LAS VEGAS—Brian Krzanich’s opening keynote address at the massive tech tradeshow CES Monday night was timely. The CEO of Intel didn’t plan to tell the world about the massive vulnerabilities his company introduced into almost every computer in the world until Tuesday.
But instead, last week a story broke in the tech news site the Register detailing two massive security holes in Intel chips, Spectre and Meltdown, that could allow hackers to siphon memory off of computers and open the doors to new attacks. The problem might not have been so widespread if not for the near-ubiquity of Intel chips, which can be found not only within personal devices like Macs and iPhones but also inside nearly every data center and cloud service in the world. The chipmakers Arm and AMD were also affected by the same holes.
On stage at the Monte Carlo Resort and Casino Monday night, Krzanich began his speech by addressing the recent news. “As of now, we have not received any information that these exploits have been used to obtain customer data,” he told a packed house, as the screen behind him displayed quotes from major tech companies like Google, Apple, and Amazon stating that the vulnerability has largely been patched and hasn’t seriously impacted the security of their products. Krzanich went on to say that for Intel products introduced over the last five years, the company expects to issue updates for more than 90 percent of them within the next week and the rest by the end of January.
Apple, Microsoft, Amazon and other major tech companies have all issued patches for Meltdown, and Intel released a fix for its processors for Meltdown, too. But the other security flaw, Spectre, is much more difficult to fix, though browsers like Chrome, Firefox, and Safari have issued updates to protect against the flaw. Intel was actually alerted to the security problems in its chips in June, but held off on disclosing them so the company could attempt to issue fixes for the vulnerabilities first.
The company has pushed back against some of the language used to describe Spectre and Meltodwn. “Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect,” the company said in a statement. Rather, Intel calls them exploits, meaning its technology has vulnerabilities that can be exploited, which Intel says doesn’t necessarily mean there’s a design flaw. Intel says its tech works as it should, and that the exploits prey on a performance-improving technique that was created before the method that found one could take advantage of the exploit was developed, reported the New York Times. Some experts have projected that the fixes are bound to introduce serious downgrades in performance of machines affected by the vulnerabilities by up to 30 percent, though Apple, Google, Microsoft, and Amazon have all reported that the impact on performance of their products has been negligible—a happy development that’s certainly in the interest of the tech companies that would probably prefer this major security nightmare quietly disappear than continue to make headlines.
Security researchers have pushed back against Intel’s attempt to assuage fears about the massive scale of its chips’ security problems. One of the sharpest critics of Intel’s response to the vulnerability has come from the celebrated Linux developer Linus Torvalds, who wrote a scathing email to a Linux list last week, charging that Intel was knowingly selling faulty products to the public.
“I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed,” wrote Torvalds.
On top of the double-decker security holes Intel is dealing with, it was also reported last week that Krzanich sold $39 million worth of stock—the most he was allowed to sell under corporate bylaws—months after he learned about the problems his company was soon to face. The U.S. Securities and Exchange Commission could be prompted to take a look at the unusually timed sale, which according to the Wall Street Journal a spokesman for Intel denied had anything to do with the chip issues.
There’s one thing Krzanich didn’t do in his opening keynote: apologize for any of this. Rather, he acknowledged that “the industry” has been collaborating to fix the issues. The problem with such rhetoric, of course, is that Intel dominates the microprocessor industry, and even if other tech firms that rely on its products have been working with Intel to patch these holes, it was primarily Intel that appears to have overlooked some serious vulnerabilities in its quest to improve the speed of its processors.
The co-founder of Intel, Gordon Moore, is perhaps best known for Moore’s Law, a prediction he made in 1965 that posited that computing power would dramatically increase every year, a forecast that set the pace for the unbridled growth and innovation in computing that drives the tech industry today. But Moore originally made that forecast looking at the next 10 years. He wasn’t thinking that a similar pace would continue for another five decades.
Now Intel is facing multiple class-action lawsuits for how its handled its security holes, and the very promise that drove company to become one of the most powerful technology firms in the world may very well prove to be its Achilles’ heel.