Hexbyte Tech News Wired: Senators Fear Meltdown and Spectre Disclosure Gave China an Edge

A congressional hearing Wednesday on the Meltdown and Spectre chip vulnerabilities had all the technobabble and painful misunderstanding you’d expect. But the Senate Committee on Commerce, Science, and Transportation also raised an important practical concern: no one informed the US government about the flaws until they were publicly disclosed at the beginning of January. As a result, the government couldn’t assess the national security implications of the flaws, or start defending federal systems, during the months that researchers and private companies secretly grappled with the crisis.

“It’s really troubling and concerning that many if not all computers used by the government contain a processor vulnerability that could allow hostile nations to steal key data sets and information,” New Hampshire senator Maggie Hassan said during the hearing. “It’s even more troubling that these processor companies knew about these vulnerabilities for six months before notifying [the Department of Homeland Security].”

Attackers can exploit the Spectre and Meltdown chip bugs, which foreshadowed an entire new class of vulnerabilities, to steal many different types of data from a system. While the flaws have existed in the world’s most popular processing chips for 20 years, a series of academic researchers discovered them throughout the second half of 2017. Once informed of the issue, Intel and other chipmakers began a massive, clandestine effort to notify as many supply chain customers and operating system makers as possible, so they could start creating patches.

While Intel notified a group of international private tech firms—including some in China—during this process, the DHS and the US government in general didn’t learn of the situation until it was publicly disclosed at the beginning of January. Numerous senators at Wednesday’s hearing noted that this delayed disclosure may have given foreign governments the early warning the US didn’t have. If nation-state hackers weren’t already aware of Spectre and Meltdown and exploiting the bugs for espionage operations, they could have begun doing so in the months before patches went out.

“It’s been reported that Intel informed Chinese companies of the Spectre and Meltdown vulnerabilities before notifying the US government,” Florida senator Bill Nelson said on Wednesday. “As a result, it’s highly likely that the Chinese government knew about the vulnerabilities.”

Intel declined to attend the hearing, but Joyce Kim, chief marketing officer of ARM—a Softbank-owned company that creates processor architecture schematics that are then manufactured by other companies—told the committee that ARM prioritized notifying its customers within 10 days of learning about Spectre and Meltdown. “At that point, given the unprecedented scale of what we were looking at, our focus was on making sure that we assessed the full impact of this vulnerability, as well as getting [information] to potential impacted customers and focusing on developing mitigations,” Kim told the senators. “We do have architecture customers in China that we were able to notify to work with them on the mitigations.”

Since the initial disclosure in January, researchers have discovered multiple other variants of Meltdown and Spectre that chipmakers have worked to patch. Kim explained that as these new strains have emerged over the past six months, ARM has worked more closely with DHS to create communication channels for disclosure and collaboration.

“We always want to be informed of vulnerabilities as quickly as possible, so that we can validate, mitigate, and disclose vulnerabilities to our stakeholders,” a DHS official told WIRED.

Intel said in a statement to WIRED, “We have been working with the Senate Commerce Committee since January to address the Committee’s questions regarding the coordinated disclosure process and will continue to work with the Committee and others in Congress to address any additional questions.”

Managing vulnerability discoveries is always complicated, but especially so when it involves numerous organizations. And the stakes of Spectre and Meltdown were higher than usual, because the bugs were found to be in the majority of devices around the world and had persisted for two decades. These conditions not only created a massive patching challenge for dozens of major companies, they also raised the question of whether the vulnerabilities had been discovered and quietly exploited for years by unknown entities or governments. The flaws would have been extremely valuable for intelligence gathering if a country knew how to exploit them.

That’s what makes the notion, first reported by The Wall Street Journal, that Intel prioritized notifying Chinese firms over the US government so problematic. There is no specific evidence at this point that China actually abused Meltdown and Spectre as a result of these early disclosures, but the country is well known for aggressive state-sponsored hacking campaigns that have recently only grown in sophistication.

“A number of things probably combined to lead to the insufficiency of US government notification,” Art Manion, a senior vulnerability analyst at the CERT Coordination Center at Carnegie Mellon, which works on coordinating disclosures worldwide, told the committee. “We are actively working with industry contacts to remind them of the existing practice of notifying critical infrastructure and important service providers before public disclosure happens to avoid costly surprises.” When pressed by the committee, he added that the months-long wait to notify the US government about Meltdown and Spectre was a mistake on the part of chipmakers like Intel. “It is a rather long time, and in our professional assessment it is probably too long, particularly for very special new types of vulnerabilities like this,” he said.

Analysts say that pre-notifying DHS would be valuable in situations where a major vulnerability is about to be publicly disclosed. But they also caution that congressional hearings about security in general tend to mask or oversimplify deeply complex and nuanced topics. “Nobody can address or even mention any of the real issues in these types of public hearings,” says Dave Aitel, a former NSA researcher who now runs the penetration-testing firm Immunity. “DHS probably won’t get substantially more cooperation.”

Senators Demand Answers From Amazon on Echo’s Snooping Habits

A Portland woman recently told a local news outlet that her Amazon Echo device had gone rogue, sending a recording of a private conversation to a random person in her contact list. On Thursday, two senators tasked with investigating consumer privacy sent a letter to Amazon CEO Jeff Bezos demanding answers.

In the letter, Republican senator Jeff Flake and Democratic senator Chris Coons, who serve respectively as chairman and ranking member of the Judiciary Subcommittee on Privacy, Technology and the Law, ask Bezos to explain how exactly the Amazon Echo device listens to and stores users’ voices. The senators also seek answers about what the company is doing to protect users from having that sensitive information misused. Amazon didn’t respond to WIRED’s request for comment.

The letter, which was reviewed by WIRED, comes in the midst of what Flake calls a “post-Facebook” world, referring to the data privacy scandal in which Facebook says the data of as many as 87 million Americans may have been misappropriated by a political consulting firm called Cambridge Analytica. “Congress is feeling that we need to be ahead of the curve here,” Flake told WIRED. “Companies are establishing procedures and protocols, and we need to know what they are to make sure that privacy is protected.”

The letter specifically cites the Portland story, in which an Echo mistook part of a background conversation for the word “Alexa.” That caused the device to wake up. Once it started listening, the Echo misheard later parts of the conversation as a series of voice commands instructing it to send a message to one of the woman’s contacts. The mishap in Portland wasn’t caused by a glitch, the lawmakers write, but is instead an example of the Echo working “precisely how it was designed.” The letter demands “prompt and meaningful action” to prevent it from happening again.

“This incident makes it clear we don’t fully understand the privacy risks we’re taking,” Coons says. “Amazon owes it to the American people to be clearer about what’s happening with this technology.”

The letter asks Amazon to report the number of complaints the company has received from users about the Echo improperly interpreting a command. Among the nearly 30 questions contained in the letter are requests for details on when and how frequently the device sends voice data to Amazon’s servers, how long that recording is stored, and how that data is anonymized. The senators also ask Amazon to share information on how long the Echo records a conversation after it hears the word “Alexa,” and whether consumers have the ability to delete these recordings.

The answers to some of these questions are a matter of public record. As WIRED has explained, the Echo microphone is always live, but it’s only listening for its so-called “wake word.” Once it hears the word, “Alexa,” it begins recording and sends those clips to Amazon servers. That voice recording will stay there unless users take the time to manually delete it in the Alexa app. But other questions warrant further exploration. Flake and Coons want Bezos to explain, for example, “any and all purposes for which Amazon uses, stores, and retains consumer information, including voice data, collected and transmitted by an Echo device.” That explanation may be buried in the company’s terms of service somewhere, but the fine print that dictates what tech companies do with people’s data is often viewed differently when magnified.

The Portland incident is hardly the first time users have reported their AI assistants misbehaving. Recently, users reported that their Echoes were laughing at them, a menacing quirk that Amazon attributed to the device mishearing the term “Alexa, laugh.” Amazon calls these mistakes “false positives,” where the algorithmic brain of Alexa believes it’s hearing something it’s not. But while these flukes make good headlines, the odds of an Amazon Echo mishearing its way through the multi-step process of sending a voice recording are slim.

And yet, the senators’ questions for Amazon are still valid. They extend far beyond the particulars of any single mistake and cut to the heart of a key issue facing tech leaders. For decades now, companies like Facebook, Google, and Amazon have collected unlimited amounts of data on their customers, given them minimal control over that data, and offered even less transparency into how they collect and store it. Now, after seeing how data can be manipulated for political purposes through the Facebook scandal, lawmakers are reevaluating the freedom they’ve given tech companies all these years.

“The age of innocence is gone,” says Flake.
