Health services at risk from Intel chip vulnerability

Highly regulated sectors, such as public health institutions and government offices, are most at risk of compromise as a result of the security flaw present in modern microprocessors from Intel, Advanced Micro Devices and other manufacturers, according to security experts.

Widespread use of old computers and legacy components means software-based fixes being developed by companies like Microsoft may slow down already aging systems.

“This will adversely affect highly regulated sectors, such as the NHS,” said Michela Menting, digital security research director at ABI Research. “There’s a whole chain of authority that needs to run before machines can be altered. In addition to this wait time, once the patches are run, they are likely to slow down processing speeds.”

Cedric Thellier, chief technical officer at French cybersecurity advising firm Akerva, isolated healthcare institutions, as well as industrial players, as those that may be at a greater risk. He said it may simply prove too difficult to update some operationally sensitive systems upon which these organizations rely.

Reports emerged Tuesday that a feature used by billions of computer microprocessors had a vulnerability that hackers could exploit to gain access to private system data. A fix could be issued, but some computers may see a performance drag. The hardware-based nature of the underlying problem also means recall and replacement is almost certainly no option.

Intel-Sign-CROP.jpg
Intel Corp. signage is displayed at the entrance to the company\'s headquarters in Santa Clara, California. Photographer: David Paul Morris/Bloomberg

Large companies running database servers could see some of the biggest impact from any slowdowns, said Ian Batten, a computer science lecturer at the University of Birmingham.

"Industries where servers need to operate continuously," such as those that power cloud computing, "could feel an impact," said Ido Naor, senior security researcher at Kaspersky Lab.

Amazon.com, the biggest cloud-computing provider, previously said most of its affected AWS servers have already been secured. Microsoft said the majority of its Azure cloud infrastructure has been updated with the fix, and most customers won’t see a noticeable slowdown with the update.

While Intel has said there are no known incidents of this vulnerability being exploited so far, the company also said it may take weeks to fully protect systems running on its chips, and estimates of the degree of slowdowns the fixes may cause are based on simulations.

Peter Zaitsev, the co-founder and chief executive officer of Percona, a Raleigh, N.C. -based company that helps businesses set and manage large computer databases, said that firms running such databases might see a 10 percent to 20 percent slowdown in performance from the patches being issued. He said this was not enough to cause major disruptions for most applications. He also said that subsequent versions of the patch would likely limit any performance impacts.

He also said that in cases where a company has a server completely dedicated to a single application, there was likely no need to implement the patch because these machines are not susceptible to the attacks researchers have discovered.

Still, computers used by institutions like the U.K.’s National Health Service are already slow compared with the newest machines today. “Add to that an incremental slowdown,” Menting said, referring to the proposed software patches, “and we’re looking at a significant reduction in productivity.”

“We are aware of this issue and are continuing to work with stakeholders to ensure the risk is minimized," said an NHS spokesman. "There is no evidence to suggest this vulnerability has been exploited across health. We are constantly monitoring and continue to work closely with NCSC.”

Cybercriminals are likely to already be looking for ways to exploit the vulnerabilities, aware that not everyone will install the patches, said Naor.

Google said in a blog post that it privately informed Intel, ARM Holdings and AMD of these issues on June 1 last year to give them time to find remedies before the vulnerabilities became public. While the companies were working on fixes, the same vulnerabilities were independently discovered by a team of researchers affiliated with several academic institutions and computer-security firms.

Intel, responding to the reports, said the chip weakness doesn’t mean hackers could corrupt, modify or delete data, and the current solutions to the vulnerability “provide the best possible security for its customers.” There should be no impact on the company’s business, and performance slowdowns “should not be significant and will be mitigated over time,” the company said Wednesday.

Bloomberg News