Global microchip flaw could affect billions of devices

A microchip flaw that leaves devices vulnerable to hackers is much worse than first feared. Photo / 123RF

A global microchip flaw that leaves computers vulnerable to hackers is much worse than first feared, affecting potentially billions of devices including mobile phones.

Researchers who first discovered the "Meltdown" and "Spectre" bugs have now revealed the full extent of the issue after reports first emerged that computers running Intel chips could have their passwords and other data stolen.

The second of the two, Spectre, "could haunt us for some time," according to the researchers who discovered it. It affects chips designed by Arm Holdings, the British company whose designs are used in almost every smartphone and tablet, and AMD, another chipmaker, as well as Intel.

The researchers who discovered the flaws warned that there was no software update that could completely fix the Spectre bug, meaning that computers will be vulnerable for the foreseeable future. In comparison, Meltdown largely affects Intel chips and is easier to solve with a software update.

Both could allow malicious software, such as a computer virus, to steal passwords, emails, personal photos and other sensitive information stolen.

The United States government warned that the only way to fully fix the problems was to replace the CPU, the main processor in a computer or phone.

"The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware," US-CERT, the computer safety division of Homeland Security, said.

To date all Intel chips on the market are vulnerable to the problem.

Software from Apple, Google and Microsoft are all affected. Google said Android phones with the latest security updates were protected, and Microsoft said it was introducing an update for Windows 10 on Thursday, with older versions due to be updated next week. Apple has not yet said if a software update is coming.

Experts have warned that the patches could slow down computer performance, particularly on the servers used by companies. This could significantly increase the IT costs of businesses, although it is unclear to what extent the changes will affect personal computers.

Both bugs involve computer programs being able to access part of a computer system's memory, and the patches to guard against them create barriers that slow down how the programs carry out tasks, meaning it can take longer for an application to run.

The United Kingdom's National Cyber Security Centre, an arm of the Government Communications Headquarters, has said there is no evidence that the bug has been used by cybercriminals. However, researchers at Google who helped discover Meltdown and Spectre have said they were able to create software that exploited the flaw.