While Intel classified the threat as “medium,” security researchers have said Zombieload is far more serious. The vulnerability affects almost every Intel computer chip since 2011 and highlights how hackers could become savvier at targeting the security holes in Intel’s computer chips.
“On a scale of 1 to 10, this is ’10’ serious,” says Robert Siciliano, CEO of security awareness training firm Safr.me.
The Zombieload attack takes advantage of a design flaw in most Intel chips, allowing hackers to grab any data that was recently been accessed by the processor. The attack’s name is a reference to “zombie load,” which is when a computer processor can’t properly process a load of data and needs to ask for help in order to prevent a crash.
The bug was discovered by the same researchers at the Netherlands’ VU University and Graz University of Technology who found the Meltdown and Spectre vulnerabilities last year, which affected chips in almost every computer in the world, made by Intel, AMD, and others. Those bugs leaked personal information that was stored on computer processors. They took advantage of speculative execution, a process that helps modern processors anticipate what an app or operating system might need next, in order to run most efficiently.“Hardware flaws by their nature are very serious,” says Siciliano. While Zombieload shouldn’t be downplayed, he adds, it’s highly unlikely it will ever be used in the wild. “This particular one would require the hackers to have perfect conditions in order to exploit it,” Siciliano says. Microsoft, Apple, and Google have released patches. However, since it’s a hardware exploit, he adds, the problem will never completely be eliminated. Zombieload has also highlighted the way that computer bugs are responsibly disclosed and how companies choose to handle that information while trying to avoid a potential PR nightmare. The researchers shared their discovery with Intel last month and threatened to publish the details themselves if Intel didn’t disclose the bug in May, according to an interview with Dutch outlet NRC. The flaw was rated a 6.5 on a 10 point scale by Intel, putting it at a “medium” threat level, an assessment that left the researchers concerned the chipmaker was downplaying the severity of the flaw, perhaps to attract less attention for paying a big bug bounty. Intel’s bug bounty program pays $100,000 for the most severe threats. At a medium level, Intel’s bug bounty program guidelines, suggest a payment of $5,000. The researchers say they were offered a $40,000 bounty and an $80,000 gift, which they turned down. When asked for comment, Intel referred Fortune back to its bug bounty program requirements, eligibility, and award schedule. Casey Ellis, founder and chief technology officer at Bugcrowd, a platform that connects companies with ethical hackers, says Meltdown, Spectre, and Zombieload have placed Intel in the difficult position of figuring out the best way to respond to hardware-related security threats. “In this case, we are talking about issues that are etched into silicon chips that are in laptops and mobile phones,” he says. “The ability to mitigate that issue is understandably more complicated.”
Typically, after a security researcher notifies a company they’ve found a bug, it’s usually in the company’s best interest to keep it quiet—or risk having the news leak to malicious hackers who may be able to exploit an issue before it has been patched. “Disclosure issues are a double edged sword. On one hand, you notify those affected so they can defend themselves…. On the other hand, you also notify the adversaries and they have the potential to abuse the issue,” says Ellis. “All of those risk factors have been rolled out into how Intel has responded to it.”
While the attacks are complex, they also highlight the growing concern that hackers may be able to discover new entry points in computer chips that companies have previously been blind to. That makes it crucial that white hat hackers continue to test away, says Ellis.
“All of these issues were discovered by independent researchers. It wasn’t an intense quality assurance process [at Intel] or their internal security team,” he says. “It was people in the outside world who got curious to test where the limits are.”