Chips from Intel, Arm Holdings and Advanced Micro Devices (AMD) all contained the flaw, according to a new report from Alphabet, Inc.'s Google Project Zero, whose stated goal is to determine security faults in new software on zero day — that being the day that hackers discover the flaw in any given software.
The flaw, code named "Spectre," allows chips from the three companies to be tricked into giving up secret information to hackers. Furthermore, Intel chips suffer from a separate flaw called "Meltdown," which allows hackers to bypass hardware barriers, allowing them to read memory and steal passwords.
Intel chips made in the last decade have a defect with their kernel memory, which normally cannot be accessed by users because it allows the processor to interface with applications. Meltdown allows the technologically savvy to access the kernel memory, which can expose private information such as passwords and exploit other flaws in the computer's security.
Speaking to Reuters, Project Zero member Daniel Gruss, who is also a researcher with the Graz University of Technology, referred to Meltdown as "probably one of the worst CPU bugs ever found."
Gruss added that Meltdown would be relatively easy to fix with software patches, but Spectre, while less dangerous, applies to far more devices and will be much more difficult to remedy.
The announcement sent shockwaves through the cybersecurity world. Intel and ARM on Thursday both announced their intent to release a patch as soon as possible that would purportedly close the hole through an update to their operating system.
"Intel has begun providing software and firmware updates to mitigate these exploits," Intel said in a statement. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time."
ARM spokesman Phil Hughes, meanwhile, said that they had already shared the patch with their partners, including Google (which extensively uses ARM processors in its Android mobile devices) and Samsung.
"This method only works if a certain type of malicious code is already running on a device and could, at worst, result in small pieces of data being accessed from privileged memory," Hughes said in an email statement.
Google issued a statement of their own, saying that their Android, Nexus and Pixel phones are protected, provided they're running the latest security updates. Users of Google's Chrome web browser and most of Google's Cloud projects will need to install updates.
Project Zero also said that Apple and Microsoft would issue patches of their own. Microsoft has declined to comment, while Apple has said that all Macintosh systems and devices running their Apple IOS are affected — but there were no reports of consumers being affected.
Speaking to Radio Sputnik's Loud & Clear with Brian Becker and John Kiriakou, NSA veteran-turned whistleblower William Binney called these security holes a major threat to privacy, as no computer is secure from government snooping. "If they're after you, they're going to get you," Binney said. "They have many ways of hacking through operating systems, firewalls, passwords — so if they're really after you, you're dead."
The flaw, according to Binney, "goes back to GCHQ [the Government Communications Headquarters, the British signal intelligence agency] hacking into Gemalto, a company in the Netherlands where they were manufacturing chips, and what they did was they scraped off the web all the equivalence of access codes and identifiers of devices. That's what you put in your computer or cell phone, so that when you log on your identifier goes up. That means the system has your access code to connect to you and send data to you."
"But when they did that they pulled down billions of relationships in the chips. If you have a computer or a cell phone, and you log onto the network, your identifier goes up. Then your access code is the network, it knows that from the chip, and therefore you can then work on the network. Your password is something that could protect your files, but the GCHQ was trying to break through passwords so now they can go directly to that attempt any time you log on anywhere in the world."
In other words, even encrypted communications through applications like Protonmail or WhatsApp are no protection from signals from intelligence agencies like GCHQ or the NSA because they have the ability to access your data directly through the computer's chip.