While Intel classified the threat as “medium,” security researchers have said Zombieload is far more serious. The vulnerability affects almost every Intel computer chip since 2011 and highlights how hackers could become savvier at targeting the security holes in Intel’s computer chips.
“On a scale of 1 to 10, this is ’10’ serious,” says Robert Siciliano, CEO of security awareness training firm Safr.me.
The Zombieload attack takes advantage of a design flaw in most Intel chips, allowing hackers to grab any data that was recently been accessed by the processor. The attack’s name is a reference to “zombie load,” which is when a computer processor can’t properly process a load of data and needs to ask for help in order to prevent a crash.
The bug was discovered by the same researchers at the Netherlands’ VU University and Graz University of Technology who found the Meltdown and Spectre vulnerabilities last year, which affected chips in almost every computer in the world, made by Intel, AMD, and others. Those bugs leaked personal information that was stored on computer processors. They took advantage of speculative execution, a process that helps modern processors anticipate what an app or operating system might need next, in order to run most efficiently.
Typically, after a security researcher notifies a company they’ve found a bug, it’s usually in the company’s best interest to keep it quiet–or risk having the news leak to malicious hackers who may be able to exploit an issue before it has been patched. “Disclosure issues are a double edged sword. On one hand, you notify those affected so they can defend themselves…. On the other hand, you also notify the adversaries and they have the potential to abuse the issue,” says Ellis. “All of those risk factors have been rolled out into how Intel has responded to it.”
While the attacks are complex, they also highlight the growing concern that hackers may be able to discover new entry points in computer chips that companies have previously been blind to. That makes it crucial that white hat hackers continue to test away, says Ellis.
“All of these issues were discovered by independent researchers. It wasn’t an intense quality assurance process [at Intel] or their internal security team,” he says. “It was people in the outside world who got curious to test where the limits are.”