly unaware of what became known as the Meltdown and Spectre flaws.
Because they had early warning, Microsoft, Google and Amazon were able to roll out protections for their cloud-computing customers before details of Meltdown and Spectre became public. This was important because Meltdown – which allows malware to extract passwords and other secrets from an Intel-powered computer's memory – is pretty easy to exploit, and cloud-computing environments were particularly exposed as they allow customers to share servers. Someone renting a virtual machine on a cloud box could snoop on another person using the same host server, via the Meltdown design gaffe.
Smaller cloud service providers were left playing "catch up." Joyent, a US cloud-services provider owned by Samsung Electronics, was among those that may have benefited from a warning but wasn't included in the select group informed ahead of the public reveal.
"Other folks had a six-month head start," Bryan Cantrill, the company's chief technology officer, told the WSJ. "We're scrambling."
"I don't understand why CERT would not be your first stop," Cantrill added.
El Reg asked Intel to comment on its disclosure policy. In a statement, Chipzilla told us it wasn't able to inform all those it had planned to pre-brief – including the US government – because news of the flaws broke before a scheduled 9 January announcement:
The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure. Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition's intended public disclosure date at which point Intel immediately engaged the US government and others.
US CERT acts as a security clearing house. The agency initially advised that the Spectre flaw could only be addressed by swapping out for an unaffected processor before revising its position to advise that applying vendor-supplied patches offered sufficient mitigation.
El Reg asked US CERT for its take on how the disclosure process went down in the case of the Meltdown and Spectre vulnerabilities but we're yet to hear back. We'll update this story as and when more information comes to light. ®
Sponsored: Becoming a Pragmatic Security Leader