Google’s Tough Choice On How To Warn The World About Super Bugs
The job of the white-hat security researchers in Google’s Project Zero group is to break things. And they broke something very big when then discovered major security vulnerabilities in modern processors used in virtually any computing device manufactured in the last 20 years. The vulnerabilities leave Intel processors (and to a lesser extend ARM-based processors) open to attack from two exploits known as Meltdown and Spectre.
Meltdown and Spectre have the ability to penetrate the layers of apps and other software that sit between a machine’s user interface and its processor to let an intruder access sensitive data such as keystrokes, passwords, and all manner of personal and financial data. It’s scary stuff.
When Google’s Project Zero researchers discovered the vulnerabilities, and proved that they could be used as attack vectors, they found themselves in possession of some potentially dangerous information. And they faced a tough decision: How should they get the exploit information into the hands of people who could use it for the greatest good—such as providers of processors, operating systems, and cloud platforms—while preventing it from inadvertently falling into the hands of criminal elements who might use it maliciously?
Google ultimately decided to show its proof-of-concept data to a small group of key constituents. The researchers notified Intel first, to give it a head start on protecting its processors. Intel developed new security patches and is distributing them to computer makers that use its chips.
In a statement on Thursday, Intel declared that it “has developed and is rapidly issuing updates for all types of Intel-based computer systems—including personal computers and servers—that render those systems immune from both exploits (referred to as “Spectre” and “Meltdown”) reported by Google Project Zero.”
Amazon and Microsoft—and Google itself—have been using Project Zero’s research to create and issue patches for their cloud service servers, which are used by businesses small and large. The companies said in statements Wednesday they’re close to patching up all vulnerabilities.
Before giving these companies a heads-up, Google required them to sign non-disclosure agreements, preventing them from sharing data about the vulnerability—still undisclosed to the rest of us—with any third party. But there’s still a distinct danger that the proof of concept could be leaked to the public (and to hackers) before the service providers have a chance to completely patch up the vulnerabilities.
Notfiying The Little Guys
What about all the other small- and medium-size software and service providers that face the same security threat but were not provided with Google’s proof of concept information? The major service providers Google contacted are responsible for less than half of the web traffic that could be affected by Meltdown or Spectre, points out Cooper Levenson cyberlaw attorney Peter Fu. The rest of the traffic is wrangled by smaller providers.
Update #7 – Due to the incomplete information provided by hardware manufacturers, we joined forces with other impacted cloud providers including @linode, @packethost and @ovh to share information and work all together. https://t.co/iVHi72nmFJ
— scaleway (@scaleway) January 4, 2018
The fact is that Google’s NDA expires January 9 and has already leaked to the public, and the hackers will no doubt be ready and waiting for the exploit data to be released. Fu says this will leave many smaller software providers scrambling to get security patches out before hackers can strike.
But that may be a necessary consequence of Google’s strategy. “Google was caught in an impossible situation,” Fu said. “I’m starting to respect what they chose to do.”
“If they released the data to too many people, then the bad guys get the info and Google is held responsible for any early [hacks],” Fu said. “If they don’t give it to enough people, they look like they are playing favorites and exercising monopoly powers.”
Google did not respond to emails requesting comment for this story.
Fu said the federal government should have played a big role in the situation, but did not. “This is an area where the federal government should step in and provide a playbook,” Fu said. Fu said U.S.-CERT (the United States Computer Emergency Readiness Team, part of the Department of Homeland Security) is supposed to take charge of this type of potentially catastrophic security vulnerability.
The fact that Google’s first calls after the Zero team’s discovery were to large, private-sector tech companies, and not to the government, suggests that U.S.-CERT was not prepared to respond and coordinate a large-scale response. Had it done so, Fu says, Intel and Amazon and the others would still likely to have been provided with the exploit data but would have been held to secrecy by a federal order, not an NDA from Google.