When it first learned about critical flaws plaguing its processors, Intel told a small group of customers, among them Chinese technology firms including Alibaba Group, but didn't include the U.S. government in its initial disclosures, a new report alleges.
Security researchers said that decision raises concerns, as it could have enabled Chinese companies to get ahold of information about Meltdown and Spectre before the public. There is currently no evidence to suggest the information was misused, according to the researchers.
Intel Went To Chinese Companies First When Meltdown, Spectre Happened
It's been weeks since both chip flaws ravaged the entire tech industry, but there's still heated debate and controversy about which companies Intel chose to disclose crucial information to. The debate stems from the fact that the vulnerabilities could have been severely exploited in the wrong hands. Because they allowed access to sensitive user data, information about the flaws would be of tremendous benefit to intelligence agencies, according to Jake Williams, formerly of the National Security Agency.
Intel had originally planned to blow the lid off on Jan. 9, but had to speed up its timetable when the news broke on Jan. 3, just a day after UK website The Register exposed the flaws to the public. But Williams claims there is "near certainty" that Beijing was aware of what was going on, particularly Intel's discussions with Chinese tech firms.
A spokesperson for Intel told The Wall Street Journal that it wasn't able to tell everyone it planned to tell because The Register made the story public before the company intended to disclose it itself. That would seem to mean that Intel was going to give the U.S. government very little lead time ahead of the disclosure, as security editor for ZDNet Zack Whittaker points out on Twitter:
This is grade A crap. Several people told me Meltdown/Spectre's planned disclosure was set for Jan. 9 but was revealed on Jan. 3 after a PoC came out. Based on WSJ, Intel was going to tell the US gov. only a week before disclosure?! It knew since June! https://t.co/DLusu37zoL pic.twitter.com/3s9COTub0C
— Zack Whittaker (@zackwhittaker) January 28, 2018
Intel said early reporting of both flaws had derailed its plans entirely, because it had been planning to approach manufacturers and other firms to come up with solutions.
"Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication," the spokesperson said. "In this case, news of the exploit was reported ahead of the industry coalition's intended public disclosure date at which point Intel immediately engaged the US government and others."
Meltdown And Spectre Controversy
The Meltdown and Spectre flaws have caused widespread panic — and rightly so, since they theoretically can affect anyone using a computer. The solution? A massive cleanup effort to ensure patches, updates, and security fixes are pushed out quickly. It's still going on.
It's a tricky situation, of course. Yes, it's a given that Intel has to notify partners immediately, but it also has to limit those notifications to minimize leaks before the patches are ready. The issue is that it didn't do well at acknowledging the implications of cherry-picking whom to tell first.